Introduction to Windows System Internals part I


Description

Introduction to Windows System Internals part I, by Tim Shelton, Black Security ([email protected]). Outline: brief history of the Windows operating systems; Unicode explained; registry basics; Windows services (services.exe); startup and shutdown procedures; Q&A. PowerPoint presentation.

Transcript of Introduction to Windows System Internals part I

Page 1: Introduction to Windows System Internals part I

by Tim Shelton
Black Security
[email protected]

Page 2: Outline

- Brief History of the Windows Operating Systems
- Unicode Explained
- Registry Basics
- Windows Services (services.exe)
- Startup & Shutdown Procedures
- Q&A

Page 3: Windows History Overview

- Microsoft formed its team of 20 developers in November 1988
- 4 core developers wrote the key components
- It began as a dream to write an advanced operating system
- Designed for desktops and servers
- Secure, scalable multi-processor design
- All new code base

Page 4: Windows History Overview Cont.

- Microsoft announced its commitment to rigorous discipline:
- Developers are required to write detailed documentation
- Developers are required to submit to peer code review
- Developers are required to unit test their code

Page 5: Windows History Overview Cont.

- Past: personal computing, 16/32 bits, Windows 9x code base. Objective: bringing computers to the consumer. Features: usability and compatibility.
- Present: enterprise computing, 32/64 bits, NT code base, solid architectural foundation. Objective: reliability, performance, and meeting the demands of server processing.
- Future: managed code (.NET Framework), Longhorn. Objective: world domination (go figure!).

Page 6: Commitment of the NT Architecture

- Reliability: a crash-proof operating system (as a design goal; a faulting kernel-mode driver can still take the whole system down, which is why the driver trust boundary matters)
- Security: built into the design from day one
- Portability: multi-processor support, avoiding non-portable solutions, a flexible Hardware Abstraction Layer (HAL)
- Modularity: room to grow and for new needs to be fulfilled
- Performance: Microsoft is willing to sacrifice performance for all of the above

Page 7: Common Windows Internals Tools

- File Monitor [filemon]: www.sysinternals.com
- List the DLLs loaded in a specific process's virtual address space [listdlls]: www.sysinternals.com
- Kernel debuggers [windbg, kd]: Debugging Tools for Windows (also distributed with the Platform SDK and Windows SDK)
- Live kernel debugging [livekd]: www.sysinternals.com
- Object viewer [winobj]: www.sysinternals.com
- Process Explorer [procexp]: a replacement for taskmgr and much more; www.sysinternals.com
- And more: visit the Platform SDK or www.sysinternals.com

Page 10: Unicode and Language Independence

- Most internal text strings are stored and processed as 16-bit Unicode characters (UTF-16 code units, the WCHAR type).
- Unicode is an international character set standard that assigns a unique code point to the characters of most of the world's known writing systems. A single 16-bit value covers the Basic Multilingual Plane (65,536 code points); characters beyond it are encoded as a pair of 16-bit surrogates, so one 16-bit unit and one character are not always the same thing.
- References: www.unicode.org or the MSDN documentation

Page 11: Unicode and Language Independence Cont.

- Because many applications still use 8-bit ANSI code pages, Windows functions that accept string parameters have two entry points: a Unicode ("W") and an ANSI ("A") version. Example: CreateProcessA and CreateProcessW (found in kernel32.dll). The A version converts its arguments to Unicode using the current ANSI code page and then calls the W version, so anything the code page cannot represent is lost on the way in.
- Lesson learned: use Unicode for multilingual support.
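As an added example (not from the slides; the helper names are mine and nothing here calls the real Windows API), the following Python shows what the "16-bit characters" look like in a WCHAR buffer, why a supplementary character needs two of them, and what the A entry point throws away when it narrows a string to an ANSI code page. The sample path is constructed.

```python
from __future__ import annotations

# Added example: UTF-16 code units versus characters, and the W->A narrowing.
# Helper names are mine; nothing here calls the Windows API, so it runs anywhere.

def utf16_code_units(text: str) -> list[int]:
    """The 16-bit units a WCHAR buffer would hold (little-endian, no BOM)."""
    raw = text.encode("utf-16-le")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]

def count_surrogate_pairs(text: str) -> int:
    """Characters outside the BMP occupy two units: a high surrogate (D800-DBFF)
    followed by a low surrogate (DC00-DFFF)."""
    return sum(1 for u in utf16_code_units(text) if 0xD800 <= u <= 0xDBFF)

def wchar_buffer_bytes(text: str) -> int:
    """Bytes a W function needs for the NUL-terminated string: units, not characters."""
    return (len(utf16_code_units(text)) + 1) * 2

def naive_wchar_buffer_bytes(text: str) -> int:
    """The classic mistake: sizing from the character count (Python's len, or a
    count of code points) under-allocates whenever a surrogate pair is present."""
    return (len(text) + 1) * 2

def narrow_to_ansi(text: str, codepage: str = "cp1252") -> tuple[bytes, list[str]]:
    """Model the W->A direction: what an ANSI caller gets back from a W string.
    Characters the code page cannot represent become '?'; the returned list of
    lost characters tells you whether a round trip is even possible."""
    lost = [ch for ch in text if ch != "?" and ch.encode(codepage, errors="replace") == b"?"]
    return text.encode(codepage, errors="replace"), lost

# Constructed sample path: a Latin-1 letter plus one supplementary character (U+1F512).
SAMPLE = "C:\\Temp\\\u00fcber-\U0001F512.txt"

if __name__ == "__main__":
    print(len(SAMPLE), "characters,", len(utf16_code_units(SAMPLE)), "UTF-16 units")
    print("surrogate pairs:", count_surrogate_pairs(SAMPLE))
    print("correct buffer:", wchar_buffer_bytes(SAMPLE), "bytes; naive:", naive_wchar_buffer_bytes(SAMPLE))
    print("ANSI view:", narrow_to_ansi(SAMPLE))
```

The two buffer-size functions are the point: a length computed in characters (or in ANSI bytes) and then used to size a WCHAR buffer is a few bytes short exactly when the input contains a surrogate pair, and the narrowed ANSI bytes can no longer be mapped back to the original name.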

Page 12: Windows Registry

- Hives are located in %SystemRoot%\System32\Config\
- A hive is a logical file system within a flat file: keys == directories, values == files
- The registry is a collection of "hives"; a hive contains a collection of "bins"; a bin contains a collection of "cells"; each cell is a unit of allocation containing raw data.

Page 13: Windows Registry Cont.

Below are a few example native (NT) APIs for managing the Windows registry, with simplified signatures:

- NtEnumerateValueKey(KeyHandle, Index);
- NtQueryValueKey(KeyHandle, ValueName);
- NtLoadKey(TargetKey, HiveFileName);
- ... these are exported by ntdll.dll; the Win32 wrappers most programs call (RegEnumValue, RegQueryValueEx, RegLoadKey, ...) are found in Advapi32.dll.

Page 14: Windows Registry Cont.

- A hive is a file (two if you count the .LOG):
  - Primary: holds the actual hive data
  - .LOG: used when flushing the hive (crash recovery)
- Storage mapping types:
  - Stable: maps to the hive file
  - Volatile: lives in paged pool memory, lost after reboot
- The primary file grows in 256k increments to limit fragmentation. The first page (4k) is the registry header (the base block), followed by chained bins.

Page 15: Windows Registry Cont.

- A cell is the unit of storage allocation within a hive. It is always 8-byte aligned.
- Allocation always reuses a free cell if one of the same or greater size exists.
- If the free cell is bigger than needed, it is split and the remainder re-enlisted in the free cell table.

Page 17: Windows Registry Cont.

- Keys, values, security descriptors, indexes, etc. are all made up of cells.
- Retrieving a value within a key might therefore involve several page faults spread across the hive file.
- Solution: registry hive caching (Win2k) and locality enforcement (XP/.NET) to help with performance.

Page 18: Registry: Hive Flush

- The most "expensive" registry operation. Triggered externally by NtFlushKey/RegFlushKey, or whenever a value is written to the hive (SetValue, DeleteValue, CreateKey, DeleteKey, etc.). An automatic flush happens at shutdown/reboot.
- "Lazy flush" waits 5 seconds after a write, then walks the list of hives looking for cells marked "dirty". It ignores hives marked NO_LAZY_FLUSH.
- During a flush the registry is marked read-only.
- No data reaches the hive file until the flush completes, so a crash or power loss inside that window loses the writes that had not yet been flushed.

Page 19: Registry: Loading the Hive

- Loaded at boot time by the boot loader (NTLDR) and the kernel (ntoskrnl.exe)
- Explicitly loaded by calling NtLoadKey/RegLoadKey
  - This requires the SeRestorePrivilege (and SeBackupPrivilege) privilege.
- Hive files are opened in "exclusive" mode and kept open by the kernel.
- The primary header is read and its checksum verified; if that fails:
  - Physical integrity check: walk the entire hive and check each individual cell
  - Logical integrity check: walk the tree and check every key/value
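The on-disk layout described on Pages 12, 14, 15 and 19 (a 4k base block, chained bins, 8-byte-aligned cells with a signed size, a header checksum, and a physical integrity walk when that checksum is in doubt) as an added Python example that is not from the slides: it builds a tiny constructed hive image in memory and then checks it the way the loading steps above are described. The field offsets follow the regf on-disk format; the cell payloads are placeholders, not a real key tree, and the function names are mine.

```python
from __future__ import annotations
import struct

# Added example: a minimal regf (hive) image builder and checker. The layout
# constants are the on-disk format; the sample cells are constructed placeholders.
HEADER_SIZE = 4096          # base block: the first 4k page of the primary file
HBIN_HEADER_SIZE = 32       # "hbin" signature, offset, size, reserved, timestamp
CELL_ALIGN = 8              # every cell starts and ends on an 8-byte boundary

def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in the first 508 bytes of the base block,
    with the two reserved results remapped (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def build_hive(cells: list[tuple[bool, bytes]]) -> bytes:
    """Constructed hive: one base block plus one hbin holding `cells`, each given as
    (allocated?, payload). Allocated cells store a negative size, free cells a
    positive one; the size includes the 4-byte size field and is 8-byte aligned."""
    body = b""
    for allocated, payload in cells:
        size = (4 + len(payload) + CELL_ALIGN - 1) // CELL_ALIGN * CELL_ALIGN
        body += struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\x00")
    bin_size = (HBIN_HEADER_SIZE + len(body) + 4095) // 4096 * 4096   # bins are 4k multiples
    slack = bin_size - HBIN_HEADER_SIZE - len(body)
    if slack:                                                          # remainder is one free cell
        body += struct.pack("<i", slack) + b"\x00" * (slack - 4)
    hbin = b"hbin" + struct.pack("<II", 0, bin_size) + b"\x00" * 20 + body
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 1, 1)             # sequence numbers; equal == clean flush
    struct.pack_into("<III", hdr, 20, 1, 3, 0)        # major 1, minor 3, type 0 (primary)
    struct.pack_into("<I", hdr, 32, 1)                # format 1
    struct.pack_into("<II", hdr, 36, 0x20, bin_size)  # root cell offset, length of hbin data
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr) + hbin

def parse_hive(image: bytes) -> dict:
    """Check the base block first; only if the checksum holds, walk every bin and
    cell (the 'physical integrity' pass) and return what was found."""
    hdr = image[:HEADER_SIZE]
    if hdr[:4] != b"regf":
        raise ValueError("not a regf hive")
    if struct.unpack_from("<I", hdr, 508)[0] != regf_checksum(hdr):
        raise ValueError("header checksum mismatch")
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    data_len = struct.unpack_from("<I", hdr, 40)[0]
    cells, pos = [], HEADER_SIZE
    while pos < HEADER_SIZE + data_len:
        if image[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at {pos:#x}")
        bin_off, bin_size = struct.unpack_from("<II", image, pos + 4)
        if bin_off != pos - HEADER_SIZE or bin_size % 4096 or pos + bin_size > len(image):
            raise ValueError(f"inconsistent hbin header at {pos:#x}")
        cpos = pos + HBIN_HEADER_SIZE
        while cpos < pos + bin_size:
            (raw,) = struct.unpack_from("<i", image, cpos)
            size = abs(raw)
            if size < 8 or size % CELL_ALIGN or cpos + size > pos + bin_size:
                raise ValueError(f"corrupt cell at {cpos:#x}")
            cells.append({"offset": cpos - HEADER_SIZE, "size": size, "allocated": raw < 0,
                          "sig": image[cpos + 4:cpos + 6] if raw < 0 else b""})
            cpos += size
        pos += bin_size
    return {"dirty": seq1 != seq2, "cells": cells}   # dirty: a flush was interrupted

def integrity_report(image: bytes) -> str:
    try:
        parsed = parse_hive(image)
    except ValueError as err:
        return f"FAIL: {err}"
    return f"OK: {len(parsed['cells'])} cells, dirty={parsed['dirty']}"

def corrupt(image: bytes, offset: int) -> bytes:
    """Flip one byte, to stand in for a bad sector or a tampered file."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)

# Constructed cells: a key node ("nk"), a free cell and a value ("vk"); bodies are zeros.
SAMPLE_HIVE = build_hive([(True, b"nk" + b"\x00" * 74), (False, b"\x00" * 12), (True, b"vk" + b"\x00" * 20)])

if __name__ == "__main__":
    print(integrity_report(SAMPLE_HIVE))
    print(integrity_report(corrupt(SAMPLE_HIVE, 100)))                # inside the checksummed header
    print(integrity_report(corrupt(SAMPLE_HIVE, HEADER_SIZE + 32)))   # first cell's size field
```

Two details matter for a checker that has to survive hostile input: the cell walk refuses a size of zero or one that is not a multiple of 8 (otherwise a crafted size field makes the loop spin or run off the end of the bin), and the unequal sequence numbers in the base block are how the loader learns that a flush was interrupted and the .LOG has to be replayed.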

Page 20: Registry: Hive Locations

- Two distinct user hives per account, located under %USERPROFILE%:
  - NTUSER.DAT: mounted under HKEY_USERS\<SID>; roams if roaming profiles are used
  - UsrClass.DAT: mounted under HKEY_USERS\<SID>_Classes; local (no roaming)
- Special hives similar to the above, always loaded:
  - S-1-5-18: SYSTEM account
  - S-1-5-19: Local Service
  - S-1-5-20: Network Service

Page 21: Registry: Review

- The registry is intended to maintain configuration data.
- It is stored in a special, highly tuned flat file.
- The native Nt*Key APIs are exported by ntdll.dll; the Win32 Reg* APIs that wrap them are in Advapi32.dll.
- It is used by the kernel, drivers, internal system components, applications, security, policies, and more.

Page 22: Services Explained

- What are services? Processes that run without the need for an interactive logon.
- This is the Windows equivalent of the UNIX daemon.

Page 23: NT Services

- The Service Control Manager (services.exe) is started early in the boot process by winlogon.exe.
- It is responsible for enforcing service load order and dependencies.
- It starts all service processes marked for load at boot.
- It manages all service processes:
  - Access to a service is only allowed via the SCM API
  - Access is guarded by access checks (each service has its own security descriptor)
- A service can be configured to run under any account (such as LocalSystem).

Page 24: NT Services

Examples of common services:

- spoolsv.exe (Print Spooler, runs as LocalSystem only)
- svchost.exe (generic host, any account)
- services.exe (Eventlog, Plug 'n Play; runs with NT AUTHORITY\SYSTEM privileges)

Services register with both a service name and a display name:

- e.g. ALG vs. "Application Layer Gateway Service"

Page 25: NT Services

- Configuration: HKLM\SYSTEM\CurrentControlSet\Services
- Follows the service programming model:
  - Requires a ServiceMain and a Handler (or HandlerEx) routine
  - When multiple services share one process, each must implement its own ServiceMain
- If the service is its own executable, it must call StartServiceCtrlDispatcher from its main/WinMain, which in turn calls ServiceMain.

Page 26: svchost.exe

- Individual services can be configured to run within svchost.exe:
  - Set in the service's configuration at service creation:
    ImagePath = %SystemRoot%\system32\svchost.exe -k <group name>
  - The svchost group list is static; the service name must be added to the group's value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
- When svchost begins, it reads the list of services for its group and sets up a generic ServiceMain routine for each, loading the DLL named by the service's Parameters\ServiceDll value.
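The SCM duties of Pages 23 to 26 (start order, dependency enforcement, the static svchost group list) as an added Python model that is not from the slides and does not talk to a real SCM: it takes a constructed dictionary shaped like the Services key and the Svchost key, works out what the SCM could start and in what order, what it would have to refuse and why, and which svchost-hosted entries are misconfigured. Entries named DemoSvc, OtherSvc and DemoDangling are invented; the other names only mimic familiar ones, and the function names are mine.

```python
from __future__ import annotations
import re
from collections import deque

# Added example: a model of the SCM's start-order and dependency rules, run over a
# constructed copy of the Services key. Nothing here touches a live registry.
START_BOOT, START_SYSTEM, START_AUTO, START_DEMAND, START_DISABLED = 0, 1, 2, 3, 4

def svchost_group(image_path: str) -> str | None:
    """Group name from an ImagePath of the form '... svchost.exe -k <group>', else None."""
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", image_path, re.IGNORECASE)
    return m.group(1).lower() if m else None

def start_order(services: dict) -> tuple[list[str], dict[str, str]]:
    """Order in which boot/system/auto services (and the demand-start services they
    depend on) can be started so that every dependency is already running.
    Returns (order, blocked); blocked maps a service to why it cannot be started.
    Raises ValueError when the dependency graph contains a cycle."""
    blocked: dict[str, str] = {}

    def why_not(dep: str) -> str | None:
        if dep not in services:
            return f"dependency {dep} does not exist"
        if services[dep]["Start"] == START_DISABLED:
            return f"dependency {dep} is disabled"
        if dep in blocked:
            return f"dependency {dep} cannot start"
        return None

    # 1. everything the SCM wants up after boot, pulling in demand-start dependencies
    wanted, stack = set(), [n for n, s in services.items() if s["Start"] <= START_AUTO]
    while stack:
        n = stack.pop()
        if n in wanted or n not in services or services[n]["Start"] == START_DISABLED:
            continue
        wanted.add(n)
        stack.extend(services[n]["DependOnService"])
    # 2. block, transitively, anything with a missing, disabled or blocked dependency
    changed = True
    while changed:
        changed = False
        for n in sorted(wanted - set(blocked)):
            for dep in services[n]["DependOnService"]:
                reason = why_not(dep)
                if reason:
                    blocked[n], changed = reason, True
                    break
    # 3. Kahn's algorithm over the rest: a service is emitted once all its deps are
    runnable = wanted - set(blocked)
    indeg = {n: len(services[n]["DependOnService"]) for n in runnable}
    users: dict[str, list[str]] = {n: [] for n in runnable}
    for n in runnable:
        for dep in services[n]["DependOnService"]:
            users[dep].append(n)
    order, queue = [], deque(sorted(n for n in runnable if indeg[n] == 0))
    while queue:
        n = queue.popleft()
        order.append(n)
        for u in sorted(users[n]):
            indeg[u] -= 1
            if indeg[u] == 0:
                queue.append(u)
    if len(order) != len(runnable):
        raise ValueError("circular dependency among: " + ", ".join(sorted(runnable - set(order))))
    return order, blocked

def svchost_mismatches(services: dict, groups: dict) -> list[tuple[str, str]]:
    """Services whose ImagePath names an svchost group they are not listed under:
    svchost only loads ServiceDlls for names it finds in its group's value."""
    return sorted((name, g) for name, s in services.items()
                  if (g := svchost_group(s["ImagePath"])) and name not in groups.get(g, []))

def boot_report(services: dict, groups: dict) -> dict:
    try:
        order, blocked = start_order(services)
    except ValueError as err:
        return {"error": str(err)}
    return {"order": order, "blocked": blocked, "svchost_mismatches": svchost_mismatches(services, groups)}

def svc(start: int, image: str, account: str = "LocalSystem", deps=()) -> dict:
    return {"Start": start, "ImagePath": image, "ObjectName": account, "DependOnService": list(deps)}

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Services.
SERVICES = {
    "Tcpip":        svc(START_SYSTEM, r"system32\DRIVERS\tcpip.sys", ""),
    "Afd":          svc(START_SYSTEM, r"\SystemRoot\system32\drivers\afd.sys", ""),
    "RpcSs":        svc(START_AUTO, r"%SystemRoot%\system32\svchost.exe -k rpcss", r"NT AUTHORITY\NetworkService"),
    "Eventlog":     svc(START_AUTO, r"%SystemRoot%\system32\services.exe"),
    "Dhcp":         svc(START_AUTO, r"%SystemRoot%\system32\svchost.exe -k netsvcs", deps=["Tcpip", "Afd"]),
    "Spooler":      svc(START_AUTO, r"%SystemRoot%\system32\spoolsv.exe", deps=["RpcSs"]),
    "ALG":          svc(START_DEMAND, r"%SystemRoot%\System32\alg.exe", r"NT AUTHORITY\LocalService"),
    "Messenger":    svc(START_DISABLED, r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    "DemoSvc":      svc(START_AUTO, r"%SystemRoot%\system32\svchost.exe -k netsvcs", deps=["Messenger"]),
    "OtherSvc":     svc(START_AUTO, r"%SystemRoot%\system32\svchost.exe -k netsvcs", deps=["DemoSvc"]),
    "DemoDangling": svc(START_AUTO, r"%SystemRoot%\system32\demo.exe", deps=["NoSuchSvc"]),
}
# Constructed stand-in for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
SVCHOST_GROUPS = {"rpcss": ["RpcSs"], "netsvcs": ["Dhcp", "Messenger", "DemoSvc"]}

if __name__ == "__main__":
    for key, value in boot_report(SERVICES, SVCHOST_GROUPS).items():
        print(f"{key}: {value}")
```

The blocked list is the part worth reading on a real box: a service that depends on a disabled or missing service never starts, however it is configured, and the svchost mismatch is the quiet failure mode of the static group list mentioned above.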

Page 27: Startup Procedure

Files required for a successful boot:

- NTLDR: boot loader
- Boot.ini: boot configuration
- Ntdetect.com: detects hardware for boot
- Ntoskrnl.exe: core kernel binary
- Hal.dll: hardware support (Hardware Abstraction Layer)
- SYSTEM registry hive: system configuration
- Device drivers

Page 28: Startup Procedure

Initially the boot sector finds and loads Ntldr. Ntldr then:

- Switches the processor into 32-bit flat (protected) memory mode; until this point the computer was running in real mode, just like an old 8086 or 8088 CPU.
- Starts the appropriate mini file system driver (e.g. FAT, NTFS) so that it can read files from the disk.
- Reads the Boot.ini file and displays the boot menu on the screen.

Page 29: Startup Procedure

Ntldr continued:

- If an OS other than an NT-based Windows (NT/2000/XP) is selected, NTLDR loads the bootsect.dos file and passes control to it, which then boots the other OS.
- If a Windows OS is selected, NTLDR runs Ntdetect.com to gather information about the computer's hardware.
  - Hardware includes: computer ID, video adapter, keyboard, etc.
- It is also in this step that you can press F8 for troubleshooting and advanced startup options.

Page 30: Startup Procedure

Ntoskrnl begins the first of two phases (phase 0):

- Interrupts are disabled
- KiSystemStartup -> HalInitializeProcessor -> KiInitializeKernel (per CPU)
- ExpInitializeExecutive is then called, which initializes the critical resource management components (Plug 'n Play, Security Reference Monitor, Memory Manager)

Phase two (phase 1) begins:

- Ntoskrnl re-enables interrupts and displays the Windows boot status screen
- Ntoskrnl loads the HARDWARE registry hive (volatile; built from what Ntdetect found)
- Ntoskrnl proceeds to initialize the necessary drivers

Page 31: Startup Procedure

This step begins with the start of the Session Manager (Smss.exe):

- Smss, being a native application, can perform unique actions:
  - Creation of security tokens
  - It talks to the kernel through the native (Nt*) API alone, since no Win32 subsystem exists yet when it starts
- Smss's first task is initializing the rest of the registry hives
- Smss then runs any programs defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute (by default autochk)
- Smss loads the kernel-mode part of the Windows subsystem (Win32k.sys)
- Smss then starts Csrss and Winlogon

Page 32: Startup Procedure

Winlogon and Csrss:

- Winlogon performs its startup steps, such as creating the initial window station and desktop objects.
- Winlogon then loads Msgina.dll (or a replacement GINA) to handle WlxLoggedOutSAS, which displays the standard Windows logon dialog box.
- Winlogon creates the Service Control Manager (SCM), services.exe, which starts all the services marked for auto-start.
- Winlogon also starts the Local Security Authentication Subsystem (Lsass).

Page 33: Startup Procedure

Winlogon and Csrss (cont.):

- Once the auto-start services are up and a user has logged on, the SCM deems the boot successful and updates the "Last Known Good Configuration": HKLM\SYSTEM\Select\LastKnownGood is set to match HKLM\SYSTEM\Select\Current, the ControlSet00N that CurrentControlSet points to.

Page 34: Startup Procedure

Post authentication:

- Winlogon maps HKCU to the user's NTUSER.DAT hive and sets the user environment stored in HKCU\Environment
- Msgina (WlxActivateUserShell) launches the executables listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- Userinit.exe processes user scripts and machine logon scripts
- If group policy specifies a profile quota, %SystemRoot%\system32\Proquota.exe is loaded
- Userinit launches the comma-separated shell(s) specified in the Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; a per-user value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon overrides it. The default is Explorer.exe.
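BootExecute, Userinit and Shell are the three values that decide what runs before and right after a logon, which is what makes them standing persistence points. As an added example that is not from the slides, here is a small Python check over a constructed dictionary of those values (the kind of data one gets from reg.exe or from an offline hive parser); the helper names, the baseline and the sample values are mine.

```python
from __future__ import annotations
import ntpath

# Added example: audit the registry values that drive the boot/logon chain described
# above. Input is a dict of already-read values; the sample data below is constructed.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SESSION_MANAGER = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"

# What a stock XP-era installation carries. Entries are compared by file name so that
# a different %SystemRoot% does not trip the check.
BASELINE = {
    SESSION_MANAGER + r"\BootExecute": {"autocheck autochk *"},
    WINLOGON + r"\Userinit": {"userinit.exe"},
    WINLOGON + r"\Shell": {"explorer.exe"},
}

def entries(value) -> list[str]:
    """Normalise one value: BootExecute is REG_MULTI_SZ (a list); Userinit and Shell are
    comma-separated REG_SZ strings (Userinit ends with a trailing comma by default)."""
    raw = value if isinstance(value, list) else value.split(",")
    out = []
    for item in raw:
        item = item.strip().strip('"').lower()
        if item:
            out.append(ntpath.basename(item))
    return out

def audit_logon_chain(values: dict, baseline: dict = BASELINE) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list is clean."""
    findings = []
    for key, allowed in baseline.items():
        if key not in values:
            findings.append(f"{key}: value missing")
            continue
        for entry in entries(values[key]):
            if entry not in allowed:
                findings.append(f"{key}: unexpected entry {entry!r}")
    # Shell may also be set per user under HKCU, which takes precedence over HKLM.
    for key, value in values.items():
        if key.upper().startswith("HKCU\\") and key.lower().endswith(r"\winlogon\shell"):
            findings.append(f"{key}: per-user shell override {value!r}")
    return findings

# Constructed samples (not dumped from a real machine).
CLEAN = {
    SESSION_MANAGER + r"\BootExecute": ["autocheck autochk *"],
    WINLOGON + r"\Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    WINLOGON + r"\Shell": "Explorer.exe",
}
TAMPERED = {
    SESSION_MANAGER + r"\BootExecute": ["autocheck autochk *", r"C:\Temp\cleanup.exe"],
    WINLOGON + r"\Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\svc.exe",
    WINLOGON + r"\Shell": "Explorer.exe",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": r"C:\Temp\shell.exe",
}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_logon_chain(sample) or ["no findings"])
```

Comparing by file name is a deliberate trade-off: it tolerates a non-default %SystemRoot% but would not notice a userinit.exe planted in another directory, so on a live system pair this with a check that the full path resolves under System32.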

Page 35: Shutdown Procedure

ExitWindowsEx():

- Csrss impersonates the caller and sends a window message to a hidden window owned by Winlogon, telling it to shut down.
- Winlogon impersonates the caller and calls ExitWindowsEx itself; Csrss then traverses each process in the user's session, "informing" it of its intentions (WM_QUERYENDSESSION / WM_ENDSESSION) before terminating it.
- Winlogon calls ExitWindowsEx once again, this time under the SYSTEM account, so that Csrss terminates any processes owned by SYSTEM.
- Winlogon calls NtSetSystemPowerState:
  - Shutdown I/O packets are sent to all device drivers that have requested shutdown notification.
  - The power state is then set to the requested one (shutdown, reboot).

Page 36: Questions?

Now is the time to hit me with all you got!

Page 37: Kill() Time()

- Windows Shatter Attacks
- Windows CreateRemoteThread Injection
- DLL Detach Injection