8/9/2019 2006 01 DC214 WinsysInternals
1/37
Introduction to Windows System Internals part I
by Tim Shelton, Black Security
[email protected]
2/37
Outline
Brief History of the Windows Operating Systems
Unicode Explained
Registry Basics
Windows Services (services.exe)
Startup & Shutdown Procedures
Q&A
3/37
Windows History
Overview
Microsoft formed its team of 20 developers in November 1988
4 core developers wrote key components
Began a dream to write an Advanced Operating System
Designed for Desktops and Servers
Secure, scalable Multi-Processor design
All new code base
4/37
Windows History
Overview Cont.
Microsoft announced its commitment to rigorous discipline
Developers are required to provide detailed documentation
Developers are required to do peer code review
Developers are required to unit test their code.
5/37
Windows History
Overview Cont.
Past - Personal Computing, 16-32 bits, Windows 9x code base, objective: bringing computers to the consumer. Features - usability and compatibility
Present - Enterprise Computing, 32/64 bits, NT code base, solid architectural foundation, objective: reliability, performance, and to meet the demands for Server Processing.
Future - Managed Code (.NET Framework), objective: World Domination (go figure) Longhorn.
6/37
Commitment of the NT Architecture
Reliability - Crash proof Operating System
Security - Built into design from day one.
Portability - Multi-processor support, avoiding non-portable solutions, flexible hardware abstraction Layer
Modularity - Space to grow and needs to be fulfilled.
Performance - Microsoft is willing to sacrifice performance for all of the above.
7/37
Common Windows Internal Tools
File Monitor - [filemon] www.sysinternals.com
List DLLs loaded within a specific process' virtual address space - [listdlls] www.sysinternals.com
Kernel Debuggers [windbg, kd] Platform SDK and Windows SDK
Live Kernel Debugging [livekd] www.sysinternals.com
Object Viewer - [winobj] www.sysinternals.com
Process Explorer - [procexp] replacement for taskmgr and much more www.sysinternals.com
And More: Visit the Platform SDK or www.sysinternals.com
8/37
*dd te"t output> screen shots here and*dd te"t output> screen shots here andne"t few slidesne"t few slides
9/37
10/37
Unicode and Language Independence
Most internal text strings are stored and processed as 16-bit Unicode characters.
Unicode is an international character set standard that defines unique 2-byte values (maximum 65536 characters) for most of the world's known character sets.
References
11/37
Unicode and Language Independence Cont.
Because most applications use 8-bit ANSI character sets, Windows functions that accept string parameters have two entry points: a Unicode and an ANSI version. Ex
12/37
13/37
Windows Registry Cont.
Below are a few Example NT API's available for managing the Windows Registry
14/37
Windows Registry Cont.
A Hive is a file (two if you count the .LOG)
- Primary: holds the actual hive data
- .LOG: used when flushing the hive (crash recovery)
Storage Mapping Types
15/37
Windows Registry Cont.
A Cell is the unit of storage allocation within a Hive.
Always 8-byte aligned.
Always reuse free cells if one with the same or greater size exists.
If the free cell is bigger, then split it and re-enlist the remainder in the free cell table.
16/37
17/37
Windows Registry Cont.
Keys, Values, Security Descriptors, Indexes, etc. are all made up of Cells.
Retrieving a value within a Key might involve several faults spread across the Hive file.
- Solution: Registry Hive Caching (Win2k), locality enforcement (XP/.NET) to help with performance.
18/37
Registry: Hive Flush
Most "expensive" operation, called externally by NtFlushKey/RegFlushKey, or anytime a value is written to the Hive (SetValue, DeleteValue, CreateKey, DeleteKey, etc). Automatic Flush at Shutdown/Reboot
"Lazy Flush" waits 5 seconds after write then walks the list of Hives looking for Cells marked as 'Dirty'. Ignores Hives marked as NO_LAZY_FLUSH.
During Flush, registry is marked as read-only
No data is written to the Hive File until the Flush is completed. This may lead to a possible loss of data.
19/37
Registry: Loading the Hive
Loaded at boot time by Boot Loader (NTLDR) and the kernel (ntoskrnl.exe)
Explicitly loaded by calling NtLoadKey/RegLoadKey
- This requires 'Restore' security privileges.
Files are opened in "exclusive" mode and kept open by the kernel.
Read Primary header and verify checksums, if failed
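The header check and cell rules from the last few slides (Primary file, 8-byte aligned cells, a flush that leaves the file inconsistent if interrupted), worked through as an added example that is not part of the original deck. It constructs a minimal hive in memory so it runs offline; the field offsets, the XOR-of-127-DWORDs checksum rule and the primary/secondary sequence-number pair are taken from the regf file format, not from the slides.

```python
import struct

BASE_BLOCK = 4096  # the Primary header ("regf" base block); hbins follow it

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum at offset 508 (plus the format's two special cases)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def build_hive(dirty: bool = False) -> bytes:
    """Constructed sample: base block + one hbin with an allocated 32-byte key stub and one free cell."""
    hdr, seq, hbin_size = bytearray(BASE_BLOCK), 7, 4096
    # sig, primary seq, secondary seq, timestamp, major, minor, type (0 = Primary), format, root cell, hbins size
    struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", seq,
                     seq - 1 if dirty else seq, 0, 1, 5, 0, 1, 32, hbin_size)
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    hbin = bytearray(hbin_size)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, hbin_size)  # 32-byte hbin header
    struct.pack_into("<i2s", hbin, 32, -32, b"nk")             # negative size = allocated cell
    struct.pack_into("<i", hbin, 64, hbin_size - 64)           # positive size = free cell
    return bytes(hdr + hbin)

def parse_hive(data: bytes) -> dict:
    """Verify the Primary header, flag a flush that never completed, walk all cells checking alignment."""
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    if struct.unpack_from("<I", data, 508)[0] != regf_checksum(data[:BASE_BLOCK]):
        raise ValueError("base block checksum mismatch: hive needs recovery")
    pri, sec = struct.unpack_from("<II", data, 4)   # differ when a write was interrupted
    (hbins_size,) = struct.unpack_from("<I", data, 40)
    cells, pos = [], BASE_BLOCK
    while pos < BASE_BLOCK + hbins_size:
        sig, _off, size = struct.unpack_from("<4sII", data, pos)
        if sig != b"hbin":
            raise ValueError(f"bad hbin signature at {pos:#x}")
        cur = pos + 32
        while cur < pos + size:
            (raw,) = struct.unpack_from("<i", data, cur)
            length = abs(raw)
            if length == 0 or length % 8:
                raise ValueError(f"cell at {cur:#x} breaks 8-byte alignment")
            cells.append((cur, length, raw < 0))  # (offset, size, allocated?)
            cur += length
        pos += size
    return {"dirty": pri != sec, "cells": cells}
```

A hive whose sequence numbers disagree is exactly the case the .LOG exists for: the Primary file cannot be trusted until the logged writes are replayed.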
20/37
Registry: Hives Locations
Two distinct User hives per account. Located in %USERPROFILE%
- NTUSER.DAT: Mounted under HKEY_USERS\SID, roaming enabled (if roaming profiles are used)
- UsrClass.DAT: local (no roaming)
Special hives similar to above always loaded
21/37
Registry: Review
Registry is intended to maintain configuration data.
Stored in a special, highly tuned flat file.
Native APIs can be found within Advapi32
Used by the kernel, drivers, internal system, applications, security, policies, and more...
22/37
Ser$ices !"plainedSer$ices !"plained
What are ser$icesXWhat are ser$icesX
(rocesses that run without the need for an(rocesses that run without the need for aninteracti$e logon.interacti$e logon.
This is the Windows e7ui$alent of the IThis is the Windows e7ui$alent of the Idaemon.daemon.
23/37
NT Services
Started early during boot process by winlogon.exe
Responsible for enforcing service load order and dependencies.
Starts all service processes marked for load on boot.
Manages all service processes
- Only allows access to service via API
- Access guarded by use of access checks.
Can be configured to run under any account (such as LocalSystem).
24/37
NT Services: Examples of common services
25/37
NT Services: Configuration
26/37
s$chost.e"es$chost.e"eIndi$idual ser$ices can be con?gured to runIndi$idual ser$ices can be con?gured to run
within s$chost.e"ewithin s$chost.e"e5 InitialiRed within con?guration during5 InitialiRed within con?guration during
Ser$ice 6reationSer$ice 6reation55 System#ootJsystem:,Js$chost.e"e 8k Yser$iceSystem#ootJsystem:,Js$chost.e"e 8k Yser$ice
nameZnameZ
5 s$chost Ser$ice list is static4 instance5 s$chost Ser$ice list is static4 instancemust bemust be added to
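A defender-side consistency check for the svchost configuration described above, added here as an example and not part of the original deck. The group list is constructed inline (on a real system it is read from the Svchost key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, one multi-string value per group; that location is general knowledge, not from the slides), as are the sample ImagePath values; the function flags hosted services whose -k group is not in the static list, services missing from their group's list, and svchost binaries outside system32.

```python
import re

# Constructed sample of the static svchost group list: group name -> services allowed in it.
SVCHOST_GROUPS = {
    "netsvcs": ["Schedule", "Themes"],
    "LocalService": ["SSDPSRV"],
}

# Constructed sample of service ImagePath values (the -k argument names the group).
SERVICES = {
    "Schedule": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "Themes":   r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "SSDPSRV":  r"%SystemRoot%\system32\svchost.exe -k LocalService",
    "Spooler":  r"%SystemRoot%\System32\spoolsv.exe",             # own process, not svchost
    "Helper":   r"%SystemRoot%\system32\svchost.exe -k netsvcs",  # never added to the group
    "Unknown1": r"%SystemRoot%\system32\svchost.exe -k extra",    # group does not exist
    "Updater":  r"C:\Users\Public\svchost.exe -k netsvcs",        # svchost copy outside system32
}

SVCHOST_RE = re.compile(r'^"?(?P<path>[^"]*?svchost\.exe)"?\s+-k\s+"?(?P<group>[^\s"]+)',
                        re.IGNORECASE)
EXPECTED_PATH = r"%systemroot%\system32\svchost.exe"

def audit_svchost(groups: dict, services: dict) -> list:
    """Return (service, reason) findings for svchost-hosted services whose ImagePath
    disagrees with the static group list or with the expected svchost binary."""
    groups_ci = {g.lower(): {s.lower() for s in svcs} for g, svcs in groups.items()}
    findings = []
    for name, image in services.items():
        m = SVCHOST_RE.match(image)
        if not m:
            continue  # runs in its own process; not in scope for this check
        path, group = m.group("path"), m.group("group")
        if path.lower() != EXPECTED_PATH:
            findings.append((name, f"svchost binary outside system32: {path}"))
        if group.lower() not in groups_ci:
            findings.append((name, f"unknown svchost group '{group}'"))
        elif name.lower() not in groups_ci[group.lower()]:
            findings.append((name, f"service not listed in group '{group}'"))
    return findings

if __name__ == "__main__":
    for svc, why in audit_svchost(SVCHOST_GROUPS, SERVICES):
        print(f"{svc}: {why}")
```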
27/37
Startup Procedure
Files Required for Successful Boot
28/37
Startup Procedure
Initially the Boot Sector will find and load Ntldr. Below are the steps of Ntldr
29/37
Startup Procedure
Ntldr Continued
O packets to all device drivers that have requested shutdown notification.
- Winlogon then sets the power status to the required request. (Shutdown, Reboot)
36/37
Questions?
Now is the time to hit me with all you got!Now is the time to hit me with all you got!
37/37
Kill() Time()
Windows Shatter Attacks
Windows CreateRemoteThread Injection
DLL Detach Injection