1 / 59

Introduction to Windows System Internals part II

by Tim Shelton Black Security redsand@blacksecurity.org. Introduction to Windows System Internals part II. Windows Subsystems API Breakdown The API Layers User-land and Kernel-land Processes, Threads, and Jobs Virtual Memory Manager. Outline.

danyl
Télécharger la présentation

Introduction to Windows System Internals part II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. by Tim Shelton Black Security redsand@blacksecurity.org Introduction to Windows System Internals part II

  2. Windows Subsystems API Breakdown The API Layers User-land and Kernel-land Processes, Threads, and Jobs Virtual Memory Manager Outline

  3. Is the Windows NT structure considered a “microkernel”? No! A microkernel is a type of kernel in which the principal operating system components (such as memory manager, process manager, and I/O manager) run as separate processes in their own separated address space. EX: Carnegie Mellon University’s Mach (OSX) operating kernel. Shares address space with rest of kernel components Windows Subsystem

  4. 3 Basic Types of User-Mode Processes Fixed processes ie: logon process, session manager Service Processes – runs independently of user logons. ie: Task Scheduler, Spooler service. Environment Subsystem Windows, POSIX, and OS/2 Windows Subsystem

  5. Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)

  6. Each Subsystem Contains Subsystem Service Process (csrss) Subsystem API library e.g. kernel32, advapi32, gdi32, ntdll Hooks in CreateProcess code Pseudo Subsystems ex: LSASS and CLR Windows Subsystem

  7. 3 Different Implimentations Application’s Container (Libraries) Separate Containers (Services) Central, Universally Shared Container (kernel) Services & Kernel

  8. Disadvantages of Kernel Less Flexible Single sysentry mechanism Inter-operation requires shared abstractions Access controls limited (ACLS) Kernel

  9. Services have natural advantage Filtering and refinement of operations provides finer-grained access control Easy to provide alternative abstractions Seperated in their own protected private address space Services

  10. Executive Execution Layer Kernel Execution Layer Execution Layers

  11. Executive Execution Layer Upper Layers of Operating System Provides “generic operating system” functions Creating/deleting processes and threads Memory management I/O Interprocess communication Security Executive Execution Layer

  12. Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)

  13. Almost completely portable C code. (bits of object oriented c++ and asm) Private internal O/S structure Runs in kernel ("privileged", ring 0) mode Many interfaces to executive O/S services undocumented Executive Execution Layer

  14. Lower Layers of O/S Processor dependant functions (x86 vs. alpha vs. embedded etc) Processor independant functions closely associated with processor dependant functions Executive Execution Layer

  15. Kernel Execution Layer Private internal O/S structure Heart and Soul of O/S Executes in kernel mode API not documented! Accessed indirectly via subsystem APIs Kernel Execution Layer

  16. User Kernel Registry Replicator Alerter Event Log Win32 POSIX OS/2 Windows NT Subsystem Session Mgr WinLogon System Processes Services User Apps Environment Subsystems Interface DLL Subsystem DLL Executive Services API I/O System Security Monitor Win32 GDI Object Services Memory Mgmt Processes/ Threads File Systems Object Management Device Drivers Kernel Exec. RTL Hardware Abstraction Layer (HAL) I/O Devices DMA/Bus Control Cache Control Clocks/ Timers Privileged Architecture Interrupt Dispatch

  17. Reasons for Kernel Code Execution Requests from user mode (system calls) Via system service dispatch mechanism (dispatcher) Kernel-mode code runs in context of requesting thread Kernel Execution Layer

  18. User Kernel Registry Replicator Alerter Event Log Win32 POSIX OS/2 Windows NT Subsystem Session Mgr WinLogon System Processes Services User Apps Environment Subsystems Interface DLL Subsystem DLL Executive Services API I/O System Security Monitor Win32 GDI Object Services Memory Mgmt Processes/ Threads File Systems Object Management Device Drivers Kernel Exec. RTL Hardware Abstraction Layer (HAL) I/O Devices DMA/Bus Control Cache Control Clocks/ Timers Privileged Architecture Interrupt Dispatch

