T-110.6220:

Windows OS with an Antivirus Perspective

Antti Tikkanen, F-Secure Corporation

October 11, 2007 Page 2

Agenda

1. Applications on Windows
2. Processes and threads
3. Windows architecture
4. System mechanisms
5. Management mechanisms
6. Memory management
7. Security mechanisms
8. File systems
9. I/O System and drivers
10. Windows API for malware analysts
11. Case study: rootkits on Windows

Note on Windows versions!

• Much of this presentation will include details specific to Windows XP!

• Vista includes many changes and new security features like

• Address space randomization (ASLR)

• Integrity levels

• User account control (UAC)

• I don’t have time to go into these, sorry!

Applications on Windows

Windows Executables

• Common filename extensions hint at the type of an executable

EXE

An executable program, anything from a 16-bit DOS executable (MZ header only) to a 32-bit PE executable

DLL

Dynamic-link library; exports functions by numeric ordinal (and optionally by name)

.OCX files are ActiveX controls, basically just DLLs

SYS

A device driver, loaded into kernel space

OBJ

An object file created by a compiler, used as input to the linker

• All of the above follow the PE/COFF file format specification (OBJ files are COFF objects rather than PE images, and a pure DOS executable has only the MZ part)

PE/COFF File Format

• Windows executables and object files follow the Portable Executable (PE) specification

• Based on UNIX COFF (Common Object File Format)

• Full specification available online *)

• More on this in the Reverse Engineering lectures

*) http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

Windows API

The Windows API (a.k.a. the Win32 API) is the set of core user-mode interfaces to the OS

Exposed by several DLLs (kernel32, user32, gdi32, advapi32, ...)

Can be logically divided into subcategories:

Administration and management: task scheduler, WMI, ...

Diagnostics: event logging, debugging, ...

Graphics and multimedia

Networking: Winsock, ...

Security

System services: processes, threads, registry, file systems

Windows UI

See the full documentation on MSDN

http://msdn2.microsoft.com/en-us/library/default.aspx

Processes and threads

Processes

• A process is an abstraction of a running program

• A process consists of the following essential components:

• A private virtual address space

• An executable program (the image mapped into that address space)

• A list of open handles to resources allocated by the operating system

• An access token (the primary token), which identifies the owner, security groups, and privileges associated with the process

• A process ID

• One or more threads

Threads

• A thread is the entity that gets scheduled for execution on a CPU

• A thread consists of the following essential components:

• The CPU state (register context)

• Two stacks, one for kernel mode and one for user mode

• Thread-Local Storage (TLS), a private storage area that can be used by subsystems, run-time libraries, and DLLs

• A thread ID

• Optionally, an access token (an impersonation token) that identifies the owner, security groups, and privileges the thread runs with; a thread without one uses its process's primary token

Processes and threads (figure)

What happens when a process is created?

1. The image file is opened and read
2. The process object is created
3. The initial thread is created (stack, context and thread object)
4. The Windows subsystem (csrss.exe) is notified of the new process
5. The initial thread starts executing (unless the process was created suspended)
6. In the context of the new thread, process initialization is completed (DLLs are loaded)

TEB & PEB

• TEB = Thread Environment Block

One for each thread; contains information about things like exception handlers, the stack, etc.

Easily found through the fs segment on 32-bit x86 (offset 0x18 of the TEB holds a pointer to the TEB itself):

mov eax, fs:[18h]

• PEB = Process Environment Block

One for each process; contains information about loaded modules, OS version, etc.

The TEB has a pointer to the PEB at offset 0x30 (on x64 the TEB is reached through gs instead, the self-pointer is at offset 0x30 and the PEB pointer at offset 0x60)

• When analyzing code, you need to know about the TEB and PEB

Enumerating loaded modules (PEB.Ldr)

Checking if a debugger is present (PEB.BeingDebugged)

Installing an exception handler (TEB.NtTib.ExceptionList)

Example: checking for a debugger

; Call IsDebuggerPresent()
call [IsDebuggerPresent]
test eax, eax

; Do the same by reading the PEB directly (this is what IsDebuggerPresent does internally)
mov eax, large fs:18h         ; offset 18h of the TEB holds the self-pointer to the TEB
mov eax, [eax+30h]            ; offset 30h of the TEB holds the pointer to the PEB
movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged (offset 2)
test eax, eax

Example: installing an exception handler

; Install a SEH exception handler (32-bit x86)
push offset my_handler   ; pointer to our handler
push fs:[0]              ; pointer to the previous exception registration record
mov fs:[0], esp          ; update TEB.NtTib.ExceptionList to point at the new record

Architecture

Windows architecture (figure)

Important system processes

Smss.exe

Session Manager, the first user-mode process to run at boot time

Csrss.exe

Windows subsystem process (client-server runtime process)

Winlogon.exe

Handles interactive logons

Services.exe

The service control manager, starts and stops services

Svchost.exe

Service host process for shared services

Lsass.exe

Local Security Authority Subsystem Service, verifies user credentials

Userinit.exe

The process that initiates a user session

Native API

• Mostly undocumented interface to core OS functionality, exposed by Ntdll.dll (the system call stubs live here; the Win32 API is built on top of it)

• Used by OS native processes (smss.exe, csrss.exe)

.. but also by malware to access certain OS features, or to bypass hooks placed on the Win32 API

.. and by rootkits to modify system behaviour

• Examples of interesting functions

NtSetSystemInformation

NtQuerySystemInformation (enumerating processes, modules, handles, ...)

NtQueryDirectoryFile (directory listings, the classic hook point for hiding files)

• You should not use the Native API in your applications without a good reason (it may and will change without notice)

• See "Windows NT/2000 Native API Reference" (Nebbett)

System mechanisms

Kernel mode vs. user mode

• Windows supports two processor modes

User mode (ring 3)

Kernel mode (ring 0)

• Code running in kernel mode can access all memory

• Pages in system space (the upper part of the address space) are not accessible to user-mode code

• Transitions from user mode to kernel mode are controlled (system calls, interrupts and exceptions are the only entry points)

(Figure: 32-bit memory layout with the default configuration)

System Service Dispatching (three figure slides; the diagrams are not included in the text)

Memory management

Memory manager

Each process sees a large, contiguous, private address space. The memory manager has two important tasks:

1. Mapping accesses to virtual memory onto physical memory

2. Paging the contents of memory out to disk as physical memory runs out, and paging the data back into memory when it is needed

Virtual memory

• Every process has its own virtual address space

• Virtual memory provides a logical view of the memory that might not correspond to its physical layout

• Paging is the process of transferring memory contents to and from the disk

• Virtual memory can exceed available physical memory

Virtual memory (x86)

Flat 32-bit address space, a total of 4GB of virtual memory per process

By default, only the lower half (2GB) can be used by a process for its private storage, because the OS takes the upper half for its own protected system memory (the /3GB boot option moves the split)

The memory mappings of the lower half are switched to match the virtual address space of the currently running process on every context switch; the upper half is shared by all processes

Management mechanisms

Registry

• A directory that contains all settings and configuration data for the OS and other software

Think of it as a huge .INI file

• Basic concepts: hive, key, value

• Also contains in-memory volatile data

Current HW configuration, ...

• Hives are just files, most of them under %SystemRoot%\System32\Config\ (the per-user hive, NTUSER.DAT, lives in the user's profile directory)

Registry hive format (figure)

Registry roots

HKEY_LOCAL_MACHINE

System-related information

HKEY_USERS

User-specific information for all accounts

HKEY_CURRENT_USER

User-specific info for current user, links to HKEY_USERS

HKEY_CLASSES_ROOT

File associations and COM registration, links to HKLM\Software\Classes

HKEY_PERFORMANCE_DATA

Performance data

HKEY_CURRENT_CONFIG

Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current

Registry and malware

• Malware typically wants to survive a reboot

• The registry is the most common place to do this; there are hundreds of launchpoints, for example (key:value notation):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger

(the second one makes Windows start the "debugger" in place of explorer.exe every time it is launched)

• Malware also wants to change (security) settings for other components: Windows Firewall, IE extensions and settings, Windows File Protection, …

• The registry is also a great source of forensic data, for example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
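The launchpoints and forensic keys listed above are the kind of thing Autoruns walks on a live system. As an added example (written for this page, not code from the slides or from F-Secure), here is a small offline version in Python: it parses a regedit-style .reg export, lists the autorun entries under the Run keys and any Image File Execution Options "Debugger" hijack, decodes the ROT13-obfuscated value names under UserAssist (the name encoding XP uses), and correlates the two to show which autorun binary the user has actually launched. The .reg text, paths and GUID below are constructed for the example, and the key list is deliberately short.

```python
import codecs

# Launch points from the slide (Run keys and IFEO Debugger hijacks) plus the UserAssist forensic key.
# Deliberately short; Autoruns checks hundreds of locations.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
IFEO = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
USERASSIST = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"

# Constructed sample export in regedit's "Version 5.00" format; not data from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MyApp"="C:\\Documents and Settings\\user\\Application Data\\svch0st.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\hook.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\hfre\\Nccyvpngvba Qngn\\fipu0fg.rkr"=hex:01,00,00,00,06,00,00,00,80,a1,5e,37,79,05,c8,01
"""


def _unescape(s):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    return s.strip('"').replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; non-string data (hex:, dword:) is kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else _unescape(name)
            keys[current][name] = _unescape(data) if data.startswith('"') else data
    return keys


def find_launchpoints(keys):
    """Return (kind, key, value_name, data) for Run entries and IFEO Debugger hijacks."""
    run = {k.lower() for k in RUN_KEYS}           # registry key names are case-insensitive
    hits = []
    for key, values in keys.items():
        if key.lower() in run:
            hits.extend(("run", key, name, data) for name, data in values.items())
        elif key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            # Windows launches the "Debugger" instead of the named image, every time it is started
            hits.append(("ifeo-debugger", key.rsplit("\\", 1)[1], "Debugger", values["Debugger"]))
    return hits


def userassist_entries(keys):
    """Decode the ROT13-obfuscated value names under each UserAssist GUID's Count subkey."""
    return [codecs.decode(name, "rot_13")
            for key, values in keys.items()
            if key.lower().startswith(USERASSIST.lower() + "\\") and key.lower().endswith("\\count")
            for name in values]


def correlate(hits, executed):
    """Autorun entries whose binary also appears in UserAssist, i.e. the user has run it interactively."""
    return [h for h in hits if any(h[3].lower() in e.lower() for e in executed)]


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for hit in find_launchpoints(reg):
        print(hit)
    print("also in UserAssist:", correlate(find_launchpoints(reg), userassist_entries(reg)))
```

Only the value names of UserAssist are decoded here; the binary value data (run count and last-run timestamp) has a different layout on different Windows versions and is left as the raw hex: string.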

Services

• Services are background processes that usually perform a specific task and require no user interaction

• For example, Automatic Updates

• Controlled by the Service Control Manager (SCM), services.exe

• Configuration data under HKLM\System\CurrentControlSet\Services

• Different types of services

• Kernel drivers

• Separate process

• Shared process (hosted by svchost.exe)

Hands on: services

• Which process is hosting the “Automatic Updates” service?

• What file implements the service?

Services and malware

• You should be able to identify three kinds of components

• Programs that control services (SCPs, service control programs)

• Services

• Drivers

• Imports are a giveaway:

• SCPs: OpenSCManager, CreateService, StartService, ... (from advapi32.dll)

• Services: StartServiceCtrlDispatcher, RegisterServiceCtrlHandler

• Drivers:

• Optional header subsystem: Native (1)

• No imports from user-mode libraries (only from ntoskrnl.exe, hal.dll and other kernel modules)
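The PE/COFF slide under "Applications on Windows" and the "imports are a giveaway" rules above are everything a classifier needs. As an added example (written for this page, not code from the slides or from F-Secure), here is a Python parser that walks a PE image from the MZ header through the COFF and optional headers to the section table and the import directory, reads the Subsystem and DllCharacteristics fields (the latter carries the ASLR and NX opt-in bits the Vista note refers to), and applies the slide's rules to label an image as a driver, a service, an SCP, a DLL, or a native application. No real binaries are available offline, so a helper constructs minimal single-section PE images in memory to feed the parser; those images, their import tables and the sample import names are constructed and are not loadable programs.

```python
import struct

# PE/COFF constants (from the specification)
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1            # drivers and native applications
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
DLLCHAR_DYNAMIC_BASE, DLLCHAR_NX_COMPAT = 0x0040, 0x0100   # Vista-era ASLR and DEP opt-ins
IMPORT_DIRECTORY = 1                  # index of the import table in the data directories

KERNEL_DLLS = {"ntoskrnl.exe", "hal.dll"}
SCP_APIS = {"OpenSCManager", "CreateService", "StartService", "ControlService", "DeleteService"}
SERVICE_APIS = {"StartServiceCtrlDispatcher", "RegisterServiceCtrlHandler", "RegisterServiceCtrlHandlerEx"}


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table -> import table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Subsystem and DllCharacteristics sit at offsets 68/70 of the optional header in both PE32 and PE32+
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    datadirs = opt + (112 if pe32plus else 96)
    import_rva = struct.unpack_from("<I", data, datadirs + 8 * IMPORT_DIRECTORY)[0]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]

    def rva_to_off(rva):
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode()

    imports = {}
    if import_rva:
        tfmt, tsize = ("<Q", 8) if pe32plus else ("<I", 4)
        ordinal_flag = 1 << (tsize * 8 - 1)
        desc = rva_to_off(import_rva)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:                         # an all-zero descriptor ends the table
                break
            funcs, thunk = [], rva_to_off(oft or ft)  # walk the name table (or the IAT if there is none)
            while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:
                funcs.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag   # import by ordinal
                             else cstr(rva_to_off(entry) + 2))              # skip the 2-byte hint
                thunk += tsize
            imports[cstr(rva_to_off(name_rva)).lower()] = funcs
            desc += 20
    return {"machine": machine, "pe32plus": pe32plus, "dll": bool(chars & IMAGE_FILE_DLL),
            "subsystem": subsystem, "aslr": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
            "nx": bool(dllchars & DLLCHAR_NX_COMPAT),
            "sections": [s[0].rstrip(b"\0").decode() for s in sections], "imports": imports}


def _base(name):
    """Fold the ANSI/Unicode pair (CreateServiceA / CreateServiceW) onto one name."""
    return name[:-1] if len(name) > 1 and name[-1] in "AW" and name[-2].islower() else name


def classify(info):
    """The slide's rules: subsystem plus imports separate drivers, services, SCPs and DLLs."""
    if info["subsystem"] == IMAGE_SUBSYSTEM_NATIVE:
        # native subsystem + only kernel imports = driver; native + ntdll.dll = native application
        return ["driver"] if set(info["imports"]) <= KERNEL_DLLS else ["native application"]
    funcs = {_base(f) for fs in info["imports"].values() for f in fs}
    roles = [r for r, apis in (("service", SERVICE_APIS), ("scp", SCP_APIS)) if funcs & apis]
    if info["dll"]:
        roles.append("dll")
    return roles or ["application"]


def build_pe(imports, subsystem, characteristics=0x0102, dllchars=0, pe32plus=False):
    """Construct a minimal one-section PE image in memory (test input for the parser, not a real binary)."""
    sec_rva, sec_off = 0x1000, 0x200
    tfmt = "<Q" if pe32plus else "<I"
    body = bytearray(20 * (len(imports) + 1))         # import descriptors go here, plus the terminator
    descs = b""
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        hints = []
        for f in funcs:
            hints.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0"      # 2-byte hint followed by the function name
        body += b"\0" * (-len(body) % 8)               # align the thunk arrays
        thunks = b"".join(struct.pack(tfmt, h) for h in hints) + struct.pack(tfmt, 0)
        oft = sec_rva + len(body); body += thunks      # import name table (OriginalFirstThunk)
        ft = sec_rva + len(body); body += thunks       # import address table (FirstThunk), unbound
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, ft)
    body[:len(descs)] = descs
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", opt, 68, subsystem, dllchars)
    dd = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd - 4, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 8 * IMPORT_DIRECTORY, sec_rva, 20 * (len(imports) + 1))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    section = struct.pack("<8sIIII", b".rdata", len(body), sec_rva, len(body), sec_off) + bytes(16)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + bytes(sec_off - len(headers)) + bytes(body)
```

The import-based rules are heuristics, the same ones a human analyst applies by eye: a packed sample usually imports only LoadLibrary and GetProcAddress and resolves everything else at run time, so an empty or tiny import table is itself a finding rather than proof that the file is a plain application.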

Hands on: services and drivers

• Let’s look at c:\windows\system32\smss.exe.

• Is it a service?

• An application that controls a service?

• A driver?

• Something else?

File systems

Windows File System Formats

• Windows supports the following file system formats

• CDFS

• read-only file system for CDs

• UDF

• for DVDs, read-only support (on XP)

• FAT12, FAT16, FAT32

• older format

• NTFS

• native file system format

NTFS

• Designed to improve performance and reliability over FAT

• Interesting NTFS Features

• Disk quotas

• Encrypting File System (EFS)

• Multiple data streams (alternate data streams, file.txt:payload; a classic hiding place, since dir and Explorer show only the main stream)

• Hard links and junction points

• Unicode-based naming

Security mechanisms

Security components

• Security Reference Monitor (SRM)

Kernel component that performs the access checks and generates audit messages

• Local Security Authority Subsystem (LSASS)

LSASS.EXE, enforces the local security policy, authenticates users and issues access tokens

• Security Accounts Manager (SAM)

Manages the database of local accounts (the SAM hive)

• Active Directory (AD)

Directory service for the objects in a domain

• Winlogon

Responds to the secure attention sequence (SAS, Ctrl+Alt+Del) and manages logon sessions

• GINA

Graphical Identification and Authentication DLL; obtains the username and password (or smartcard PIN); replaced by credential providers in Vista

Objects and how to protect them

• Almost everything is an object (file, process, thread, desktop, ...)

• Basic concepts

• Security Identifier (SID) is a unique ID for any actor (user, group, computer)

• "S-1-5-21-525843606-2469437151-111719316-1006"

• A token identifies the security context of a process (or of a thread, when it impersonates)

• "Member of the Administrators group, can shut down the OS"

• Security Descriptor specifies who can do what to an object

• Owner

• Discretionary Access Control List (DACL), the ordered list of allow and deny entries (ACEs) that the access check walks

• Privileges (SeShutdownPrivilege, SeDebugPrivilege, ...) belong to the token, not to the object, and can grant rights that no ACE grants

Access check (figure)
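The access check itself is the step that ties SIDs, tokens, security descriptors and privileges together: the SRM walks the DACL in order, the first deny ACE that matches one of the caller's SIDs and one of the rights still being asked for ends the check, allow ACEs accumulate rights, and an empty DACL and a NULL DACL mean opposite things. As an added example (written for this page, not code from the slides or from Windows itself), here is a small model of that walk in Python, including the two things that happen before the DACL is even looked at: privilege-based grants (SeTakeOwnershipPrivilege yields WRITE_OWNER) and the owner's implicit READ_CONTROL and WRITE_DAC. The SIDs with RIDs 500, 1010 and 1011 and the sample descriptor are constructed; the 1006 SID is the one from the slide.

```python
# Access mask bits (a subset; the file-object rights used in the samples)
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x00010000
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00020000, 0x00040000, 0x00080000
FILE_ALL_ACCESS = 0x001F01FF

# Well-known group SIDs, the slide's example user SID, and constructed SIDs in the same domain
ADMINISTRATORS, USERS = "S-1-5-32-544", "S-1-5-32-545"
ALICE = "S-1-5-21-525843606-2469437151-111719316-1006"
BOB = "S-1-5-21-525843606-2469437151-111719316-1010"
LOCAL_ADMIN = "S-1-5-21-525843606-2469437151-111719316-500"


def access_check(sd, token, desired):
    """Model of the SRM's DACL walk.
    sd    = {"owner": sid, "dacl": [(type, sid, mask), ...] or None for a NULL DACL}
    token = {"sids": [...], "privileges": [...]}
    Returns (access granted?, rights actually granted)."""
    sids, granted = set(token["sids"]), 0
    # Privileges in the token are honoured before the DACL is consulted
    if "SeTakeOwnershipPr ivilege".replace(" ", "") in token["privileges"]:
        granted |= desired & WRITE_OWNER
    # The owner of an object can always read and rewrite its DACL
    if sd["owner"] in sids:
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    if granted == desired:
        return True, granted
    if sd["dacl"] is None:                         # NULL DACL: unprotected object, everything is granted
        return True, desired
    for ace_type, sid, mask in sd["dacl"]:         # empty DACL: the loop never runs, access is denied
        if sid not in sids:
            continue
        remaining = desired & ~granted
        if ace_type == "deny" and mask & remaining:    # first matching deny ends the check
            return False, granted
        if ace_type == "allow":
            granted |= mask & desired
            if granted == desired:                     # stop as soon as everything asked for is granted
                return True, granted
    return False, granted


# Constructed sample descriptor in canonical order (deny ACEs before allow ACEs)
SAMPLE_SD = {
    "owner": ALICE,
    "dacl": [("deny", USERS, FILE_WRITE_DATA),
             ("allow", USERS, FILE_READ_DATA | READ_CONTROL),
             ("allow", ADMINISTRATORS, FILE_ALL_ACCESS)],
}
USER_TOKEN = {"sids": [BOB, USERS], "privileges": []}
OWNER_TOKEN = {"sids": [ALICE, USERS], "privileges": ["SeShutdownPrivilege"]}
ADMIN_TOKEN = {"sids": [LOCAL_ADMIN, ADMINISTRATORS, USERS],
               "privileges": ["SeTakeOwnershipPrivilege", "SeDebugPrivilege"]}

if __name__ == "__main__":
    print("user reads:      ", access_check(SAMPLE_SD, USER_TOKEN, FILE_READ_DATA))
    print("user writes:     ", access_check(SAMPLE_SD, USER_TOKEN, FILE_WRITE_DATA))
    print("admin writes:    ", access_check(SAMPLE_SD, ADMIN_TOKEN, FILE_WRITE_DATA))
    print("admin takes own.:", access_check(SAMPLE_SD, ADMIN_TOKEN, WRITE_OWNER))
```

Two things worth noticing in the output: the administrator is denied FILE_WRITE_DATA because the token also carries the Users SID and the deny ACE is hit first (group membership does not override a deny), yet the same token gets WRITE_OWNER without any ACE at all because of SeTakeOwnershipPrivilege, after which it can rewrite the DACL; and because the walk only considers rights not yet granted, a non-canonical DACL with an allow ACE in front of a deny ACE lets the allow win for those bits, which is why tools warn about non-canonical ACLs.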

I/O Subsystem

I/O Subsystem

• A set of components in the kernel that manage and provide access to hardware devices

• I/O Manager

• Plug and Play Manager

• Power Manager

• Key concepts

• Driver

• Device

• I/O requests

I/O Manager

• The core of the I/O system

• Provides a framework for other components to have device independent I/O services.

• Responsible for dispatching the service requests to the appropriate device drivers for further processing.

• Packet-driven (IRPs, I/O request packets)

• Handles creation and destruction of IRPs

• Offers a uniform interface for the drivers that handle IRPs

Device drivers

• Drivers are loadable kernel-mode components

• Code in drivers gets executed in different contexts:

1. In the user thread that initiated the I/O

2. In a system thread

3. As a result of an interrupt (in whatever thread happens to be running)

• Different types: file system drivers, protocol drivers, hardware drivers

Layered driver model (figure)

Driver example: how on-access scanning might work (figure)

Interesting elements of a driver

1. The initialization routine (DriverEntry)

• The entry point of the driver

• Sets up globals, ...

2. Add-device routine

• For PnP drivers, called by the PnP manager when a new device for the driver appears

3. Dispatch routines

• Main functionality (”read”, ”write”, ”close”)

• In many cases the most interesting part

Windows API for malware analysts

Processes and threads

• CreateProcess, TerminateProcess

• CreateThread, _beginthread

• CreateRemoteThread

• GetThreadContext, SetThreadContext

• CreateToolhelp32Snapshot

• Process32First, Process32Next

• NtQueryInformationProcess

• NtQueryInformationThread

Memory

• ReadProcessMemory

• WriteProcessMemory

• VirtualAlloc

• VirtualProtect

Files and registry

• CreateFile

• FindFirstFile, FindNextFile

• RegOpenKey

• RegCreateKey

• RegEnumKey

• RegEnumValue

• ... and lots more

Services

• OpenSCManager

• CreateService

• StartService

• StartServiceCtrlDispatcher

• RegisterServiceCtrlHandler

Miscellaneous

• LoadLibrary

• GetProcAddress

• IsDebuggerPresent

• DeviceIoControl

• FindResource, LoadResource, LockResource

• SetWindowsHookEx

What is a rootkit?

• In the early 1990s a rootkit was a set of (UNIX) tools that let an intruder keep root-level access to a compromised system, hence the name

• Back then, hiding malware was called "stealth"

• Currently the word "rootkit" is used to describe an application that uses some kind of filtering to hide things

• This "rootkit" is actually a feature, not a class of programs

• Rootkits usually hide files, processes, network connections, and registry keys

• So, the term "rootkit" has replaced "stealth"

API hooking

• Hooking is a technique to instrument functions and extend or replace their functionality

• For example, you want to know each time a program calls CreateFile() and strip write access from the caller

• Many implementations, including

• Hooking a function table (IAT, SSDT, IDT, …)

• Inline hooking (patching the first code bytes of a function)

• Hooking is used by rootkits to hide or protect objects
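The two hooking styles above, patching a function table and patching the first bytes of the function itself, are also the two things an anti-rootkit scanner looks for. As an added example (written for this page, not code from the slides or from F-Secure), here is the arithmetic of an inline hook in Python, done on a flat copy of a module rather than in a live process: install_inline_hook overwrites a function's 5-byte hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp, which is what XP SP2 system DLLs start with) with a JMP rel32 to the hook and builds the trampoline the hook uses to call the original; detect_inline_hook compares the in-memory prologue against the on-disk image and decodes where a JMP leads; find_table_hooks flags IAT-style entries that point outside the module that should own them. The module image, addresses, IAT snapshot and module ranges are all constructed.

```python
import struct

JMP_REL32 = 0xE9
# mov edi,edi ; push ebp ; mov ebp,esp: the 5-byte hot-patchable prologue of XP SP2+ system DLLs.
# It contains no relative operands, so the whole thing can be moved into a trampoline unchanged.
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def rel32(src, dst):
    """Displacement of a JMP rel32 located at src: target minus the address of the next instruction."""
    return struct.pack("<i", dst - (src + 5))


def install_inline_hook(image, base, func_rva, hook_rva, tramp_va, stolen_len=5):
    """Patch the function at func_rva to jump to hook_rva and build the trampoline the hook uses to
    reach the original. image: flat copy of the module; base: its load address; tramp_va: where the
    trampoline bytes will live. stolen_len must end on an instruction boundary and the stolen bytes
    must not use relative addressing (true for the hot-patch prologue)."""
    if stolen_len < 5:
        raise ValueError("JMP rel32 needs 5 bytes")
    stolen = image[func_rva:func_rva + stolen_len]
    patched = bytearray(image)
    patched[func_rva:func_rva + 5] = bytes([JMP_REL32]) + rel32(base + func_rva, base + hook_rva)
    patched[func_rva + 5:func_rva + stolen_len] = b"\x90" * (stolen_len - 5)   # NOP out leftovers
    resume = base + func_rva + stolen_len                                       # first untouched instruction
    trampoline = stolen + bytes([JMP_REL32]) + rel32(tramp_va + stolen_len, resume)
    return bytes(patched), trampoline


def detect_inline_hook(mem, disk, base, func_rva, length=5):
    """Compare the in-memory prologue with the on-disk image, as anti-rootkit scanners do, and
    decode the JMP target when the first instruction has been turned into a jump."""
    m, d = mem[func_rva:func_rva + length], disk[func_rva:func_rva + length]
    if m == d:
        return None
    if m[0] == JMP_REL32:
        disp = struct.unpack("<i", m[1:5])[0]
        return {"kind": "jmp", "target": base + func_rva + 5 + disp, "original": d, "patched": m}
    return {"kind": "modified", "target": None, "original": d, "patched": m}


def find_table_hooks(table, module_ranges):
    """Function-table check (IAT/SSDT style): an entry that no longer points into the module that
    should own it has been redirected. table: name -> (address, owning module)."""
    return [name for name, (addr, owner) in table.items()
            if not module_ranges[owner][0] <= addr < module_ranges[owner][1]]


# Constructed sample: a 12 KB module image with one function at RVA 0x1000 and hook code at 0x2000
SAMPLE_BASE = 0x10000000
_img = bytearray(0x3000)
_img[0x1000:0x1008] = HOTPATCH_PROLOGUE + bytes.fromhex("8b4508")   # ...; mov eax,[ebp+8]
_img[0x2000] = 0xCC                                                  # stand-in for the hook body
SAMPLE_IMAGE = bytes(_img)

# Constructed IAT snapshot: the addresses and module ranges are made up, not read from a system
SAMPLE_IAT = {"CreateFileW": (0x7C810800, "kernel32.dll"), "NtQueryDirectoryFile": (0x00BAD000, "ntdll.dll")}
SAMPLE_RANGES = {"kernel32.dll": (0x7C800000, 0x7C8F6000), "ntdll.dll": (0x7C900000, 0x7C9B0000)}

if __name__ == "__main__":
    hooked, tramp = install_inline_hook(SAMPLE_IMAGE, SAMPLE_BASE, 0x1000, 0x2000, SAMPLE_BASE + 0x2800)
    print("patched prologue:", hooked[0x1000:0x1008].hex(), "trampoline:", tramp.hex())
    print("scan:", detect_inline_hook(hooked, SAMPLE_IMAGE, SAMPLE_BASE, 0x1000))
    print("table hooks:", find_table_hooks(SAMPLE_IAT, SAMPLE_RANGES))
```

The on-disk comparison only works once both copies are in the same form: the file image has to be relocated to the module's load address before prologues are compared, and the first bytes of a function are not the only place a patch can go, so a scanner that checks nothing but the prologue misses hooks placed a few instructions in.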

Rootkit techniques: hooking the handler table (figure)

Rootkit techniques: inline hooking (figure)

Rootkit techniques: in-memory data structure manipulation (figure)

Suggested tools & reading

• Hex editors

HT (http://hte.sourceforge.net/)

• Sysinternals tools (http://www.sysinternals.com)

Process Explorer

Autoruns

Process Monitor

• The Art of Computer Virus Research and Defense

Chapter 3: Malicious Code Environments, from 3.1 through 3.6

Chapter 12: Memory Scanning and Disinfection

• Microsoft Windows Internals (M. Russinovich & D. Solomon)

New Vista edition out soon
