Internals - vjj root page
Windows System Internals
OS structure (Windows 7)
13.4.2016 vjj 1

kernel (slide 2)
The kernel is contained in the files below (as specified in the book Windows Internals):
• Ntoskrnl.exe - Executive and kernel
• Ntkrnlpa.exe (32-bit systems only) - Executive and kernel with support for Physical Address Extension (PAE), which allows addressing of up to 64 GB of physical memory
• Hal.dll - Hardware abstraction layer
• Win32k.sys - Kernel-mode part of the Windows subsystem
• Ntdll.dll - Internal support functions and system service dispatch stubs to executive functions
• Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll - Core Windows subsystem DLLs

architecture overview (slide 3)
User mode:
• System support processes, service processes, environment subsystems, applications
• Subsystem DLLs: Kernel32.dll, Advapi32.dll, User32.dll, GDI32.dll, COM.dll
• Ntdll.dll - the user-mode end of the system call interface (SysEnter / SysCall); the Win32 subsystem process is reached over LRPC
Kernel mode:
• Ntoskrnl.exe - system service dispatcher, Executive, Kernel
• Win32k.sys - windowing and graphics (Win32 User, GDI); graphics device drivers
• Drivers
• Hal.dll - hardware abstraction layer (HAL)

architecture in detail (slide 4)
User mode:
• System support processes: Session manager (Smss.exe), Logon process (Winlogon.exe), Service control manager (Services.exe), Local Security Authentication Server (Lsass.exe)
• Service processes: Svchost.exe, Winmgmt.exe, Spooler, Services.exe
• Applications: user applications, Task Manager, Windows Explorer
• Environment subsystems: POSIX (PSXSS.exe), OS/2 (OS2SS.exe), Win32 (Csrss.exe)
• Subsystem DLLs: Kernel32.dll, Advapi32.dll, User32.dll, GDI32.dll
• Ntdll.dll
• SysEnter / SysCall - the ring 3 / ring 0 boundary
Kernel mode:
• System threads
• Ntoskrnl.exe: System service dispatcher; Executive (executive support, WDM WMI routines, configuration manager (registry), processes and threads, object manager, virtual memory, security reference monitor, power manager, Plug and Play manager, file system cache, I/O manager, local procedure call, RTL); Kernel (process manager, interrupt / exception dispatcher, multiprocessor synchronization)
• Win32k.sys: windowing and graphics (Win32 User, GDI)
• Device and file system drivers; graphics device drivers
• Hal.dll: hardware abstraction layer (HAL)
• Hardware

Csrss.exe and the Win32 subsystem (slide 5)
• ring 3: Applications -> GDI32.dll, User32.dll, AdvAPI32.dll, RPCRT4.dll, Kernel32.dll -> NTdll.dll
• ring 3 -> ring 0: NTdll.dll -> SysEnter -> NTOSKrnl.exe, Win32k.sys
• ring 3 <-> ring 3: Applications <-> Csrss.exe over LRPC

Csrss.exe (slide 7)
• Win32 subsystem
• Client-Server Runtime Subsystem
• various functions:
  – text console windows
  – creating and terminating processes and threads
  – part of the support for VDM (16-bit Virtual DOS Machine) processes
  – GetTempFile, DefineDosDevice, ExitWindowsEx, ...

Subsystem DLLs (slide 8)
• User32.dll, GDI32.dll, Kernel32.dll, Advapi32.dll, ...

Ntdll.dll (slide 9)
• System service dispatch stubs
  – more than 200 Native API functions (Nt... / Zw..., e.g. NtCreateFile, NtSetEvent, ...)
  – stubs: SysCall (x64) / SysEnter (x86) / Int 2E (older systems)
  – each stub calls the identically named function in the Windows kernel (Ntoskrnl.exe)
• Internal support functions
  – C runtime library
  – heap manager
  – Win32 subsystem process communication functions
  – Windows run-time library routines (Rtl...)
  – user-mode asynchronous procedure call (APC) dispatcher
  – exception dispatcher

Win32k.sys (slide 10)
• Window Manager
  – controls the display of windows
  – controls output to the screen
  – manages input from the keyboard, the mouse, ...
  – delivers user messages to applications
• Graphics Device Interface (GDI)
  – a library of functions for devices with graphical output
  – contains functions for text, line and bitmap drawing and for manipulating graphics

NTOSKrnl.exe (slide 11)
• System service dispatcher
• Executive - the upper layer of NTOSKrnl.exe
  – System Services: exported functions; most of them can be called from user mode (API functions)
  – exported and documented functions (Windows Driver Kit, WDK)
  – exported but undocumented functions
  – non-exported functions whose names are nevertheless defined as global symbols
  – internal functions of the individual modules, not defined as global symbols
• Kernel - the lower layer of NTOSKrnl.exe

Windows System Internals - the "long winding road" from ring 3 to ring 0 (slide 12)

ring transitions (slide 13)
• ring 3 -> ring 0: syscall / sysenter / interrupt
• ring 0 -> ring 3: callgate (note: a call gate is a transfer into more privileged code, i.e. a second ring 3 -> ring 0 mechanism, and Windows does not use it for system calls; the way back from ring 0 to ring 3 is sysret / sysexit / iret)
• ring 3 <-> ring 3: LRPC

interrupt (slide 14) - the original int 2E path on x86; edx carries the address of the first argument on the caller's stack
    mov eax, sys_call_number
    lea edx, [esp+4]
    int 0x2E

sysenter (slide 15) - the x86 stub in ntdll calls a shared KiFastSystemCall routine
    ; stub for one system service
    mov eax, sys_call_number
    mov edx, address_of_ntdll_KiFastSystemCall
    call edx
    retn 8
    ; ntdll!KiFastSystemCall
    mov edx, esp
    sysenter
    ; ntdll!KiFastSystemCallRet
    retn

x64 (slide 16)

syscall (slide 17) - the x64 stub; rcx is overwritten by SYSCALL with the return address, so the first argument is moved to r10 first
    mov r10, rcx
    mov eax, sys_call_number
    syscall
    retn

????? (slide 18)
• But what is the whole path from a call of a Win32 API function in an application, e.g. DeviceIoControl, to its implementation somewhere in the kernel?
• How does the transition from ring 3 to ring 0 happen on that path?

Dependency Walker (slide 19)
> depends.exe
Kernel32.dll v. 6.1.7601.18409 (W7 SP1 x64)
  preferred base: 0x78D20000
  virtual size:   0x0011F000
DeviceIoControl entry point: 0x00015C80
  preferred base + entry point = 0x78D35C80

API -> kernel (slide 20)
Windows Debugger (WinDbg) attached to the process:
• myTEST64.exe:    wWinMain, DeviceIoCtrl
• kernel32.dll:    DeviceIoControl
• KERNELBASE.dll:  DeviceIoControl
• ntdll.dll:       ZwDeviceIoControlFile
Kernel debugger (LiveKd + WinDbg):
• ntoskrnl.exe:    KiSystemCall64, NtDeviceIoControlFile

Visual Studio (slide 21)
• myTEST64.cpp
• DeviceIoControl: right mouse button -> View Call Hierarchy
• wWinMain -> DeviceIoControl

WinDbg (slide 22)
• run myTEST64.exe
• run WinDbg (x64)
• File | Source File Path...
• File | Symbol File Path...
• File | Attach to a Process...

display all loaded and unloaded modules (slide 23)
> lm
    start              end                module name
    00000000`76ef0000  00000000`76fea000  USER32
    00000000`76ff0000  00000000`7710f000  KERNEL32
    00000000`77110000  00000000`772b9000  ntdll
    00000001`3fbd0000  00000001`3fcfe000  myTEST64
• kernel32.dll start address 76ff0000; Depends.exe states its base address as 78D20000 - ASLR? (yes: on Windows 7 the system DLLs are re-based at each boot, so the preferred base from the file header is not where the image is loaded)
• DeviceIoControl entry point: 76ff0000 + 00015C80 = 77005C80

myTEST64 (slide 24)
> ln wWinMain
(00000001`3fbf1330) myTEST64!wWinMain | Exact matches:
    myTEST64!wWinMain (struct HINSTANCE__ *, struct HINSTANCE__ *, wchar_t *, int)

myTEST64.exe (slide 25)
> u myTEST64!wWinMain
...
00000001`3fbf13e4 call qword ptr [myTEST64!_imp_DeviceIoControl]
...

myTEST64.exe (slide 26)
> d DeviceIoCtrl!_imp_DeviceIoControl
00000001`3fbfe290  80 5c 00 77 00 00 00 00

endianness (slide 27)
• Jonathan Swift, "Gulliver's Travels": certain people prefer to eat their hard-boiled eggs from the little end first (thus, little-endians), while others prefer to eat from the big end (thus, big-endians); this leads to various wars.
• x86/x64 is little-endian: the least significant byte is stored first, so the eight bytes 80 5c 00 77 00 00 00 00 above are the 64-bit pointer 0x0000000077005c80, i.e. the DeviceIoControl entry point computed on slide 23.

Kernel32.dll (slide 28)
> u 77005c80
kernel32!DeviceIoControlImplementation:
...
00000000`77005cfa call kernel32!DeviceIoControl
...

Kernel32.dll (slide 29)
(The absolute addresses on this and the following slides come from a different debugging session than slides 23-28; ASLR re-bases the system DLLs at each boot, so only the offsets and the chain of references are stable.)
> ln kernel32!DeviceIoControl
(00000000`77675c74) kernel32!DeviceIoControl | Exact matches:
    kernel32!DeviceIoControl
> u kernel32!DeviceIoControl
00000000`77675c74 jmp qword ptr [kernel32!_imp_DeviceIoControl]
> d kernel32!_imp_DeviceIoControl
00000000`776fd688  80 9a ef fc fe 07 00 00
> u 000007fe`fcef9a80

KERNELBASE.dll (slide 30)
> u 000007fe`fcef9a80
KERNELBASE!DeviceIoControl:
...
000007fe`fcef9af3 call qword ptr [KERNELBASE!_imp_NtDeviceIoControlFile]
...
> d KERNELBASE!_imp_NtDeviceIoControlFile
000007fe`fcf3b148  20 13 16 77 00 00 00 00
> u 77161320

ntdll.dll (slide 31)
ntdll!ZwDeviceIoControlFile:
00000000`77161320 4c8bd1      mov r10,rcx
00000000`77161323 b804000000  mov eax,4
00000000`77161328 0f05        syscall
00000000`7716132a c3          ret
• eax = 4 is the system service number of NtDeviceIoControlFile on this build; the Nt... and Zw... exports of ntdll are the same stub, and the number is an index into the kernel's service table, not an address.

????? (slide 32)
• Where do I continue? I.e. where is the ring 0 code that reacts to SYSCALL?

Intel: syscall (slide 33)
• For SYSCALL, the processor saves RFLAGS into R11 and the RIP of the next instruction into RCX;
• it then gets the privilege-level 0 target instruction and stack pointer from:
  – Target code segment - reads a non-NULL selector from IA32_STAR[47:32] (MSR index C0000081)
  – Target instruction - reads a 64-bit canonical address from IA32_LSTAR (MSR index C0000082); the IA32_LSTAR model-specific register points to the "KiSystemCall64" NT kernel routine
  – Stack segment - computed by adding 8 to the value in IA32_STAR[47:32]
  – System flags - the processor sets RFLAGS to the logical AND of its current value with the complement of the value in the IA32_FMASK MSR (MSR index C0000084)

target instruction (slide 34)
• WinDbg > rdmsr C0000082   (reading an MSR needs a kernel debugging session, e.g. the LiveKd session of the next slide; it is not available while attached to a user-mode process)
• WinDbg > ln KiSystemCall64

livekd (slide 35)
• download from Windows Sysinternals (Mark Russinovich)
• > livekd -w      runs WinDbg instead of "kd"
• > livekd -w -m   creates a mirror dump and starts WinDbg on it

ntoskrnl - KiSystemCall64 (slide 36)
> ln KiSystemCall64
(fffff800`034d5bc0) nt!KiSystemCall64 | Exact matches:
    nt!KiSystemCall64 (<no parameter info>)
> u nt!KiSystemCall64
nt!KiSystemCall64:
...

KiSystemService (slide 37) - split the service number: bit 12 selects the table (0x00 or 0x20 into the descriptor table), the low 12 bits are the index
...
nt!KiSystemServiceStart:
    mov edi,eax
    shr edi,7
    and edi,20h
    and eax,0FFFh

KiSystemService (slide 38) - the shadow table (which adds the win32k services) is used when the current thread, in rbx, is a GUI thread
nt!KiSystemServiceRepeat:
    lea r10,[nt!KeServiceDescriptorTable]
    lea r11,[nt!KeServiceDescriptorTableShadow]
    test dword ptr [rbx+100h],80h
    cmovne r10,r11
    cmp eax,dword ptr [rdi+r10+10h]          ; index against the table limit
    jae nt!KiSystemServiceExit+0x1a7
    mov r10,qword ptr [rdi+r10]              ; table base
    movsxd r11,dword ptr [r10+rax*4]         ; 32-bit, sign-extended entry
    mov rax,r11
    sar r11,4                                ; entry >> 4 = offset from table base
    add r10,r11
    ...
    call r10

Service Table (slide 39)
> ln nt!KiServiceTable
(fffff800`034d1800) nt!KiServiceTable | Exact matches:
    nt!KiServiceTable (<no parameter info>)
> dd nt!KiServiceTable
04134b00 02f5e200 fff6f000 02e8f205 031ce706 03136605 02ba5501 02b41b00
> ln nt!KiServiceTable+(031ce706>>4)
(fffff800`037ee670) nt!NtDeviceIoControlFile | Exact matches:
    nt!NtDeviceIoControlFile (<no parameter info>)
• Entry 4 (the service number from the ntdll stub) is 031ce706: 031ce706 >> 4 = 0x31ce70, and 0x034d1800 + 0x31ce70 = 0x037ee670, the address of nt!NtDeviceIoControlFile. The low four bits (6) that the shift drops are the number of arguments passed on the stack beyond the four register arguments (NtDeviceIoControlFile takes 10).
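The three manual decoding steps of the walk above (reading a little-endian import slot, reading the service number out of an x64 ntdll stub, and resolving a KiServiceTable entry the way KiSystemServiceRepeat does) as an added C example; this is not code from the original slides. Its inputs are constants copied from the WinDbg output on the slides, so it runs offline and never touches a live kernel; the function and constant names are this example's own. The stub parser is deliberately strict: a hooked or patched stub that does not match `mov r10,rcx; mov eax,N; syscall; ret` byte for byte is reported as -1 rather than guessed at.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- constructed inputs: bytes and dwords copied from the slides --- */

/* slide 26: `d DeviceIoCtrl!_imp_DeviceIoControl` */
static const uint8_t IAT_DEVICEIOCONTROL[8] =
    {0x80, 0x5c, 0x00, 0x77, 0x00, 0x00, 0x00, 0x00};
/* slide 29: `d kernel32!_imp_DeviceIoControl` */
static const uint8_t IAT_KERNELBASE_DEVICEIOCONTROL[8] =
    {0x80, 0x9a, 0xef, 0xfc, 0xfe, 0x07, 0x00, 0x00};
/* slide 31: opcode bytes of ntdll!ZwDeviceIoControlFile */
static const uint8_t ZW_DEVICEIOCONTROLFILE_STUB[] =
    {0x4c, 0x8b, 0xd1, 0xb8, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc3};
/* slide 39: address of nt!KiServiceTable and its first eight entries */
static const uint64_t KISERVICETABLE_BASE = 0xfffff800034d1800ULL;
static const uint32_t KISERVICETABLE_HEAD[8] = {
    0x04134b00, 0x02f5e200, 0xfff6f000, 0x02e8f205,
    0x031ce706, 0x03136605, 0x02ba5501, 0x02b41b00,
};

/* x86/x64 is little-endian: the first byte shown by `d` is the least significant. */
static uint64_t le64(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Return N from `mov r10,rcx; mov eax,N; syscall; ret`, or -1 if the bytes
 * are not exactly that pattern (length, prefix and suffix are all checked). */
static int syscall_number_from_stub(const uint8_t *code, size_t len)
{
    static const uint8_t pre[4]  = {0x4c, 0x8b, 0xd1, 0xb8}; /* mov r10,rcx ; mov eax,imm32 */
    static const uint8_t post[3] = {0x0f, 0x05, 0xc3};       /* syscall ; ret */
    if (len < 11) return -1;
    for (size_t i = 0; i < 4; i++) if (code[i] != pre[i]) return -1;
    for (size_t i = 0; i < 3; i++) if (code[8 + i] != post[i]) return -1;
    return (int)((uint32_t)code[4] | ((uint32_t)code[5] << 8) |
                 ((uint32_t)code[6] << 16) | ((uint32_t)code[7] << 24));
}

/* x64 KiServiceTable entry: routine = table_base + (entry >> 4) with an
 * arithmetic shift (entries can be negative), low 4 bits = number of
 * arguments passed on the stack.  Mirrors cmp/jae, movsxd, sar, add above. */
struct ssdt_target { uint64_t address; unsigned stack_args; };

static int ssdt_resolve(uint64_t table_base, const uint32_t *table, size_t count,
                        unsigned index, struct ssdt_target *out)
{
    if (index >= count) return 0;                 /* cmp eax,[rdi+r10+10h] ; jae */
    int32_t entry  = (int32_t)table[index];       /* movsxd r11,dword ptr [r10+rax*4] */
    int64_t offset = (int64_t)entry >> 4;         /* sar r11,4 (arithmetic on gcc/clang/msvc) */
    out->address    = table_base + (uint64_t)offset; /* add r10,r11 */
    out->stack_args = (unsigned)(entry & 0xF);
    return 1;
}

/* Wrappers over the slide's table so the results can be checked by name. */
static uint64_t example_service_address(unsigned index)
{
    struct ssdt_target t;
    return ssdt_resolve(KISERVICETABLE_BASE, KISERVICETABLE_HEAD, 8, index, &t) ? t.address : 0;
}

static int example_service_stack_args(unsigned index)
{
    struct ssdt_target t;
    return ssdt_resolve(KISERVICETABLE_BASE, KISERVICETABLE_HEAD, 8, index, &t) ? (int)t.stack_args : -1;
}

int main(void)
{
    int n = syscall_number_from_stub(ZW_DEVICEIOCONTROLFILE_STUB, sizeof ZW_DEVICEIOCONTROLFILE_STUB);
    printf("import slot -> kernel32 entry: %#llx\n", (unsigned long long)le64(IAT_DEVICEIOCONTROL));
    printf("ntdll stub  -> service number: %d\n", n);
    if (n >= 0)
        printf("KiServiceTable[%d] -> %#llx, %d stack args (nt!NtDeviceIoControlFile)\n", n,
               (unsigned long long)example_service_address((unsigned)n),
               example_service_stack_args((unsigned)n));
    return 0;
}
```

Entry 2 of the table (fff6f000) is negative, so the resolver must sign-extend before shifting exactly as movsxd/sar do; treating the entry as an unsigned value would put the routine several gigabytes past the table instead of just below it.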