13.4.2016 vjj 1 Windows System Internals: OS structure (Windows 7)
kernel
The kernel is contained in the files below (as specified in the book Windows Internals):
  Ntoskrnl.exe - Executive and kernel
  Ntkrnlpa.exe (32-bit systems only) - Executive and kernel with support for Physical Address Extension (PAE), which allows addressing of up to 64 GB of physical memory
  Hal.dll - Hardware abstraction layer
  Win32k.sys - Kernel-mode part of the Windows subsystem
  Ntdll.dll - Internal support functions and system service dispatch stubs to executive functions
  Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll - Core Windows subsystem DLLs
Architecture overview (figure)
  User mode: System support processes | Service processes | Applications | Environment subsystems
    Subsystem DLLs: Kernel32.dll, Advapi32.dll, User32.dll, GDI32.dll, COM.dll
    Ntdll.dll (SysEnter / SysCall into the kernel; LRPC to the subsystem process)
  Kernel mode:
    Ntoskrnl.exe: System service dispatcher, Executive, Kernel
    Drivers
    Win32k.sys: Windowing and graphics (Win32 User, GDI); Graphic device drivers
    Hal.dll: Hardware abstraction layer (HAL)
Architecture in detail (figure)
  User mode:
    System support processes: SCMan.exe (Service control manager), Lsass.exe (Local Security Authentication Server), Winlogon.exe (Logon process), Smss.exe (Session manager)
    Service processes: Svchost.exe, Winmgmt.exe, Spooler, Services.exe
    Applications: User applications, Task Manager, Windows Explorer
    Environment subsystems: POSIX (PSXSS.exe), OS/2 (OS2SS.exe), Win32 (Csrss.exe)
    Subsystem DLLs: Kernel32.dll, Advapi32.dll, User32.dll, GDI32.dll
    Ntdll.dll
  Kernel mode:
    System threads
    Ntoskrnl.exe:
      System service dispatcher (SysEnter / SysCall)
      Executive: I/O Manager, File system cache, Plug and Play manager, Power manager, Security reference monitor, Virtual memory, Processes and threads, Configuration manager (registry), WDM WMI routines, Local procedure call, Object manager, Executive support RTL
      Kernel (Process Manager, Interrupt / Exception Dispatcher, Multiprocessor Synchronization)
    Win32k.sys: Windowing and graphics (Win32 User, GDI)
    Device and file system drivers; Graphic device drivers
    Hal.dll: Hardware abstraction layer (HAL)
Application (figure)
  ring 3: Application -> GDI32.dll, User32.dll, AdvAPI32.dll, RPCRT4.dll, Kernel32.dll, NTdll.dll; Csrss.exe (Win32 subsystem), reached over LRPC
  ring 0: Win32k.sys, NTOSKrnl.exe, entered via SysEnter
Win32 subsystem: Csrss.exe (Client-Server Runtime Subsystem)
  windows of text consoles
  creation and termination of processes and threads
  part of the support for VDM (16-bit Virtual DOS Machine) processes
  miscellaneous functions: GetTempFile, DefineDosDevice, ExitWindowsEx, ...
13.4.2016 vjj 8 User32.dll GDI32.dll Kernel32.dll Advapi32.dll... Subsystem DLLs
Ntdll.dll
  System service dispatch stubs
    more than 200 Native API functions (Nt... / Zw..., e.g. NtCreateFile, NtSetEvent, ...)
    stubs: SysCall (x64) / SysEnter (x32) / Int 2E (formerly)
    each stub calls the identically named function in the Windows kernel (Ntoskrnl.exe)
  Internal support functions
    C runtime library
    heap manager
    Win32 subsystem process communication functions
    Windows Run-time library routines (Rtl...)
    user-mode asynchronous procedure call (APC) dispatcher
    exception dispatcher
Win32k.sys
  Window Manager
    controls the display of windows
    controls output to the screen
    manages input from the keyboard, the mouse, ...
