Windows for Reverse EngineersOS Internals

CS-E4330 - Special Course in Information Security

Reverse Engineering Malware

Course 2017

System Mechanisms

Service Dispatching

Service Dispatching

Memory Management

Memory Manager

• Each process sees a large and contiguous private virtual address space

• This virtual address space is known as virtual memory

• As virtual memory can exceed the available physical memory

• The memory manager has two important tasks• Mapping the access to virtual memory into physical memory

• Paging contents of the memory to disk as physical memory runs out; and paging the data back into the memory when needed

Virtual Memory

• Every process has its own virtual address space

• Virtual memory provides a logical view of the memory that might not correspond to its physical layout

• By default, only the lower half can be used by the process for its own private storage

• The OS takes the upper half for its own protected memory utilization

• The memory mappings of the lower half is changed to match the virtual address space of the next process to be run at every context switch

Virtual Memory

Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces

32-bit Windows virtual address spaceVirtual address spaces between user mode applications

Virtual Memory

Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces

64-bit Windows virtual address space System dynamic memory allocation pools

Processes and Threads

Process

• A process is an abstraction of a running program

• A process consists of the following essential components:• A private virtual address space

• An executable program (“the base image”)

• A private list of open handles to resources allocated by the operating system

• An access token, which uniquely identifies the owner, security groups, and privileges associated with the process

• A process ID

• One or more threads

• Important structures: EPROCESS (kernel mode) and PEB (user mode)

Thread

• A thread is an entity scheduled for execution on the CPU

• A thread consists of the following essential components:• The CPU state

• Two stacks, one for kernel mode and one for user mode

• Thread-Local Storage (TLS), a private storage area that can be used by certain Windows subsystems, run-time libraries, and DLLs

• A thread ID

• An access token, which uniquely identifies the owner, security groups, and privileges associated with the thread

• Important structures: ETHREAD (kernel mode) and TEB (user mode)

Processes and Threads

Applications on Windows

PE - Portable Executable Format

• Object and executables files follow the PE (Portable Executable) file format

• Full specification available online• PECOFF.mspx

• Use a hex editor (HT) or specialized PE viewer (PE Explorer) to explore it

• File extensions commonly used by executables:• EXE, DLL and SYS

PE Format: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

Native API

• Undocumented user mode interface to OS functionality

• One layer below the Windows API

• Some low-level functionality is only in the Native API

• See “Windows NT/2000 Native API Reference” by Nebbettor for further reference

Windows API

• Windows API is the OS interface for applications

• Exposed by a set of system libraries: kernel32.dll, user32.dll, …

• Windows 7 and above refactored the system libraries (kernelbase.dll)

• Several subcategories• Administration and management (WMI, …)• Diagnostics (event logging, …)• Networking• Security• System services (access to processes, threads, registry…)

• MSDN is the best source of information for Windows APIs reference

MSDN: https://msdn.microsoft.com

WOW64

• 32-bit process running on Windows 64-bit OS

• Win32 API emulation

• Implemented as a set of user mode DLLs, with kernel support

WOW64 - File System Redirection

• Folder \Windows\System32 stores native 64-bit file images• Calls from 32-bit code are redirected to \Windows\SysWOW64

• Some subdirectories are excluded for compatibility• %windir%\system32\drivers\etc and %windir%\system32\spool

• %windir%\system32\catroot and %windir%\system32\catroot2

• %windir%\system32\logfiles and %windir%\system32\driverstore

• Other common folders are handled via environment variables• 64-bit: %ProgramFiles% -> ”C:\Program Files”

• 32-bit: %ProgramFiles% -> ”C:\Program Files(x86)”

• Automatic redirections can be controlled per thread by using certain APIs• APIs: Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection

File System Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

WOW64 - Registry Redirection

• Two separate logical views of the Windows Registry are provided

• Some Registry keys are redirected and others are shared

• The Wow6432Node key is a special key use by the OS to support the physical redirection for 32-bit processes• HKEY_LOCAL_MACHINE\Software -> HKEY_LOCAL_MACHINE\Software\Wow6432Node

• Accessing one or another view can be controlled with certain APIs

• APIs: RegOpenKeyEx, RegDeleteKeyEx, RegCreateKeyEx

• Flags: KEY_WOW64_64KEY, KEY_WOW64_32KEY

Registry Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx

Management Mechanisms

Windows Registry

• A tree that contains all settings and configuration data for the OS and other applications

• Basic concepts: hive, key, value

• Contains in-memory volatile data• Current HW configuration, ...

• Hives are just files• %SystemRoot%\System32\Config\

• To explore the Windows Registry use Regedit.exe

Registry Hive

Registry Roots

• HKEY_LOCAL_MACHINE• System-related information

• HKEY_USERS• User-specific information for all accounts

• HKEY_CURRENT_USER• User-specific info for current user, links to HKEY_USERS

• HKEY_CLASSES_ROOT• File associations and COM registration, links to HKLM\Software\Classes

• HKEY_CURRENT_CONFIG• Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current

Services

• Services are background processes which usually perform a specific task and require no user-interaction• Automatic Updates, Remote Desktop Configuration,…

• Controlled by the Service Control Manager (SCM), run under services.exe

• Registry key HKLM\System\CurrentControlSet\Services

• Different types of services are provided by different components• Kernel drivers

• Separate process

• Shared process (svchost.exe)

File Systems

File System Formats

• Some of the most common Windows file system formats are:• FAT32

• Limited to 4GB file size

• exFAT• Optimized for flash drives with support for larger disks and file sizes

• NTFS• The native Windows file system format

NTFS

• Designed to improve performance, security and reliability over FAT

• 21 years old and still the Windows standard today

• NTFS features• Disk quotas

• Encrypting File System (EFS)

• Multiple data streams

• Unicode-based naming

• Enhanced Compression and Recovery

I/O Subsystem

The Subsystem

• A set of kernel components which manage the applications access to hardware (physical) and software (logical or virtual) devices• I/O Manager• Device drivers• Plug and Play Manager• Power Manager• Hardware Abstraction Layer (HAL)

• Key concepts• Driver• Device• I/O requests

Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/

I/O Manager

• The core of the I/O subsystem

• Provides a framework for other components to have device independent I/O services

• Responsible for dispatching the service requests to the appropriate device drivers

• Packet-driven (IRPs, I/O request packets)

• Handles creation and destruction of IRPs

• Offers an uniform interface for drivers that handle IRPs

Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/

Device Drivers

• Drivers are loadable kernel mode components

• Code in drivers gets executed in different contexts• In the user mode thread that initiated a given I/O request• In a system thread running in kernel mode• To handle an interrupt (any thread)

• Different types• File system drivers• Protocol drivers• Hardware drivers• Layered drivers• User mode drivers

Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/