2006 01 DC214 WinsysInternals


  • 8/9/2019 2006 01 DC214 WinsysInternals

    1/37

    Introduction to Windows System Internals part I

    by Tim Shelton, Black Security

    [email protected]

    2/37

    Outline

    Brief History of the Windows Operating Systems
    Unicode Explained
    Registry Basics
    Windows Services (services.exe)
    Startup & Shutdown Procedures
    Q&A

    3/37

    Windows History

    Overview
    Microsoft formed its team of 20 developers in November 1988
    4 core developers wrote key components
    Began a dream to write an Advanced Operating System
    Designed for Desktops and Servers
    Secure, scalable Multi-Processor design
    All new code base

    4/37

    Windows History

    Overview Cont.
    Microsoft announced its commitment to rigorous discipline
    Developers are required to produce detailed documentation
    Developers are required to do peer code review
    Developers are required to unit test their code.

    5/37

    Windows History

    Overview Cont.
    Past - Personal Computing, 16-32 bits, Windows 9x code base, objective: bringing computers to the consumer. Features - usability and compatibility
    Present - Enterprise Computing, 32/64 bits, NT code base, solid architectural foundation, objective: reliability, performance, and to meet the demands for Server Processing.
    Future - Managed Code (.NET Framework), objective: World Domination (go figure) Longhorn.

    6/37

    Commitment of the NT Architecture

    Reliability - Crash proof Operating System
    Security - Built into design from day one.
    Portability - Multi-processor support, avoiding non-portable solutions, flexible hardware abstraction Layer
    Modularity - Space to grow and needs to be fulfilled.
    Performance - Microsoft is willing to sacrifice performance for all of the above.

    7/37

    Common Windows Internal Tools

    File Monitor - [filemon] www.sysinternals.com
    List DLLs loaded within a specific process' virtual address space - [listdlls] www.sysinternals.com
    Kernel Debuggers [windbg, kd] Platform SDK and Windows SDK
    Live Kernel Debugging [livekd] www.sysinternals.com
    Object Viewer - [winobj] www.sysinternals.com
    Process Explorer - [procexp] replacement for taskmgr and much more www.sysinternals.com
    And More: Visit the Platform SDK or www.sysinternals.com
    http://www.sysinternals.com/
    8/37

    Add text output/screen shots here and next few slides

    9/37

    10/37

    Unicode and Language Independence

    Most internal text strings are stored and processed as 16-bit Unicode characters.
    Unicode is an international character set standard that defines unique 2-byte values (maximum 65,536 characters) for most of the world's known character sets.

    References

    11/37

    Unicode and Language Independence Cont.

    Because most applications use 8-bit ANSI character sets, Windows functions that accept string parameters have two entry points: a Unicode and an ANSI version. Ex
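    Added example, not from the slides: a constructed C model of the two-entry-point pattern just described, where the ANSI ("A") entry converts its 8-bit argument to 16-bit Unicode and forwards to the Unicode ("W") entry. KeyNameLengthA/W, ansi_to_wide and the ASCII-only conversion are assumptions of this toy model, not Windows API names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the "A"/"W" entry-point pattern; not Windows code.
 * The W version is the real implementation on 16-bit characters; the A
 * version converts its 8-bit argument and forwards to it. */

/* Length in 16-bit code units (what wcslen() does on Windows). */
size_t wide_len(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Assumption: input is 7-bit ASCII, the one ANSI subset that converts to
 * UTF-16 without a code-page table. The buffer is sized in characters
 * (len + 1), i.e. 2 * (len + 1) bytes. Caller frees. */
uint16_t *ansi_to_wide(const char *a) {
    size_t len = strlen(a);
    uint16_t *w = malloc((len + 1) * sizeof *w);
    if (w == NULL) return NULL;
    for (size_t i = 0; i <= len; i++)
        w[i] = (uint8_t)a[i];          /* zero-extend; copies the NUL too */
    return w;
}

/* "W" entry point: works directly on the Unicode string. */
size_t KeyNameLengthW(const uint16_t *name) { return wide_len(name); }

/* "A" entry point: convert, forward to W, release the temporary copy. */
size_t KeyNameLengthA(const char *name) {
    uint16_t *w = ansi_to_wide(name);
    if (w == NULL) return 0;
    size_t n = KeyNameLengthW(w);
    free(w);
    return n;
}

/* Why the two paths must not be mixed: handing the UTF-16 buffer to an
 * 8-bit string routine stops at the first zero byte, so "Software" looks
 * one character long and the rest of the name is silently dropped. */
size_t ansi_view_of_wide(const char *a) {
    uint16_t *w = ansi_to_wide(a);
    if (w == NULL) return 0;
    size_t seen = strlen((const char *)w);
    free(w);
    return seen;
}
```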

    12/37

    13/37

    Windows Registry Cont.

    Below are a few Example NT APIs available for managing the Windows Registry

    14/37

    Windows Registry Cont.

    A Hive is a file (two if you count the .LOG)
    - Primary: holds the actual hive data
    - .LOG: used when flushing the hive (crash recovery)

    Storage Mapping Types

    15/37

    Windows Registry Cont.

    A Cell is the unit of storage allocation within a Hive.
    Always 8-byte aligned.
    Always reuse free cells if one with the same or greater size exists.
    If the size is bigger, then split it and re-enlist the remainder in the free cell table.
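    Added example, not from the slides: a constructed C simulation of the cell allocation rules on this slide (8-byte alignment, reuse of a free cell of the same or greater size, splitting with the remainder re-enlisted in the free cell table, growing the hive only when nothing fits). Hive, hive_alloc and hive_free are assumptions of this toy model and not the regf on-disk format or kernel code.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of hive cell allocation as the slide describes it. This is a
 * constructed simulation, not the real hive format. */
#define MAX_FREE 64
#define CELL_MIN 8                  /* cells are always 8-byte aligned */

typedef struct { uint32_t off, size; } FreeCell;
typedef struct {
    FreeCell free_list[MAX_FREE];   /* the free cell table */
    uint32_t n_free;
    uint32_t end;                   /* first never-used offset in the hive */
} Hive;

static uint32_t align8(uint32_t n) { return (n + 7u) & ~7u; }

void hive_init(Hive *h) { memset(h, 0, sizeof *h); }

/* Return a cell to the free cell table. Rejects anything that is not
 * 8-byte aligned, since such a cell could never have been handed out. */
int hive_free(Hive *h, uint32_t off, uint32_t size) {
    if (h->n_free == MAX_FREE || (off & 7u) || (size & 7u) || size == 0)
        return -1;
    h->free_list[h->n_free].off = off;
    h->free_list[h->n_free].size = size;
    h->n_free++;
    return 0;
}

/* Allocate a cell: reuse the first free cell of the same or greater size;
 * if it is bigger, split it and re-enlist the remainder; if nothing fits,
 * extend the hive. Returns the cell offset and stores the rounded size. */
uint32_t hive_alloc(Hive *h, uint32_t request, uint32_t *got) {
    uint32_t need = request < CELL_MIN ? CELL_MIN : align8(request);
    for (uint32_t i = 0; i < h->n_free; i++) {
        FreeCell *fc = &h->free_list[i];
        if (fc->size < need) continue;
        uint32_t off = fc->off;
        if (fc->size > need) {        /* split: remainder stays enlisted */
            fc->off += need;          /* both are multiples of 8, so the */
            fc->size -= need;         /* remainder is never below CELL_MIN */
        } else {                      /* exact fit: drop the entry */
            *fc = h->free_list[--h->n_free];
        }
        *got = need;
        return off;
    }
    uint32_t off = h->end;            /* nothing fits: grow the hive */
    h->end += need;
    *got = need;
    return off;
}
```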

    16/37

    17/37

    Windows Registry Cont.

    Keys, Values, Security Descriptors, Indexes, etc. are all made up of Cells.
    Retrieving a value within a Key might involve several faults spread across the Hive file.
    - Solution: Registry Hive Caching (Win2k), locality enforcement (XP/.NET) to help with performance.

    18/37

    Registry: Hive Flush

    Most "expensive" operation, called externally by NtFlushKey/RegFlushKey, or anytime a value is written to the Hive (SetValue, DeleteValue, CreateKey, DeleteKey, etc). Automatic Flush at Shutdown/Reboot.
    "Lazy Flush" waits seconds after a write, then walks the list of Hives looking for Cells marked as 'Dirty'. Ignores Hives marked as NO_LAZY_FLUSH.
    During Flush, the registry is marked as read-only.
    No data is written to the Hive File until the Flush is completed. This may lead to a possible loss of data.

    19/37

    Registry: Loading the Hive

    Loaded at boot time by the Boot Loader (NTLDR) and the kernel (ntoskrnl.exe)
    Explicitly loaded by calling NtLoadKey/RegLoadKey
    - This requires 'Restore' security privileges.
    Files are opened in "exclusive" mode and kept open by the kernel.
    Read Primary header and verify checksums, if failed

    20/37

    Registry: Hive Locations

    Two distinct User hives per account. Located in %USERPROFILE%
    - NTUSER.DAT: Mounted under HKEY_USERS\SID, roaming enabled (if roaming profiles are used)
    - UsrClass.DAT: local (no roaming)
    Special hives similar to above always loaded

    21/37

    Registry: Review

    Registry is intended to maintain configuration data.
    Stored in a special, highly tuned flat file.
    Native APIs can be found within Advapi32
    Used by the kernel, drivers, internal system, applications, security, policies, and more...

    22/37

    Services Explained

    What are services?
    Processes that run without the need for an interactive logon.
    This is the Windows equivalent of the UNIX daemon.

    23/37

    NT Services

    Started early during the boot process by winlogon.exe
    Responsible for enforcing service load order and dependencies.
    Starts all service processes marked for load on boot.
    Manages all service processes
    - Only allows access to services via API
    - Access guarded by use of access checks.
    Can be configured to run under any account (such as LocalSystem).

    24/37

    NT Services

    Examples of common services

    25/37

    NT Services

    Configuration

    26/37

    svchost.exe

    Individual services can be configured to run within svchost.exe
    - Initialized within configuration during Service Creation
    - %SystemRoot%\system32\svchost.exe -k "service name"
    - svchost Service list is static, instance must be added to

    27/37

    Startup Procedure

    Files Required for Successful Boot

    28/37

    Startup Procedure

    Initially the Boot Sector will find and load ntldr. Below are the steps of ntldr

    29/37

    Startup Procedure

    ntldr Continued

    O packets to all device drivers that have requested shutdown notification.
    - Winlogon then sets the power status to the required request (Shutdown, Reboot)

    36/37

    Questions?

    Now is the time to hit me with all you got!

    37/37

    Kill() Time()

    Windows Shatter Attacks
    Windows CreateRemoteThread Injection
    DLL Detach Injection