  19. Reasons for Kernel Code Execution Interrupts from external devices Interrupts (like all traps) are handled in kernel mode NT-supplied interrupt dispatcher invokes interrupt service routiner ISR runs in context of interrupted thread ("arbitrary thread context") ISR requests execution of "DPC routine", which also runs in kernel mode Kernel Execution Layer

  20. Reasons for Kernel Code Execution Dedicated kernel-mode threads Some threads in system stay in kernel mode at all times (mostly "System" process) Scheduled, preempted, etc., like any other threads Kernel Execution Layer

  21. Subroutine library for kernel and device drivers Seperates Kernel and Executive from platform-specific details Presents uniform model of I/O hardware interface to drivers Hardware Abstraction Layer

  22. Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)

  23. HAL abstracts System timers, cache coherency & flushing SMP support, Hardware interrupt priorities HAL implements functions in both Executive and Kernel Layers Hardware Abstraction Layer

  24. Process Layout Each Process Has Its Own: Virtual address space Program Global Storage Heap Storage Threads' stacks Processes, Threads & Jobs

  25. Process Layout - Continued Processes cannot corrupt each others address space by mistake (sort of!) CreateRemoteThread Injection Working set physical memory "owned" by process Processes

  26. Process Layout - Continued Access token includes security identifiers (objects) Handle Table for Win32 kernel objects Resources available to all threads in process Resources separate and protected between processes Processes

  27. Each Thread has: Stack local variable storage, call frames, etc. Instance of top-level function Scheduling state Wait, Ready, and Running states Kernel Thread Priority Execution Threads

  28. Each Thread has: Current access mode user-land kernel-land Saved CPU state of not Running Access token optional - overrides process token if present Threads

  29. Processes Continued Container for address space and threads Associated User-mode Process Environment Block (PEB) Primary Access Token (objects) Quota, Debug port, Handle Table (objects) Processes

  30. Processes Continued Unique process ID Process Object Queued Job List Global Process List Session list MM structures like WorkingSet, VAD tree, AWE etc Processes

  31. Threads Continued Fundamental schedulable entity on system Represented by ETHREAD (includes KTHREAD) Queued to Process (both E & K thread) IRP List Impersonation Access Token Unique Thread ID Threads

  32. Threads Continued Associated User-mode Thread Environment Block (TEB) User-mode stack Kernel-mode stack Process Control Block (in KTHREAD) for cpu state when not running Holds Ready, or Waiting status Threads

  33. Each Job contains: Container for multiple processes Queued Global Job List Processes and Jobs in Job Set Security token filters and job token Completion ports Counters, limits etc Jobs

  34. How Do We Allocate Memory? Virtual Memory Manager User Land Memory Manager Kernel Land Memory Manager Virtual Memory Manager

  35. Allocating User Memory Space Virtual Memory Manager Handles 4gb flat of VA space (IA32) Manages process address space Handles pagefaults Manages process working sets Virtual Memory Manager

  36. Allocating User Memory Space Virtual Memory Manager continued… Manages physical memory Provides memory-mapped files Allows pages shared between processes Structure for I/O subsystem and device drivers Supports file system cache manager Virtual Memory Manager

  37. Allocating User Memory Space Virtual Memory Manager Internal API NtCreatePagingFile() NtAllocateVirtualMemory() NtFreeVirtualMemory() NtQueryVirtualMemory() NtProtectVirtualMemory() Virtual Memory Manager

  38. Allocating User Memory Space Virtual Memory Manager Pagefault NtLockVirtualMemory NtUnlockVirtualMemory NtReadVirtualMemory NtWriteVirtualMemory (OMG!! Thread Injection Tangent) NtFlushVirtualMemory Virtual Memory Manager

  39. One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread. Remote Thread Injection Tangent

More Related