    delivers user messages to applications
  Graphics Device Interface (GDI)
    library of functions for devices with graphical output
    contains functions for text, line and bitmap drawing and for manipulating graphics
NTOSKrnl.exe
  System service dispatcher
  Executive - the upper layer of NTOSKrnl.exe
    System Services - exported functions; most of them can be called from user mode (API functions)
    exported and documented functions (Windows Driver Kit, WDK)
    exported but undocumented functions
    non-exported functions whose names are nevertheless defined as global symbols
    internal functions of individual modules that are not defined as global symbols
  Kernel - the lower layer of NTOSKrnl.exe
Windows System Internals: "long winding road" ring 3 -> ring 0
  ring 3 -> ring 0: syscall / sysenter / interrupt, callgate
  ring 0 -> ring 3
  lrpc: ring 3 <-> ring 3
interrupt (x86, formerly)
    mov eax, sys_call_number
    lea edx, [esp+4]
    int 0x2E
sysenter (x86)
    ; Ntdll.dll stub
    mov eax, sys_call_number
    mov edx, address_of_ntdll_kifastsystemcall
    call edx
    retn 8
    ; ntdll!KiFastSystemCall
    mov edx, esp
    sysenter
    retn
x64
syscall (x64)
    mov r10, rcx
    mov eax, sys_call_number
    syscall
    retn
?????
But what is the whole path from calling a Win32 API function in an application, e.g. DeviceIoControl, to its implementation somewhere in the kernel? How does the transition from ring 3 to ring 0 take place along the way?
Dependency Walker > depends.exe
  Kernel32.dll v. 6.1.7601.18409 (W7 SP1 x64)
  preferred base: 0x78D20000
  virtual size: 0x0011F000
  DeviceIoControl Entry Point: 0x00015C80
  preferred base + Entry Point = 0x78D35C80
API -> kernel
  Windows Debugger (WinDbg) attached to a process:
    mytest64.exe: wwinmain, DeviceIoCtrl
    kernel32.dll: DeviceIoControl
    KERNELBASE.dll: DeviceIoControl
    ntdll.dll: ZwDeviceIoControlFile
  Kernel Debugger (LiveKd + WinDbg):
    ntoskrnl.dll: KiSystemCall64, NtDeviceIoControlFile
mytest64.cpp in Visual Studio: DeviceIoControl, right mouse button -> View Call Hierarchy: wwinmain -> DeviceIoControl
run mytest64.exe
run WinDbg (x64):
  File > Source File Path...
  File > Symbol File Path...
  File > Attach to a Process...
WinDbg
  > lm                    (display all loaded and unloaded modules)
  start             end               module name
  00000000`76ef0000 00000000`76fea000 USER32
  00000000`76ff0000 00000000`7710f000 KERNEL32
  00000000`77110000 00000000`772b9000 ntdll
  00000001`3fbd0000 00000001`3fcfe000 mytest64
kernel32.dll start address: 76ff0000; Depends.exe states its base address as 78D20000 - ASLR?
DeviceIoControl entry point: 76ff0000 + 00015C80 = 77005C80
mytest64
  > ln wwinmain
  (00000001`3fbf1330) mytest64!wwinmain
  Exact matches: mytest64!wwinmain (struct HINSTANCE *, struct HINSTANCE *, wchar_t *, int)
mytest64.exe
  > u mytest64!wwinmain
  ...
  00000001`3fbf13e4 call qword ptr [mytest64!_imp_deviceiocontrol]
mytest64.exe
  > d DeviceIoCtrl!_imp_DeviceIoControl
  00000001`3fbfe290 80 5c 00 77 00 00 00 00
endianness
Jonathan Swift, "Gulliver's Travels": certain people prefer to eat their hard-boiled eggs from the little end first (thus, little-endians), while others prefer to eat from the big end (thus, big-endians); this leads to various wars.
