590 likes | 603 Views
by Tim Shelton Black Security redsand@blacksecurity.org. Introduction to Windows System Internals part II. Windows Subsystems API Breakdown The API Layers User-land and Kernel-land Processes, Threads, and Jobs Virtual Memory Manager. Outline.
E N D
by Tim Shelton Black Security redsand@blacksecurity.org Introduction to Windows System Internals part II
Windows Subsystems API Breakdown The API Layers User-land and Kernel-land Processes, Threads, and Jobs Virtual Memory Manager Outline
Is the Windows NT structure considered a “microkernel”? No! A microkernel is a type of kernel in which the principal operating system components (such as memory manager, process manager, and I/O manager) run as separate processes in their own separated address space. EX: Carnegie Mellon University’s Mach (OSX) operating kernel. Shares address space with rest of kernel components Windows Subsystem
3 Basic Types of User-Mode Processes Fixed processes ie: logon process, session manager Service Processes – runs independently of user logons. ie: Task Scheduler, Spooler service. Environment Subsystem Windows, POSIX, and OS/2 Windows Subsystem
Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)
Each Subsystem Contains Subsystem Service Process (csrss) Subsystem API library e.g. kernel32, advapi32, gdi32, ntdll Hooks in CreateProcess code Pseudo Subsystems ex: LSASS and CLR Windows Subsystem
3 Different Implimentations Application’s Container (Libraries) Separate Containers (Services) Central, Universally Shared Container (kernel) Services & Kernel
Disadvantages of Kernel Less Flexible Single sysentry mechanism Inter-operation requires shared abstractions Access controls limited (ACLS) Kernel
Services have natural advantage Filtering and refinement of operations provides finer-grained access control Easy to provide alternative abstractions Seperated in their own protected private address space Services
Executive Execution Layer Kernel Execution Layer Execution Layers
Executive Execution Layer Upper Layers of Operating System Provides “generic operating system” functions Creating/deleting processes and threads Memory management I/O Interprocess communication Security Executive Execution Layer
Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)
Almost completely portable C code. (bits of object oriented c++ and asm) Private internal O/S structure Runs in kernel ("privileged", ring 0) mode Many interfaces to executive O/S services undocumented Executive Execution Layer
Lower Layers of O/S Processor dependant functions (x86 vs. alpha vs. embedded etc) Processor independant functions closely associated with processor dependant functions Executive Execution Layer
Kernel Execution Layer Private internal O/S structure Heart and Soul of O/S Executes in kernel mode API not documented! Accessed indirectly via subsystem APIs Kernel Execution Layer
User Kernel Registry Replicator Alerter Event Log Win32 POSIX OS/2 Windows NT Subsystem Session Mgr WinLogon System Processes Services User Apps Environment Subsystems Interface DLL Subsystem DLL Executive Services API I/O System Security Monitor Win32 GDI Object Services Memory Mgmt Processes/ Threads File Systems Object Management Device Drivers Kernel Exec. RTL Hardware Abstraction Layer (HAL) I/O Devices DMA/Bus Control Cache Control Clocks/ Timers Privileged Architecture Interrupt Dispatch
Reasons for Kernel Code Execution Requests from user mode (system calls) Via system service dispatch mechanism (dispatcher) Kernel-mode code runs in context of requesting thread Kernel Execution Layer
User Kernel Registry Replicator Alerter Event Log Win32 POSIX OS/2 Windows NT Subsystem Session Mgr WinLogon System Processes Services User Apps Environment Subsystems Interface DLL Subsystem DLL Executive Services API I/O System Security Monitor Win32 GDI Object Services Memory Mgmt Processes/ Threads File Systems Object Management Device Drivers Kernel Exec. RTL Hardware Abstraction Layer (HAL) I/O Devices DMA/Bus Control Cache Control Clocks/ Timers Privileged Architecture Interrupt Dispatch
Reasons for Kernel Code Execution Interrupts from external devices Interrupts (like all traps) are handled in kernel mode NT-supplied interrupt dispatcher invokes interrupt service routiner ISR runs in context of interrupted thread ("arbitrary thread context") ISR requests execution of "DPC routine", which also runs in kernel mode Kernel Execution Layer
Reasons for Kernel Code Execution Dedicated kernel-mode threads Some threads in system stay in kernel mode at all times (mostly "System" process) Scheduled, preempted, etc., like any other threads Kernel Execution Layer
Subroutine library for kernel and device drivers Seperates Kernel and Executive from platform-specific details Presents uniform model of I/O hardware interface to drivers Hardware Abstraction Layer
Windows NT Layer Environment Subsystems System & Service Processes User Apps OS/2 POSIX Win32 Subsystem DLL User Kernel Executive Win32 User/GDI Device Drivers Kernel Hardware Abstraction Layer (HAL)
HAL abstracts System timers, cache coherency & flushing SMP support, Hardware interrupt priorities HAL implements functions in both Executive and Kernel Layers Hardware Abstraction Layer
Process Layout Each Process Has Its Own: Virtual address space Program Global Storage Heap Storage Threads' stacks Processes, Threads & Jobs
Process Layout - Continued Processes cannot corrupt each others address space by mistake (sort of!) CreateRemoteThread Injection Working set physical memory "owned" by process Processes
Process Layout - Continued Access token includes security identifiers (objects) Handle Table for Win32 kernel objects Resources available to all threads in process Resources separate and protected between processes Processes
Each Thread has: Stack local variable storage, call frames, etc. Instance of top-level function Scheduling state Wait, Ready, and Running states Kernel Thread Priority Execution Threads
Each Thread has: Current access mode user-land kernel-land Saved CPU state of not Running Access token optional - overrides process token if present Threads
Processes Continued Container for address space and threads Associated User-mode Process Environment Block (PEB) Primary Access Token (objects) Quota, Debug port, Handle Table (objects) Processes
Processes Continued Unique process ID Process Object Queued Job List Global Process List Session list MM structures like WorkingSet, VAD tree, AWE etc Processes
Threads Continued Fundamental schedulable entity on system Represented by ETHREAD (includes KTHREAD) Queued to Process (both E & K thread) IRP List Impersonation Access Token Unique Thread ID Threads
Threads Continued Associated User-mode Thread Environment Block (TEB) User-mode stack Kernel-mode stack Process Control Block (in KTHREAD) for cpu state when not running Holds Ready, or Waiting status Threads
Each Job contains: Container for multiple processes Queued Global Job List Processes and Jobs in Job Set Security token filters and job token Completion ports Counters, limits etc Jobs
How Do We Allocate Memory? Virtual Memory Manager User Land Memory Manager Kernel Land Memory Manager Virtual Memory Manager
Allocating User Memory Space Virtual Memory Manager Handles 4gb flat of VA space (IA32) Manages process address space Handles pagefaults Manages process working sets Virtual Memory Manager
Allocating User Memory Space Virtual Memory Manager continued… Manages physical memory Provides memory-mapped files Allows pages shared between processes Structure for I/O subsystem and device drivers Supports file system cache manager Virtual Memory Manager
Allocating User Memory Space Virtual Memory Manager Internal API NtCreatePagingFile() NtAllocateVirtualMemory() NtFreeVirtualMemory() NtQueryVirtualMemory() NtProtectVirtualMemory() Virtual Memory Manager
Allocating User Memory Space Virtual Memory Manager Pagefault NtLockVirtualMemory NtUnlockVirtualMemory NtReadVirtualMemory NtWriteVirtualMemory (OMG!! Thread Injection Tangent) NtFlushVirtualMemory Virtual Memory Manager
One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread. Remote Thread Injection Tangent