T-110.6220: Windows OS with an Antivirus Perspective
Antti Tikkanen, F-Secure Corporation

Page 2: T-110.6220 Windows OS

October 11, 2007 Page 2

Agenda

1. Applications on Windows

2. Processes and threads

3. Windows architecture

4. System mechanisms

5. Management mechanisms

6. Memory management

7. Security mechanisms

8. File systems

9. I/O System and drivers

10. Windows API for malware analysts

11. Case study: rootkits on Windows

Page 3: T-110.6220 Windows OS

Note on Windows versions!

• Much of this presentation will include details specific to Windows XP!

• Vista includes many changes and new security features like

• Address space randomization (ASLR)

• Integrity levels

• User account control (UAC)

• I don’t have time to go into these, sorry!

Page 4: T-110.6220 Windows OS

Applications on Windows

Page 5: T-110.6220 Windows OS

Windows Executables

• Common filename extensions hint at the type of an executable

• EXE

• An executable program, anything from a DOS executable to a 32-bit PE executable

• DLL

• Dynamic-link library, exports functions by numeric ordinal (and optionally, by name)

• .OCX files are ActiveX controls, basically just DLLs

• SYS

• A device driver loaded into kernel space

• OBJ

• An object file created by a compiler, used as input to the linker

• All of the above follow the PE/COFF file format specification

Page 6: T-110.6220 Windows OS

PE/COFF File Format

• Windows executables and object files follow the Portable Executable (PE) specification

• Based on UNIX COFF (Common Object File Format)

• Full specification available online *)

• More on this in the Reverse Engineering lectures

*) http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

Page 7: T-110.6220 Windows OS

Windows API

• The Windows API (a.k.a. the Win32 API) is the set of core user-mode interfaces to the OS

• Exposed by several DLLs (kernel32, user32, gdi32)

• Can be logically divided into subcategories

• Administration and management

• Task scheduler, WMI, …

• Diagnostics

• Event logging, debugging, …

• Graphics and multimedia

• Networking

• Winsock, …

• Security

• System services

• Processes, threads, registry, file systems

• Windows UI

• See full documentation on MSDN

• http://msdn2.microsoft.com/en-us/library/default.aspx

Page 8: T-110.6220 Windows OS

Processes and threads

Page 9: T-110.6220 Windows OS

Processes

• A process is an abstraction of a running program

• A process consists of the following essential components:

• A private virtual address space

• An executable program

• A list of open handles to resources allocated by the operating system

• An access token, which uniquely identifies the owner, security groups, and privileges associated with the process

• A process ID

• One or more threads

Page 10: T-110.6220 Windows OS

Threads

• A thread is the entity that is scheduled for execution on the CPU

• A thread consists of the following essential components:

• The CPU state

• Two stacks, one for kernel-mode and one for user-mode

• Thread-Local Storage (TLS), a private storage area that can be used by subsystems, run-time libraries, and DLLs

• A thread ID

• An access token, which uniquely identifies the owner, security groups, and privileges associated with the thread

Page 11: T-110.6220 Windows OS

Processes and threads

Page 12: T-110.6220 Windows OS

What happens when a process is created?

1. Image file is opened and read

2. Process object is created

3. The initial thread is created (stack, context and object)

4. Windows subsystem is notified of a new process

5. Initial thread executes (unless process was created as suspended)

6. In the context of the new thread, process initialization is completed (DLLs are loaded)

Page 13: T-110.6220 Windows OS

TEB & PEB

• TEB = Thread environment block

• One for each thread, contains information about things like exception handlers, the stack, etc.

• Easily found through the fs segment (offset 0x18 holds a pointer to the TEB itself)

• mov eax, fs:[18h]

• PEB = Process environment block

• One for each process, contains information about loaded modules, the OS version, etc.

• The TEB holds a pointer to the PEB at offset 0x30

• When analyzing code, you need to know about TEB and PEB

• Enumerating modules (PEB.Ldr)

• Checking if a debugger is present (PEB.BeingDebugged)

• Installing an exception handler (TEB.NtTib.ExceptionList)

• …

Page 14: T-110.6220 Windows OS

Example: checking for a debugger

    ; Call IsDebuggerPresent()
    call [IsDebuggerPresent]
    test eax, eax

    ; Do the same by reading the PEB directly
    mov eax, large fs:18h         ; offset 18h holds the TEB self-pointer
    mov eax, [eax+30h]            ; offset 30h holds the pointer to the PEB
    movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    test eax, eax

Page 15: T-110.6220 Windows OS

Example: installing an exception handler

    ; Install a SEH exception handler
    push offset my_handler        ; pointer to our handler
    push fs:[0]                   ; pointer to the previous exception registration record
    mov fs:[0], esp               ; update TEB.NtTib.ExceptionList to point at the new record

Page 16: T-110.6220 Windows OS

Architecture

Page 17: T-110.6220 Windows OS

Windows architecture

Page 18: T-110.6220 Windows OS

Important system processes

• Smss.exe

• Session Manager, the first process to run at boot time

• Csrss.exe

• Windows subsystem process (client-server runtime process)

• Winlogon.exe

• Handles interactive logons

• Services.exe

• The service control manager, starts and stops services

• Svchost.exe

• Service host process for shared services

• Lsass.exe

• Local Security Authentication Server, verifies user credentials

• Userinit.exe

• The process that initiates a user session

Page 19: T-110.6220 Windows OS

Native API

• Undocumented interface to core OS functionality, exposed by Ntdll.dll

• Used by OS native processes (smss.exe, csrss.exe)

• ... but also by malware to access certain OS features

• ... and by rootkits to modify system behaviour

• Examples of interesting functions

• NtSetSystemInformation

• NtQuerySystemInformation

• NtQueryDirectoryFile

• You should not use the Native API in your applications without a good reason (it may and will change without notice)

• See “Windows NT/2000 Native API Reference” (Nebbett)

Page 20: T-110.6220 Windows OS

System mechanisms

Page 21: T-110.6220 Windows OS

Kernel mode vs. user mode

• Windows supports two processor modes

• User mode (ring 3)

• Kernel mode (ring 0)

• Code running in kernel mode can access all memory

• Pages in system space are not accessible to user-mode code

• Controlled transition from user mode to kernel mode

(Figure: 32-bit memory layout with default configuration)

Page 22: T-110.6220 Windows OS

System Service Dispatching

Page 23: T-110.6220 Windows OS

System Service Dispatching

Page 24: T-110.6220 Windows OS

System Service Dispatching

Page 25: T-110.6220 Windows OS

Memory management

Page 26: T-110.6220 Windows OS

Memory manager

Each process sees a large and contiguous private address space

The memory manager has two important tasks

1. Mapping access to virtual memory into physical memory

2. Paging contents of memory to disk as physical memory runs out; and paging the data back into memory when needed

Page 27: T-110.6220 Windows OS

Virtual memory

• Every process has its own virtual address space

• Virtual memory provides a logical view of the memory that might not correspond to its physical layout

• Paging is the process of transferring memory contents to and from the disk

• Virtual memory can exceed available physical memory

Page 28: T-110.6220 Windows OS

Virtual memory (x86)

• Flat 32-bit address space, 4 GB of virtual memory in total

• By default, only the lower half can be used by a process for its private storage, because the OS takes the upper half for its own protected memory

• The memory mappings of the lower half are changed to match the virtual address space of the currently running process

Page 29: T-110.6220 Windows OS

Management mechanisms

Page 30: T-110.6220 Windows OS

Registry

• A directory that contains all settings and configuration data for the OS and other software

• Think of it as a huge .INI file

• Basic concepts: hive, key, value

• Also contains in-memory volatile data

• Current HW configuration, ...

• Hives are just files, most under %SystemRoot%\System32\Config\

Page 31: T-110.6220 Windows OS

Registry hive format

Page 32: T-110.6220 Windows OS

Registry roots

• HKEY_LOCAL_MACHINE

• System-related information

• HKEY_USERS

• User-specific information for all accounts

• HKEY_CURRENT_USER

• User-specific info for current user, links to HKEY_USERS

• HKEY_CLASSES_ROOT

• File associations and COM registration, links to HKLM\Software\Classes

• HKEY_PERFORMANCE_DATA

• Performance data

• HKEY_CURRENT_CONFIG

• Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current

Page 33: T-110.6220 Windows OS

Registry and malware

Malware typically wants to survive a reboot

• The registry is the most common place to do this

• Hundreds of launchpoints

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger

Malware also wants to change (security) settings for other components

• Windows Firewall, IE extensions and settings, Windows File Protection, …

The registry is also a great source for forensic data, for example:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Page 34: T-110.6220 Windows OS

Services

• Services are background processes that usually perform a specific task and require no user interaction

• For example, Automatic Updates

• Controlled by the Service Control Manager (SCM), services.exe

• Configuration data under HKLM\System\CurrentControlSet\Services

• Different types of services

• Kernel drivers

• Separate process

• Shared process (hosted by svchost.exe)
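As an added worked example (not part of the slides, and not F-Secure code): a parser for regedit's .reg export format that reports the launchpoints from page 33, classifies the service entries described on this page by their Type value, and decodes the UserAssist names from the forensic keys on page 33. The export text is constructed for the example, not taken from a real machine; the Type constants are the SERVICE_* values from the Windows SDK, and the ROT13 encoding of UserAssist value names is an XP detail the slides do not state.

```python
import codecs
import re

# Constructed sample in regedit export syntax (not from a real machine): the launchpoints
# and forensic key named on page 33, plus two service keys of different types.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\Program Files\\MyApp\\myapp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\shim.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuauserv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,\
  65,00,65,00,70,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pnyp.rkr"=hex:01,00,00,00,06,00,00,00,00,e0,4a,16,ee,0f,c8,01
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=... or @=... (default value)


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)          # .reg escapes backslash and quote with a backslash


def _decode(raw):
    """"..." is REG_SZ, dword: is REG_DWORD, hex: is REG_BINARY, hex(2): is REG_EXPAND_SZ
    stored as UTF-16LE; any other type is returned as the raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if not m:
        return raw
    data = bytes.fromhex(''.join(p.strip() for p in m.group(2).split(',') if p.strip()))
    return data.decode('utf-16-le').rstrip('\0') if m.group(1) == '2' else data


def parse_reg(text):
    """Parse a regedit export into {key path: {value name: decoded value}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)     # a trailing backslash continues a hex value
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            hive[current][name] = _decode(m.group(2))
    return hive


def find_launchpoints(hive):
    """Entries under the two launchpoint kinds on page 33: Run/RunOnce values and the
    per-executable 'Debugger' value under Image File Execution Options."""
    hits = []
    for key, values in hive.items():
        k = key.lower()
        if re.search(r'\\currentversion\\run(once)?$', k):
            hits += [(key, name, val) for name, val in values.items()]
        elif '\\image file execution options\\' in k and 'Debugger' in values:
            hits.append((key, 'Debugger', values['Debugger']))
    return hits


# SERVICE_* type constants from the Windows SDK (winnt.h); svchost-hosted services use 0x20.
SERVICE_TYPES = {0x1: 'kernel driver', 0x2: 'file system driver', 0x10: 'own process', 0x20: 'shared process'}


def classify_services(hive):
    """Map each Services\\<name> key to (type, ImagePath, ServiceDll); the ServiceDll of an
    svchost-hosted service sits in its Parameters subkey."""
    prefix, result = '\\currentcontrolset\\services\\', {}
    for key, values in hive.items():
        idx = key.lower().find(prefix)
        name = key[idx + len(prefix):] if idx >= 0 else ''
        if not name or '\\' in name:           # not a service key, or a subkey of one
            continue
        params = hive.get(key + '\\Parameters', {})
        result[name] = (SERVICE_TYPES.get(values.get('Type'), 'unknown'),
                        values.get('ImagePath'), params.get('ServiceDll'))
    return result


def userassist_entries(hive):
    """UserAssist value names are ROT13-encoded program paths (an XP detail the slides
    do not mention); return them decoded."""
    return [codecs.decode(name, 'rot_13') for key, values in hive.items()
            if '\\userassist\\' in key.lower() for name in values]


if __name__ == '__main__':
    hive = parse_reg(SAMPLE_REG)
    print(find_launchpoints(hive), classify_services(hive), userassist_entries(hive), sep='\n')
```

A real export written by regedit is UTF-16 with a byte-order mark, so read it with encoding='utf-16' before handing the text to parse_reg. The parser deliberately keeps key paths as written, which is why the checks lower-case them before matching.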

Page 35: T-110.6220 Windows OS

Hands on: services

• Which process is hosting the “Automatic Updates” service?

• What file implements the service?

Page 36: T-110.6220 Windows OS

Services and malware

• You should be able to identify three kinds of components

• Programs that control services (SCPs, service control programs)

• Services

• Drivers

• Imports are a giveaway:

• SCPs: OpenSCManager, CreateService, StartService, ...

• Services: StartServiceCtrlDispatcher, RegisterServiceCtrlHandler

• Drivers:

• Optional header subsystem: Native (1)

• No imports from user-mode libraries
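The rule of thumb above depends on two header fields, and reading them is a direct application of the PE/COFF layout introduced on page 6. As an added worked example (not part of the slides, and not F-Secure code), this block walks e_lfanew, the COFF header, the optional header's Subsystem field and the import directory of a PE32 image, then applies the classification. The three input images are synthetic, built in memory by the block itself; the API-name and kernel-module lists are assumptions made for the demo.

```python
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification.
IMAGE_SUBSYSTEM_NATIVE, IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 1, 2, 3
# Import names from page 36 (A/W suffix stripped) and the kernel-mode modules a driver
# legitimately imports from (assumption: this short list is enough for the demo).
SCP_APIS = {'OpenSCManager', 'CreateService', 'StartService'}
SERVICE_APIS = {'StartServiceCtrlDispatcher', 'RegisterServiceCtrlHandler'}
KERNEL_MODULES = {'ntoskrnl.exe', 'hal.dll', 'ndis.sys'}


def parse_pe(data):
    """Decode the PE32 headers and import directory of an image held in memory.
    Returns machine, subsystem and {dll: [function, ...]}; PE32+ is rejected."""
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b'MZ' or data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, pe_off + 4)
    opt = pe_off + 24                                                # optional header start
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 is handled here')
    subsystem = struct.unpack_from('<H', data, opt + 68)[0]
    ndirs = struct.unpack_from('<I', data, opt + 92)[0]
    sections = [struct.unpack_from('<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def rva_to_off(rva):                                             # section table lookup
        for _, vsize, srva, rsize, roff, *_ in sections:
            if srva <= rva < srva + max(vsize, rsize):
                return roff + (rva - srva)
        raise ValueError('RVA 0x%x is not in any section' % rva)

    def cstr(off):
        return data[off:data.index(b'\0', off)].decode('ascii')

    imports = {}
    imp_rva = struct.unpack_from('<I', data, opt + 104)[0] if ndirs > 1 else 0
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from('<5I', data, desc)
        if name_rva == 0:                                            # null descriptor ends table
            break
        names, thunk = [], rva_to_off(oft or ft)                     # INT, or IAT if no INT
        while (entry := struct.unpack_from('<I', data, thunk)[0]) != 0:
            # High bit set: import by ordinal. Otherwise RVA of a 2-byte hint + name.
            names.append('#%d' % (entry & 0xFFFF) if entry & 0x80000000
                         else cstr(rva_to_off(entry) + 2))
            thunk += 4
        imports[cstr(rva_to_off(name_rva))] = names
        desc += 20
    return {'machine': machine, 'subsystem': subsystem, 'imports': imports}


def classify(info):
    """Page 36's rule of thumb: native subsystem + only kernel-mode imports -> driver;
    dispatcher imports -> service; SCM imports -> service control program (SCP)."""
    names = {n.rstrip('AW') for funcs in info['imports'].values() for n in funcs}
    if (info['subsystem'] == IMAGE_SUBSYSTEM_NATIVE
            and all(d.lower() in KERNEL_MODULES for d in info['imports'])):
        return 'driver'
    if names & SERVICE_APIS:
        return 'service'
    return 'service control program' if names & SCP_APIS else 'other'


def build_sample_pe(subsystem, imports):
    """Construct a synthetic minimal PE32 file (headers + one .idata section)
    so parse_pe has something to read; it is not a real binary."""
    sect_rva, sect_off, n = 0x1000, 0x200, len(imports)
    blob, descs = bytearray(20 * (n + 1)), []                        # descriptor table + null
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:
            blob += b'\0' * (len(blob) % 2)                          # hint/name is 2-aligned
            name_rvas.append(sect_rva + len(blob))
            blob += struct.pack('<H', 0) + f.encode() + b'\0'
        blob += b'\0' * (-len(blob) % 4)
        thunks = b''.join(struct.pack('<I', r) for r in name_rvas) + b'\0' * 4
        int_rva = sect_rva + len(blob); blob += thunks               # import name table
        iat_rva = sect_rva + len(blob); blob += thunks               # import address table
        dll_rva = sect_rva + len(blob); blob += dll.encode() + b'\0'
        descs.append(struct.pack('<5I', int_rva, 0, 0, dll_rva, iat_rva))
    blob[:20 * n] = b''.join(descs)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)               # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into('<H', opt, 68, subsystem)
    struct.pack_into('<I', opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 104, sect_rva, 20 * (n + 1))        # import directory entry
    sect = struct.pack('<8sIIIIIIHHI', b'.idata', len(blob), sect_rva, len(blob), sect_off,
                       0, 0, 0, 0, 0x40000040)
    hdr = dos + b'PE\0\0' + coff + bytes(opt) + sect
    return hdr + b'\0' * (sect_off - len(hdr)) + bytes(blob)


# Three synthetic images, one per component kind on page 36.
SAMPLES = {
    'scp.exe': build_sample_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI, {'ADVAPI32.dll': ['OpenSCManagerA', 'CreateServiceA', 'StartServiceA']}),
    'svc.exe': build_sample_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI, {'ADVAPI32.dll': ['StartServiceCtrlDispatcherA', 'RegisterServiceCtrlHandlerA']}),
    'drv.sys': build_sample_pe(IMAGE_SUBSYSTEM_NATIVE, {'ntoskrnl.exe': ['IoCreateDevice', 'IoDeleteDevice']}),
}

if __name__ == '__main__':
    for name, image in SAMPLES.items():
        info = parse_pe(image)
        print(name, 'subsystem=%d' % info['subsystem'], info['imports'], '->', classify(info))
```

To run the same logic over a file on disk, pass open(path, 'rb').read() to parse_pe. The section-table lookup is the part that matters in practice: a parser that assumes RVA equals file offset works on the synthetic images here but not on real binaries, where the section alignment differs from the file alignment.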

Page 37: T-110.6220 Windows OS

Hands on: services and drivers

• Let’s look at c:\windows\system32\smss.exe.

• Is it a service?

• An application that controls a service?

• A driver?

• Something else?

Page 38: T-110.6220 Windows OS

File systems

Page 39: T-110.6220 Windows OS

Windows File System Formats

• Windows supports the following file system formats

• CDFS

• read-only file system for CDs

• UDF

• for DVDs, read-only support

• FAT12, FAT16, FAT32

• older formats

• NTFS

• native file system format

Page 40: T-110.6220 Windows OS

NTFS

• Designed to improve performance and reliability over FAT

• Interesting NTFS Features

• Disk quotas

• Encrypting File System (EFS)

• Multiple data streams

• Hard links and junction points

• Unicode-based naming

Page 41: T-110.6220 Windows OS

Security mechanisms

Page 42: T-110.6220 Windows OS

Security components

• Security Reference Monitor (SRM)

• Performs the access checks, generates audit messages

• Local security authority subsystem (LSASS)

• LSASS.EXE, enforces local security policy

• Security Accounts Manager (SAM)

• Manages database of local accounts

• Active Directory (AD)

• Directory service for objects in a domain

• Winlogon

• Responds to the SAS (secure attention sequence, Ctrl+Alt+Del), manages logon sessions

• GINA

• Obtains the username and password (or smartcard PIN)

Page 43: T-110.6220 Windows OS

Objects and how to protect them

• Almost everything is an object (file, process, thread, desktop, ...)

• Basic concepts

• Security Identifier (SID) is a unique ID for any actor

• “S-1-5-21-525843606-2469437151-111719316-1006”

• A token identifies the security context of a process

• “Member of Administrators group, can shut down OS”

• Security Descriptor specifies who can do what to an object

• Owner

• Discretionary Access Control List (DACL)

• Privileges

Page 44: T-110.6220 Windows OS

Access check
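The access check this page diagrams, as an added worked example (not from the slides, and not F-Secure code): parsing the SID string format shown on page 43 into the binary form stored in tokens and security descriptors, and a simplified version of the Security Reference Monitor's walk over a DACL. The SIDs for Everyone and Administrators are the real well-known values and the user SID is the one from page 43; the security descriptor, the tokens and the access-right subset are constructed for the example, and the walk omits generic-right mapping, SACL auditing and privilege checks.

```python
import struct

# Access-right bits from the Windows ACCESS_MASK layout (file-specific rights in the low
# bits, standard rights from 0x10000 up); only the ones used here are defined.
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x10000
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1        # ACE type codes (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE)

# Well-known SIDs (fixed by Windows) and the example user SID from page 43.
EVERYONE = 'S-1-1-0'
ADMINISTRATORS = 'S-1-5-32-544'
USER = 'S-1-5-21-525843606-2469437151-111719316-1006'


def parse_sid(text):
    """Split 'S-R-A-S1-...-Sn' into (revision, identifier authority, [sub-authorities])."""
    parts = text.split('-')
    if parts[0] != 'S' or len(parts) < 3:
        raise ValueError('not a SID string: %r' % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(text):
    """Binary SID layout: revision (1 byte), sub-authority count (1), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian u32."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack('<BB', revision, len(subs)) + authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def bytes_to_sid(raw):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], 'big')
    subs = struct.unpack_from('<%dI' % count, raw, 8)
    return 'S-%d-%d%s' % (revision, authority, ''.join('-%d' % s for s in subs))


def access_check(token_sids, owner_sid, requested, dacl):
    """Simplified DACL walk in the order the SRM performs it.

    token_sids: user and group SIDs in the caller's token.
    dacl: ordered list of (ace_type, sid, access_mask); None means the object has no DACL.
    Returns True only if every requested bit ends up granted."""
    if dacl is None:
        return True                                   # no DACL at all: the object is unprotected
    remaining = requested
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)      # the owner always holds these two rights
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid not in token_sids:
            continue                                  # this ACE does not apply to the caller
        if ace_type == ACCESS_DENIED and mask & remaining:
            return False                              # the first matching deny ends the check
        if ace_type == ACCESS_ALLOWED:
            remaining &= ~mask                        # accumulate granted rights
    return remaining == 0                             # empty DACL or no matching ACE: denied


# Constructed security descriptor: a deny for Everyone comes first, as Windows orders it.
SAMPLE_OWNER = USER
SAMPLE_DACL = [
    (ACCESS_DENIED, EVERYONE, DELETE),
    (ACCESS_ALLOWED, ADMINISTRATORS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE | WRITE_DAC),
    (ACCESS_ALLOWED, USER, FILE_READ_DATA),
]
USER_TOKEN = [USER, EVERYONE]
ADMIN_TOKEN = ['S-1-5-21-525843606-2469437151-111719316-500', ADMINISTRATORS, EVERYONE]

if __name__ == '__main__':
    print(ADMINISTRATORS, '->', sid_to_bytes(ADMINISTRATORS).hex())
    for who, token in (('user', USER_TOKEN), ('admin', ADMIN_TOKEN)):
        for name, right in (('read', FILE_READ_DATA), ('write', FILE_WRITE_DATA), ('delete', DELETE)):
            print(who, name, access_check(token, SAMPLE_OWNER, right, SAMPLE_DACL))
```

The ordering point is the one worth remembering: the administrator token is denied DELETE even though an allow ACE grants it, because the deny ACE for Everyone is evaluated first and the caller is a member of Everyone.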

Page 45: T-110.6220 Windows OS

I/O Subsystem

Page 46: T-110.6220 Windows OS

I/O Subsystem

• A set of components in the kernel that manage and provide access to hardware devices

• I/O Manager

• Plug and Play Manager

• Power Manager

• Key concepts

• Driver

• Device

• I/O requests

Page 47: T-110.6220 Windows OS

I/O Manager

• The core of the I/O system

• Provides a framework that gives other components device-independent I/O services

• Responsible for dispatching service requests to the appropriate device drivers for further processing

• Packet-driven (IRPs, I/O request packets)

• Handles creation and destruction of IRPs

• Offers a uniform interface for drivers that handle IRPs

Page 48: T-110.6220 Windows OS

Device drivers

• Drivers are loadable kernel-mode components

• Code in drivers gets executed in different contexts:

1. In the user thread that initiated I/O

2. A system thread

3. As a result of an interrupt (any thread)

• Different types: file system drivers, protocol drivers, hardware drivers

• Layered driver model

Page 49: T-110.6220 Windows OS

Layered driver model

Page 50: T-110.6220 Windows OS

Driver example: how on-access scanning might work

Page 51: T-110.6220 Windows OS

Interesting elements of a driver

1. The initialization routine (DriverEntry)

• The entry point of the driver

• Sets up globals, ...

2. Add-device routine

• For PnP drivers, called by the PnP manager when a new device for the driver appears

3. Dispatch routines

• Main functionality ("read", "write", "close")

• In many cases the most interesting part

Page 52: T-110.6220 Windows OS

Windows API for malware analysts

Page 53: T-110.6220 Windows OS

Processes and threads

• CreateProcess, TerminateProcess

• CreateThread, _beginthread

• CreateRemoteThread

• GetThreadContext, SetThreadContext

• CreateToolhelp32Snapshot

• Process32First, Process32Next

• NtQueryInformationProcess

• NtQueryInformationThread

Page 54: T-110.6220 Windows OS

Memory

• ReadProcessMemory

• WriteProcessMemory

• VirtualAlloc

• VirtualProtect

Page 55: T-110.6220 Windows OS

Files and registry

• CreateFile

• FindFirstFile, FindNextFile

• RegOpenKey

• RegCreateKey

• RegEnumKey

• RegEnumValue

• ... and lots more

Page 56: T-110.6220 Windows OS

Services

• OpenSCManager

• CreateService

• StartService

• StartServiceCtrlDispatcher

• RegisterServiceCtrlHandler

Page 57: T-110.6220 Windows OS

Miscellaneous

• LoadLibrary

• GetProcAddress

• IsDebuggerPresent

• DeviceIoControl

• FindResource, LoadResource, LockResource

• SetWindowsHook

Page 58: T-110.6220 Windows OS

What is a rootkit?

• In the early 1990s, rootkits used to be a set of tools that allowed root-level access to the system, hence the name

• Back then, hiding malware was called "stealth"

• Currently the word "rootkit" is used to describe an application that uses some kind of filtering to hide things

• This "rootkit" is actually a feature, not a class of programs

• Rootkits usually hide files, processes, network connections, and registry keys

• So, the term "rootkit" has replaced "stealth"

Page 59: T-110.6220 Windows OS

API hooking

• Hooking is a technique to instrument functions and extend or replace their functionality

• For example, you want to know each time a program calls CreateFile() and strip write access from the caller

• Many implementations, including

• Hooking a function table (IAT, SSDT, IDT, …)

• Inline hooking (patching the first code bytes of a function)

• Hooking is used by rootkits to hide or protect objects
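A defender-side counterpart to the two hooking styles listed above, added here as a worked example (not part of the slides, and not F-Secure code): the two checks a rootkit detector runs over a snapshot of a process, one for function-table hooks (an IAT entry that no longer points into the DLL it was imported from) and one for inline hooks (a function whose first instruction is now a jump into another module). The module list, the IAT snapshot and the prologue bytes are constructed sample data; the kernel32 and ntdll base addresses are typical 32-bit XP values used only as examples.

```python
# Constructed snapshot of a process's loaded modules: name -> (base address, size).
# The kernel32/ntdll bases are typical for 32-bit XP but are sample values here.
MODULES = {
    'kernel32.dll': (0x7C800000, 0xF6000),
    'ntdll.dll':    (0x7C900000, 0xB2000),
    'evil.dll':     (0x10000000, 0x8000),      # a foreign module loaded into the process
}

# Constructed IAT snapshot: (DLL the import came from, function, resolved address).
SAMPLE_IAT = [
    ('kernel32.dll', 'CreateFileA',          0x7C801A28),
    ('kernel32.dll', 'FindNextFileA',        0x10001200),   # resolves into evil.dll
    ('ntdll.dll',    'NtQueryDirectoryFile', 0x7C90D76C),
]

CREATEFILE_ADDR = 0x7C801A28
# Typical hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex('8BFF558BEC')
# The same function after an inline patch: jmp rel32 to 0x10001000, inside evil.dll.
HOOKED_PROLOGUE = b'\xE9' + ((0x10001000 - (CREATEFILE_ADDR + 5)) & 0xFFFFFFFF).to_bytes(4, 'little')


def module_for(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_iat_hooks(iat, modules=MODULES):
    """Flag IAT entries whose resolved address lies outside the DLL they were imported
    from. Returns (dll, function, address, module actually pointed at) per hit."""
    return [(dll, fn, hex(addr), module_for(addr, modules))
            for dll, fn, addr in iat if module_for(addr, modules) != dll.lower()]


def find_inline_hook(func_addr, prologue, modules=MODULES):
    """Detect the simplest inline hook: the function now begins with jmp rel32 (E9)
    whose target lies in another module. Returns that module (or the raw target) or None."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel = int.from_bytes(prologue[1:5], 'little', signed=True)
    target = (func_addr + 5 + rel) & 0xFFFFFFFF     # rel32 is relative to the next instruction
    home, dest = module_for(func_addr, modules), module_for(target, modules)
    return None if dest == home else (dest or hex(target))


if __name__ == '__main__':
    print('IAT hooks:', find_iat_hooks(SAMPLE_IAT))
    print('CreateFileA clean:', find_inline_hook(CREATEFILE_ADDR, CLEAN_PROLOGUE))
    print('CreateFileA hooked:', find_inline_hook(CREATEFILE_ADDR, HOOKED_PROLOGUE))
```

Both checks are heuristics: an SSDT or IDT entry can be validated the same way against the kernel's image range, and a fuller detector also compares the in-memory prologue with the bytes of the same function in the file on disk, which catches patches that do not start with a plain jmp.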

Page 60: T-110.6220 Windows OS

Rootkit techniques: hooking the handler table

Page 61: T-110.6220 Windows OS

Rootkit techniques: inline hooking

Page 62: T-110.6220 Windows OS

Rootkit techniques: in-memory data structure manipulation

Page 63: T-110.6220 Windows OS

Suggested tools & reading

• Hex editors

• HT (http://hte.sourceforge.net/)

• Sysinternals tools (http://www.sysinternals.com)

• Process Explorer

• Autoruns

• Process Monitor

• The Art of Computer Virus Research and Defense

• Chapter 3: Malicious Code Environments, from 3.1 through 3.6

• Chapter 12: Memory Scanning and Disinfection

• Microsoft Windows Internals (M. Russinovich & D. Solomon)

• New Vista edition out soon