Kernel32.dll
  > u 77005c80
  kernel32!deviceiocontrolimplementation:
  ...
  00000000`77005cfa call kernel32!deviceiocontrol
  ...
Kernel32.dll
  > ln Kernel32!DeviceIoControl
  (00000000`77675c74) kernel32!deviceiocontrol
  Exact matches: kernel32!deviceiocontrol
  > u kernel32!deviceiocontrol
  00000000`77675c74 jmp qword ptr [kernel32!_imp_deviceiocontrol]
  > d kernel32!_imp_deviceiocontrol
  00000000`776fd688 80 9a ef fc fe 07 00 00
  > u 000007fe`fcef9a80
KERNELBASE.dll
  > u 000007fe`fcef9a80
  KERNELBASE!DeviceIoControl:
  ...
  000007fe`fcef9af3 call qword ptr [KERNELBASE!_imp_NtDeviceIoControlFile]
  ...
  > d KERNELBASE!_imp_NtDeviceIoControlFile
  000007fe`fcf3b148 20 13 16 77 00 00 00 00
  > u 77161320
ntdll.dll
  ntdll!zwdeviceiocontrolfile:
  00000000`77161320 4c8bd1      mov r10,rcx
  00000000`77161323 b804000000  mov eax,4
  00000000`77161328 0f05        syscall
  00000000`7716132a c3          ret
Where do I continue?????? That is, where is the ring 0 code that responds to SysCall?
Intel: syscall
For SYSCALL, the processor saves RFLAGS into R11 and the RIP of the next instruction into RCX; it then gets the privilege-level 0 target instruction and stack pointer from:
  Target code segment: reads a non-null selector from IA32_STAR[47:32] (MSR index C0000081).
  Target instruction: reads a 64-bit canonical address from IA32_LSTAR (MSR index C0000082); the IA32_LSTAR model specific register points to the "KiSystemCall64" NT kernel routine.
  Stack segment: computed by adding 8 to the value in IA32_STAR[47:32].
  System flags: the processor sets RFLAGS to the logical AND of its current value with the complement of the value in the IA32_FMASK MSR (MSR index C0000084).
target instruction
  WinDbg > rdmsr C0000082
  WinDbg > ln KiSystemCall64
livekd (download from Windows Sysinternals, Mark Russinovich)
  > livekd -w       runs WinDbg instead of "kd"
  > livekd -w -m    creates a mirror dump and starts WinDbg on it
ntoskrnl - KiSystemCall64
  > ln KiSystemCall64
  (fffff800`034d5bc0) nt!kisystemcall64
  Exact matches: nt!kisystemcall64 (<no parameter info>)
  > u nt!kisystemcall64
  nt!kisystemcall64:
  ...
KiSystemService
  ...
  nt!kisystemservicestart:
    mov edi,eax
    shr edi,7
    and edi,20h
    and eax,0fffh
KiSystemService
  nt!kisystemservicerepeat:
    lea r10,[nt!keservicedescriptortable]
    lea r11,[nt!keservicedescriptortableshadow]
    test dword ptr [rbx+100h],80h
    cmovne r10,r11
    cmp eax,dword ptr [rdi+r10+10h]
    jae nt!kisystemserviceexit+0x1a7
    mov r10,qword ptr [rdi+r10]
    movsxd r11,dword ptr [r10+rax*4]
    mov rax,r11
    sar r11,4
    add r10,r11
    ...
    call r10
Service Table
  > ln nt!kiservicetable
  (fffff800`034d1800) nt!kiservicetable
  Exact matches: nt!kiservicetable (<no parameter info>)
  > dd nt!kiservicetable
  04134b00 02f5e200 fff6f000 02e8f205 031ce706 03136605 02ba5501 02b41b00
  > ln nt!kiservicetable+(031ce706>>4)
  (fffff800`037ee670) nt!ntdeviceiocontrolfile
  Exact matches: nt!ntdeviceiocontrolfile (<no parameter info>)