Windows for Reverse Engineers: OS Internals
CS-E4330 - Special Course in Information Security
Reverse Engineering Malware
Course 2017
System Mechanisms
Service Dispatching
Memory Management
Memory Manager
• Each process sees a large and contiguous private virtual address space
• This virtual address space is known as virtual memory
• Because virtual memory can exceed the available physical memory, the memory manager has two important tasks:
  • Mapping accesses to virtual memory onto physical memory
  • Paging the contents of memory out to disk as physical memory runs out, and paging the data back into memory when it is needed
Virtual Memory
• Every process has its own virtual address space
• Virtual memory provides a logical view of the memory that might not correspond to its physical layout
• By default, only the lower half can be used by the process for its own private storage
• The OS takes the upper half for its own protected memory utilization
• At every context switch, the memory mappings of the lower half are changed to match the virtual address space of the next process to run
Virtual Memory
Figure: 32-bit Windows virtual address space (virtual address spaces between user mode applications)
Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces
Figure: 64-bit Windows virtual address space (system dynamic memory allocation pools)
Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces
Processes and Threads
Process
• A process is an abstraction of a running program
• A process consists of the following essential components:
  • A private virtual address space
  • An executable program (“the base image”)
  • A private list of open handles to resources allocated by the operating system
  • An access token, which uniquely identifies the owner, security groups, and privileges associated with the process
  • A process ID
  • One or more threads
• Important structures: EPROCESS (kernel mode) and PEB (user mode)
Thread
• A thread is an entity scheduled for execution on the CPU
• A thread consists of the following essential components:
  • The CPU state
  • Two stacks, one for kernel mode and one for user mode
  • Thread-Local Storage (TLS), a private storage area that can be used by certain Windows subsystems, run-time libraries, and DLLs
  • A thread ID
  • An access token, which uniquely identifies the owner, security groups, and privileges associated with the thread
• Important structures: ETHREAD (kernel mode) and TEB (user mode)
Applications on Windows
PE - Portable Executable Format
• Object files and executable files follow the PE (Portable Executable) file format
• The full specification is available online:
  • PECOFF.mspx
• Use a hex editor (e.g. HT) or a specialized PE viewer (e.g. PE Explorer) to explore it
• File extensions commonly used by executables:
  • EXE, DLL and SYS
PE Format: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
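As an added example (not part of the course slides, and not the code of any tool the slides mention), the parser below walks the header chain the PE format defines: the DOS header, the e_lfanew pointer at offset 0x3C, the "PE\0\0" signature, the COFF file header, the PE32/PE32+ optional header and the section table. It bounds-checks every read so a truncated or tampered file fails cleanly, records whether each section's raw data actually lies inside the file, and reports which section contains the entry point, a basic triage check for packed samples. The image returned by build_sample_pe() is constructed for this example and is not a real binary.

```python
import struct

# Constants from winnt.h / the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
SECTION_HDR_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; raise ValueError on malformed input."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint and Subsystem sit at the same offsets in PE32 and PE32+
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]

    sections = []
    sec_off = opt_off + opt_size
    if sec_off + nsections * 40 > len(data):
        raise ValueError("section table truncated")
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, *_rest, flags = \
            struct.unpack_from(SECTION_HDR_FMT, data, sec_off + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_pointer": raw_ptr,
            "raw_size": raw_size,
            "characteristics": flags,
            # raw data beyond the end of the file indicates truncation or tampering
            "raw_in_file": raw_ptr + raw_size <= len(data),
        })

    # Which section holds the entry point? None, or a non-code section, is a packer indicator.
    entry_section = None
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= entry_point < s["virtual_address"] + span:
            entry_section = s["name"]
            break

    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "is_64bit": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "timestamp": timestamp,
        "image_base": image_base,
        "entry_point": entry_point,
        "subsystem": subsystem,
        "sections": sections,
        "entry_section": entry_section,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image with one .text section (sample input, not a real binary)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    opt = struct.pack("<HBBIIIII", IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0, 0x200, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QII", 0x140000000, 0x1000, 0x200)      # ImageBase, SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHHI", 6, 0, 0, 0, 6, 0, 0)           # version fields, Win32VersionValue
    opt += struct.pack("<IIIHH", 0x2000, 0x400, 0, 2, 0x8160)    # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem=GUI, DllCharacteristics
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x8664, 1, 0x5A0B3C00, 0, 0, len(opt), 0x0022)
    text = struct.pack(SECTION_HDR_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + text).ljust(0x600, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(key, value)
```

Run it on a real EXE, DLL or SYS file by passing open(path, "rb").read() to parse_pe(); the data directories (imports, exports, resources) that follow the fields read here are deliberately left out to keep the example short.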
Native API
• Undocumented user mode interface to OS functionality
• One layer below the Windows API
• Some low-level functionality is only in the Native API
• See “Windows NT/2000 Native API Reference” by Gary Nebbett for further reference
Windows API
• Windows API is the OS interface for applications
• Exposed by a set of system libraries: kernel32.dll, user32.dll, …
• Windows 7 and above refactored the system libraries (kernelbase.dll)
• Several subcategories:
  • Administration and management (WMI, …)
  • Diagnostics (event logging, …)
  • Networking
  • Security
  • System services (access to processes, threads, registry, …)
• MSDN is the best source of information for Windows APIs reference
MSDN: https://msdn.microsoft.com
WOW64
• Allows 32-bit processes to run on a 64-bit Windows OS
• Win32 API emulation
• Implemented as a set of user mode DLLs, with kernel support
WOW64 - File System Redirection
• The folder \Windows\System32 stores the native 64-bit file images
  • File accesses from 32-bit code are redirected to \Windows\SysWOW64
• Some subdirectories are excluded from redirection for compatibility:
  • %windir%\system32\drivers\etc and %windir%\system32\spool
  • %windir%\system32\catroot and %windir%\system32\catroot2
  • %windir%\system32\logfiles and %windir%\system32\driverstore
• Other common folders are handled via environment variables:
  • 64-bit: %ProgramFiles% -> "C:\Program Files"
  • 32-bit: %ProgramFiles% -> "C:\Program Files (x86)"
• Automatic redirection can be controlled per thread with dedicated APIs:
  • APIs: Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection
File System Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
WOW64 - Registry Redirection
• Two separate logical views of the Windows Registry are provided
• Some Registry keys are redirected and others are shared
• The Wow6432Node key is a special key used by the OS to implement the physical redirection for 32-bit processes:
  • HKEY_LOCAL_MACHINE\Software -> HKEY_LOCAL_MACHINE\Software\Wow6432Node
• Access to one view or the other can be controlled with certain APIs:
  • APIs: RegOpenKeyEx, RegDeleteKeyEx, RegCreateKeyEx
  • Flags: KEY_WOW64_64KEY, KEY_WOW64_32KEY
Registry Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx
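Both WOW64 sections above (file system redirection and registry redirection) describe rules an analyst has to apply by hand when a 32-bit sample's observed paths and keys do not match what the sample "asked for". The following Python model is an added example, not code from the course or from Microsoft; it resolves the logical path or key a 32-bit process names into the physical location the redirector actually touches, using the System32 exclusions and the Wow6432Node rule from the slides. The KEY_WOW64_* values are the real winreg.h constants; the default Windows directory C:\Windows is an assumption, and only HKLM\Software is modelled for the registry (the shared-key exceptions MSDN lists are not reproduced here).

```python
import ntpath  # backslash-aware path handling, works on any host OS
import re

# Real flag values from winreg.h (also exposed by Python's winreg module on Windows)
KEY_WOW64_64KEY = 0x0100
KEY_WOW64_32KEY = 0x0200

# Subdirectories of System32 that are NOT redirected for 32-bit callers (from the slides)
FS_REDIRECT_EXCLUSIONS = (
    r"drivers\etc", "spool", "catroot", "catroot2", "logfiles", "driverstore",
)


def expand_env(path, is_32bit_process, windir=r"C:\Windows"):
    """Expand %windir%, %SystemRoot% and %ProgramFiles% as a process of the given bitness sees them.
    The drive letter and Windows directory are assumed defaults, not read from any host."""
    program_files = r"C:\Program Files (x86)" if is_32bit_process else r"C:\Program Files"
    out = path
    for var, value in (("%windir%", windir), ("%SystemRoot%", windir), ("%ProgramFiles%", program_files)):
        # environment variable names are case-insensitive on Windows
        out = re.sub(re.escape(var), lambda m, v=value: v, out, flags=re.IGNORECASE)
    return out


def redirect_fs_path(path, is_32bit_process, redirection_disabled=False, windir=r"C:\Windows"):
    """Return the physical path a file-system call would touch.
    redirection_disabled models a thread that called Wow64DisableWow64FsRedirection."""
    full = expand_env(path, is_32bit_process, windir)
    if not is_32bit_process or redirection_disabled:
        return full
    system32 = ntpath.join(windir, "System32")
    lower, prefix = full.lower(), system32.lower()
    if lower != prefix and not lower.startswith(prefix + "\\"):
        return full  # not under System32: no redirection
    rest = full[len(system32):].lstrip("\\")
    for excl in FS_REDIRECT_EXCLUSIONS:
        e = excl.lower()
        if rest.lower() == e or rest.lower().startswith(e + "\\"):
            return full  # excluded for compatibility: 32-bit code sees the native directory
    return ntpath.join(windir, "SysWOW64", rest) if rest else ntpath.join(windir, "SysWOW64")


def resolve_registry_key(key, is_32bit_process, sam_desired=0):
    """Map a logical HKLM\\Software key to the physical key the registry redirector opens.
    Keys outside HKLM\\Software are returned unchanged (simplification for this example)."""
    parts = key.split("\\")
    if len(parts) < 2 or parts[0].upper() not in ("HKLM", "HKEY_LOCAL_MACHINE") \
            or parts[1].lower() != "software":
        return key
    want_32bit_view = is_32bit_process          # default view follows process bitness
    if sam_desired & KEY_WOW64_64KEY:           # explicit flags override the default
        want_32bit_view = False
    elif sam_desired & KEY_WOW64_32KEY:
        want_32bit_view = True
    already_wow = len(parts) > 2 and parts[2].lower() == "wow6432node"
    if want_32bit_view and not already_wow:
        parts.insert(2, "Wow6432Node")
    return "\\".join(parts)


if __name__ == "__main__":
    print(redirect_fs_path(r"%windir%\System32\cmd.exe", is_32bit_process=True))
    print(redirect_fs_path(r"%windir%\System32\drivers\etc\hosts", is_32bit_process=True))
    print(resolve_registry_key(r"HKLM\Software\Vendor\App", is_32bit_process=True))
    print(resolve_registry_key(r"HKLM\Software\Vendor\App", True, KEY_WOW64_64KEY))
```

The practical use is triage: when a 32-bit sample writes to HKLM\Software\Vendor or drops a file into System32, this resolver tells you where to look on disk and in the hive (Wow6432Node, SysWOW64), and the redirection_disabled and KEY_WOW64_64KEY paths show what changes when the sample deliberately turns redirection off.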
Management Mechanisms
Windows Registry
• A tree that contains all settings and configuration data for the OS and other applications
• Basic concepts: hive, key, value
• Also contains in-memory volatile data:
  • Current hardware configuration, ...
• Hives are just files:
  • %SystemRoot%\System32\Config\
• To explore the Windows Registry, use Regedit.exe
Registry Hive
Registry Roots
• HKEY_LOCAL_MACHINE
  • System-related information
• HKEY_USERS
  • User-specific information for all accounts
• HKEY_CURRENT_USER
  • User-specific information for the current user; links to HKEY_USERS
• HKEY_CLASSES_ROOT
  • File associations and COM registration; links to HKLM\Software\Classes
• HKEY_CURRENT_CONFIG
  • Current hardware profile; links to HKLM\System\CurrentControlSet\Hardware Profiles\Current
Services
• Services are background processes that usually perform a specific task and require no user interaction
  • Automatic Updates, Remote Desktop Configuration, …
• Controlled by the Service Control Manager (SCM), which runs as services.exe
• Configured under the registry key HKLM\System\CurrentControlSet\Services
• Different types of services are provided by different components:
  • Kernel drivers
  • Separate process
  • Shared process (svchost.exe)
File Systems
File System Formats
• Some of the most common Windows file system formats are:
  • FAT32: limited to a 4 GB file size
  • exFAT: optimized for flash drives, with support for larger disks and file sizes
  • NTFS: the native Windows file system format
NTFS
• Designed to improve performance, security and reliability over FAT
• 21 years old and still the Windows standard today
• NTFS features:
  • Disk quotas
  • Encrypting File System (EFS)
  • Multiple data streams
  • Unicode-based naming
  • Enhanced compression and recovery
I/O Subsystem
The Subsystem
• A set of kernel components which manage applications' access to hardware (physical) and software (logical or virtual) devices:
  • I/O Manager
  • Device drivers
  • Plug and Play Manager
  • Power Manager
  • Hardware Abstraction Layer (HAL)
• Key concepts:
  • Driver
  • Device
  • I/O requests
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/
I/O Manager
• The core of the I/O subsystem
• Provides a framework through which other components obtain device-independent I/O services
• Responsible for dispatching service requests to the appropriate device drivers
• Packet-driven (IRPs, I/O request packets)
• Handles the creation and destruction of IRPs
• Offers a uniform interface for drivers that handle IRPs
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/
Device Drivers
• Drivers are loadable kernel mode components
• Code in drivers gets executed in different contexts:
  • In the user mode thread that initiated a given I/O request
  • In a system thread running in kernel mode
  • To handle an interrupt (any thread)
• Different types:
  • File system drivers
  • Protocol drivers
  • Hardware drivers
  • Layered drivers
  • User mode drivers
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/