Introduction to Windows System Internals part I - PowerPoint PPT Presentation

About This Presentation

Title: Introduction to Windows System Internals part I

Description: Microsoft formed its team of 20 developers in November 1988 ... Longhorn. Commitment of the NT Architecture. Reliability Crash proof Operating System ...

Slides: 38
Provided by: dc214D
Transcript and Presenter's Notes

1
Introduction to Windows System Internals part I
  • by
  • Tim Shelton
  • Black Security
  • redsand_at_blacksecurity.org

2
Outline
  • Brief History of the Windows Operating Systems
  • Unicode Explained
  • Registry Basics
  • Windows Services (services.exe)
  • Startup and Shutdown Procedures
  • Q&A

3
Windows History Overview
  • Microsoft formed its team of 20 developers in
    November 1988
  • 4 core developers wrote key components
  • Began a dream to write an Advanced Operating
    System
  • Designed for Desktops and Servers
  • Secure, scalable Multi-Processor design
  • All new code base

4
Windows History Overview Cont.
  • Microsoft announced its commitment to rigorous
    discipline
  • Developers are required to write detailed
    documentation
  • Developers are required to undergo peer code
    review
  • Developers are required to unit test their code.

5
Windows History Overview Cont.
  • Past: Personal Computing, 16-32 bits, Windows
    9x code base, objective: bringing computers to
    the consumer. Features usability and
    compatibility.
  • Present: Enterprise Computing, 32/64 bits, NT
    code base, solid architectural foundation,
    objective: reliability, performance, and to meet
    the demands for Server Processing.
  • Future: Managed Code (.NET Framework),
    objective: World Domination (go figure!),
    Longhorn.

6
Commitment of the NT Architecture
  • Reliability: crash-proof Operating System
  • Security: built into the design from day one.
  • Portability: multi-processor support, avoiding
    non-portable solutions, flexible Hardware
    Abstraction Layer
  • Modularity: space to grow and needs to be
    fulfilled.
  • Performance: Microsoft is willing to sacrifice
    performance for all of the above.

7
Common Windows Internal Tools
  • File Monitor (filemon) - www.sysinternals.com
  • List DLLs loaded within a specific process'
    virtual address space (listdlls) -
    www.sysinternals.com
  • Kernel Debuggers (windbg, kd) - Platform SDK and
    Windows SDK
  • Live Kernel Debugging (livekd) -
    www.sysinternals.com
  • Object Viewer (winobj) - www.sysinternals.com
  • Process Explorer (procexp) - replacement for
    taskmgr and much more! www.sysinternals.com
  • And More! Visit the Platform SDK or
    www.sysinternals.com

8
  • Add text output/ screen shots here and next few
    slides

9
(No Transcript)
10
Unicode and Language Independence
  • Most internal text strings are stored and
    processed as 16-bit Unicode characters.
  • Unicode is an international character set
    standard that defines unique 2-byte values
    (maximum 65536 characters) for most of the
    world's known character sets.
  • References: www.unicode.org or MSDN Documentation

11
Unicode and Language Independence Cont.
  • Because most applications use 8-bit ANSI
    character sets, Windows functions that accept
    string parameters have two entry points: a
    Unicode and an ANSI version, e.g. CreateProcessA
    and CreateProcessW (found in kernel32.dll).
  • Lesson learned: use Unicode for multi-lingual
    support.
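As an added example (not part of the slides), the following Python models what the A/W split costs: how many WCHARs and bytes a wide string needs, and what is lost when it passes through an 8-bit ANSI entry point. The cp1252 code page and the '?' replacement are assumptions of the example (Windows' real conversion uses a best-fit mapping), but the lesson is the same: two different Unicode names can collapse to the same ANSI bytes, so a check performed on one form does not hold for the other, and character counts are not byte counts.

```python
"""Constructed example: the ANSI/Unicode (A/W) split modelled in Python.
Not code from the slides.  The '?' replacement emulates a lossy wide-to-ANSI
conversion; Windows' real best-fit mapping differs (assumption of this example)."""
from __future__ import annotations


def wide_buffer_bytes(text: str) -> int:
    """Bytes a W-function needs for `text`: UTF-16LE code units * 2, plus the
    2-byte terminating NUL.  len(text) counts code points, not WCHARs:
    characters outside the 16-bit BMP take two code units."""
    return len(text.encode("utf-16-le")) + 2


def wchar_count(text: str) -> int:
    """Number of 16-bit code units, which is what MAX_PATH-style limits count."""
    return len(text.encode("utf-16-le")) // 2


def to_ansi(text: str, codepage: str = "cp1252") -> tuple[bytes, bool]:
    """Emulate handing a wide string to an A-function on a Western code page.
    Returns the 8-bit bytes and whether the round trip was lossless."""
    data = text.encode(codepage, errors="replace")
    return data, data.decode(codepage) == text


def ansi_collision(a: str, b: str, codepage: str = "cp1252") -> bool:
    """True when two distinct wide strings become the same ANSI bytes: a check
    done on one form cannot be trusted to hold for the other."""
    return a != b and to_ansi(a, codepage)[0] == to_ansi(b, codepage)[0]


if __name__ == "__main__":
    # Constructed sample names: Latin-1, Cyrillic, and a non-BMP emoji.
    for s in ("C:\\Temp\\\u00c4rger.txt", "C:\\Temp\\\u0444\u0430\u0439\u043b.txt", "\U0001F600"):
        data, ok = to_ansi(s)
        print(f"{s!r}: {wchar_count(s)} WCHARs, {wide_buffer_bytes(s)} bytes wide; "
              f"ANSI {data!r} lossless={ok}")
    print("collision:", ansi_collision("\u03b1.txt", "\u03b2.txt"))
```

The last line is the point for anyone validating names before use: if the validation runs on the wide form and the consumer is an A-function (or the reverse), the two sides may not be looking at the same string.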

12
Windows Registry
  • Hives located in SystemRoot\Config\
  • A Hive is a logical file system within a flat
    file: Keys = directories, Values = files
  • Registry is a collection of Hives.
  • A Hive contains a collection of Bins.
  • A Bin contains a collection of Cells.
  • Each Cell is a unit of allocation containing raw
    data.

13
Windows Registry Cont.
  • Below are a few example NT APIs available for
    managing the Windows Registry:
    - NtEnumerateValueKey(KHANDLE, int)
    - NtQueryValueKey(KHANDLE, VarName)
    - NtLoadKey(KHANDLE, HiveFileName)
    - more found in Advapi32.dll

14
Windows Registry Cont.
  • A Hive is a file (two if you count the .LOG)
    - Primary holds the actual hive data
    - .LOG is used when flushing the hive (crash
      recovery)
  • Storage Mapping Types
    - Stable: maps to the hive file
    - Volatile: mapped into paged pool memory, lost
      after reboot.
  • Primary file grows in 256k increments to prevent
    fragmentation. First page (4k) is the registry
    header, followed by chained Bins.

15
Windows Registry Cont.
  • A Cell is the unit of storage allocation within
    a Hive.
  • Always 8-byte aligned.
  • Always reuse free cells if one with the same or
    greater exists.
  • If size is bigger, then split it and re-enlist
    in free cell table.

16
(No Transcript)
17
Windows Registry Cont.
  • Keys, Values, Security Descriptors, Indexes,
    etc. are all made up of Cells.
  • Retrieving a value within a Key might involve
    several faults spread across the Hive file.
    - Solution: Registry Hive Caching (Win2k) and
      locality enforcement (XP/.NET) to help with
      performance.

18
Registry Hive Flush
  • Most expensive operation; called externally by
    NtFlushKey/RegFlushKey, or any time a value is
    written to the Hive (SetValue, DeleteValue,
    CreateKey, DeleteKey, etc). Automatic Flush at
    Shutdown/Reboot.
  • Lazy Flush waits 5 seconds after a write, then
    walks the list of Hives looking for Cells marked
    as Dirty. Ignores Hives marked as
    NO_LAZY_FLUSH.
  • During a Flush, the registry is marked as
    read-only.
  • No data is written to the Hive File until the
    Flush is completed. This may lead to a possible
    loss of data.

19
Registry Loading the Hive
  • Loaded at boot time by the Boot Loader (NTLDR) and
    the kernel (ntoskrnl.exe)
  • Explicitly loaded by calling NtLoadKey/RegLoadKey
    - This requires the Restore security privilege.
  • Files are opened in exclusive mode and kept
    open by the kernel.
  • Read the Primary header and verify checksums; if
    this fails:
    - Physical integrity check: walk the entire Hive
      and check each individual cell
    - Logical integrity check: walk the tree and
      check every key/value.
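The registry slides above (4k header followed by chained Bins, 8-byte-aligned Cells, the .LOG for crash recovery, and the checksum plus physical integrity check done at load) can be tied together with a small parser. The following Python is an added example, not the deck's code and not Microsoft's: it builds a one-bin hive image and then validates it the way the loading slide describes. Field offsets follow the public 'regf' on-disk layout (signature, two sequence numbers, version, root cell offset, bins size, file name, XOR checksum at 0x1FC; 'hbin' headers of 32 bytes; a signed 4-byte cell size where negative means allocated); the file name and cell sizes are constructed for the example.

```python
"""Constructed example: build a minimal one-bin registry hive image, then check
it like the loader does (header checksum, then a physical walk of every bin and
cell).  Not the slides' code; offsets follow the public 'regf' layout."""
import struct

HEADER_SIZE = 4096   # first 4k page of the primary file is the hive header
HBIN_HEADER = 32     # bytes of header at the start of every 'hbin'
BIN_SIZE = 4096      # bins are allocated in 4k multiples


def header_checksum(hdr: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field at offset 0x1FC."""
    cs = 0
    for (dw,) in struct.iter_unpack("<I", hdr[:0x1FC]):
        cs ^= dw
    if cs == 0xFFFFFFFF:   # the two values the format reserves
        cs = 0xFFFFFFFE
    elif cs == 0:
        cs = 1
    return cs


def build_hive(cell_sizes, name: str = "EXAMPLE.DAT") -> bytes:
    """Make a hive with one bin.  Negative sizes mean allocated cells, positive
    sizes free cells (the on-disk convention); the bin is padded with a free cell."""
    used = sum(abs(s) for s in cell_sizes)
    pad = BIN_SIZE - HBIN_HEADER - used
    if pad:
        cell_sizes = list(cell_sizes) + [pad]          # trailing free cell
    cells = b"".join(struct.pack("<i", s) + bytes(abs(s) - 4) for s in cell_sizes)
    # hbin: signature, offset relative to the bins area, size, reserved, timestamp, spare
    hbin = b"hbin" + struct.pack("<II", 0, BIN_SIZE) + bytes(8) + struct.pack("<Q", 0) + bytes(4)
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    # seq1, seq2, timestamp, major, minor, type, format, root cell (not walked here),
    # hive bins data size, clustering factor
    struct.pack_into("<IIQIIIIIII", hdr, 4, 1, 1, 0, 1, 3, 0, 1, 0x20, BIN_SIZE, 1)
    hdr[48:48 + 64] = name.encode("utf-16-le").ljust(64, b"\0")
    struct.pack_into("<I", hdr, 0x1FC, header_checksum(hdr))
    return bytes(hdr) + hbin + cells


def parse_hive(image: bytes):
    """Return [(file_offset, size, allocated)] for every cell, or raise ValueError."""
    hdr = image[:HEADER_SIZE]
    if hdr[:4] != b"regf":
        raise ValueError("not a hive: bad 'regf' signature")
    if struct.unpack_from("<I", hdr, 0x1FC)[0] != header_checksum(hdr):
        raise ValueError("header checksum mismatch")
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    if seq1 != seq2:   # the loader would turn to the .LOG here
        raise ValueError("sequence numbers differ: last flush did not complete")
    bins_size = struct.unpack_from("<I", hdr, 40)[0]
    cells, pos, end = [], HEADER_SIZE, HEADER_SIZE + bins_size
    while pos < end:                                   # chained bins
        if image[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad 'hbin' signature at {pos:#x}")
        rel, size = struct.unpack_from("<II", image, pos + 4)
        if rel != pos - HEADER_SIZE or size == 0 or size % BIN_SIZE:
            raise ValueError(f"bad bin header at {pos:#x}")
        cpos, bin_end = pos + HBIN_HEADER, pos + size
        while cpos < bin_end:                          # cells within the bin
            (signed,) = struct.unpack_from("<i", image, cpos)
            n = abs(signed)
            if n < 8 or n % 8 or cpos + n > bin_end:   # cells are 8-byte aligned
                raise ValueError(f"bad cell size {signed} at {cpos:#x}")
            cells.append((cpos, n, signed < 0))
            cpos += n
        pos = bin_end
    return cells


def check_integrity(image: bytes) -> str:
    """Summarise a hive as 'ok: N cells' or the first integrity error found."""
    try:
        cells = parse_hive(image)
    except ValueError as e:
        return f"corrupt: {e}"
    return f"ok: {len(cells)} cells"


if __name__ == "__main__":
    good = build_hive([-16, 32, -24])
    print(check_integrity(good))
    damaged = bytearray(good)
    damaged[0x30] ^= 0xFF            # flip a byte inside the header's file name
    print(check_integrity(bytes(damaged)))
    print(check_integrity(build_hive([-12])))   # 12-byte cell breaks 8-byte alignment
```

The header checksum only covers the 4k header, which is why a second, physical pass over the cells is needed before the tree walk: a bin whose cell sizes do not chain cleanly to its end is exactly what the checksum cannot see.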

20
Registry Hives Locations
  • Two distinct User hives per account, located in
    USERPROFILE:
    - NTUSER.DAT: mounted under HKEY_USERS\SID,
      roaming enabled (if roaming profiles are used)
    - UsrClass.DAT: local (no roaming)
  • Special hives similar to the above, always
    loaded:
    - S-1-5-18 SYSTEM account
    - S-1-5-19 Local Service
    - S-1-5-20 Network Service

21
Registry Review
  • Registry is intended to maintain configuration
    data.
  • Stored in a special, highly tuned flat file.
  • Native APIs can be found within Advapi32
  • Used by the kernel, drivers, internal system,
    applications, security, policies, and more

22
Services Explained
  • What are services?
  • Processes that run without the need for an
    interactive logon.
  • This is the Windows equivalent of the UNIX
    daemon.

23
NT Services
  • Started early during boot process by
    winlogon.exe
  • Responsible for enforcing service load order and
    dependencies.
  • Starts all service processes marked for load on
    boot.
  • Manages all service processes
    - Only allows access to services via API
    - Access guarded by use of access checks.
  • Can be configured to run under any account (such
    as LocalSystem).

24
NT Services
  • Examples of common services:
    - spoolsv.exe (Print Spooler, running as
      LocalSystem only)
    - svchost.exe (Generic host, any account)
    - services.exe (Eventlog, Plug n Play, running
      with NT Authority\SYSTEM privileges)
  • Services register with both a Service Name and a
    Service Description, e.g. ALG vs. Application
    Layer Gateway Service

25
NT Services
  • Configuration: HKLM\SYSTEM\CurrentControlSet\Services
  • Follows the Service Programming Model
    - Requires ServiceMain and Handler (Ex)
    - Multiple services within each process must
      implement their own ServiceMain
  • If a service is its own executable, it must call
    StartServiceCtrlDispatcher in WinMain, which will
    in turn call ServiceMain.

26
svchost.exe
  • Individual services can be configured to run
    within svchost.exe
    - Initialized within configuration during Service
      Creation
    - SystemRoot\system32\svchost.exe -k <service name>
    - svchost Service list is static; an instance must
      be added to HKLM\Software\Microsoft\Windows\Svchost
  • When svchost begins, it will read the list of
    services and set up a generic ServiceMain routine.
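Because the svchost service list is static, a defender can reconcile it against every service whose ImagePath claims to run inside svchost.exe. The following Python is an added example, not from the slides: the two dicts are constructed stand-ins for the Services\<name>\ImagePath values and for the Svchost group key named on the slide, and the service names and paths are illustrative. It flags three mismatches worth investigating: a svchost binary outside System32, a -k group that does not exist, and a service that is hosted under a group it is not listed in.

```python
"""Constructed example (not the slides' code): reconcile svchost-hosted services
against the static svchost group list.  Registry content is simulated with dicts."""
import re

# Constructed: contents of the Svchost group key (group name -> hosted services)
SVCHOST_GROUPS = {
    "netsvcs": ["Schedule", "wuauserv", "Themes"],
    "LocalService": ["WebClient", "SSDPSRV"],
}

# Constructed: ImagePath values of a few services
SERVICES = {
    "Schedule":  r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv":  r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "WebClient": r"%SystemRoot%\System32\svchost.exe -k LocalService",
    "Spooler":   r"%SystemRoot%\System32\spoolsv.exe",
    "Helper":    r"%SystemRoot%\System32\svchost.exe -k netsvcs",    # not in the netsvcs list
    "UpdateSvc": r"C:\Users\Public\svchost.exe -k netsvcs",          # svchost outside System32
    "Backup":    r"%SystemRoot%\System32\svchost.exe -k backupsvc",  # group does not exist
}

# ImagePath of a hosted service: <path to svchost.exe> -k <group>
SVCHOST_RE = re.compile(r"^(?P<exe>.*?svchost\.exe)\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
EXPECTED_EXE = r"%systemroot%\system32\svchost.exe"


def audit_svchost(services: dict, groups: dict) -> list:
    """Return sorted (service, finding) pairs for svchost-hosted services whose
    binary path or group membership does not match the static configuration."""
    by_group = {g.casefold(): {s.casefold() for s in names} for g, names in groups.items()}
    findings = []
    for name, image in services.items():
        m = SVCHOST_RE.match(image.strip().strip('"'))
        if not m:
            continue            # not hosted by svchost; out of scope for this check
        exe, group = m["exe"].strip('"').casefold(), m["group"].casefold()
        if exe != EXPECTED_EXE:
            findings.append((name, f"svchost binary outside System32: {m['exe']}"))
        if group not in by_group:
            findings.append((name, f"unknown svchost group '{m['group']}'"))
        elif name.casefold() not in by_group[group]:
            findings.append((name, f"not listed in group '{m['group']}'"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit_svchost(SERVICES, SVCHOST_GROUPS):
        print(f"{service}: {finding}")
```

On a real host the two dicts would be filled from the registry (for example with reg.exe exports); the comparison itself is unchanged. Service and group names are compared case-insensitively because the registry treats them that way.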

27
Startup Procedure
  • Files Required for Successful Boot

28
Startup Procedure
  • Initially the Boot Sector will find and load
    Ntldr. Below are the steps Ntldr takes:
  • When NTLDR runs, it switches the processor into
    32-bit flat memory mode (until this point the
    computer was running in real mode, just like your
    old 8086 or 8088 CPU).
  • It then starts the appropriate mini-file system
    (e.g. FAT, NTFS), so that it can read the files
    from the disk.
  • It will then read the Boot.ini file and display
    the boot menu on the screen.

29
Startup Procedure
  • Ntldr Continued
  • If an OS other than Windows 2000 is selected,
    NTLDR then loads the bootsect.dos file and passes
    control to it, which then boots the other OS.
  • If a Windows OS is selected, then NTLDR runs
    Ntdetect.com to gather information about the
    computer's hardware.
  • Hardware includes Computer ID, Video Adapter,
    Keyboard, etc.
  • It is also in this step when you can choose to
    press F8 for troubleshooting and advanced startup
    options.

30
Startup Procedure
  • Ntoskrnl begins the first of two phases
  • Disable Interrupts
  • Calls KiSystemStartup -> HalInitializeProcessor
    -> KiInitializeKernel (per CPU)
  • Proceeds to call ExpInitializeExecutive which
    loads critical resource management interfaces
    (Plug n Play, Security Monitor, Memory Manager)
  • Phase two begins
  • Ntoskrnl re-enables Interrupts and displays the
    Windows Boot Status Screen
  • Ntoskrnl loads the HARDWARE Registry hive
  • Ntoskrnl proceeds to initialize the necessary
    drivers

31
Startup Procedure
  • This step begins with the starting of the Session
    Manager (Smss.exe)
  • Smss, being a native application, can perform
    unique actions.
  • Creation of Security Tokens
  • Uses its own native API, unavailable to the rest
    of Windows
  • Smss's first task is initializing the rest of the
    Registry Hives
  • Smss then runs any programs defined in
    HKLM\SYSTEM\CurrentControlSet\Control\Session
    Manager\BootExecute
  • Smss loads the Windows Subsystem (Win32k.sys)
  • Smss then loads Csrss and Winlogon

32
Startup Procedure
  • Winlogon and Csrss
  • Winlogon then performs its startup steps such as
    creating the initial window station and desktop
    objects.
  • Winlogon then loads Msgina.dll (or replacement)
    to handle WlxLoggedOutSAS, displaying the
    standard Windows logon dialog box.
  • Winlogon creates the Service Control Manager
    (SCM) or services.exe
  • Loads all the necessary services marked for
    auto-start
  • Loads the Local Security Authentication Subsystem
    (Lsass)

33
Startup Procedure
  • Winlogon and Csrss
  • SCM deems the boot successful and updates the
    Last Known Good Configuration located at
    HKLM\SYSTEM\Select\LastKnownGood to match
    \CurrentControlSet

34
Startup Procedure
  • Post Authentication
  • Winlogon maps HKCU and sets the User Environment
    stored in HKCU\Environment
  • Msgina loads executables within
    HKLM\Software\Windows NT\CurrentVersion\WinLogon\Userinit
  • Userinit.exe processes user scripts and machine
    logon scripts
  • If group policy specifies it, the user quota is
    loaded (SystemDirectory\Proquota.exe)
  • Launches the comma-separated shell(s) specified in
    HKCU\Software\Microsoft\Windows
    NT\CurrentVersion\Winlogon\Shell (default is
    Explorer.exe)

35
Shutdown Procedure
  • ExitWindowsEx()
  • Csrss impersonates the caller and sends a Windows
    Message to a hidden window owned by Winlogon,
    telling it to shut down
  • Csrss traverses through each user process
    informing it of its intentions.
  • Csrss calls ExitWindowsEx() once again within
    System space, informing csrss to kill any
    processes owned by SYSTEM.
  • Winlogon calls NtSetSystemPowerState
  • Sends shutdown I/O packets to all device drivers
    that have requested shutdown notification.
  • Winlogon then sets the power status to the
    required request. (Shutdown, Reboot)

36
Questions?
  • Now is the time to hit me with all you got!

37
Kill() Time()
  • Windows Shatter Attacks
  • Windows CreateRemoteThread Injection
  • DLL Detach Injection