Windows Vista Kernel Security EN

Presentation Transcript

Slide1: 

Matthieu Suiche | <matt@msuiche.net> | www.msuiche.net
Kernel Security

Who am I?: 

- High school student
- Website/Blog: www.msuiche.net
- Microsoft Student Partner (MSP)
- Security fanatic!
    - Reverse engineering
    - Vulnerability analysis
    - Malicious binary research
    - Security tools programming
    - Core system security research
- TinyKRNL Project: kernel developer (ATAPI)

Agenda: 

- Kernel hooking, why?
- Patchguard
- Code Integrity
- Signed drivers
- Windows Vista (32-bit kernel): SSDT, KIDT, MSR
- Windows Vista (64-bit kernel): SSDT, KIDT, MSR

Kernel Hooking, Why ?: 

- Mainly rootkits!
- Modification of system tables such as the SDT: functions NtCreateProcess, NtSystemInformation, ...
- Modification of internal structures: PsLoadedModuleList
- Modification of the IDT to manage an external debugger
- Modification of the 0x2E interrupt to hook syscalls (Win2K)
- Modification of MSR registers to hook syscalls (WinXP, Win2k3, WinVista)
- Modification of system function prologs

Patchguard: 

- Authors: Windows Core Team
- First implementation in Windows XP x64; cf. the analysis by Matt Miller & Ken Johnson (Win2k3)
- Checks system tables and critical sections: functions, IDT, GDT, SDT, process list, MSRs
- 25 October 2006: Authentium
- 8 November 2006: Windows Vista RTM

Code Integrity (CI.DLL): 

- Authors: Windows DRM Team
- A Windows Vista innovation
- Numerous steps:
    - A bootloader checks the authenticity of ntoskrnl, the HAL and the boot drivers
    - Checks the ntoskrnl import table
- Deleting or patching CI.DLL => cannot boot!
- Note: WINLOAD.EXE checks the authenticity of NTOSKRNL.EXE while booting
- Enabled before Patchguard
- Can be disabled by the user while booting

Signed Drivers (KMD): 

- Goal: protect against rootkits and malicious drivers
- Mandatory on Windows Vista 64-bit
- Signed with a certificate
- Can be disabled by the user while booting (BOOT.INI)
- July 2006, J. Rutkowska / BlackHat: a three-step attack
    - Exhaust the full physical memory
    - Access to the paging file (pagefile.sys) is then gained through direct access to the HDD (\\.\PHYSICALDRIVE0)
    - Modify a loaded driver (e.g. NULL.sys)
- Another step uses hardware virtualization: Pacifica (AMD SVM extensions) / Vanderpool (VT-x)
- Pagefile attack fixed in Windows Vista RC2

Kernel must go on! Kernel must go on! Inside my brain is breaking, ...: 

Windows Vista 32-bit

System Service Descriptor Table: 

- Goal: find the SSDT
- The public method from '90210' is still usable
- KeServiceDescriptorTable is still exported
- KiServiceTable is initialized in KiInitSystem():
    mov ds:_KeServiceDescriptorTable, offset _KiServiceTable
- Import ntoskrnl as a DLL, import KeServiceDescriptorTable, list all references to find its xref, and check that these opcodes are a 'mov [mem32], imm32'
- We then get a pointer of the following form: PVOID KiServiceTable[KiServiceLimit]

Interrupt Descriptor Table: 

- Goal: find the IDT
- Still the same thing
- Proof of concept: IDTGuard 0.1, released on December 10, 2006
- Look for the exported function KiSystemStartup()
- The GetMachineBootPointers() function returns pointers to the IDT, GDT and LDT
- NTOSKRNL setup instructions:
    - Adds the pointer to the IDT in KPCR.IDT (+0x38)
    - Copies the theoretical addresses from the INIT section:
    mov edi, [ebp+IdtEntry]
    mov esi, offset INIT.IdtRawOffset
    mov ecx, 2048
    shr ecx, 2
    rep movsd
- Some of these entries are modified by HAL.DLL (KPCR), and some others are pointers to KINTERRUPT structures.

Memento : Sysenter !: 

    KiFastSystemCall proc near
        mov edx, esp
        sysenter
    KiFastSystemCall endp

Model Specific Registers: 

- Opcodes: SYSENTER / SYSRET
- Three MSRs:
    - IA32_SYSENTER_ESP: kernel-land stack pointer
    - IA32_SYSENTER_CS: CS register data for kernel land
    - IA32_SYSENTER_EIP: kernel-land entry point
- Initialization in KiLoadFastSyscallMachineSpecificRegisters():
    WRMSR(IA32_SYSENTER_CS, 0x08, NULL);
    WRMSR(IA32_SYSENTER_EIP, KiFastCallEntry, NULL);
    WRMSR(IA32_SYSENTER_ESP, Unknown.u1988, NULL);
- A signature to find these opcodes can easily be built: we have a series of three WRMSR function calls.

Conclusion 32 bits: 

- Same internal scheme as previous Windows versions (Windows 2000, XP, 2003)
- Previous rootkit prevention tools should continue to work:
    - T. Chew Keong, SDTRestore v0.2
    - M. Suiche, IDTGuard v0.1 (without the \dev\(k)mem trick)
    - M. Russinovich, RootkitRevealer v1.71
    - J. Rutkowska, System Virginity Verifier (SVV) v2.3

Another one bites the dust, hey, I'm gonna get you too: 

Windows Vista 64-bit

System Service Descriptor Table: 

- KeServiceDescriptorTable, where are you?
- Not exported, but still present in the ALMOSTRO section
- INIT.KiInitSystem():
    lea rax, KiServiceTable
    mov cs:KeServiceDescriptorTable, rax
- KiServiceTable is still present in the .text section
- A bigger signature is needed
- Manual location of KiInitSystem() is needed
- Better to use a 64-bit LDE (LDE = Length Disassembly Engine)
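The xref check from the 32-bit SSDT slide and the lea/mov pair from this 64-bit slide, as an added example that is not code from the talk: it decodes both stores from constructed sample bytes (all addresses are made up) and compares the recovered KiServiceTable pointer against a "live" value the way SDTRestore/IDTGuard-style integrity checkers do.

```python
import struct

# Constructed sample bytes for this example (not real ntoskrnl values).
# 32-bit KiInitSystem() store from the slide:
#   mov ds:_KeServiceDescriptorTable, offset _KiServiceTable
# encodes as C7 05 <disp32 = &KeServiceDescriptorTable> <imm32 = &KiServiceTable>.
KSDT_VA_32 = 0x80552FA0                      # assumed VA of the exported KeServiceDescriptorTable
CODE_32 = (b"\x8b\xff"                       # mov edi, edi (filler)
           + b"\xc7\x05" + struct.pack("<II", KSDT_VA_32, 0x80501B8C)
           + b"\xc3")                        # ret

# 64-bit pair from the slide, both RIP-relative (no export to start from):
#   lea rax, KiServiceTable               -> 48 8D 05 <rel32>
#   mov cs:KeServiceDescriptorTable, rax  -> 48 89 05 <rel32>
CODE_64_VA = 0xFFFFF80001A00000              # assumed VA at which CODE_64 is mapped
CODE_64 = (b"\x90"                           # nop (filler)
           + b"\x48\x8d\x05" + struct.pack("<i", 0x1008)
           + b"\x48\x89\x05" + struct.pack("<i", 0x2001)
           + b"\xc3")

def find_kiservicetable_x86(code, ksdt_va):
    """imm32 stored to KeServiceDescriptorTable by a 'mov [mem32], imm32', else None."""
    pos = code.find(b"\xc7\x05")
    while pos != -1 and pos + 10 <= len(code):
        disp, imm = struct.unpack_from("<II", code, pos + 2)
        if disp == ksdt_va:                  # the xref the slide tells us to look for
            return imm
        pos = code.find(b"\xc7\x05", pos + 1)
    return None

def find_kiservicetable_x64(code, base_va):
    """Resolve the lea/mov pair; returns (KiServiceTable VA, KeServiceDescriptorTable VA)."""
    pos = code.find(b"\x48\x8d\x05")
    while pos != -1 and pos + 14 <= len(code):
        if code[pos + 7:pos + 10] == b"\x48\x89\x05":
            rel_lea = struct.unpack_from("<i", code, pos + 3)[0]
            rel_mov = struct.unpack_from("<i", code, pos + 10)[0]
            # RIP-relative displacements count from the end of each 7-byte instruction
            return base_va + pos + 7 + rel_lea, base_va + pos + 14 + rel_mov
        pos = code.find(b"\x48\x8d\x05", pos + 1)
    return None

def ssdt_pointer_intact(code, ksdt_va, live_pointer):
    """SDTRestore/IDTGuard-style check: does the live pointer still equal the init value?"""
    expected = find_kiservicetable_x86(code, ksdt_va)
    return expected is not None and expected == live_pointer
```

The raw byte search stands in for the length-disassembly engine the slide recommends; on a real image the pattern must be applied to decoded instructions so that a C7 05 inside an immediate is not taken for a store.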

Interrupt Descriptor Table: 

- KiSystemStartup():
    - GS segment register initialization (GS_BASE)
    - Copy of the IDT base into [GsBase+0x38]
- KiInitializeBootStructures():
    xor r10, r10
    lea r12, (INIT.KiInterruptInitTable+8)
    lea r9, KxUnexpectedInterrupt0
- Copies interrupts 0 to 19, and some others, from NTOSKRNL
- Easier to find than the SSDT
- Can become a critical target for rootkits

Memento : Syscall !: 

    Ntxxxxxxxxxxxxx proc near
        mov r10, rcx ; Ntxxxxxxxxxxxxx
        mov eax, FunctionID
        syscall
        retn
    Ntxxxxxxxxxxxxx endp

Syscall / Sysexit: 

- IA32_LSTAR (0xC0000082): KiSystemCall64
- IA32_CSTAR (0xC0000083): KiSystemCall32
- KiInitializeBootStructures():
    lea rax, KiSystemCall32
    mov ecx, 0C0000083h ; CSTAR
    mov rdx, rax
    shr rdx, 20h
    wrmsr
    lea rax, KiSystemCall64
    mov ecx, 0C0000082h ; LSTAR
    mov rdx, rax
    shr rdx, 20h
    wrmsr
- Conclusion: the MSR initialization is very easy to locate because of the wrmsr opcode. This is a macro used by MS programmers, not a function as in the 32-bit version.
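The wrmsr signature from this slide (and the three-WRMSR series mentioned on the 32-bit MSR slide), as an added example that is not code from the talk: it decodes the inline macro from constructed sample bytes (the base address and the KiSystemCall32/64 offsets are made up), recovers which MSR gets which entry point, and compares that with the values an integrity checker would read on the running system.

```python
import struct

IA32_LSTAR, IA32_CSTAR = 0xC0000082, 0xC0000083   # MSR indices from the slide
WRMSR = b"\x0f\x30"

# Constructed bytes for this example (not a real ntoskrnl dump) encoding the
# KiInitializeBootStructures() sequence shown on the slide, once per MSR:
#   lea rax, KiSystemCallXX   48 8D 05 <rel32>
#   mov ecx, <msr>            B9 <imm32>
#   mov rdx, rax              48 8B D0
#   shr rdx, 20h              48 C1 EA 20
#   wrmsr                     0F 30
BASE_VA = 0xFFFFF80001C00000                        # assumed VA at which CODE is mapped
TAIL = b"\x48\x8b\xd0\x48\xc1\xea\x20" + WRMSR
CODE = (b"\x48\x8d\x05" + struct.pack("<i", 0x509)   # KiSystemCall32 = BASE_VA + 0x510
        + b"\xb9" + struct.pack("<I", IA32_CSTAR) + TAIL
        + b"\x48\x8d\x05" + struct.pack("<i", 0xFE4)  # KiSystemCall64 = BASE_VA + 0x1000
        + b"\xb9" + struct.pack("<I", IA32_LSTAR) + TAIL
        + b"\xc3")

def decode_wrmsr_sites(code, base_va):
    """Map each MSR index written by the wrmsr macro to the VA loaded into rax before it."""
    sites = {}
    w = code.find(WRMSR)
    while w != -1:
        lo = max(0, w - 24)                          # the macro is only a few instructions long
        b9 = code.rfind(b"\xb9", lo, w)              # nearest 'mov ecx, imm32' before wrmsr
        if b9 != -1 and b9 + 5 <= w:
            msr = struct.unpack_from("<I", code, b9 + 1)[0]
            lea = code.rfind(b"\x48\x8d\x05", lo, b9)  # 'lea rax, rel32' that feeds edx:eax
            target = None
            if lea != -1 and lea + 7 <= b9:
                rel = struct.unpack_from("<i", code, lea + 3)[0]
                target = base_va + lea + 7 + rel     # RIP-relative from the end of the lea
            sites[msr] = target
        w = code.find(WRMSR, w + 2)
    return sites

def syscall_msrs_intact(sites, live):
    """live = {msr: value read on the running system}; True if LSTAR and CSTAR still hold the init targets."""
    return all(m in sites and live.get(m) == sites[m] for m in (IA32_LSTAR, IA32_CSTAR))
```

As on the SSDT slide, the byte search is a stand-in for a proper LDE: a stray B9 inside an immediate would shift the decoded MSR index, so a production checker walks instructions rather than bytes.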

Conclusion 64 bits: 

- A non-Microsoft Patchguard for 64-bit? Any research about it?
- I am writing an article about this one.
- Note: WoW (Windows-on-Windows) emulation continues to use the 0x2E interrupt (ntdll.dll)

References: 

- Matthew Conover (2006), Windows Vista Kernel Mode Security. http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf
- Matthieu Suiche (December 2006), IDTGuard v0.1 Public Build. http://www.msuiche.net/?p=9
- Joanna Rutkowska (July/August 2006), Subverting Vista Kernel. http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt
- Mark Russinovich (November 2006), RootkitRevealer 1.7.1. http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
- Joanna Rutkowska (2006), 'System Virginity Verifier'. http://www.invisiblethings.org/papers/rutkowska_bhfederal2006.ppt
- Authentium (October 2006), Microsoft Patchguard. http://blogs.authentium.com/sharp/?p=12
- Matt Miller, Ken Johnson (December 2005), Bypassing Patchguard on Windows x64. http://www.uninformed.org/?v=3&a=3
- Intel, 'Protected-Mode Exceptions and Interrupts' (5-3), IA-32 Intel Architecture Software Developer's Manual, System Programming Guide.
- Microsoft (January 2006), 'Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista'. http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc
- Microsoft (April 2005), 'Benefits of Microsoft Windows x64 Editions'. http://download.microsoft.com/download/D/A/A/DAA7245D-E01D-46A4-AB70-3A95ED3F6934/Windowsx64BenefitsWP.doc
- M. Conover (March 2006), 'Analysis of the Windows Vista Security Model'. http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf

Slide21: 

Questions and Answers