Windows Code Shredded
Can an ordinary person understand Windows code?

Ahmed Sallam
Chief Software Architect
McAfee Avert Labs

04/24/09 | HT2-401

RSA SF Conference talk-2009-ht2-401 sallam

Notes

• This is not the final presentation. This is an initial draft that tells the story. I will be working with Jeffrey Cufaude on completing the presentation.

• I will deliver the presentation using my own laptops as I will be showing simple code breaking techniques using IDA and WinDBG.

What is this presentation all about?

• Is Windows code the big secret people think it is?

• Who knows Windows code very well?

• Can you contact and learn from those who know Windows source code?

• Why do some of you need to know Windows code?

• Can you learn Windows code and how?

• Is Windows code changing much?

• Case studies from McAfee’s research

What this session is not about

• Not about teaching you how to break Windows code for fun or for bad purposes.

• Not about discovering Windows vulnerabilities

• Not about exploiting Windows code

• If you are looking for any of the above, then sorry, you won’t find any of it here

Historical perspectives

• Microsoft always kept Windows source code a big secret over the past twenty years

Source: http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx

More historical perspectives

• Besides a few technical articles and the popular “Windows Internals” book series, Microsoft never provided any serious documentation of its operating systems’ secrets

• Microsoft used not to provide a good kernel debugger

• Microsoft used not to provide symbol files

• Windows internals were mostly known only to hackers

• Hackers had their own communities where they shared information about Windows internals

• Security companies have skillful people who try to understand Windows code

Windows secret books

• Any Windows book with the words “secret”, “undocumented”, “internals”, etc. would sell immediately.

How did people use to break Windows code?

• Using a disassembler like IDA:

– With no symbols, debugging was painful

• Using a low-level debugger like NuMega SoftICE:

– Major compatibility issues

– Platform support always late

– Frequent operating system crashes

• Runtime instrumentation tools and debuggers:

– Thousands of irrelevant events per second

– Required some data mining and reporting engines

Skill set required to break Windows code?

• Understanding of assembly language

• Understanding of CPU architecture

• Understanding of operating systems architecture

• Understanding of file structure on disk and in memory

• Patience, patience, patience, patience

• Who has all of the above?

– Only people with clear targets and strong intentions

– Mostly hackers

– Few security experts

Why is this all changing now?

• Microsoft is providing:

– Symbol files for Windows core modules and applications

– Windows kernel Debugger, WinDBG

– Documentation, to abide by EC rulings

– Online communities and groups for people to ask Windows experts

• Virtualization making whole system debugging simpler

• Disassemblers are designed with Windows APIs and symbols knowledge in mind.

• Online Windows open source documentation projects

• And of course Google

Microsoft Windows Symbols

• Available as a download package from the Microsoft debugging web site: http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx

• Microsoft makes symbols available online via the Microsoft Symbol Server

• For WinDBG, set the debugger symbol path as follows: SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols

• Microsoft provides a programmable library to read symbols (Debug Help)

• IDA and other disassemblers can automatically load Windows symbols from the server

• Private symbol files have all the information in them for the debugger to resolve data (local variables, structure type information, functions, source file name/line info...).

• The next slides show how understanding Windows code is pretty straightforward once Windows symbols are available

Debugging Windows in a Virtual Environment

• Using WinDbg and a desktop virtual environment like Microsoft Virtual PC or VMware Workstation you can debug an entire Windows environment

• The trick is to debug over a virtual serial port: map the virtual serial port to a named pipe and configure WinDbg to do kernel debugging via that serial port

• Good instructions from the VMware site:

http://www.vmware.com/support/gsx3/doc/devices_serial_debug_gsx.html

• A live demo will show how this looks

Dumping Windows Private Symbols using WinDbg

• This slide will present a video or live demo that shows how to use WinDbg to list all Windows kernel internal data structures

Traversing Windows key code modules via a disassembler

• You can use WinDbg, but it requires an interactive session

• You can use a commercial disassembler

• A video recording will show how to traverse through Windows disassembled code.

• Will cover:

– Windows system service dispatch table and transfer of control from user mode to kernel mode

– Windows ntoskrnl, covering the object manager, I/O manager, security reference monitor, etc.

– Windows device drivers: the NTFS driver, tcpip, etc.

– Internet Explorer internal modules

Simple debugging techniques

• Using both a kernel debugger and a disassembler can provide good results

• Example, finding Windows functions’ inter-dependencies:

– Use a disassembler, as it shows who calls whom

– Works, but gives many results

– Use WinDBG, put a breakpoint at an internal function, then dump the stack

– Use WinDBG to understand device stacks

• A video will demonstrate the above

Windows Open Specification Online Documentation

• Microsoft made key information available pursuant to the Consent Decree and the European Commission's 2004 Decision

• Example of available documentation:

– Windows protocols

– Office protocols

– Office file formats

– SQL server protocols

– Computer languages

• Whole information available at MSDN Library web site: http://msdn.microsoft.com/en-us/library under the “Open Specification” section.

• Use the documentation along with other tools and you will find answers to how Windows works and what is happening inside

Googling Windows Symbols

• Are you impatient and need an immediate answer? Google everything.

• Pick a Windows internal symbol name and Google the web.

• Do you want more specialized technical info? Google the groups: http://groups.google.com

• Are you wondering if there is open source that may explain how it works? Google the code: http://code.google.com

• Are you looking for papers? Google the web and restrict the file format to PDF, DOC, PPT or whatever makes sense to you.

• Are you looking for people blogging about it? Google the blogs: http://blogsearch.google.com

• Are you looking for books that may talk about it? Google the books: http://books.google.com

• Did you find what you’re looking for in a foreign language? Translate the page: http://translate.google.com

• Point is, just pick any symbol name or even a memory address and Google it.

Windows Open Source Documentation Projects

• Many open source projects aim at building an operating system equivalent to the Windows architecture

• Some aim at achieving full application compatibility with Windows

• ReactOS (http://www.reactos.org/en/index.html) is a good example

• An exact implementation of Windows modules and device drivers

• Code is written by literally converting each Windows assembly function back into its equivalent C code

• A good place to start learning about Windows architecture

• A video will compare some Windows assembly with its equivalent ReactOS C function

Windows Driver Kit (WDK)

• Available on: http://www.microsoft.com/whdc/devtools/wdk/default.mspx

• Contains many useful help files and technical docs

• Installable File System (IFS) kit available for free in the WDK:

– IFS used to cost about $1000 and required a special NDA with Microsoft

– Contains source code of the Microsoft FastFat and CDFS file system drivers

– Contains working file system filter drivers

• Good source of documentation about the Microsoft Windows architecture

• Includes OSR technical documents

Microsoft WinHEC Conference

• All conference papers and presentations available via:

– http://www.microsoft.com/whdc/winhec/2008/pres.mspx

– http://www.microsoft.com/whdc/winhec/2008/papers.mspx

• Advanced Windows architecture documents designed for device driver and hardware engineers

• Good source to learn about Windows kernel mode and device architecture

Microsoft MVP / MVPSLP / open source

• Microsoft Most Valuable Professionals (MVPs) are exceptional technical community leaders from around the world who are awarded for voluntarily sharing their high quality, real world expertise in offline and online technical communities. (source Microsoft MVP web site)

• The MVP Source Licensing Program (MVPSLP) recognizes some of the most valuable individuals within the Microsoft platforms community, by giving them the opportunity to differentiate themselves professionally as Windows-platforms experts through access to Microsoft Windows Shared Source access. (source Microsoft MVP web site)

• MVP official web site: http://mvp.support.microsoft.com/

• Find MVPs, track their blogs and their online postings, correspond with them, and you will learn more about Windows internals

• If interested, you can license Windows and application source code if you meet certain criteria.

• You can check http://www.codeplex.com/, Microsoft’s open source project site, and look for projects with participation from MVPs

Nicely Designed Windows Hacking Web Sites

• In the old days hackers used cryptic web sites with cryptic names and cryptic content

• Nowadays, more hackers tend to find useful uses for their Windows internals knowledge and build their own social-networking-like sites

• Hacking-style documents are now written with a higher level of accuracy, clarity and professionalism.

• This helps people find jobs as security experts or consultants, so we can no longer call them bad hackers.

• Some even have their own blog

• Some useful sources:

– http://www.phrack.org/ (written by hackers for hackers)

– http://www.uninformed.org/

– http://www.rootkit.com/ (mainly rootkit source code and methods)

– http://www.blackhat.com/ (many useful sessions on code breaking techniques)

Using Microsoft Windows Internals

• The Windows Internals book series, by Mark Russinovich and David A. Solomon from Microsoft Press, is one of the best sources to learn about Windows internals

• The book references many parameters using their symbol names

• Take the symbol, then use WinDbg or a disassembler to understand more of the code referenced by the symbol

Referencing symbols programmatically

• Microsoft provides a programmable interface called the Debug Help library to load, enumerate and find module symbols in memory

• There was a time when the library was not documented. Full library documentation with nice sample code is now available at: http://msdn.microsoft.com/en-us/library/ms679309(VS.85).aspx

• You can load a module’s symbols using: SymLoadModuleEx()

• You can enumerate symbols using: SymEnumerateModules64()

• You can retrieve a symbol by address (SymFromAddr()) or by name (SymFromName())

• Very useful for writing your own memory diagnostics

• You can also use your favorite scripting language, as long as it can call into Windows DLLs

• You can even reference symbols programmatically in a kernel mode device driver

Case studies

• Three case studies will be covered here:

– Terminating DKOM Rootkits

– Obtaining documentation for DnsQueryEx

– Finding Windows user mode API filtering code

Case study 1: terminating DKOM Rootkits

• Direct Kernel Object Manipulation (DKOM) rootkits modify Windows kernel dynamic lists to hide their presence

• While working on terminating a rootkit we got into an interesting situation:

– If you terminate the rootkit, other processes in the system become hidden!?

– If you terminate the hidden IE process created by the rootkit, more processes become hidden!?

• How to find out what is going on?

– Contacting Microsoft is not a valid option.

– Check the Windows kernel, yes that’s simpler:

• Runtime debugger

• Kernel assembly dump

Case study 1: terminating DKOM Rootkits

• Here a live demo will show:

– how to use WinDBG to identify the process termination stack through the PspProcessDelete() function

Case study 1: terminating DKOM Rootkits: Analyzing PspProcessDelete in IDA.

• Will clean this slide a little bit

Case study 2: DnsQueryEx

• DnsQuery() is a documented API to query public DNS records

• DnsQuery does not create another thread, hence the calling function has to wait until DnsQuery returns

• But calling public DNS servers can take time

• The normal solution is to create another thread which calls DnsQuery, and wait until that thread returns or times out

• While looking into the code we found DnsQueryEx, which internally creates a thread

• Contacted Microsoft to obtain the correct prototype. Microsoft said the function was undocumented

• Did a whole search inside the Windows SDK and found the function prototype

• Contacted Microsoft again with the finding and asked for more documentation on the parameters

• Microsoft thankfully responded with full, detailed documentation

• Point is, sometimes the Microsoft support team says it is documented, but once you prove it is not, they fully cooperate

Case study 3: finding Windows filtering interface

• Here a live demo will show how to find the interface using WinDbg and how this is useful.

• Point is, sometimes the API you’re looking for is available but you cannot find the documentation, so WinDbg is a nice solution

Did Google Disassemble Windows Code?

Is Windows Code changing much?

• Not really, only a few changes

• You can easily spot changes in Windows kernel data structures using the WinDbg “dt” command

• You can compare stack frames

• You can use the Debug Help library to compare functions; a simple MD5 hash per function body can do it

• You can easily find newly exported functions from WinDbg or a disassembler, or even by parsing the executable file’s .EXPORTS section

Why do you need to understand how Windows works?

• Obviously software developers can achieve a lot, as covered in this slide deck

• Software developers can write many useful system diagnostic and profiling tools

• With the current economic downturn, McAfee expects more corporate-targeted attacks

• Attackers are using all available resources to learn how to break Windows and its applications

• Security professionals ought to leverage the same available resources and come up with better defensive methods

• System security administrators can write simple scripts to explore their systems’ memory and ensure kernel and application memory integrity:

– Who is hooking Windows functions and why?

– Who is hooking browser functions and why?

– Who is loading device drivers and why?

– Who is attaching as a filter driver and why?

• Many free security tools are available too, but using the knowledge available online you can write your own, especially if you are a software developer
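The kind of integrity script this slide and the "Referencing symbols programmatically" slide call for, as an added example written for this page (not code from the deck or from McAfee): it calls the Debug Help library from Python through ctypes to resolve an exported function by name with SymFromName, hashes its body (the per-function MD5 idea from the "Is Windows code changing much?" slide) and classifies its entry bytes for common inline-hook shapes. The Windows-only part assumes dbghelp.dll is reachable and that symbols come from _NT_SYMBOL_PATH or the module's export table; classify_entry, body_hash and inspect_function are hypothetical helper names, and the byte patterns in the test are constructed.

```python
import ctypes, hashlib, sys

def classify_entry(code):
    """Label a function's first bytes: typical inline-hook shapes vs. clean."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return "jmp-rel32"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [mem]
        return "jmp-indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push-ret"
    return "clean"

def body_hash(code):
    """MD5 of a function body; compare digests across builds to spot changed code."""
    return hashlib.md5(code).hexdigest()

class SYMBOL_INFO(ctypes.Structure):
    # Mirrors dbghelp's SYMBOL_INFO; Name is a flexible array, so callers
    # allocate sizeof(SYMBOL_INFO) + MAX_SYM_NAME (2000) bytes behind it.
    _fields_ = [("SizeOfStruct", ctypes.c_ulong), ("TypeIndex", ctypes.c_ulong),
                ("Reserved", ctypes.c_ulonglong * 2), ("Index", ctypes.c_ulong),
                ("Size", ctypes.c_ulong), ("ModBase", ctypes.c_ulonglong),
                ("Flags", ctypes.c_ulong), ("Value", ctypes.c_ulonglong),
                ("Address", ctypes.c_ulonglong), ("Register", ctypes.c_ulong),
                ("Scope", ctypes.c_ulong), ("Tag", ctypes.c_ulong),
                ("NameLen", ctypes.c_ulong), ("MaxNameLen", ctypes.c_ulong),
                ("Name", ctypes.c_char * 1)]

def inspect_function(module, name, fallback_len=16):
    """Resolve module!name in this process via SymFromName, then hash and classify
    its code. Windows only; Size is 0 when only export symbols are available."""
    if sys.platform != "win32":
        raise OSError("dbghelp.dll is only available on Windows")
    k32 = ctypes.WinDLL("kernel32")
    dbghelp = ctypes.WinDLL("dbghelp", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    dbghelp.SymInitialize.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
    dbghelp.SymFromName.argtypes = [ctypes.c_void_p, ctypes.c_char_p,
                                    ctypes.POINTER(SYMBOL_INFO)]
    hproc = k32.GetCurrentProcess()
    k32.LoadLibraryA(module.encode())             # make sure the module is mapped
    if not dbghelp.SymInitialize(hproc, None, 1):  # 1 (TRUE): load every module's symbols
        raise OSError("SymInitialize failed")
    buf = ctypes.create_string_buffer(ctypes.sizeof(SYMBOL_INFO) + 2000)
    pinfo = ctypes.cast(buf, ctypes.POINTER(SYMBOL_INFO))
    pinfo.contents.SizeOfStruct, pinfo.contents.MaxNameLen = ctypes.sizeof(SYMBOL_INFO), 2000
    if not dbghelp.SymFromName(hproc, f"{module}!{name}".encode(), pinfo):
        raise OSError(f"SymFromName failed, error {ctypes.get_last_error()}")
    info = pinfo.contents
    code = ctypes.string_at(info.Address, info.Size or fallback_len)
    return {"address": info.Address, "size": info.Size,
            "md5": body_hash(code), "entry": classify_entry(code)}
```

Run `inspect_function("kernel32", "CreateFileW")` on a Windows box and record the digest; a later run that reports a different digest or an entry other than "clean" is the "who is hooking this function" question made concrete.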

Conclusion

• Windows code is not the top secret people think it is

• Microsoft provides many useful means to understand Windows internals: WinDbg, symbols, the Windows Internals book, the Debug Help library, online documentation and communities

• Not only hackers can learn Windows internals, but also average software engineers

• Encourage your people to leverage available resources

Finally

• Obviously Microsoft provides all of those resources for good purposes, so make sure you keep your usage within the intended good-usage boundaries
