T-110.6220 Windows OS

T-110.6220: Windows OS with an Antivirus Perspective
Antti Tikkanen, F-Secure Corporation
Agenda
1. Applications on Windows
2. Processes and threads
3. Windows architecture
4. System mechanisms
5. Management mechanisms
6. Memory management
7. Security mechanisms
8. File systems
9. I/O System and drivers
10. Windows API for malware analysts
11. Case study: rootkits on Windows
October 11, 2007 Page 2
Note on Windows versions!
• Much of this presentation will include details specific to Windows XP!
• Vista includes many changes and new security features like
• Address space randomization (ASLR)
• Integrity levels
• User account control (UAC)
• I don’t have time to go into these, sorry!
Applications on Windows
Windows Executables
• Common filename extensions hint the type of an executable
• EXE
• An executable program, anything from a DOS executable to 32-bit PE executables
• DLL
• Dynamic-link library, exports functions using a numeric ordinal (and optionally, a name)
• .OCX files are ActiveX controls, basically just DLL’s
• SYS
• A device driver loaded to kernel space
• OBJ
• An object file created by a compiler, used as input to the linker
• All of the above follow the PE/COFF file format specification
PE/COFF File Format
• Windows executables and object files follow the
Portable Executable (PE) specification
• Based on UNIX COFF (Common Object File Format)
• Full specification available online *)
• More on this in the Reverse Engineering lectures
*) http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
Windows API
• The Windows API (a.k.a. the Win32 API) is the set of core user-mode interfaces to the OS
• Exposed by several DLL’s (kernel32, user32, gdi32)
• Can be logically divided into subcategories
• Administration and management
• Task scheduler, WMI, …
• Diagnostics
• Event logging, debugging, …
• Graphics and multimedia
• Networking
• Winsock, …
• Security
• System services
• Processes, threads, registry, file systems
• Windows UI
• See full documentation on MSDN
• http://msdn2.microsoft.com/en-us/library/default.aspx
Processes and threads
Processes
• A process is an abstraction of a running program
• A process consists of the following essential components:
• A private virtual address space
• An executable program
• A list of open handles to resources allocated by the operating system
• An access token, which uniquely identifies the owner, security groups,
and privileges associated with the process
• A process ID
• One or more threads
Threads
• A thread is an entity scheduled for execution on the CPU
• A thread consists of the following essential components:
• The CPU state
• Two stacks, one for kernel-mode and one for user-mode
• Thread-Local Storage (TLS), a private storage area that can be used by
subsystems, run-time libraries, and DLLs
• A thread ID
• An access token, which uniquely identifies the owner, security groups,
and privileges associated with the thread
Processes and threads
What happens when a process is created?
1. Image file is opened and read
2. Process object is created
3. The initial thread is created (stack, context and object)
4. Windows subsystem is notified of a new process
5. Initial thread executes (unless process was created as suspended)
6. In the context of the new thread, the new process initialization is completed (DLL’s are loaded)
TEB & PEB
• TEB = Thread environment block
• One for each thread, contains information about things like exception handlers, stack, etc.
• Easily found using the fs segment (offset 0x18 has a self-pointer)
• mov eax, fs:[18h]
• PEB = Process environment block
• One for each process, contains information about loaded modules, OS version, etc.
• TEB has a pointer to the PEB at offset 0x30
• When analyzing code, you need to know about TEB and PEB
• Enumerating modules (PEB.Ldr)
• Checking if a debugger is present (PEB.BeingDebugged)
• Installing an exception handler (TEB.NtTib.ExceptionList)
• …
Example: checking for a debugger
    ; Call IsDebuggerPresent()
    call    [IsDebuggerPresent]
    test    eax, eax
    ; Do the same by checking PEB
    mov     eax, large fs:18h       ; Offset 18h has self-pointer to TEB
    mov     eax, [eax+30h]          ; Offset 30h has pointer to PEB
    movzx   eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    test    eax, eax
Example: installing an exception handler
    ; Install a SEH exception handler
    push    offset my_handler       ; pointer to our handler
    push    fs:[0]                  ; pointer to old exception record
    mov     fs:[0], esp             ; update TEB.NtTib.ExceptionList
Architecture
Windows architecture
Important system processes
• Smss.exe
• Session Manager, the first process to run at boot time
• Csrss.exe
• Windows subsystem process (client-server runtime process)
• Winlogon.exe
• Handles interactive logons
• Services.exe
• The service control manager, starts and stops services
• Svchost.exe
• Service host process for shared services
• Lsass.exe
• Local Security Authentication Server, verifies user credentials
• Userinit.exe
• The process that initiates a user session
Native API
• Undocumented interface to core OS functionality, exposed by Ntdll.dll
• Used by OS native processes (smss.exe, csrss.exe)
• ... but also by malware to access certain OS features
• ... and by rootkits to modify system behaviour
• Examples of interesting functions
• NtSetSystemInformation
• NtQuerySystemInformation
• NtQueryDirectoryFile
• You should not use the Native API in your applications without a good reason (it may and will change without notice)
• See “Windows NT/2000 Native API Reference” (Nebbett)
System mechanisms
Kernel mode vs. user mode
• Windows supports two processor modes
• User mode (ring 3)
• Kernel mode (ring 0)
• Code running in kernel mode can access all memory
• Pages in system space are not accessible to user-mode code
• Controlled transition from user mode to kernel mode
(32-bit memory layout with default configuration)
System Service Dispatching
Memory management
Memory manager
Each process sees a large and contiguous private address space
The memory manager has two important tasks
1. Mapping access to virtual memory into physical memory
2. Paging contents of memory to disk as physical memory runs out, and paging the data back into memory when needed
Virtual memory
• Every process has its own virtual address space
• Virtual memory provides a logical view of the memory that might not correspond to its physical layout
• Paging is the process of transferring memory contents to and from the disk
• Virtual memory can exceed available physical memory
Virtual memory (x86)
• Flat 32-bit address space, total of 4GB virtual memory
• By default, only the lower half can be used by a process for its private storage, because the OS takes the upper half for its own protected memory
• The memory mappings of the lower half are changed to match the virtual address space of the currently running process
Management mechanisms
Registry
• A directory that contains all settings and configuration data for the OS and other software
• Think of it as a huge .INI file
• Basic concepts: hive, key, value
• Also contains in-memory volatile data
• Current HW configuration, ...
• Hives are just files, most under %SystemRoot%\System32\Config\
Registry hive format
Registry roots
• HKEY_LOCAL_MACHINE
• System-related information
• HKEY_USERS
• User-specific information for all accounts
• HKEY_CURRENT_USER
• User-specific info for current user, links to HKEY_USERS
• HKEY_CLASSES_ROOT
• File associations and COM registration, links to HKLM\Software\Classes
• HKEY_PERFORMANCE_DATA
• Performance data
• HKEY_CURRENT_CONFIG
• Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current
Registry and malware
Malware typically wants to survive a reboot
• The registry is the most common place to do this
• Hundreds of launchpoints
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger
Malware also wants to change (security) settings for other components
• Windows Firewall, IE extensions and settings, Windows File Protection, …
The registry is also a great source for forensic data, for example:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
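The launchpoints listed above are exactly what an analyst sweeps during triage. As an added example (not part of the deck), the C program below parses a .reg export, collects the string values that sit under a few launchpoint keys (the Run/RunOnce keys and the Image File Execution Options tree), and flags the two patterns the slide names: an IFEO "Debugger" value, and a Run entry that launches from a temp or profile directory. The export text is constructed for the example; the heuristics, the key list and all function names (triage_reg_export, flagged_in_sample) are my own choices, not part of any real tool.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

typedef struct {
    char key[256];
    char name[64];
    char value[256];
    bool suspicious;
} AutostartEntry;

/* ASCII case-insensitive helpers: registry paths and value names are case-insensitive */
static bool ci_eq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
        if (!a[i]) return true;
    }
    return true;
}
static bool ci_eq(const char *a, const char *b) { return strlen(a) == strlen(b) && ci_eq_n(a, b, strlen(a)); }
static bool ci_ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ci_eq_n(s + ls - lx, suffix, lx);
}
static bool ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (ci_eq_n(hay, needle, n)) return true;
    return false;
}

/* Copy a .reg quoted string into dst, undoing the \\ and \" escapes; returns the pointer past the closing quote */
static const char *read_quoted(const char *p, char *dst, size_t cap)
{
    if (*p != '"') return NULL;
    size_t n = 0;
    for (p++; *p && *p != '"'; p++) {
        if (*p == '\\' && p[1]) p++;
        if (n + 1 < cap) dst[n++] = *p;
    }
    dst[n] = '\0';
    return *p == '"' ? p + 1 : NULL;
}

/* Launchpoints this toy knows about; the deck says there are hundreds more */
static bool is_launchpoint(const char *key)
{
    return ci_ends_with(key, "\\CurrentVersion\\Run")
        || ci_ends_with(key, "\\CurrentVersion\\RunOnce")
        || ci_contains(key, "\\Image File Execution Options\\");
}

/* Walk a .reg export line by line and collect string values under launchpoint keys.
   Non-string values (dword:, hex:) are skipped. Returns the number of entries written. */
int triage_reg_export(const char *text, AutostartEntry *out, int max)
{
    char key[256] = "";
    int count = 0;
    const char *line = text;
    while (*line && count < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (len && buf[len - 1] == '\r') buf[--len] = '\0';
        if (buf[0] == '[') {                               /* "[HKEY_...\path]" starts a new key */
            char *end = strchr(buf, ']');
            if (end) { *end = '\0'; snprintf(key, sizeof key, "%s", buf + 1); }
        } else if (buf[0] == '"' && is_launchpoint(key)) { /* "name"="value" */
            AutostartEntry *e = &out[count];
            const char *p = read_quoted(buf, e->name, sizeof e->name);
            if (p && *p == '=' && read_quoted(p + 1, e->value, sizeof e->value)) {
                snprintf(e->key, sizeof e->key, "%s", key);
                bool ifeo = ci_contains(key, "\\Image File Execution Options\\");
                /* heuristics from the slide: IFEO Debugger hijack, or a Run entry living in temp/profile space */
                e->suspicious = ifeo ? ci_eq(e->name, "Debugger")
                                     : (ci_contains(e->value, "\\Temp\\") || ci_contains(e->value, "%temp%")
                                        || ci_contains(e->value, "%appdata%") || ci_contains(e->value, "\\Application Data\\"));
                count++;
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

/* Constructed sample export: a benign Run entry, a Run entry started from a temp
   directory, an IFEO Debugger value for explorer.exe, and a benign non-string IFEO value */
const char *SAMPLE_REG =
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"ExampleAudioTray\"=\"C:\\\\Program Files\\\\Example Audio\\\\tray.exe\"\r\n"
    "\"MyApp\"=\"C:\\\\Documents and Settings\\\\user\\\\Local Settings\\\\Temp\\\\svch0st.exe\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe]\r\n"
    "\"Debugger\"=\"C:\\\\WINDOWS\\\\system32\\\\dbghost.exe\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]\r\n"
    "\"GlobalFlag\"=dword:00000000\r\n";

/* Run the triage over the sample, print each entry, and return how many were flagged */
int flagged_in_sample(void)
{
    AutostartEntry entries[16];
    int n = triage_reg_export(SAMPLE_REG, entries, 16), flagged = 0;
    for (int i = 0; i < n; i++) {
        printf("%s %s\\%s = %s\n", entries[i].suspicious ? "[!]" : "[ ]",
               entries[i].key, entries[i].name, entries[i].value);
        flagged += entries[i].suspicious;
    }
    return flagged;
}

int main(void)
{
    printf("%d suspicious launchpoint entries\n", flagged_in_sample());
    return 0;
}
```

The IFEO check is deliberately unconditional: a Debugger value under Image File Execution Options redirects every launch of that program, so in practice it is reviewed whatever it points at, while the Run-key check is only a location heuristic and needs a human (or the MUICache/UserAssist data the slide mentions) to confirm.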
Services
• Services are background processes that usually perform a specific task and require no user interaction
• For example, Automatic Updates
• Controlled by the Service Control Manager (SCM), services.exe
• Configuration data under HKLM\System\CurrentControlSet\Services
• Different types of services
• Kernel drivers
• Separate process
• Shared process (hosted by svchost.exe)
Hands on: services
• Which process is hosting the “Automatic Updates” service?
• What file implements the service?
Services and malware
• You should be able to identify three kinds of components
• Programs that control services (SCP’s, service control programs)
• Services
• Drivers
• Imports are a giveaway:
• SCP’s: OpenSCManager, CreateService, StartService, ...
• Services: StartServiceCtrlDispatcher, RegisterServiceCtrlHandler
• Drivers:
• Optional header subsystem: Native (1)
• No imports from usermode libraries
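Both the PE/COFF slide and the driver giveaway above come down to reading a few header fields. As an added example (not from the deck or from any Microsoft code), the C parser below walks DOS header, PE signature, COFF file header and optional header of an in-memory image, reads the Subsystem field at its fixed offset and the IMAGE_FILE_DLL characteristic, and classifies the image as EXE, DLL or native-subsystem image, bounds-checking every offset first so a truncated or malformed file cannot push it outside the buffer. The Subsystem value 1 (native) covers kernel drivers and native user-mode applications alike, which is why the slide pairs it with the import check; the classifier therefore reports "native image" rather than "driver". The sample headers are constructed here; classify_pe, make_sample_pe and classify_sample are names of my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants from the PE/COFF specification (winnt.h names) */
#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20B
#define IMAGE_FILE_DLL                 0x2000
#define IMAGE_SUBSYSTEM_NATIVE         1
#define IMAGE_SUBSYSTEM_WINDOWS_GUI    2

enum pe_kind { PE_INVALID = 0, PE_EXE, PE_DLL, PE_NATIVE_IMAGE };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS header -> PE signature -> COFF file header -> optional header.
   Every offset is checked against len before it is dereferenced. */
enum pe_kind classify_pe(const uint8_t *buf, size_t len, uint16_t *subsystem_out)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE)
        return PE_INVALID;
    uint32_t e_lfanew = rd32(buf + 0x3C);                /* file offset of "PE\0\0" */
    /* signature (4) + COFF header (20) + optional header up to and including Subsystem (70) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 70)
        return PE_INVALID;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE)
        return PE_INVALID;
    const uint8_t *coff = nt + 4;
    uint16_t size_of_optional = rd16(coff + 16);
    uint16_t characteristics  = rd16(coff + 18);
    if (size_of_optional < 70)                            /* OBJ files carry no optional header */
        return PE_INVALID;
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        return PE_INVALID;
    uint16_t subsystem = rd16(opt + 68);                  /* same offset in PE32 and PE32+ */
    if (subsystem_out)
        *subsystem_out = subsystem;
    /* Native subsystem: kernel driver or native user-mode application; the
       import check from the slide is what separates the two. */
    if (subsystem == IMAGE_SUBSYSTEM_NATIVE)
        return PE_NATIVE_IMAGE;
    return (characteristics & IMAGE_FILE_DLL) ? PE_DLL : PE_EXE;
}

/* Constructed sample: a minimal PE32 header skeleton (no sections, no code), enough to exercise the parser */
void make_sample_pe(uint8_t *buf, size_t len, uint16_t subsystem, uint16_t characteristics)
{
    if (len < 0x40 + 4 + 20 + 224) return;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                     /* e_lfanew = 0x40 */
    uint8_t *nt = buf + 0x40;
    nt[0] = 'P'; nt[1] = 'E';
    uint8_t *coff = nt + 4;
    coff[0] = 0x4C; coff[1] = 0x01;                       /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[2] = 1;                                          /* NumberOfSections */
    coff[16] = 0xE0;                                      /* SizeOfOptionalHeader = 224 (PE32) */
    coff[18] = (uint8_t)characteristics; coff[19] = (uint8_t)(characteristics >> 8);
    uint8_t *opt = coff + 20;
    opt[0] = 0x0B; opt[1] = 0x01;                         /* Magic = PE32 */
    opt[68] = (uint8_t)subsystem; opt[69] = (uint8_t)(subsystem >> 8);
}

/* Build a sample in a scratch buffer and classify only its first `len` bytes (lets us simulate truncation) */
enum pe_kind classify_sample(uint16_t subsystem, uint16_t characteristics, size_t len)
{
    static uint8_t img[512];
    make_sample_pe(img, sizeof img, subsystem, characteristics);
    return classify_pe(img, len < sizeof img ? len : sizeof img, NULL);
}

int main(void)
{
    static const char *names[] = { "invalid", "EXE", "DLL", "native-subsystem image" };
    printf("GUI exe:      %s\n", names[classify_sample(IMAGE_SUBSYSTEM_WINDOWS_GUI, 0x0102, 512)]);
    printf("GUI dll:      %s\n", names[classify_sample(IMAGE_SUBSYSTEM_WINDOWS_GUI, 0x2102, 512)]);
    printf("native image: %s\n", names[classify_sample(IMAGE_SUBSYSTEM_NATIVE, 0x0102, 512)]);
    printf("truncated:    %s\n", names[classify_sample(IMAGE_SUBSYSTEM_WINDOWS_GUI, 0x0102, 0x50)]);
    return 0;
}
```

The e_lfanew check matters more than it looks: the field is attacker-controlled in any sample you scan, and a parser that trusts it will read past the end of a short file.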
Hands on: services and drivers
• Let’s look at c:\windows\system32\smss.exe.
• Is it a service?
• An application that controls a service?
• A driver?
• Something else?
File systems
Windows File System Formats
• Windows supports the following file system formats
• CDFS
• read-only filesystem for CD’s
• UDF
• for DVD’s, read-only support
• FAT12, FAT16, FAT32
• older format
• NTFS
• native file system format
NTFS
• Designed to improve performance and reliability over FAT
• Interesting NTFS Features
• Disk quotas
• Encrypting File System (EFS)
• Multiple data streams
• Hard links and junction points
• Unicode-based naming
Security mechanisms
Security components
• Security Reference Monitor (SRM)
• Performs the access checks, generates audit messages
• Local security authority subsystem (LSASS)
• LSASS.EXE, enforces local security policy
• Security Accounts Manager (SAM)
• Manages database of local accounts
• Active Directory (AD)
• Directory service for objects in a domain
• Winlogon
• Responds to SAS, manages logon sessions
• GINA
• Obtains the username and password (or smartcard PIN)
Objects and how to protect them
• Almost everything is an object (file, process, thread, desktop, ...)
• Basic concepts
• Security Identifier (SID) is a unique ID for any actor
• “S-1-5-21-525843606-2469437151-111719316-1006”
• A token identifies the security context of a process
• “Member of Administrators group, can shut down OS”
• Security Descriptor specifies who can do what to an object
• Owner
• Discretionary Access Control List (DACL)
• Privileges
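To make the SID / token / security descriptor trio concrete, here is an added example (my own code, not the deck's and not the kernel's SeAccessCheck) that models the access check in C: a token is a list of SIDs, a security descriptor is an owner plus a DACL, and the check walks the DACL in order, letting allow ACEs accumulate rights and failing as soon as a deny ACE covers a right that is still outstanding; the owner implicitly gets READ_CONTROL and WRITE_DAC, and a NULL DACL grants everything. The Administrators and Users SIDs are the real well-known ones and the "alice" SID is the one from the slide; "bob", the tokens and the descriptor are constructed, and access_check and check_named are names I chose.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits with the values used in the Windows SDK */
#define FILE_READ_DATA  0x00000001u
#define FILE_WRITE_DATA 0x00000002u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u

typedef struct {
    const char *sids[8];   /* user SID followed by group SIDs */
    int nsids;
} Token;

typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } AceType;

typedef struct { AceType type; const char *sid; uint32_t mask; } Ace;

typedef struct {
    const char *owner;
    bool has_dacl;         /* false models a NULL DACL: no protection at all */
    Ace aces[8];
    int naces;
} SecurityDescriptor;

static bool token_has_sid(const Token *t, const char *sid)
{
    for (int i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Simplified model of the SRM access check. Returns true only when every
   requested bit was granted; granted_out receives the bits that were. */
bool access_check(const SecurityDescriptor *sd, const Token *tok, uint32_t desired, uint32_t *granted_out)
{
    uint32_t granted = 0;
    if (!sd->has_dacl) {
        granted = desired;                                  /* NULL DACL: everyone gets everything */
    } else {
        if (sd->owner && token_has_sid(tok, sd->owner))
            granted |= desired & (READ_CONTROL | WRITE_DAC); /* implicit owner rights */
        for (int i = 0; i < sd->naces && (desired & ~granted); i++) {
            const Ace *ace = &sd->aces[i];
            if (!token_has_sid(tok, ace->sid)) continue;
            if (ace->type == ACE_ACCESS_DENIED) {
                if (ace->mask & (desired & ~granted)) { granted = 0; break; }
            } else {
                granted |= ace->mask & desired;
            }
        }
        /* an empty DACL (has_dacl true, naces 0) grants nobody anything */
    }
    if (granted_out) *granted_out = granted;
    return granted == desired;
}

/* Constructed sample data: well-known SIDs for Administrators and Users, the
   deck's example user SID for "alice", and a made-up sibling SID for "bob". */
#define SID_ADMINS "S-1-5-32-544"
#define SID_USERS  "S-1-5-32-545"
#define SID_ALICE  "S-1-5-21-525843606-2469437151-111719316-1006"
#define SID_BOB    "S-1-5-21-525843606-2469437151-111719316-1007"

static const Token ALICE = { { SID_ALICE, SID_USERS }, 2 };
static const Token BOB   = { { SID_BOB, SID_USERS, SID_ADMINS }, 3 };

/* alice owns the file; Users may read, Administrators may read and write, but
   bob is explicitly denied writing. Deny ACEs come first (canonical order). */
static const SecurityDescriptor FILE_SD = {
    SID_ALICE, true,
    { { ACE_ACCESS_DENIED,  SID_BOB,    FILE_WRITE_DATA },
      { ACE_ACCESS_ALLOWED, SID_USERS,  FILE_READ_DATA },
      { ACE_ACCESS_ALLOWED, SID_ADMINS, FILE_READ_DATA | FILE_WRITE_DATA } },
    3
};
static const SecurityDescriptor NULL_DACL_SD = { SID_ALICE, false, { { ACE_ACCESS_ALLOWED, NULL, 0 } }, 0 };

/* Convenience wrapper so callers can name the principal */
bool check_named(const char *who, const SecurityDescriptor *sd, uint32_t desired)
{
    const Token *tok = strcmp(who, "alice") == 0 ? &ALICE : &BOB;
    return access_check(sd, tok, desired, NULL);
}

int main(void)
{
    printf("alice read:       %s\n", check_named("alice", &FILE_SD, FILE_READ_DATA) ? "granted" : "denied");
    printf("alice write:      %s\n", check_named("alice", &FILE_SD, FILE_WRITE_DATA) ? "granted" : "denied");
    printf("alice WRITE_DAC:  %s\n", check_named("alice", &FILE_SD, WRITE_DAC) ? "granted" : "denied");
    printf("bob write:        %s\n", check_named("bob", &FILE_SD, FILE_WRITE_DATA) ? "granted" : "denied");
    printf("bob, NULL DACL:   %s\n", check_named("bob", &NULL_DACL_SD, FILE_WRITE_DATA) ? "granted" : "denied");
    return 0;
}
```

Two details are worth noticing: bob is an Administrator yet cannot write, because the deny ACE is met before the Administrators allow ACE, and a NULL DACL (which tools sometimes confuse with an empty one) is the weakest possible setting rather than the strongest.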
Access check
I/O Subsystem
I/O Subsystem
• A set of components in the kernel that manage and provide access to hardware devices
• I/O Manager
• Plug and Play Manager
• Power Manager
• Key concepts
• Driver
• Device
• I/O requests
I/O Manager
• The core of the I/O system
• Provides a framework for other components to have device-independent I/O services
• Responsible for dispatching the service requests to the appropriate device drivers for further processing
• Packet-driven (IRP’s, I/O request packets)
• Handles creation and destruction of IRP’s
• Offers uniform interface for drivers that handle IRP’s
Device drivers
• Drivers are loadable kernel-mode components
• Code in drivers gets executed in different contexts:
1. In the user thread that initiated I/O
2. A system thread
3. As a result of an interrupt (any thread)
• Different types: file system drivers, protocol drivers, hardware drivers
• Layered driver model
Layered driver model
Driver example: how on-access scanning might work
Interesting elements of a driver
1. The initialization routine (DriverEntry)
• The entry point of the driver
• Sets up globals, ...
2. Add-device routine
• For PnP drivers, called by the PnP manager when a new device for the driver appears
3. Dispatch routines
• Main functionality (“read”, “write”, “close”)
• In many cases the most interesting part
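The layered driver model, the on-access scanning figure and the DriverEntry / dispatch-routine split above fit into one small simulation. The C program below is an added example, written for this text and not taken from the deck or from any real driver: it is a user-mode model in which a DRIVER_OBJECT is a table of dispatch routines indexed by major function code, a DEVICE_OBJECT points at the device below it, and an IoCallDriver look-alike hands an IRP to the next driver down. A toy scanning filter sits on top of a fake file system: on IRP_MJ_CREATE it first lets the open go down the stack, then scans what came back and fails the request with STATUS_VIRUS_INFECTED before the caller sees any data. The NTSTATUS values are the ones from ntstatus.h; the file table, the signature string, and the names fs_create, filter_create and open_file are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* NTSTATUS values as defined in ntstatus.h */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_OBJECT_NAME_NOT_FOUND  0xC0000034u
#define STATUS_VIRUS_INFECTED         0xC0000906u

enum { IRP_MJ_CREATE = 0, IRP_MJ_READ = 1, IRP_MJ_CLOSE = 2, IRP_MJ_MAXIMUM_FUNCTION = 3 };

/* User-mode stand-ins for IRP, DRIVER_OBJECT and DEVICE_OBJECT */
typedef struct { int MajorFunction; const char *path; const char *data; } IRP;
typedef struct DEVICE_OBJECT DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(DEVICE_OBJECT *dev, IRP *irp);
typedef struct { const char *name; PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION]; } DRIVER_OBJECT;
struct DEVICE_OBJECT { DRIVER_OBJECT *DriverObject; DEVICE_OBJECT *AttachedTo; /* next device down the stack */ };

/* The I/O manager's role: pick the dispatch routine by major function code */
static NTSTATUS IoCallDriver(DEVICE_OBJECT *dev, IRP *irp)
{
    PDRIVER_DISPATCH fn = dev->DriverObject->MajorFunction[irp->MajorFunction];
    return fn ? fn(dev, irp) : STATUS_INVALID_DEVICE_REQUEST;
}

/* Bottom of the stack: a pretend file system backed by a constructed in-memory table */
typedef struct { const char *path; const char *content; } FakeFile;
static const FakeFile VOLUME[] = {
    { "C:\\test\\readme.txt",  "hello world" },
    { "C:\\test\\dropper.exe", "MZ...MALWARE-TEST-PATTERN..." },   /* constructed, not a real sample */
};
static NTSTATUS fs_create(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    for (size_t i = 0; i < sizeof VOLUME / sizeof VOLUME[0]; i++)
        if (strcmp(VOLUME[i].path, irp->path) == 0) { irp->data = VOLUME[i].content; return STATUS_SUCCESS; }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}
static NTSTATUS fs_simple(DEVICE_OBJECT *dev, IRP *irp) { (void)dev; (void)irp; return STATUS_SUCCESS; }

/* The on-access filter layered above the file system: let the create go down
   first, then scan the content before the caller ever gets a handle to it. */
static const char *SIGNATURE = "MALWARE-TEST-PATTERN";   /* toy byte signature, constructed */
static NTSTATUS filter_create(DEVICE_OBJECT *dev, IRP *irp)
{
    NTSTATUS st = IoCallDriver(dev->AttachedTo, irp);
    if (st != STATUS_SUCCESS) return st;
    if (irp->data && strstr(irp->data, SIGNATURE)) {
        printf("[filter] blocked open of %s\n", irp->path);
        irp->data = NULL;                                   /* nothing leaks to the caller */
        return STATUS_VIRUS_INFECTED;
    }
    return STATUS_SUCCESS;
}
static NTSTATUS filter_passthrough(DEVICE_OBJECT *dev, IRP *irp) { return IoCallDriver(dev->AttachedTo, irp); }

/* DriverEntry analogues: each driver fills in its own dispatch table */
static void fs_DriverEntry(DRIVER_OBJECT *d)
{
    d->name = "fakefs";
    d->MajorFunction[IRP_MJ_CREATE] = fs_create;
    d->MajorFunction[IRP_MJ_READ]   = fs_simple;
    d->MajorFunction[IRP_MJ_CLOSE]  = fs_simple;
}
static void filter_DriverEntry(DRIVER_OBJECT *d)
{
    d->name = "avfilter";
    d->MajorFunction[IRP_MJ_CREATE] = filter_create;
    d->MajorFunction[IRP_MJ_READ]   = filter_passthrough;
    d->MajorFunction[IRP_MJ_CLOSE]  = filter_passthrough;
}

/* Open a path through the whole stack, the way the I/O manager does for CreateFile */
NTSTATUS open_file(const char *path, const char **content_out)
{
    static DRIVER_OBJECT fs_drv, filter_drv;
    static DEVICE_OBJECT fs_dev, filter_dev;
    static bool built;
    if (!built) {
        fs_DriverEntry(&fs_drv);
        filter_DriverEntry(&filter_drv);
        fs_dev.DriverObject = &fs_drv;         fs_dev.AttachedTo = NULL;
        filter_dev.DriverObject = &filter_drv; filter_dev.AttachedTo = &fs_dev;   /* filter on top */
        built = true;
    }
    IRP irp = { IRP_MJ_CREATE, path, NULL };
    NTSTATUS st = IoCallDriver(&filter_dev, &irp);           /* requests enter at the top of the stack */
    if (content_out) *content_out = irp.data;
    return st;
}

int main(void)
{
    const char *c;
    NTSTATUS st = open_file("C:\\test\\readme.txt", &c);
    printf("readme:  0x%08X %s\n", (unsigned)st, c ? c : "(no data)");
    st = open_file("C:\\test\\dropper.exe", &c);
    printf("dropper: 0x%08X %s\n", (unsigned)st, c ? c : "(no data)");
    return 0;
}
```

The ordering inside filter_create is the point of the figure: scanning happens between the file system completing the open and the I/O manager returning to user mode, which is what lets on-access scanning block a file no matter which process or API asked for it.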
Windows API for malware analysts
Processes and threads
• CreateProcess, TerminateProcess
• CreateThread, _beginthread
• CreateRemoteThread
• GetThreadContext, SetThreadContext
• CreateToolhelp32Snapshot
• Process32First, Process32Next
• NtQueryInformationProcess
• NtQueryInformationThread
Memory
• ReadProcessMemory
• WriteProcessMemory
• VirtualAlloc
• VirtualProtect
Files and registry
• CreateFile
• FindFirstFile, FindNextFile
• RegOpenKey
• RegCreateKey
• RegEnumKey
• RegEnumValue
• ... and lots more
Services
• OpenSCManager
• CreateService
• StartService
• StartServiceCtrlDispatcher
• RegisterServiceCtrlHandler
Miscellaneous
• LoadLibrary
• GetProcAddress
• IsDebuggerPresent
• DeviceIoControl
• FindResource, LoadResource, LockResource
• SetWindowsHook
What is a rootkit?
• In the early 1990s rootkits used to be a set of tools that allowed root-level access to the system, hence the name
• Back then, hiding malware was called "stealth"
• Currently the word "rootkit" is used to describe an application that uses some kind of filtering for hiding things
• This "rootkit" is actually a feature, not a class of programs
• Rootkits usually hide files, processes, network connections, and registry keys
• So, the term "rootkit" has replaced "stealth"
API hooking
• Hooking is a technique to instrument functions and extend or replace their functionality
• For example, you want to know each time a program calls CreateFile() and strip write access from the caller
• Many implementations, including
• Hooking a function table (IAT, SSDT, IDT, …)
• Inline hooking (patching the first code bytes of a function)
• Hooking is used by rootkits to hide or protect objects
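Function-table hooking and its detection are two sides of the same data structure, so here is an added example (my own, not from the deck) in C: a tiny dispatch table of function pointers stands in for an SSDT or IAT, a logging hook is installed by swapping one entry and calling through to the original, and a detector compares the live table with a snapshot taken before anything untrusted ran and reports every entry that differs. The table, the hook and the names snapshot_table, install_read_hook and find_modified_entries are constructed for the example; real detectors rebuild the reference table from the on-disk image rather than from an in-memory snapshot, but the comparison is the same.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Toy stand-in for a dispatch table such as the SSDT or an IAT: callers reach
   the functions only through an index into this array. */
typedef long (*SvcFn)(long);
static long svc_open(long arg)  { return arg + 1; }
static long svc_read(long arg)  { return arg * 2; }
static long svc_close(long arg) { return arg - 1; }
#define NSVC 3
static SvcFn table[NSVC] = { svc_open, svc_read, svc_close };

/* Known-good copy, taken before anything untrusted ran */
static SvcFn known_good[NSVC];
void snapshot_table(void) { memcpy(known_good, table, sizeof table); }

/* What the system service dispatcher does: index the table and call */
long dispatch(int index, long arg) { return table[index](arg); }

/* The table hook the slide describes: swap the entry, keep the original and
   call through to it. This one only logs, which is what legitimate
   instrumentation does; a rootkit would filter the result instead. */
static SvcFn original_read;
static long hooked_read(long arg)
{
    printf("[hook] read(%ld)\n", arg);
    return original_read(arg);
}
void install_read_hook(void) { original_read = table[1]; table[1] = hooked_read; }
void remove_read_hook(void)  { table[1] = original_read; }

/* Detection: report every entry that no longer matches the snapshot.
   Returns a bitmask of modified indexes, 0 when the table is clean. */
unsigned find_modified_entries(void)
{
    unsigned mask = 0;
    for (int i = 0; i < NSVC; i++)
        if (table[i] != known_good[i]) {
            printf("[detect] entry %d points to %p, expected %p\n", i, (void *)table[i], (void *)known_good[i]);
            mask |= 1u << i;
        }
    return mask;
}

int main(void)
{
    snapshot_table();
    printf("clean table:  modified mask = %u\n", find_modified_entries());
    install_read_hook();
    printf("dispatch(1, 21) = %ld\n", dispatch(1, 21));   /* callers see no difference */
    printf("hooked table: modified mask = %u\n", find_modified_entries());
    remove_read_hook();
    printf("restored:     modified mask = %u\n", find_modified_entries());
    return 0;
}
```

Note that dispatch(1, 21) returns the same value with or without the hook, which is exactly why callers cannot notice a transparent hook and why the integrity check has to look at the table itself rather than at results.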
Rootkit techniques: hooking the handler table
Rootkit techniques: inline hooking
Rootkit techniques: in-memory data structure manipulation
Suggested tools & reading
• Hex editors
• HT (http://hte.sourceforge.net/)
• Sysinternals tools (http://www.sysinternals.com)
• Process Explorer
• Autoruns
• Process Monitor
• The Art of Computer Virus Research and Defense
• Chapter 3: Malicious Code Environments, from 3.1 through 3.6
• Chapter 12: Memory Scanning and Disinfection
• Microsoft Windows Internals (M. Russinovich & D. Solomon)
• New Vista edition out soon