Applications on Windows

Academic year: 2022

(1)

Malware Analysis and Antivirus Technologies:

Windows Operating System

(2)

Lecture Agenda

1. Applications on Windows
2. Processes and Threads
3. Windows Architecture
4. System Mechanisms
5. Management Mechanisms
6. Memory Management
7. File Systems
8. Security Mechanisms
9. Driver Basics

(3)

Applications on Windows


(4)

Executable Format

• Object files and executables follow the PE (Portable Executable) file format

• Full specification available online

• http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

• More on this in Reverse Engineering III

(5)

Windows Executables

• Filename extension hints to the executable type

• EXE = executable application, anything from a DOS executable to 64-bit Windows applications

• DLL = Dynamic link library, a set of callable routines compiled together as a loadable file

• SYS = Driver

• OBJ = Object file, input to the linker

• Note that Windows itself does not care much about the file extension: CreateProcess looks at the PE headers, not at the name

• You can execute britneyspears.jpg just fine when it is started directly; only the Explorer shell picks a handler by extension

• All of these follow the PE specification
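Added example, not from the lecture: a small PE header reader that classifies a file as DLL, driver-style native image, GUI or console executable from the headers alone, which is the check CreateProcess effectively makes. The offsets come from the PE/COFF specification linked on the previous slide; the calc.exe copy named britneyspears.jpg is a constructed input. It runs unelevated in Windows PowerShell 3 or later.

```powershell
# Added example (not the lecture's code): what a file is, read from its PE headers,
# regardless of its extension. Offsets follow the PE/COFF specification.
function Get-PeKind {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or [BitConverter]::ToUInt16($b, 0) -ne 0x5A4D) {      # "MZ"
        return [pscustomobject]@{ Path = $Path; Kind = 'not a PE file (no MZ header)' }
    }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                         # IMAGE_DOS_HEADER.e_lfanew
    if ($pe -le 0 -or $pe + 24 + 70 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x4550) {   # "PE\0\0"
        return [pscustomobject]@{ Path = $Path; Kind = 'not a PE file (no PE signature)' }
    }
    # IMAGE_FILE_HEADER follows the 4-byte signature
    $machine         = [BitConverter]::ToUInt16($b, $pe + 4)
    $characteristics = [BitConverter]::ToUInt16($b, $pe + 22)
    # IMAGE_OPTIONAL_HEADER starts at +24; AddressOfEntryPoint (+16) and Subsystem (+68)
    # sit at the same offsets in PE32 and PE32+
    $opt       = $pe + 24
    $magic     = [BitConverter]::ToUInt16($b, $opt)
    $entry     = [BitConverter]::ToUInt32($b, $opt + 16)
    $subsystem = [BitConverter]::ToUInt16($b, $opt + 68)

    if     ($characteristics -band 0x2000) { $kind = 'DLL' }                         # IMAGE_FILE_DLL
    elseif ($subsystem -eq 1)              { $kind = 'native subsystem image (drivers, smss.exe)' }
    elseif ($subsystem -eq 2)              { $kind = 'GUI executable' }
    elseif ($subsystem -eq 3)              { $kind = 'console executable' }
    else                                   { $kind = "executable, subsystem $subsystem" }
    $arch = switch ($machine) { 0x14C {'x86'} 0x8664 {'x64'} 0xAA64 {'ARM64'} default {'0x{0:X}' -f $machine} }
    $fmt  = switch ($magic)   { 0x10B {'PE32'} 0x20B {'PE32+'} default {'unknown'} }

    [pscustomobject]@{
        Path = $Path; Kind = $kind; Machine = $arch; Format = $fmt
        EntryPointRva   = '0x{0:X}' -f $entry
        Characteristics = '0x{0:X4}' -f $characteristics
    }
}

# The extension means nothing to the parser, just as it means nothing to CreateProcess.
# (Constructed input: a copy of calc.exe under a misleading name.)
Copy-Item "$env:SystemRoot\System32\calc.exe" "$env:TEMP\britneyspears.jpg"
Get-PeKind "$env:TEMP\britneyspears.jpg"
Get-PeKind "$env:SystemRoot\System32\kernel32.dll"
Get-PeKind "$env:SystemRoot\System32\drivers\ntfs.sys"

# ...and it runs: UseShellExecute=$false goes straight to CreateProcess, whereas a
# double-click in Explorer would open the file with whatever handles .jpg.
$psi = New-Object Diagnostics.ProcessStartInfo "$env:TEMP\britneyspears.jpg"
$psi.UseShellExecute = $false
[Diagnostics.Process]::Start($psi) | Out-Null
```

Expect 'GUI executable' for the renamed calc.exe, 'DLL' for kernel32.dll (the DLL flag is checked first, since ntdll.dll is also a native-subsystem image) and 'native subsystem image' for ntfs.sys.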

(6)

Windows API

• The Windows API (a.k.a. Win32 API) is the documented interface to the operating system for applications

• Exposed by a set of system libraries: kernel32.dll, user32.dll, …

• Several subcategories

• Administration and management (WMI, …)

• Diagnostics (event logging, …)


• Networking

• Security

• System services (processes, threads, registry…)

• MSDN is the reverse engineer's best friend for Windows binaries

(7)

Native API

• Largely undocumented interface to OS functionality, exported by ntdll.dll as the Nt*/Zw* functions

• One level below Windows API

• Some low-level functionality only available through Native API

• Examples of interesting functions

• NtSetSystemInformation

• NtQuerySystemInformation


• NtQueryDirectoryFile

• See “Windows NT/2000 Native API Reference” by Nebbett

(8)

Windows Architecture


(9)

Simplified Windows Architecture

User mode:
• System Support Processes | Service Processes | User Applications | Environment Subsystems
• Subsystem DLLs
• NTDLL.DLL (the user-mode side of every system call)

Kernel mode:
• Executive | Windowing & Graphics
• Kernel | Device Drivers

(10)

System Mechanisms


(11)

Kernel-mode & user-mode

0xFFFFFFFF
    System space (Ring 0): kernel, executive and drivers; the same in every process
0x80000000
0x7FFFFFFF
    User space (Ring 3): private to each process
0x00000000

Transition from user mode to kernel mode: int 0x2e (older x86 CPUs) or sysenter (Pentium II and later; syscall on x64)

(12)

System Service Dispatching (example: ReadFile)

User mode:
1. Application calls Kernel32.dll!ReadFile
2. Kernel32.dll!ReadFile calls Ntdll.dll!NtReadFile
3. Ntdll.dll!NtReadFile loads the system service number and executes sysenter (or int 0x2e)

Kernel mode:
4. Nt!KiSystemService looks the number up in the system service table and calls Nt!NtReadFile
5. Nt!NtReadFile reads the file
6. Return to caller: the interrupt is dismissed / sysexit returns to user mode, and each layer returns to the one above it


(15)

Processes & Threads


(16)

Processes

• Abstraction of an executing program

• A process has

• A private virtual address space (user-mode address space)

• A base image (the main executable)

• A set of open handles to OS resources

• An access token (“who is this process, what can it do”)


• A process ID (PID)

• One or more threads

• Job = A group of processes that can be managed as a unit

(17)

Protected Processes (Vista and later)

• By default, a process whose token holds the debug privilege (SeDebugPrivilege) can obtain any access right to every other process

• Admins should have control over the machine, right…

• To support playback of high-quality digital content, Vista introduced Protected Processes

• Determined by a flag in the EPROCESS structure of the kernel process object

• Process image file must be signed with a special certificate

• Protected processes cannot be manipulated from other processes

• They can still be terminated, though: PROCESS_TERMINATE is among the few access rights that are still granted

• Examples: audiodg.exe, werfault.exe

(18)

Threads

• A thread is what gets scheduled for execution on the CPU

• A thread has

• A context (the state of execution)

• A list of exception handlers

• Two stacks, one for user-mode and one for kernel-mode

• A thread ID (TID)


• Optionally its own access token (an impersonation token that overrides the process token while set)

• Thread-Local Storage (TLS), a per-thread storage area

• Fiber = Manually scheduled unit of execution, shares the context of its owning thread

(19)

Processes & Threads

(20)

Case Study: FU Rootkit

• The FU rootkit hides processes by unlinking their EPROCESS from the kernel's process list (direct kernel object manipulation)

• Why do those processes still get execution time? (Hint: the scheduler works on threads, from its own dispatcher ready queues; it never walks the process list, which only enumeration APIs use.)

(21)

Case Study: DLL Injection

• A technique to run code in the context of another process by forcing it to load a DLL

• Motivation

1. Stealth: no extra process in the process list
2. Data capture using API hooks
3. Making reverse engineering more difficult
4. Avoiding HIPS features

• Various ways to accomplish DLL injection on Windows

• Registry: AppInit_DLLs (loaded by every process that loads user32.dll)

• Remote threads: write the DLL path into the target, then CreateRemoteThread with LoadLibrary as the start address

• SetWindowsHookEx (the hook DLL is loaded into every process that receives the hooked messages)

(22)

What does this code do?

(23)

TEB & PEB

• TEB = Thread Environment Block

• Container for thread-specific things like the exception handler list, stack pointer, …

• Windows uses the fs segment register (gs on x64) to address it; offset 0x18 holds a pointer to the TEB itself

    mov eax, fs:[18h]

• PEB = Process Environment Block

• Container for process-specific things like the list of loaded modules

• TEB has a pointer to the PEB at offset 0x30 (0x60 on x64)

• Important when reversing code that

• Enumerates loaded modules (PEB.Ldr)

• Checks for an attached debugger (PEB.BeingDebugged)

(24)

Example: Checking For a Debugger

    ; Call IsDebuggerPresent()
    call    [IsDebuggerPresent]
    test    eax, eax

    ; Do the same by hand, by reading PEB.BeingDebugged (x86)
    mov     eax, large fs:18h        ; TEB offset 18h holds the self-pointer to the TEB
    mov     eax, [eax+30h]           ; TEB offset 30h holds the pointer to the PEB
    movzx   eax, byte ptr [eax+2]    ; PEB offset 2 is BeingDebugged
    test    eax, eax

(25)

Example: Installing an Exception Handler

    ; Install a SEH exception handler (x86): the EXCEPTION_REGISTRATION record is built on the stack
    push    offset my_handler        ; Handler: pointer to our handler
    push    fs:[0]                   ; Next: pointer to the previous exception registration record
    mov     fs:[0], esp              ; make the new record the head of TEB.NtTib.ExceptionList

(26)

Memory Management


(27)

Memory Manager

• Each process on Windows sees a large, contiguous address space

• The memory manager has two important tasks

1. Mapping access to virtual memory into physical memory

2. Paging contents of virtual memory to disk as physical memory runs out, and paging data back to memory when it’s needed

(28)

Virtual Memory

• Each process has private, virtual address space

• Paging = the process of transferring memory contents to and from disk

• Amount of virtual memory can exceed physical memory

(29)

Virtual Memory (x86)

• Total of 4 GB virtual memory

• By default, only the lower 2 GB (0x00000000–0x7FFFFFFF) is accessible from user mode

• The upper 2 GB is reserved for kernel mode and is the same in every process (the split can be moved to 3 GB / 1 GB with the /3GB boot option)

(30)

Management Mechanisms


(31)

Registry

• A directory for storing settings and configuration data for the Operating System and applications

• Think of it as a huge .ini file

• Basic concepts

• Hive

• Key


• Value

• Hives are just files; most are under %SystemRoot%\System32\Config, and each user's HKCU hive is NTUSER.DAT in that user's profile directory

(32)

Registry Hive Format

(33)

Registry Root Keys

• HKEY_LOCAL_MACHINE (HKLM)

• System-wide information

• HKEY_USERS (HKU)

• User-specific settings for all accounts

• HKEY_CURRENT_USER (HKCU)

• A link to the current user under HKEY_USERS


• HKEY_CLASSES_ROOT (HKCR)

• File associations and COM registration, links to HKLM\Software\Classes

• HKEY_PERFORMANCE_DATA

• HKEY_CURRENT_CONFIG

• Current hardware profile, a link to HKLM\System\CurrentControlSet\Hardware Profiles\Current

(34)

Registry and Malware

• Malware wants to survive a reboot

• Registry is the most common way of starting after reboot

• Hundreds of “launchpoints”

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run : MyApp
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe : Debugger

• Malware also wants to change (security) settings for other components

Windows Firewall, IE extensions and settings, Windows File Protection, …

• The registry is also a great source for forensic data, for example the MUICache, where the shell records the programs it has run for a user:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

(that is the XP location; Vista and later keep it under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache)

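Added example, not from the lecture: the two launchpoints named on the slide (Run keys and IFEO Debugger values) and the MUICache artifact, enumerated through PowerShell's registry provider. It is read-only and runs unelevated in Windows PowerShell 3 or later; Autoruns does the same for hundreds of locations.

```powershell
# Added example (not the lecture's code): walk the launchpoints and the forensic artifact
# named on the slide. Read-only, no elevation needed.
function Get-RunEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key                    # Microsoft.Win32.RegistryKey
        foreach ($name in $k.GetValueNames()) {     # each value is a command line started at logon
            [pscustomobject]@{ Key = $key; Name = $name; Command = $k.GetValue($name) }
        }
    }
}

# IFEO: a "Debugger" value under <image>.exe makes Windows start that program instead,
# with the original command line appended as its arguments. Legitimate entries are rare
# (a debugger someone set up on purpose), so anything else deserves a close look.
function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem -Path $ifeo) {
        $dbg = $k.GetValue('Debugger')
        if ($dbg) { [pscustomobject]@{ Image = $k.PSChildName; Debugger = $dbg } }
    }
}

# MUICache: Explorer caches the friendly name of each program it has run for this user,
# and the entry outlives the binary. Both the XP path and the Vista+ path are tried.
function Get-MuiCache {
    $paths = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
             'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $k = Get-Item -Path $path
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Program = $name; FriendlyName = $k.GetValue($name) }
        }
    }
}

Get-RunEntries    | Format-Table -AutoSize
Get-IfeoDebuggers | Format-Table -AutoSize
Get-MuiCache      | Where-Object Program -like '*.exe*' | Format-Table -AutoSize
```

Get-Item/GetValueNames is used instead of Get-ItemProperty on purpose: Get-ItemProperty mixes the provider's own PSPath/PSChildName properties into the output, so a value that happens to be named like one of them would be lost.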
(35)

Services

• Services are background processes that usually perform a specific task and require no user interaction, for example Automatic Updates

• Controlled by the Service Control Manager (SCM), services.exe; configuration data lives under HKLM\System\CurrentControlSet\Services\<service name>

• Different types of services

• Kernel drivers

• Separate (own) process

• Shared process (hosted by svchost.exe; the service itself is a DLL named by the ServiceDll value)

(36)

Demo: Services

1. Which process is hosting the “Automatic Updates” service?

2. What file implements the service?

DEMO
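Added example, not from the lecture: both demo questions answered for any service from PowerShell, using the Win32_Service CIM class and the Services registry key described on the previous slide. The service name of "Automatic Updates" is wuauserv; the script is read-only and runs unelevated in Windows PowerShell 5.1 or later.

```powershell
# Added example (not the lecture's code): which process hosts a service, and which file
# implements it. Service names are the key names under HKLM\System\CurrentControlSet\Services.
function Get-ServiceHost {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "No service named '$Name'" }
    $key  = "HKLM:\System\CurrentControlSet\Services\$Name"
    $type = (Get-ItemProperty -Path $key).Type
    $typeName = switch ($type -band 0x3F) {          # low bits are the SERVICE_* type of slide 35
        1       { 'kernel driver' }
        2       { 'file system driver' }
        16      { 'own process' }
        32      { 'shared process (svchost-hosted)' }
        default { '0x{0:X}' -f $type }
    }
    # Shared services: the code is the DLL named in Parameters\ServiceDll, loaded by svchost.exe.
    # Own-process services and drivers: the binary in PathName is the implementation itself.
    $serviceDll    = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $implementedIn = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $svc.PathName }
    $hostImage     = if ($svc.ProcessId) { (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).Path }
    [pscustomobject]@{
        Service       = $Name
        DisplayName   = $svc.DisplayName
        State         = $svc.State
        StartMode     = $svc.StartMode
        Type          = $typeName
        HostPid       = $svc.ProcessId            # 0 while the service is not running
        HostImage     = $hostImage
        CommandLine   = $svc.PathName             # for shared services: svchost.exe -k <group>
        ImplementedIn = $implementedIn
        RunsAs        = $svc.StartName
    }
}

# The other direction: which services share one svchost instance (one -k group)?
function Get-ServicesInProcess([int]$ProcessId) {
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$ProcessId" | Select-Object Name, DisplayName, State
}

Get-ServiceHost -Name wuauserv | Format-List
$wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if ($wu.ProcessId) { Get-ServicesInProcess -ProcessId $wu.ProcessId | Format-Table -AutoSize }
```

On Windows 10 and later with more than about 3.5 GB of RAM most svchost groups are split so that each service gets its own svchost.exe, so the second query often lists a single service; on older systems it shows the whole netsvcs group.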

(37)

File Systems


(38)

Windows File System Formats

• CDFS (cdfs.sys)

• CD-ROM filesystem, considered legacy

• UDF (udfs.sys)

• Universal Disk Format, the standardized format for optical storage

• FAT12, FAT16, FAT32 (fastfat.sys)

• Legacy filesystem, mostly replaced by NTFS


• exFAT (aka. FAT64)

• Adds functionality on top of FAT: removes FAT32's 4 GB file-size limit and supports much larger volumes (note that Windows does not implement ACLs on exFAT)

• NTFS

(39)

NTFS

• Native file system for Windows

• Support for advanced features

• ACL’s on files and directories

• Alternate Data Streams

• Disk quotas

• Sparse files


• Compression and encryption

• Hard links, symbolic links and junctions (the latter two are reparse points)

• Transactional semantics (TxF, now deprecated)

(40)

Demo: Alternate Data Streams

DEMO
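Added example, not from the lecture: the alternate data stream demo done with PowerShell's -Stream parameter (PowerShell 3 or later, on an NTFS volume). The ads-demo.txt file and its "hidden" stream are constructed inputs.

```powershell
# Added example (not the lecture's code): create, list, read, find and delete NTFS
# alternate data streams. Needs an NTFS volume; %TEMP% normally is one.
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible contents'                 # the unnamed :$DATA stream
Set-Content -Path $file -Stream 'hidden' -Value 'contents nobody sees in Explorer'

Get-Item $file | Select-Object Name, Length                       # Length counts only the unnamed stream
Get-Item $file -Stream * | Select-Object Stream, Length           # but both streams are there
Get-Content $file -Stream 'hidden'
# Other tools address streams as file:stream, e.g. "dir /r" and "more < ads-demo.txt:hidden" in cmd.

# Hunt for named streams under a directory. Zone.Identifier is the one you will see most:
# the mark-of-the-web that browsers attach to downloads and that SmartScreen reads.
function Find-AlternateStreams([string]$Root) {
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object Stream -ne ':$DATA' |
            Select-Object FileName, Stream, Length
    }
}
Find-AlternateStreams $env:TEMP | Format-Table -AutoSize

# Streams are lost when the file is copied to FAT/exFAT or sent over most protocols;
# removing one stream leaves the file and its other streams in place.
Remove-Item $file -Stream 'hidden'
Get-Item $file -Stream * | Select-Object Stream, Length
```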

(41)

Security Mechanisms


(42)

Security & Objects

• Almost everything on Windows is an object

• Process, thread, desktop, mutex, …

• Basic concepts

• Security Identifier (SID) is a unique ID for any actor

“S-1-5-21-525843606-2469437151-111719316-1006” = DOMAIN\user123

• A token identifies the security context of a process


“Member of Administrators group, can shut down OS”

• Security Descriptor specifies who can do what to an object

Owner

Discretionary Access Control List (DACL): the ACEs that grant or deny access rights

System Access Control List (SACL, optional): the auditing rules

(43)

Access Check

• The kernel (SeAccessCheck) compares the SIDs in the caller's token with the object's DACL one ACE at a time, in order, until every requested right has been granted or one of them is denied

• An object with no DACL grants everything; an object with an empty DACL grants nothing

(44)

The Windows Security Model & Exploits

• Especially in later Windows versions (Vista, Windows 7), extensions to the security model can be used to isolate less trustworthy applications to prevent permanent changes to the system

• Protected Mode Internet Explorer, Adobe Reader X, Google Chrome

• A process is isolated from the rest of the system with several mechanisms

• Restricted tokens: group SIDs marked deny-only and privileges removed

See CreateRestrictedToken() on MSDN

• Job objects: limits on what the processes in the job may do

CreateJobObject(), AssignProcessToJobObject(), SetInformationJobObject()

• Integrity Levels

Security descriptors and tokens are assigned an Integrity Level; a process cannot write to an object of higher integrity than its own token

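Added example, not from the lecture: the SID, token and security descriptor concepts of slide 42 and the integrity level of slide 44, read from the current process token and from one file. It is read-only, runs unelevated in Windows PowerShell 5.1 or later, and uses the hosts file only as a convenient object whose DACL every system has.

```powershell
# Added example (not the lecture's code): what the current token carries, and what one
# object's security descriptor says about who may touch it.
function Get-TokenSummary {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # 1. SIDs: the user SID and every group SID the token carries
    $groups = foreach ($g in $id.Groups) {
        $account = try { $g.Translate([Security.Principal.NTAccount]).Value } catch { '(no name)' }
        [pscustomobject]@{ Sid = $g.Value; Account = $account }
    }
    # 2. Integrity level: a SID under the Mandatory Label authority S-1-16; its RID is the level.
    #    It is normally in $id.Groups; whoami /groups is the fallback if a build filters it out.
    $label = ($groups | Where-Object Sid -like 'S-1-16-*' | Select-Object -First 1).Sid
    if (-not $label) { $label = (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -like 'S-1-16-*').SID }
    $rid   = if ($label) { [int]($label -split '-')[-1] } else { -1 }
    $level = switch ($rid) { 0 {'Untrusted'} 4096 {'Low'} 8192 {'Medium'} 8448 {'Medium Plus'} 12288 {'High'} 16384 {'System'} default {"unknown ($rid)"} }
    [pscustomobject]@{
        User         = $id.Name
        UserSid      = $id.User.Value
        # False for an admin's UAC-filtered token even though the group is present: the
        # SID is marked deny-only there, exactly as CreateRestrictedToken does on slide 44.
        IsAdminToken = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Integrity    = $level
        Groups       = $groups
    }
}

# 3. Security descriptor of an object: owner and DACL. (Reading the SACL takes
#    SeSecurityPrivilege: Get-Acl -Audit from an elevated prompt.)
function Show-Dacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Sddl = $acl.Sddl }
    $acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

$token = Get-TokenSummary
$token | Select-Object User, UserSid, IsAdminToken, Integrity | Format-List
$token.Groups | Format-Table -AutoSize
Show-Dacl "$env:SystemRoot\System32\drivers\etc\hosts"
```

Run it once from a normal prompt and once from an elevated one: the user SID and group list are the same, but the integrity level changes from Medium to High and IsAdminToken flips, which is the whole difference between the two tokens UAC hands out.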
(45)

Adobe Reader X

(46)

Adobe Reader X Broker

(47)

Driver Basics


(48)

Driver Basics

• Drivers are loadable kernel-mode components

• Code in drivers gets executed in different contexts:

1. In the user thread that initiated the I/O
2. In a system thread
3. As a result of an interrupt (in whatever thread happened to be running)

• Different types of drivers: file system drivers, protocol drivers, hardware drivers

• Layered driver model

(49)

Layered Driver Model

(50)

Reverse Engineering Drivers

• Interesting elements

1. Initialization routine (DriverEntry)

The entry point of a driver; sets up global variables and fills in the dispatch function table

    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

2. Dispatch routines

Main functionality of most drivers (“read”, “write”, “close”, device control); in many cases the interesting stuff is here

Stored in the table DRIVER_OBJECT.MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1], indexed by IRP major function code (IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CLOSE, IRP_MJ_DEVICE_CONTROL, …)

3. Add-device routine (DRIVER_OBJECT.DriverExtension->AddDevice, for Plug and Play drivers)

(51)

Suggested Material

• Sysinternals tools

• Process Monitor

• Process Explorer

• Autoruns

• The Art of Computer Virus Research and Defense

• Chapter 3: Malicious Code Environments, from 3.1 through 3.6

• Chapter 12: Memory Scanning and Disinfection

• Windows Internals, 5th edition

(52)
