Whips 1.0 Internals
TRANSCRIPT
Page 1
Sapienza University of Rome, Computer Science Department
Bruno Vavalà - Whips 1.0 Beta 1
Sicurezza dei Dati e delle Reti (Data and Network Security) 2008/2009, Prof. Luigi V. Mancini
Student: Bruno Vavalà ([email protected])
Supervisor: Roberto Battistoni ([email protected])
Page 2
Our Goals
We want to:
Introduce and recall some important system security concepts
Explain a little more deeply how the Windows architecture works, what the security issues are and how they can be (almost) solved, even in a not-so-documented environment, showing two very powerful techniques
Highlight the difference between our solution and Winpooch, and the improvements we made with respect to the previous version of WHIPS
Show how we made WHIPS: the concept, the development, its algorithms and data structures
Discuss the future of Windows and WHIPS
Page 3
Reference Monitor
Always-invoked
Non-bypassable
Tamper-resistant
Verifiable
These are the four properties the rest of the talk measures WHIPS against: the hook must see every call (always invoked), a monitored process must not be able to route around it (non-bypassable), the processes it monitors must not be able to modify it (tamper-resistant), and it must be small and simple enough to be analysed (verifiable).
Page 4
Windows Architecture (diagram)
Page 5
System Calls
Win32 and syscall API
SSDT protection
Syscall invocation
KiSystemService
SystemService
Dispatch / parameter tables
Nt vs. Zw: in Ntdll.dll the two names lead to the same stub; inside Ntoskrnl.exe the Zw* entry points set the thread's previous mode to kernel mode before dispatching, so the parameter checks meant for user-mode callers are skipped
Ntdll.dll and Ntoskrnl.exe
Page 6
Trap and Interrupt Masking
Restrictions on code running at DISPATCH_LEVEL
The first three IRQLs (PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL) are software interrupt levels; the ones above them are hardware interrupt levels. Code running at DISPATCH_LEVEL or above must not wait on dispatcher objects and must not touch pageable memory: a page fault there crashes the system (IRQL_NOT_LESS_OR_EQUAL).
Page 7
System Memory Pools
They are all system-space virtual addresses
System page table entries
Non-paged pool: no page fault can occur
Paged pool: a page fault is possible
Memory Manager fault handler
A hook that may run at DISPATCH_LEVEL therefore keeps everything it touches in non-paged pool (the "Non-paged memory usage" point on slide 22).
Page 8
System Call Interposition
Syscall hooking (Russinovich et al.)
SSDT update
Page 9
Detours
Binary interception: the SSDT is left untouched
Trampoline function: assembly modifications, saving of the overwritten instructions, unconditional jump
Page 10
Winpooch
Watchdog for Windows
Real-time virus protection
Detours
Hard-coded Nt* syscall pointers (Windows-version dependent)
Stub saving
Page 11
WHIPS Concept
Reference Monitor
Windows Module
Syscall hooking
![Page 12: Whips1.0 Internals](https://reader031.vdocuments.mx/reader031/viewer/2022013118/555c4463d8b42a0b038b509b/html5/thumbnails/12.jpg)
Hard-Coded Syscall FREEDOM Previous version
Winpooch
Portability
The disassembler role
Pedasm
“C:\windows\system32\SCIndexes.sci”
Security Issues
Always-opened handles
Bruno Vavalà - Whips 1.0 Beta 12
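How a disassembler pass replaces hard-coded indexes, as an added example that is not Pedasm or WHIPS code: it parses the bytes of a 32-bit Windows XP ntdll.dll Nt* export and recovers the service index from its leading mov eax, imm32 instruction. The stub bytes, the index value 0x25 and the "already patched" stub are constructed for the example; parse_nt_stub, stub_index and stub_arg_bytes are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not WHIPS or Pedasm code): recover a system-service index
 * from the bytes of a 32-bit ntdll.dll Nt* export instead of hard-coding it.
 *
 * On 32-bit Windows XP such an export is a short stub:
 *
 *   B8 xx xx xx xx   mov  eax, <service index>
 *   BA 00 03 FE 7F   mov  edx, 7FFE0300h   ; KUSER_SHARED_DATA.SystemCall
 *   FF 12            call dword ptr [edx]  ; KiFastSystemCall or KiIntSystemCall
 *   C2 nn 00         ret  nn               ; nn = argument bytes (stdcall)
 *
 * The value loaded into EAX is the SSDT index KiSystemService dispatches on.
 * It differs between Windows versions and service packs, which is why a
 * hard-coded index table (Winpooch, the earlier WHIPS) breaks on another
 * build and why a disassembler pass over ntdll is the portable choice.
 */

typedef struct {
    uint32_t index;      /* SSDT index moved into EAX */
    uint32_t arg_bytes;  /* bytes popped by "ret nn", 0 if no such epilogue */
} nt_stub_info;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 and fills *out only for a stub with exactly the expected shape;
 * anything else (truncated, already patched, other opcode) returns 0 so the
 * caller never writes a guessed index into the index file. */
int parse_nt_stub(const uint8_t *code, size_t len, nt_stub_info *out)
{
    static const uint8_t mov_edx_sysptr[] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F };
    static const uint8_t call_edx[]       = { 0xFF, 0x12 };

    if (len < 12 || code[0] != 0xB8)                 /* mov eax, imm32 */
        return 0;
    if (memcmp(code + 5, mov_edx_sysptr, 5) != 0)    /* mov edx, 7FFE0300h */
        return 0;
    if (memcmp(code + 10, call_edx, 2) != 0)         /* call [edx] */
        return 0;

    out->index = read_le32(code + 1);
    out->arg_bytes = 0;
    if (len >= 15 && code[12] == 0xC2)               /* ret imm16 */
        out->arg_bytes = (uint32_t)code[13] | ((uint32_t)code[14] << 8);
    return 1;
}

/* One-call helpers: the value, or -1 when the stub is not recognised. */
long stub_index(const uint8_t *code, size_t len)
{
    nt_stub_info info;
    return parse_nt_stub(code, len, &info) ? (long)info.index : -1;
}

long stub_arg_bytes(const uint8_t *code, size_t len)
{
    nt_stub_info info;
    return parse_nt_stub(code, len, &info) ? (long)info.arg_bytes : -1;
}

/* Constructed input: an XP-shaped stub whose index is 0x25 and which pops
 * 0x2C = 44 bytes (eleven 4-byte arguments).  The index is made up. */
const uint8_t sample_stub[] = {
    0xB8, 0x25, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};

/* Constructed input: the same export after a Detours-style patch replaced
 * its first five bytes with "jmp rel32" (E9 ...).  There is no index here. */
const uint8_t patched_stub[] = {
    0xE9, 0x10, 0x20, 0x30, 0x40,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};

int main(void)
{
    printf("sample  : index=%ld, %ld argument bytes\n",
           stub_index(sample_stub, sizeof sample_stub),
           stub_arg_bytes(sample_stub, sizeof sample_stub));
    printf("patched : index=%ld (refused)\n",
           stub_index(patched_stub, sizeof patched_stub));
    return 0;
}
```

Against a real ntdll.dll the caller would walk the export table, hand each Nt* export to parse_nt_stub and write the (name, index) pairs to the index file. A parse failure is the moment to stop rather than to fall back to a table compiled into the binary: an index that is off by one hooks a different service, and a stub that no longer starts with mov eax means somebody else (a Detours-style hook, for instance) got there first. Other Windows versions and 64-bit builds use different stub shapes, so a matcher like this is per-version by design and must refuse what it does not recognise.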
Page 13
WHIPS Overview
Windows Driver: developed in C with the Windows Driver Kit (available for free at www.microsoft.com); boot-time loading
Windows Service: developed under the Microsoft .NET 2.0 framework in C#; driver loading; "the man in the middle"
Agent Application: developed under the Microsoft .NET 2.0 framework in C#; communication
whips.sourceforge.net
Page 14
WHIPS Overview (diagram)
Page 15
WHIPS Driver
Windows Driver Model
Kernel-mode activity: registering predefined routines
Installation: boot-time loading, Windows Registry entry
DriverEntry routine
Device creation: "\\DosDevices\\WHIPS"
Major function setting: Create, Close, DeviceControl
Page 16
I/O Flow Control (diagram)
Page 17
I/O Request Packet
Kernel-mode WDM data structure
Communication buffer (by pointer)
DeviceIoControl
IOCTLs
IRP completion
Asynchronous Procedure Call (APC)
CancelRoutine (no one must be lost)
Because the buffer behind that pointer is filled by user mode, the DeviceControl handler has to check the lengths that arrive with each IOCTL before it reads or writes the buffer.
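The checks a DeviceControl routine owes each IOCTL before it dereferences the communication buffer, as an added example that is not the WHIPS driver's code: CTL_CODE, METHOD_BUFFERED, FILE_DEVICE_UNKNOWN and the NTSTATUS values are the real Windows definitions, while the three IOCTL_WHIPS_* codes, the index_set_packet layout, the mode encoding and the driver_state fields are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the WHIPS driver's code: the length checks a
 * DeviceControl routine owes every IOCTL before touching the buffer that
 * slide 17 passes by pointer.  CTL_CODE, METHOD_BUFFERED, FILE_DEVICE_UNKNOWN
 * and the NTSTATUS values are the real Windows definitions; the IOCTL_WHIPS_*
 * numbers, the packet layouts, the mode encoding and driver_state are assumed.
 */

/* Windows I/O control code layout: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))
#define METHOD_BUFFERED      0
#define FILE_ANY_ACCESS      0
#define FILE_DEVICE_UNKNOWN  0x22
#define IOCTL_METHOD(code)   ((code) & 3)

#define STATUS_SUCCESS                 0x00000000u
#define STATUS_INVALID_PARAMETER       0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST  0xC0000010u
#define STATUS_BUFFER_TOO_SMALL        0xC0000023u

/* Hypothetical WHIPS control codes (function numbers chosen for the example). */
#define IOCTL_WHIPS_SET_INDEXES CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_WHIPS_SET_MODE    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_WHIPS_GET_MODE    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define MAX_SYSCALLS 16
#define MODE_MAX     2          /* 0 = Log, 1 = Allow, 2 = Protection (assumed encoding) */

typedef struct { uint32_t count; uint32_t index[MAX_SYSCALLS]; } index_set_packet;   /* service -> driver */
typedef struct { uint32_t mode; uint32_t loaded; uint32_t indexes[MAX_SYSCALLS]; } driver_state;

/* The parts of a METHOD_BUFFERED IRP the handler needs: SystemBuffer (the
 * I/O manager's kernel copy of the user buffer) and the two lengths. */
typedef struct { uint32_t code; void *system_buffer; size_t in_len; size_t out_len; } irp_view;

uint32_t whips_device_control(driver_state *st, const irp_view *irp)
{
    if (IOCTL_METHOD(irp->code) != METHOD_BUFFERED)          /* only buffered codes are accepted */
        return STATUS_INVALID_DEVICE_REQUEST;

    switch (irp->code) {
    case IOCTL_WHIPS_SET_INDEXES: {
        const index_set_packet *pkt = irp->system_buffer;
        size_t need;
        if (irp->in_len < offsetof(index_set_packet, index))  /* can count be read at all? */
            return STATUS_BUFFER_TOO_SMALL;
        if (pkt->count > MAX_SYSCALLS)                        /* would overrun st->indexes */
            return STATUS_INVALID_PARAMETER;
        need = offsetof(index_set_packet, index) + pkt->count * sizeof(uint32_t);
        if (irp->in_len < need)                               /* count promises more than was sent */
            return STATUS_BUFFER_TOO_SMALL;
        memcpy(st->indexes, pkt->index, pkt->count * sizeof(uint32_t));
        st->loaded = pkt->count;
        return STATUS_SUCCESS;
    }
    case IOCTL_WHIPS_SET_MODE: {
        uint32_t mode;
        if (irp->in_len < sizeof mode) return STATUS_BUFFER_TOO_SMALL;
        memcpy(&mode, irp->system_buffer, sizeof mode);
        if (mode > MODE_MAX) return STATUS_INVALID_PARAMETER;  /* unknown mode: keep the current one */
        st->mode = mode;
        return STATUS_SUCCESS;
    }
    case IOCTL_WHIPS_GET_MODE:                                /* the output side needs the same care */
        if (irp->out_len < sizeof st->mode) return STATUS_BUFFER_TOO_SMALL;
        memcpy(irp->system_buffer, &st->mode, sizeof st->mode);
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Constructed requests against a fresh driver state; each returns the status
 * the IRP would be completed with. */
static uint32_t submit(uint32_t code, void *buf, size_t len)
{
    driver_state st = {0};
    irp_view irp = { code, buf, len, 0 };
    return whips_device_control(&st, &irp);
}
uint32_t demo_good_index_set(void)      { index_set_packet p = { 3, { 0x25, 0x74, 0x8F } }; return submit(IOCTL_WHIPS_SET_INDEXES, &p, sizeof p); }
uint32_t demo_truncated_index_set(void) { uint32_t b[2] = { 3, 0x25 };                       return submit(IOCTL_WHIPS_SET_INDEXES, b, sizeof b); }
uint32_t demo_oversized_count(void)     { index_set_packet p = { 99, { 0 } };                 return submit(IOCTL_WHIPS_SET_INDEXES, &p, sizeof p); }
uint32_t demo_bad_mode(void)            { uint32_t m = 7;                                     return submit(IOCTL_WHIPS_SET_MODE, &m, sizeof m); }

int main(void)
{
    printf("IOCTL_WHIPS_SET_INDEXES = 0x%06x\n", IOCTL_WHIPS_SET_INDEXES);
    printf("complete index set      : 0x%08x\n", demo_good_index_set());
    printf("count 3, one entry sent : 0x%08x\n", demo_truncated_index_set());
    printf("count 99                : 0x%08x\n", demo_oversized_count());
    printf("mode 7                  : 0x%08x\n", demo_bad_mode());
    return 0;
}
```

The three checks on the SET_INDEXES path are the ones that matter, in that order: the header length first (otherwise count is read from past the end of what was sent), the bound on count (otherwise the memcpy overruns the kernel-side array), and then the length the count implies (otherwise the copy reads beyond the supplied bytes). With METHOD_BUFFERED the I/O manager has already copied the user buffer into SystemBuffer, so the pointer itself is safe to dereference; with METHOD_NEITHER the handler would additionally have to probe and capture the user pointers, which is why the model rejects any other method outright.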
Page 18
Syscall Hooking
Pointer initialization
Service control message: syscall index set data structures
SSDT protection: memory mapping (MDL) gives the driver a writable alias of the table (MappedSystemCallTable in the macro below)
Control Register 0 (write-protection bit) disabling
SSDT update with an Interlocked operation (multiprocessor-safe)

/* Atomically replace the SSDT slot of _Function with _Hook and keep the old pointer in _Orig */
#define HOOK_SYSCALL(_Function, _Hook, _Orig) \
    _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
Page 19
Syscall Wrappers
How many parameters does a syscall take?
One-to-one correspondence: each wrapper has exactly the prototype (parameter count and calling convention) of the service it replaces, otherwise the callee-cleaned stack is left in the wrong state
HookPacket structure
Reference Monitor call
Page 20
Whips Reference Monitor
Driver state: Log / Allow / Protection mode
Process image path retrieval
Logging
HookPacket serialization
Drv2App IRP completion
ACD checker
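The mechanics of slides 18, 19 and 20 in one runnable model, as an added example that is not WHIPS driver code: a service table of function pointers, atomic swapping of a slot the way the deck's HOOK_SYSCALL macro does it with InterlockedExchange, a wrapper whose prototype matches the original service one-to-one, a HookPacket handed to a reference monitor in Log, Allow or Protection mode, and restoration of the table. It runs in user space on C11 atomics; the table, the index, the "service", the process path and the deny policy are constructed for the example, and the MDL mapping / CR0 step that makes the real SSDT writable has no counterpart here because the modelled table is ordinary writable memory.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not WHIPS driver code: a user-space model of slides 18-20.
 * The table, the index, the "service", the process path and the policy are
 * constructed.  In the real driver the table is KeServiceDescriptorTable
 * (write-protected, hence the MDL mapping or CR0.WP clearing on slide 18) and
 * the slot swap is InterlockedExchange as in the deck's HOOK_SYSCALL macro.
 */

typedef long NTSTATUS;
#define STATUS_SUCCESS                 0L
#define STATUS_ACCESS_DENIED           ((NTSTATUS)0xC0000022L)
#define STATUS_INVALID_SYSTEM_SERVICE  ((NTSTATUS)0xC000001CL)

/* Slide 19: a wrapper must have exactly the prototype of the service it
 * replaces (stdcall pops the arguments in the callee, so a parameter-count
 * mismatch corrupts the stack).  One service is enough to show the pattern. */
typedef NTSTATUS (*syscall_fn)(const char *object, uint32_t access);

#define SSDT_SIZE 4
static _Atomic(syscall_fn) ServiceTable[SSDT_SIZE];   /* the modelled SSDT */
enum { IDX_NtOpenFile = 1 };                           /* assumed index */

/* Stand-in for the kernel's original service. */
static NTSTATUS real_NtOpenFile(const char *p, uint32_t a) { (void)p; (void)a; return STATUS_SUCCESS; }

/* Slide 20: driver state and the packet the wrapper hands to the monitor. */
typedef enum { MODE_ALLOW, MODE_LOG, MODE_PROTECTION } rm_mode;
typedef struct { int syscall_index; const char *process; const char *object; uint32_t access; } HookPacket;
typedef int (*rm_policy)(const HookPacket *);          /* 1 = allow, 0 = deny */

static rm_mode     g_mode = MODE_ALLOW;
static rm_policy   g_policy;
static const char *g_process = "C:\\evil\\dropper.exe";   /* stand-in for image-path retrieval */
static syscall_fn  Orig_NtOpenFile;                        /* saved by HOOK_SYSCALL */

static int reference_monitor(const HookPacket *pkt)
{
    if (g_mode == MODE_ALLOW) return 1;                    /* pass-through */
    printf("[whips] %s idx=%d %s access=0x%x\n",          /* Log and Protection both record */
           pkt->process, pkt->syscall_index, pkt->object, pkt->access);
    if (g_mode == MODE_LOG) return 1;
    return g_policy ? g_policy(pkt) : 0;                   /* Protection: ask the policy, deny if none */
}

/* The wrapper: same prototype, build the packet, ask, then fall through. */
static NTSTATUS Hook_NtOpenFile(const char *path, uint32_t access)
{
    HookPacket pkt = { IDX_NtOpenFile, g_process, path, access };
    return reference_monitor(&pkt) ? Orig_NtOpenFile(path, access) : STATUS_ACCESS_DENIED;
}

/* Same shape as the deck's macro: swap one slot atomically, keep the old pointer. */
#define HOOK_SYSCALL(_Index, _Hook, _Orig) \
    ((_Orig) = atomic_exchange(&ServiceTable[(_Index)], (_Hook)))
#define UNHOOK_SYSCALL(_Index, _Orig) \
    ((void)atomic_exchange(&ServiceTable[(_Index)], (_Orig)))

/* What KiSystemService does once it has the index: bounds-check, then dispatch. */
static NTSTATUS system_service(int index, const char *object, uint32_t access)
{
    if (index < 0 || index >= SSDT_SIZE) return STATUS_INVALID_SYSTEM_SERVICE;
    syscall_fn fn = atomic_load(&ServiceTable[index]);
    return fn ? fn(object, access) : STATUS_INVALID_SYSTEM_SERVICE;
}

/* Example policy: no write access (bit 0x2, assumed) to the WHIPS index file. */
static int deny_index_file_writes(const HookPacket *pkt)
{
    return !((pkt->access & 0x2) && strstr(pkt->object, "SCIndexes.sci"));
}

/* Install the hook, issue one NtOpenFile in the given mode, restore the table. */
NTSTATUS run_scenario(rm_mode mode, const char *object, uint32_t access)
{
    atomic_store(&ServiceTable[IDX_NtOpenFile], real_NtOpenFile);
    HOOK_SYSCALL(IDX_NtOpenFile, Hook_NtOpenFile, Orig_NtOpenFile);
    g_mode = mode;
    g_policy = deny_index_file_writes;
    NTSTATUS st = system_service(IDX_NtOpenFile, object, access);
    UNHOOK_SYSCALL(IDX_NtOpenFile, Orig_NtOpenFile);
    return st;
}

/* After UNHOOK the slot must hold the original again. */
int table_restored(void) { return atomic_load(&ServiceTable[IDX_NtOpenFile]) == real_NtOpenFile; }

int main(void)
{
    const char *sci = "C:\\WINDOWS\\system32\\SCIndexes.sci";
    printf("allow mode      : 0x%lx\n", (unsigned long)run_scenario(MODE_ALLOW, sci, 0x2));
    printf("protection mode : 0x%lx\n", (unsigned long)run_scenario(MODE_PROTECTION, sci, 0x2));
    printf("table restored  : %d\n", table_restored());
    return 0;
}
```

Two things the model makes visible. The wrapper never decides on its own: in Allow mode it is a pass-through, in Log mode it records and passes, and only in Protection mode does the policy get to deny, which is the three-state driver of slide 20. And the atomic exchange protects the pointer update on a multiprocessor, but it does not wait for threads already executing inside the wrapper: unhooking and then unloading the driver while a call is still inside Hook_NtOpenFile leaves that thread running in freed memory, so a real driver has to count callers in flight or refuse to unload.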
Page 21
Windows Processes
Executive Process Block (EPROCESS) structure
Querying process information
Retrieving the process executable image path
EPROCESS is undocumented and its field offsets change between Windows releases, so code that reads it directly is tied to the version it was built for.
Page 22
ACD
Non-paged memory usage
ACD setting
Serialization
CheckHook: string comparison with dynamic programming
FHFU policy
ActionType: Implicit_Log, Implicit_Deny
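A CheckHook lookup with the string comparison done by dynamic programming, as an added example that is not WHIPS code. The deck says only that the comparison is string-based and uses dynamic programming and that unmatched calls get an implicit action; the rule layout (syscall index, process pattern, object pattern, action), the '*' and '?' wildcard syntax, case-insensitive matching, first-match-wins ordering and the sample rules are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not WHIPS code: the CheckHook step of slide 22 as a rule
 * lookup whose wildcard comparison is done by dynamic programming.  The rule
 * layout, the '*' / '?' syntax, case-insensitive matching, first-match-wins
 * ordering and the sample rules are assumptions made for this example.
 */

typedef enum { ACT_ALLOW, ACT_DENY, ACT_LOG } action_t;

typedef struct {
    int         syscall_index;   /* -1 = any syscall */
    const char *process;         /* pattern over the caller's image path */
    const char *object;          /* pattern over the object being accessed */
    action_t    action;
} acd_rule;

#define MAX_LEN 260              /* MAX_PATH: longer inputs are refused, not truncated */

static int ieq(char a, char b)   /* case-insensitive compare, ASCII only */
{
    if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
    if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
    return a == b;
}

/* '*' matches any run (including empty), '?' one character.  Two DP rows
 * (cur[j]: does pat[0..i) match txt[0..j)?) instead of recursion: cost is
 * O(|pat| * |txt|) whatever the input, and the stack footprint is fixed. */
int wildcard_match(const char *pat, const char *txt)
{
    size_t p = strlen(pat), t = strlen(txt);
    unsigned char prev[MAX_LEN + 1], cur[MAX_LEN + 1];
    if (p > MAX_LEN || t > MAX_LEN) return 0;
    memset(prev, 0, sizeof prev);
    prev[0] = 1;                                   /* empty pattern matches empty text */
    for (size_t i = 1; i <= p; i++) {
        char c = pat[i - 1];
        cur[0] = (c == '*') ? prev[0] : 0;         /* only '*' can match empty text */
        for (size_t j = 1; j <= t; j++)
            cur[j] = (c == '*') ? (unsigned char)(prev[j] || cur[j - 1])
                                : (unsigned char)(prev[j - 1] && (c == '?' || ieq(c, txt[j - 1])));
        memcpy(prev, cur, t + 1);
    }
    return prev[t];
}

/* Walk the rules in order; the first one whose index and both patterns match
 * decides.  A call no rule covers gets the table's implicit action
 * (Implicit_Log or Implicit_Deny on the slide). */
action_t check_hook(const acd_rule *rules, size_t n, action_t implicit,
                    int syscall_index, const char *process, const char *object)
{
    for (size_t i = 0; i < n; i++) {
        if (rules[i].syscall_index != -1 && rules[i].syscall_index != syscall_index)
            continue;
        if (wildcard_match(rules[i].process, process) && wildcard_match(rules[i].object, object))
            return rules[i].action;
    }
    return implicit;
}

/* Constructed rule set.  0x25 stands for the index of the file-open service
 * (made up), 0x74 for a registry service; the paths are illustrative. */
static const acd_rule sample_acd[] = {
    { 0x25, "C:\\Program Files\\WHIPS\\*", "*",                                     ACT_ALLOW }, /* our own service */
    { 0x25, "*",                            "C:\\WINDOWS\\system32\\SCIndexes.sci", ACT_DENY  }, /* index file: nobody else */
    { 0x25, "*",                            "C:\\WINDOWS\\system32\\*.sys",         ACT_DENY  }, /* no driver drops */
    { -1,   "*\\cmd.exe",                   "*",                                    ACT_LOG   }, /* watch shells */
};
#define N_RULES (sizeof sample_acd / sizeof sample_acd[0])

/* Lookup against the sample table in Implicit_Deny mode. */
action_t demo_check(int idx, const char *process, const char *object)
{
    return check_hook(sample_acd, N_RULES, ACT_DENY, idx, process, object);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY", "LOG" };
    printf("service opens index file   : %s\n", names[demo_check(0x25, "C:\\Program Files\\WHIPS\\WhipsService.exe", "C:\\WINDOWS\\system32\\SCIndexes.sci")]);
    printf("dropper opens index file   : %s\n", names[demo_check(0x25, "C:\\evil\\dropper.exe", "c:\\windows\\SYSTEM32\\scindexes.SCI")]);
    printf("cmd.exe touches registry   : %s\n", names[demo_check(0x74, "C:\\WINDOWS\\system32\\cmd.exe", "HKLM\\Software\\Run")]);
    printf("unlisted app, unlisted file: %s\n", names[demo_check(0x74, "C:\\Program Files\\App\\app.exe", "C:\\docs\\a.txt")]);
    return 0;
}
```

The DP table is the security-relevant choice: a backtracking wildcard matcher is exponential on patterns like *a*a*a*b against long runs of a, and this code runs inside every hooked system call, so an attacker who can choose the object name could stall the calling thread in the kernel with a recursive matcher. The two-row version keeps the working set to about half a kilobyte, which matters on a kernel stack; inputs longer than MAX_PATH are refused rather than truncated, and under Implicit_Deny a refusal is a denial.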
Page 23
WHIPS Service
Installation: (MS .NET) InstallUtil.exe, Windows Registry entry
Automatic starting
LocalSystem account: the most privileged local account, so the service and the channels it opens towards the driver and the agent are worth protecting (slide 32 returns to this)
ServiceBase class
using System.ServiceProcess;

public class WHIPSService : ServiceBase {
    public WHIPSService() {
        this.ServiceName = "WhipsService";
        this.CanStop = true;
    }

    // Entry point: hands the service object to the Service Control Manager
    public static void Main() {
        ServiceBase.Run(new WHIPSService());
    }
}
Page 24
Service Initialization
EventLogger
Driver (un)installation and loading
Communication Manager
Driver initialization: syscall index set (exclusive access); ACD set (shared-read access)
Page 25
Device Opening
The device is a file
I/O Manager call
Object Manager call
Device object security attributes: the Object Manager checks the caller's access token against the device object's security descriptor when the handle is opened, so that descriptor decides which users can reach the driver's IOCTLs at all
Page 26
Service Proxy
Like a reference monitor
Game management
App2Drv / Drv2App IRPs
Overlapped (asynchronous) I/O
Pipe Manager
Communication events
Page 27
Logger and ACD Controller
Windows System32 home directory
ACD Reader/Writer: ACD file (shared-read mode)
LawPacket structure: fixed fields
Hook Logger: buffered write to "Log.txt"
Page 28
WHIPS Agent
Ready-to-run application (pretty ugly interface). Are you able to design it better?!?!... Do it
Driver controls
Pipe
ACD window: filter rule insertion/deletion
Monitor Log window: manual/automatic (timeout-based) refresh
Index field in the Insert Filter window
Page 29
(screenshot)
Page 30
What's next?
Page 31
Distributed WHIPS
Global ACD maintenance
Auto update
Less overhead for typical Windows users
Interface: with or without it?
Better and faster protection
Architectural complexity increased
(Do you want the barrel full and the wife drunk?! That is, to have your cake and eat it too)
Page 32
What's better to do now? Increasing:
Stability
Reliability (still not so high)
Performance
Security issues:
Secure boot
Non-paged memory amount
Authentication between components
Integrity and availability of used files
Secure channel communication
Page 33
References
Battistoni, Gabrielli, Mancini - A Host Intrusion Prevention System for Windows Operating Systems, ESORICS 2004
Bernaschi, Gabrielli, Mancini - REMUS: a Security-Enhanced Operating System, ACM TISSEC, Feb. 2002
Russinovich, Solomon - Microsoft Windows Internals, 4th Edition: Microsoft Windows Server 2003, Windows XP and Windows 2000, Microsoft Press, 2004
(NOT YET RELEASED at the time of this talk) Russinovich, Solomon - Microsoft Windows Internals, 5th Edition: Microsoft Windows Vista
Nebbett - Windows NT/2000 Native API Reference, Macmillan Technical Publishing
Hoglund, Butler - Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005
Oney - Programming the Microsoft Windows Driver Model, 2nd Edition, Microsoft Press, 2003
Microsoft Developer Network - msdn.microsoft.com
Windows Driver Development - www.osronline.com
Battistoni / Licameli / Di Biagio Laurea theses and other material at www.robertobattistoni.it
Page 34
I Want YOU
If you like WHIPS, you are...
WELCOME
...just ask Prof. Mancini or Roberto Battistoni
Page 35
The end
Enjoy WHIPS
For further information visit
whips.sourceforge.net
For anything else, bugs above all, send an email to
or