Win32 Overview - University of Illinois Engineering Wiki
Win32 Overview
Malware Analysis
Fall 2011
Reading Materials
• Microsoft Windows Internals
– I’m using the 2005 version
• Reversing: Secrets of Reverse Engineering,
Chapter 3
– A summary of issues in the Windows Internals
book
Win32 API
• Most people don’t program to Win32 API
– Cumbersome interface
– Use MFC or .NET
• For reverse engineering though, win32 is a
good place to start.
Win32 API elements
[Figure: layered diagram of the Win32 API, not reproduced]
– Application
– Kernel32.dll (Base API client), USER32.DLL (USER API), GDI32.DLL (GDI API): user-mode modules
– NTDLL.DLL (Native API): user-mode side of the kernel interface
– NTOSKRNL.EXE (the Windows kernel) and WIN32K.SYS (Win32 kernel implementation): kernel mode
Win32 Libraries
• Native API implemented with
– Ntdll.dll
• User32.dll and gdi32.dll in user space match
with win32k.sys in the kernel
– Implement GUI and historical Windows interfaces
• Ntdll matches with ntoskrnl.exe in kernel
– E.g., NtCreateFile in ntdll.dll and ZwCreateFile in
ntoskrnl.exe
• DUMPBIN (DUMPBIN /EXPORTS) – shows the export table of a DLL
OS Objects
• OS works with objects
• Object Manager in kernel manages objects
– Kernel code refers to an object by pointer
– User-mode code refers to an object by handle
– Reference counting
• Common header of all objects
– Object name
– Object directory
– Security descriptor
– Quota charges
– Open handle count
– Open handles list
– Object type: reference to another object that describes the type
– Reference count
Types of Objects
• Synchronization objects
– Events, mutex, semaphores
• Section objects / memory-mapped files
– Used to load an executable into the process address
space
– Used for shared memory, between processes and
between kernel and user space
• File objects
• Process, thread, token objects
Looking at objects
• SysInternals tool: WinObj
• Explore current objects in the system
User and GDI objects
• User32 and GDI32 don’t use kernel objects
• Implement own global object tables
• In this case, handles are global across
processes
– Other processes may still not be able to access the
object given the handle
Processes and threads
• All execution is associated with threads
• Process is a container for threads, address
space
• Each thread has two stacks
– One for user space
– One for kernel space
Process Initialization
1. Create process object and new address space. CreateProcess()
2. CreateProcess() maps NTDLL.DLL and program executable into
new address space
3. CreateProcess() creates first thread and allocates stack space
4. The process’ first thread is activated and starts running
LdrpInitialize() from NTDLL.DLL
5. LdrpInitialize() recursively traverses primary executable’s import
tables and maps every required executable (dll)
6. LdrpRunInitializeRoutines() initializes all loaded DLLs. Calls each DLL’s
entry point with the DLL_PROCESS_ATTACH constant
7. Then LdrpInitialize() calls BaseProcessStart() from Kernel32.dll,
which calls the executable’s WinMain() entry point
Context Switching
• OS is time sliced
• Most of the time thread relinquishes CPU by
blocking
– Block on IO
– Block on event, e.g. WaitForMultipleObjects
• CPU registers are saved on a context switch and
restored when the thread next runs
Structured Exception Handling
• Hardware exceptions: e.g., page fault, divide by zero
• Software exceptions: e.g., throw from compiled
program, WinAPI RaiseException function.
• OS distributes exceptions
– KiUserExceptionDispatcher in ntdll
– Compiler will generate code to deal with frame based
exceptions (_except_handler3)
• Exception handler list associated with each thread
– Stored in Thread Information Block (TIB)
– FS segment register points to active thread’s TIB
Handling exceptions
• For kernel generated exception
– Exception dispatcher calls a routine to find the frame-based
exception handler
• For user mode generated exception
1. In kernel send exception to debug port (first)
2. Move exception state to user mode stack. Look for
frame-based handler
3. In kernel send exception to debug port (second)
4. In kernel send exception to exception port
associated with thread’s process
5. Kernel default handler
Filter Device Drivers
• Device drivers are really a stack
– Can insert additional filter drivers
– Device communication flows through the filter drivers
too
• Used to implement shims
– Disk encryption
– Network encryption
– Network filtering
• Could be used to hide tracks once a system has been
infiltrated
Protection Rings
• CS 15.4 – describes Multics implementation
• Intel Pentium II Software Developer’s
Manual: Volume 3. Sections 4.5 through 4.8
• Diagrams fetched from earlier version
• Current version at
http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
9/29/2010 Computer Security I 16
Memory Protection Rings
• Originally in Multics
• In the Intel architecture since the 80386
Privilege Levels
• CPU enforces constraints on memory access and
changes of control between different privilege levels
• Similar in spirit to Bell-LaPadula access control
restrictions
• Hardware enforcement of division between user
mode and kernel mode in operating systems
– Simple malicious code cannot jump into kernel space
Data Access Rules
• Access allowed if
– CPL <= DPL and RPL <= DPL
Data Access Rules
• Three players
– Code segment has a current privilege level CPL
– Operand segment selector has a requested privilege level
RPL
– Data segment descriptor for each memory segment includes a descriptor
privilege level DPL
• Segment is loaded if CPL <= DPL and RPL <= DPL
– i.e. both CPL and RPL are from more privileged rings
Data Access Examples
[Figure: worked data-access examples, not reproduced]
Direct Control Transfers
• For non-conforming code (the common case)
– RPL <= CPL && CPL == DPL
– Can only directly jump to code at same privilege level
Calling Through Gates
[Figure: call-gate diagram showing the gate DPL, not reproduced]
Call Gate Access Rules
• For Call
– CPL <= CG DPL
– RPL <= CG DPL
– Dst CS DPL <= CPL
• Same for JMP but
– Dst CS DPL == CPL
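The data-segment rule, the direct-transfer rule and the call-gate rules from the slides above, written out as an added check (this is not code from the course slides). The selector values are constructed, and the functions take privilege levels as plain integers instead of reading real descriptors; a smaller number is a more privileged ring.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The requested privilege level (RPL) is the low two bits of a segment selector. */
static unsigned selector_rpl(uint16_t selector) { return selector & 0x3u; }

/* Data segment: loaded only if CPL <= DPL and RPL <= DPL. */
static bool data_access_allowed(unsigned cpl, unsigned rpl, unsigned dpl) {
    return cpl <= dpl && rpl <= dpl;
}

/* Direct far JMP/CALL to a non-conforming code segment:
 * RPL <= CPL and CPL == DPL, so only code in the same ring is reachable. */
static bool direct_transfer_allowed(unsigned cpl, unsigned rpl, unsigned dst_dpl) {
    return rpl <= cpl && cpl == dst_dpl;
}

/* Transfer through a call gate: CPL and RPL must both be at least as
 * privileged as the gate's DPL. A CALL may land in a more privileged
 * target (dst DPL <= CPL); a JMP only in the same ring (dst DPL == CPL). */
static bool gate_transfer_allowed(unsigned cpl, unsigned rpl, unsigned gate_dpl,
                                  unsigned dst_dpl, bool is_jmp) {
    if (cpl > gate_dpl || rpl > gate_dpl) return false;
    return is_jmp ? dst_dpl == cpl : dst_dpl <= cpl;
}

int main(void) {
    /* Constructed selectors: GDT index 1 with RPL 3 (user) and RPL 0 (kernel). */
    const uint16_t user_sel = 0x000B, kern_sel = 0x0008;
    unsigned user_rpl = selector_rpl(user_sel), kern_rpl = selector_rpl(kern_sel);

    printf("ring 3 reads DPL 3 data:          %d\n", data_access_allowed(3, user_rpl, 3));
    printf("ring 3 reads DPL 0 data:          %d\n", data_access_allowed(3, user_rpl, 0));
    /* Kernel (CPL 0) using a user-supplied selector (RPL 3) on DPL 0 data is
     * refused: the RPL check stops the kernel being tricked into touching
     * kernel data on a user's behalf. */
    printf("ring 0 via RPL-3 selector, DPL 0: %d\n", data_access_allowed(0, user_rpl, 0));
    printf("ring 0 via RPL-0 selector, DPL 0: %d\n", data_access_allowed(0, kern_rpl, 0));
    printf("ring 3 far CALL straight to ring 0 code: %d\n", direct_transfer_allowed(3, user_rpl, 0));
    printf("ring 3 CALL through DPL-3 gate to ring 0: %d\n", gate_transfer_allowed(3, user_rpl, 3, 0, false));
    printf("ring 3 JMP through DPL-3 gate to ring 0:  %d\n", gate_transfer_allowed(3, user_rpl, 3, 0, true));
    printf("ring 3 CALL through DPL-0 gate:           %d\n", gate_transfer_allowed(3, user_rpl, 0, 0, false));
    return 0;
}
```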
Call Gate Examples
[Figure: worked call-gate examples, not reproduced]
Stack Switching
• Automatically performed when calling more
privileged code
– Prevents less privileged code from passing in short
stack and crashing more privileged code
– Each task has a stack defined for each privilege
level
Hardware Rings
• Only most basic features generally used
– 2 rings
– Installed base
• Time to adoption
– Must wait for widespread system code, e.g.
Windows NT