T-110.6220: Windows OS with an Antivirus Perspective
Antti Tikkanen, F-Secure Corporation
October 11, 2007 Page 2
Agenda
1. Applications on Windows
2. Processes and threads
3. Windows architecture
4. System mechanisms
5. Management mechanisms
6. Memory management
7. Security mechanisms
8. File systems
9. I/O System and drivers
10. Windows API for malware analysts
11. Case study: rootkits on Windows
Note on Windows versions!
• Much of this presentation will include details specific to Windows XP!
• Vista includes many changes and new security features like
• Address space randomization (ASLR)
• Integrity levels
• User account control (UAC)
• I don’t have time to go into these, sorry!
Applications on Windows
Windows Executables
• Common filename extensions hint the type of an executable
• EXE
• An executable program, anything from a DOS executable to 32-bit PE executables
• DLL
• Dynamic-link library, exports functions using a numeric ordinal (and optionally, a name)
• .OCX files are ActiveX controls, basically just DLLs
• SYS
• A device driver loaded to kernel space
• OBJ
• An object file created by a compiler, used as input to the linker
• All of the above follow the PE/COFF file format specification
PE/COFF File Format
• Windows executables and object files follow the
Portable Executable (PE) specification
• Based on UNIX COFF (Common Object File Format)
• Full specification available online *)
• More on this in the Reverse Engineering lectures
*) http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
Windows API
• The Windows API (a.k.a. the Win32 API) is the set of core user-mode interfaces to the OS
• Exposed by several DLLs (kernel32, user32, gdi32)
• Can be logically divided into subcategories
• Administration and management
• Task scheduler, WMI, …
• Diagnostics
• Event logging, debugging, …
• Graphics and multimedia
• Networking
• Winsock, …
• Security
• System services
• Processes, threads, registry, file systems
• Windows UI
• See full documentation on MSDN
• http://msdn2.microsoft.com/en-us/library/default.aspx
Processes and threads
Processes
• A process is an abstraction of a running program
• A process consists of the following essential components:
• A private virtual address space
• An executable program
• A list of open handles to resources allocated by the operating system
• An access token, which uniquely identifies the owner, security groups, and privileges associated with the process
• A process ID
• One or more threads
Threads
• A thread is the entity that is scheduled for execution on the CPU
• A thread consists of the following essential components:
• The CPU state
• Two stacks, one for kernel-mode and one for user-mode
• Thread-Local Storage (TLS), a private storage area that can be used by subsystems, run-time libraries, and DLLs
• A thread ID
• An access token, which uniquely identifies the owner, security groups, and privileges associated with the thread
Processes and threads
What happens when a process is created?
1. Image file is opened and read
2. Process object is created
3. The initial thread is created (stack, context and object)
4. Windows subsystem is notified of a new process
5. Initial thread executes (unless process was created as suspended)
6. In the context of the new thread, the new process initialization is completed (DLLs are loaded)
TEB & PEB
• TEB = Thread environment block
• One for each thread, contains information about things like exception handlers, the stack, etc.
• Easily found using the fs segment (offset 0x18 holds a self-pointer)
• mov eax, fs:[18h]
• PEB = Process environment block
• One for each process, contains information about loaded modules, OS version, etc.
• The TEB has a pointer to the PEB at offset 0x30
• When analyzing code, you need to know about TEB and PEB
• Enumerating modules (PEB.Ldr)
• Checking if a debugger is present (PEB.BeingDebugged)
• Installing an exception handler (TEB.NtTib.ExceptionList)
• …
Example: checking for a debugger
; Call IsDebuggerPresent()
call [IsDebuggerPresent]
test eax, eax
; Do the same by checking PEB
mov eax, large fs:18h ; Offset 18h has self-pointer to TEB
mov eax, [eax+30h] ; Offset 30h has pointer to PEB
movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged
test eax, eax
Example: installing an exception handler
; Install a SEH exception handler
push offset my_handler ; pointer to our handler
push fs:[0] ; pointer to the previous exception registration record
mov fs:[0], esp ; update TEB.NtTib.ExceptionList to point at the new record
Architecture
Windows architecture
Important system processes
• Smss.exe
• Session Manager, the first process to run at boot time
• Csrss.exe
• Windows subsystem process (client-server runtime process)
• Winlogon.exe
• Handles interactive logons
• Services.exe
• The service control manager, starts and stops services
• Svchost.exe
• Service host process for shared services
• Lsass.exe
• Local Security Authentication Server, verifies user credentials
• Userinit.exe
• The process that initiates a user session
Native API
• Undocumented interface to core OS functionality, exposed by Ntdll.dll
• Used by OS native processes (smss.exe, csrss.exe)
• .. but also by malware to access certain OS features
• .. and by rootkits to modify system behaviour
• Examples of interesting functions
• NtSetSystemInformation
• NtQuerySystemInformation
• NtQueryDirectoryFile
• You should not use the Native API in your applications without a good reason (it may and will change without notice)
• See "Windows NT/2000 Native API Reference" (Nebbett)
System mechanisms
Kernel mode vs. user mode
• Windows supports two processor modes
• User mode (ring 3)
• Kernel mode (ring 0)
• Code running in kernel mode can access all memory
• Pages in system space are not accessible to user-mode code
• Controlled transition from user mode to kernel mode
(Figure: 32-bit memory layout with default configuration)
System Service Dispatching (figure slides)
Memory management
Memory manager
Each process sees a large and contiguous private address space
The memory manager has two important tasks
1. Mapping access to virtual memory into physical memory
2. Paging contents of memory to disk as physical memory runs out; and paging the data back into memory when needed
Virtual memory
• Every process has its own virtual address space
• Virtual memory provides a logical view of the memory that might not correspond to its physical layout
• Paging is the process of transferring memory contents to and from the disk
• Virtual memory can exceed available physical memory
Virtual memory (x86)
• Flat 32-bit address space, a total of 4GB of virtual memory
• By default, only the lower half can be used by a process for its private storage, because the OS takes the upper half for its own protected memory
• The memory mappings of the lower half are changed to match the virtual address space of the currently running process
Management mechanisms
Registry
• A directory that contains all settings and configuration data for the OS and other software
• Think of it as a huge .INI file
• Basic concepts: hive, key, value
• Also contains in-memory volatile data
• Current HW configuration, ...
• Hives are just files, most under %SystemRoot%\System32\Config\
Registry hive format
Registry roots
• HKEY_LOCAL_MACHINE
• System-related information
• HKEY_USERS
• User-specific information for all accounts
• HKEY_CURRENT_USER
• User-specific info for current user, links to HKEY_USERS
• HKEY_CLASSES_ROOT
• File associations and COM registration, links to HKLM\Software\Classes
• HKEY_PERFORMANCE_DATA
• Performance data
• HKEY_CURRENT_CONFIG
• Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current
Registry and malware
Malware typically wants to survive a reboot
• The registry is the most common place to do this
• Hundreds of launchpoints
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger
Malware also wants to change (security) settings for other components
• Windows Firewall, IE extensions and settings, Windows File Protection, …
The registry is also a great source for forensic data, for example:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Services
• Services are background processes that usually perform a specific task and require no user interaction
• For example, Automatic Updates
• Controlled by the Service Control Manager (SCM), services.exe
• Configuration data under HKLM\System\CurrentControlSet\Services
• Different types of services
• Kernel drivers
• Separate process
• Shared process (hosted by svchost.exe)
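Added example (not part of the lecture material): a Python script that applies the two registry slides above to a Regedit export. It flags the two launchpoints named on the "Registry and malware" slide (a value under the Run key and an Image File Execution Options Debugger value) and walks HKLM\System\CurrentControlSet\Services to decode each service's Type and find the file that actually implements it, which for a shared service is the ServiceDll, not svchost.exe. The .reg text is constructed; the service names and paths are modelled on a Windows XP machine, and REG_EXPAND_SZ values are written as plain strings (a real export encodes them as hex(2):...) to keep the parser short.

```python
import re

# Keys named on the slides (registry paths are case-insensitive, so they are kept lower-case).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
# "Type" values from winnt.h: SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER,
# SERVICE_WIN32_OWN_PROCESS, SERVICE_WIN32_SHARE_PROCESS.
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "own process", 0x20: "shared process (svchost.exe)"}


def parse_reg_export(text):
    """Parse a Regedit export into {key path: {value name: value}}.
    Quoted strings and dword: values are decoded; anything else is kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1) or "(Default)", m.group(2)
            if raw.startswith('"'):                       # "string" with \\ and \" escapes
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def _under(key, parent):
    return key.lower().startswith(parent + "\\")


def find_launchpoints(keys):
    """Values in the Run keys, and IFEO Debugger values (which redirect a program to another file)."""
    hits = []
    for key, values in keys.items():
        if key.lower() in RUN_KEYS:
            hits += [("Run", name, val) for name, val in values.items()]
        elif _under(key, IFEO_KEY) and "Debugger" in values:
            hits.append(("IFEO Debugger", key.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


def list_services(keys):
    """Decode each service's Type and find the file that implements it."""
    services = {}
    for key, values in keys.items():
        if not _under(key, SERVICES_KEY):
            continue
        parts = key[len(SERVICES_KEY) + 1:].split("\\")
        svc = services.setdefault(parts[0], {})
        if len(parts) == 1:
            svc["type"] = SERVICE_TYPES.get(values.get("Type"), "unknown")
            svc["image"] = values.get("ImagePath")
        elif len(parts) == 2 and parts[1].lower() == "parameters" and "ServiceDll" in values:
            svc["dll"] = values["ServiceDll"]             # the code of a shared service lives here
    return services


# Constructed export. ImagePath/ServiceDll are REG_EXPAND_SZ, which a real export writes as
# hex(2):...; plain strings are used here so the sample stays readable.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\Program Files\\MyApp\\myapp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\unknown.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for hit in find_launchpoints(keys):
        print("launchpoint:", hit)
    for name, info in list_services(keys).items():
        print("service:", name, info)
```

Run against a real export (regedit /e), the same two functions answer the hands-on questions that follow: the Type value tells you whether a service is a driver, its own process or an svchost-hosted one, and for the hosted case ServiceDll under Parameters names the file you actually need to examine.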
Hands on: services
• Which process is hosting the “Automatic Updates” service?
• What file implements the service?
Services and malware
• You should be able to identify three kinds of components
• Programs that control services (SCPs, service control programs)
• Services
• Drivers
• Imports are a giveaway:
• SCPs: OpenSCManager, CreateService, StartService, ...
• Services: StartServiceCtrlDispatcher, RegisterServiceCtrlHandler
• Drivers:
• Optional header subsystem: Native (1)
• No imports from usermode libraries
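An added example (not from the slides or from any F-Secure tool) that turns the import and subsystem rules above into a small PE32 triage script in Python. It parses the DOS header, COFF header, optional header and import table itself rather than relying on a PE library, and includes a constructed build_pe helper that fabricates minimal test images, so the sample inputs are not real Windows binaries. The DLL and function names are those listed on the slide; the extra "native application" role covers a Native-subsystem image that still imports ntdll.dll, which is the smss.exe case from the hands-on slide that follows.

```python
import re
import struct

# Names and values from the PE/COFF specification (winnt.h).
IMAGE_SUBSYSTEM_NATIVE = 1        # drivers, and native applications such as smss.exe
IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory
USERMODE_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ntdll.dll"}
SCP_FUNCS = {"OpenSCManager", "CreateService", "StartService"}
SERVICE_FUNCS = {"StartServiceCtrlDispatcher", "RegisterServiceCtrlHandler"}


def parse_pe(data):
    """Return (subsystem, {dll: [imported names]}) for a PE32 image in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (not PE32+)")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []                                                # (VA, size, raw offset)
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):                                         # RVA -> file offset via the section table
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA 0x%x lies outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports = {}
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0] if ndirs > 1 else 0
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                                                # all-zero descriptor ends the list
        names, thunk = [], rva_to_off(oft or ft)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                               # import by ordinal
                names.append("#%d" % (entry & 0xFFFF))
            else:                                                # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                names.append(cstr(rva_to_off(entry) + 2))
            thunk += 4
        imports[cstr(rva_to_off(name_rva)).lower()] = names
        desc += 20
    return subsystem, imports


def classify(subsystem, imports):
    """Apply the slide's rules of thumb; one image may play several roles."""
    funcs = {re.sub(r"[AW]$", "", f) for names in imports.values() for f in names}  # OpenSCManagerW -> OpenSCManager
    roles = []
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        roles.append("driver" if not set(imports) & USERMODE_DLLS else "native application")
    if funcs & SERVICE_FUNCS:
        roles.append("service")
    if funcs & SCP_FUNCS:
        roles.append("service control program")
    return roles or ["other"]


def build_pe(subsystem, imports):
    """Fabricate a minimal PE32 file with the given subsystem and import table (test input only)."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    thunk_base = 20 * (len(imports) + 1)                         # thunk arrays follow the descriptors
    str_base = thunk_base + sum(4 * (len(f) + 1) for f in imports.values())
    for dll, funcs in imports.items():
        thunk_rva = SEC_VA + thunk_base + len(thunks)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, SEC_VA + str_base + len(strings), thunk_rva)
        strings += dll.encode() + b"\0"
        for f in funcs:
            thunks += struct.pack("<I", SEC_VA + str_base + len(strings))
            strings += b"\0\0" + f.encode() + b"\0"              # hint word + name
        thunks += b"\0\0\0\0"
    descs += b"\0" * 20
    section = bytes(descs + thunks + strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SEC_VA, len(descs))
    sec_hdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), SEC_VA, len(section), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(SEC_RAW, b"\0") + section


def classify_file(data):
    return classify(*parse_pe(data))


if __name__ == "__main__":
    print(classify_file(build_pe(IMAGE_SUBSYSTEM_NATIVE, {"ntoskrnl.exe": ["IoCreateDevice"]})))
    print(classify_file(build_pe(3, {"advapi32.dll": ["StartServiceCtrlDispatcherW"]})))
```

The rules are deliberately the coarse ones from the slide: a service that installs itself will show up as both "service" and "service control program", and a packed file will show almost no imports at all, so treat the output as a first sorting step rather than a verdict.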
Hands on: services and drivers
• Let’s look at c:\windows\system32\smss.exe.
• Is it a service?
• An application that controls a service?
• A driver?
• Something else?
File systems
Windows File System Formats
• Windows supports the following file system formats
• CDFS
• read-only file system for CDs
• UDF
• for DVDs, read-only support
• FAT12, FAT16, FAT32
• older format
• NTFS
• native file system format
NTFS
• Designed to improve performance and reliability over FAT
• Interesting NTFS Features
• Disk quotas
• Encrypting File System (EFS)
• Multiple data streams
• Hard links and junction points
• Unicode-based naming
Security mechanisms
Security components
• Security Reference Monitor (SRM)
• Performs the access checks, generates audit messages
• Local security authority subsystem (LSASS)
• LSASS.EXE, enforces local security policy
• Security Accounts Manager (SAM)
• Manages database of local accounts
• Active Directory (AD)
• Directory service for objects in a domain
• Winlogon
• Responds to SAS, manages logon sessions
• GINA
• Obtains the username and password (or smartcard PIN)
Objects and how to protect them
• Almost everything is an object (file, process, thread, desktop, ...)
• Basic concepts
• Security Identifier (SID) is a unique ID for any actor
• “S-1-5-21-525843606-2469437151-111719316-1006”
• A token identifies the security context of a process
• “Member of Administrators group, can shut down OS”
• Security Descriptor specifies who can do what to an object
• Owner
• Discretionary Access Control List (DACL)
• Privileges
Access check
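The access check slide is a diagram; the following Python model (added here, not from the slides) walks a token through a security descriptor the way the Security Reference Monitor's DACL evaluation does: a NULL DACL grants everything, the owner implicitly gets READ_CONTROL and WRITE_DAC, SeTakeOwnershipPrivilege grants WRITE_OWNER regardless of the DACL, and the ACEs are then consulted strictly in order until every requested right has been granted or a deny ACE hits a right that is still outstanding. The tokens and descriptors are constructed (the user SID is the one quoted on the slide above; the second user SID is made up); generic-right mapping, inheritance flags and the SACL are left out.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access rights as defined in winnt.h.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000

SID_ALICE = "S-1-5-21-525843606-2469437151-111719316-1006"   # the SID quoted on the slide
SID_BOB = "S-1-5-21-525843606-2469437151-111719316-1007"     # constructed
SID_ADMIN = "S-1-5-21-525843606-2469437151-111719316-500"    # constructed (RID 500 = built-in Administrator)
SID_USERS = "S-1-5-32-545"                                   # BUILTIN\Users
SID_ADMINS = "S-1-5-32-544"                                  # BUILTIN\Administrators


@dataclass
class Token:
    user: str
    groups: Set[str]
    privileges: Set[str] = field(default_factory=set)

    def sids(self):
        return {self.user} | self.groups


@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL (an unprotected object)


def access_check(token, sd, desired):
    """Model of the SRM's DACL walk. True if every bit in `desired` ends up granted."""
    remaining = desired
    if sd.dacl is None:
        return True                                  # NULL DACL: no protection at all
    # Rights settled before the DACL is consulted.
    if sd.owner in token.sids():
        remaining &= ~(READ_CONTROL | WRITE_DAC)     # the owner may always read and rewrite the DACL
    if "SeTakeOwnershipPrivilege" in token.privileges:
        remaining &= ~WRITE_OWNER                    # privilege overrides the DACL for this one right
    if remaining == 0:
        return True
    # ACEs are evaluated strictly in order: the first ACE that settles a still-outstanding
    # right wins. That is why a canonical DACL lists deny ACEs before allow ACEs.
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                                     # empty DACL, or a right nobody granted


# Constructed tokens and descriptors for a file owned by alice.
ALICE = Token(SID_ALICE, {SID_USERS})
BOB = Token(SID_BOB, {SID_USERS})
ADMIN = Token(SID_ADMIN, {SID_ADMINS}, {"SeTakeOwnershipPrivilege"})
CANONICAL = SecurityDescriptor(SID_ALICE, [
    Ace("deny", SID_USERS, FILE_WRITE_DATA),
    Ace("allow", SID_USERS, FILE_READ_DATA | FILE_WRITE_DATA),
])
NON_CANONICAL = SecurityDescriptor(SID_ALICE, list(reversed(CANONICAL.dacl)))  # same ACEs, wrong order
EMPTY_DACL = SecurityDescriptor(SID_ALICE, [])
NULL_DACL = SecurityDescriptor(SID_ALICE, None)

if __name__ == "__main__":
    print("alice write, canonical    :", access_check(ALICE, CANONICAL, FILE_WRITE_DATA))
    print("alice write, non-canonical:", access_check(ALICE, NON_CANONICAL, FILE_WRITE_DATA))
    print("bob read, empty DACL      :", access_check(BOB, EMPTY_DACL, FILE_READ_DATA))
    print("bob delete, NULL DACL     :", access_check(BOB, NULL_DACL, DELETE))
```

The two descriptors built from the same ACEs show the point the ordering rule exists for: with the deny first, Users cannot write; with the allow first, the deny is never reached. The difference between an empty DACL (nobody but the owner gets anything) and a NULL DACL (everybody gets everything) is the other mistake worth checking for when reviewing objects a product creates.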
I/O Subsystem
I/O Subsystem
• A set of components in the kernel that manage and provide access
to hardware devices
• I/O Manager
• Plug and Play Manager
• Power Manager
• Key concepts
• Driver
• Device
• I/O requests
I/O Manager
• The core of the I/O system
• Provides a framework for other components to have device independent I/O services.
• Responsible for dispatching the service requests to the appropriate device drivers for further processing.
• Packet-driven (IRPs, I/O request packets)
• Handles creation and destruction of IRPs
• Offers a uniform interface for drivers that handle IRPs
Device drivers
• Drivers are loadable kernel-mode components
• Code in drivers gets executed in different contexts:
1. In the user thread that initiated I/O
2. A system thread
3. As a result of an interrupt (any thread)
• Different types: file system drivers, protocol drivers, hardware drivers
• Layered driver model
Layered driver model
Driver example: How on-access scanning might work
Interesting elements of a driver
1. The initialization routine (DriverEntry)
• The entry point of the driver
• Sets up globals, ...
2. Add-device routine
• For PnP drivers, called by the PnP manager when a new device for the driver appears
3. Dispatch routines
• Main functionality ("read", "write", "close")
• In many cases the most interesting part
Windows API for malware analysts
Processes and threads
• CreateProcess, TerminateProcess
• CreateThread, _beginthread
• CreateRemoteThread
• GetThreadContext, SetThreadContext
• CreateToolhelp32Snapshot
• Process32First, Process32Next
• NtQueryInformationProcess
• NtQueryInformationThread
Memory
• ReadProcessMemory
• WriteProcessMemory
• VirtualAlloc
• VirtualProtect
Files and registry
• CreateFile
• FindFirstFile, FindNextFile
• RegOpenKey
• RegCreateKey
• RegEnumKey
• RegEnumValue
• ... and lots more
Services
• OpenSCManager
• CreateService
• StartService
• StartServiceCtrlDispatcher
• RegisterServiceCtrlHandler
Miscellaneous
• LoadLibrary
• GetProcAddress
• IsDebuggerPresent
• DeviceIoControl
• FindResource, LoadResource, LockResource
• SetWindowsHook
What is a rootkit?
• In the early 1990s rootkits used to be a set of tools that allowed root-level access to the system, hence the name
• Back then, hiding malware was called "stealth"
• Currently the word "rootkit" is used to describe an application that uses some kind of filtering for hiding things
• This "rootkit" is actually a feature, not a class of programs
• Rootkits usually hide files, processes, network connections, and registry keys
• So, the term "rootkit" has replaced "stealth"
API hooking
• Hooking is a technique to instrument functions and extend or replace their functionality
• For example, you want to know each time a program calls CreateFile() and strip write access from the caller
• Many implementations, including
• Hooking a function table (IAT, SSDT, IDT, …)
• Inline hooking (patching the first code bytes of a function)
• Hooking is used by rootkits to hide or protect objects
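An added example (not from the slides) of how a scanner can look for the two hook types above from the defender's side, written in Python over constructed data: a function-table check that flags pointers leaving the owning module's address range (the SSDT/IAT case) and an inline-hook check that compares a function's first bytes in memory with the clean copy from the image on disk and decodes the jmp rel32 or push/ret that was written over them. The module ranges, function addresses and prologue bytes are constructed stand-ins for ntdll.dll and ntoskrnl.exe, not values read from a real system.

```python
import struct

# Constructed address ranges standing in for the modules that own the tables/functions.
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)
KERNEL_RANGE = (0x804D7000, 0x806E8000)


def decode_jump(code, addr):
    """Return the target of an unconditional transfer at the start of `code`
    (bytes mapped at virtual address `addr`), or None if there is none.
    Covers the two patterns patchers use most: E9 rel32 and 68 imm32 / C3."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None


def find_table_hooks(table, module_range):
    """Entries of a pointer table (SSDT, IAT, IDT, ...) that point outside the owning module."""
    lo, hi = module_range
    return [(i, p) for i, p in enumerate(table) if not (lo <= p < hi)]


def find_inline_hooks(functions, in_memory, on_disk, module_range):
    """Compare each prologue in memory with the clean copy from the image file.
    functions: name -> VA; in_memory/on_disk: name -> first bytes of the function.
    Returns (name, jump target or None, target outside module?) for every mismatch."""
    lo, hi = module_range
    findings = []
    for name, va in functions.items():
        if in_memory[name] == on_disk[name]:
            continue                                               # prologue untouched
        target = decode_jump(in_memory[name], va)
        findings.append((name, target, target is not None and not (lo <= target < hi)))
    return findings


# --- constructed sample data ------------------------------------------------------
FUNCS = {"NtQueryDirectoryFile": 0x7C90D76C, "NtQuerySystemInformation": 0x7C90D8A8}
# Clean prologues in the shape of an XP ntdll stub: mov eax, <service number>; mov edx, 7FFE0300h
ON_DISK = {
    "NtQueryDirectoryFile": bytes.fromhex("B891000000BA0003FE7F"),
    "NtQuerySystemInformation": bytes.fromhex("B8AD000000BA0003FE7F"),
}
HOOK_TARGET = 0x10001000   # constructed address of an injected DLL, outside ntdll's range
IN_MEMORY = dict(ON_DISK)
IN_MEMORY["NtQueryDirectoryFile"] = (                          # first five bytes replaced by jmp rel32
    b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNCS["NtQueryDirectoryFile"] + 5))
    + ON_DISK["NtQueryDirectoryFile"][5:]
)
# Four entries of a service table: three into the kernel image, one into a loaded driver.
SSDT_SAMPLE = [0x805B1234, 0x805C5678, 0xF8A01234, 0x80590000]


def scan():
    return {
        "inline": find_inline_hooks(FUNCS, IN_MEMORY, ON_DISK, NTDLL_RANGE),
        "table": find_table_hooks(SSDT_SAMPLE, KERNEL_RANGE),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

Both checks produce candidates, not verdicts: a table entry that leaves the kernel image may belong to a legitimate filter driver, and a prologue that differs from the on-disk copy may be a relocated absolute address or a hot patch. The useful next step is to resolve the target to a module, which is what Sysinternals-style tools do before reporting.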
Rootkit techniques: hooking the handler table
Rootkit techniques: inline hooking
Rootkit techniques: in-memory data structure manipulation
Suggested tools & reading
• Hex editors
• HT (http://hte.sourceforge.net/)
• Sysinternals tools (http://www.sysinternals.com)
• Process Explorer
• Autoruns
• Process Monitor
• The Art of Computer Virus Research and Defense
• Chapter 3: Malicious Code Environments, from 3.1 through 3.6
• Chapter 12: Memory Scanning and Disinfection
• Microsoft Windows Internals (M. Russinovich & D. Solomon)
• New Vista edition out soon