TECH TRAINING 4 – DIVING INTO WINDOWS KERNEL INTERNALS FROM 0 DAYS AND EXPLOIT ANALYSIS
TRAINERS: Damien Aumaitre (Security Engineer, QuarksLab) & Sebastien Renaud (Security Engineer, QuarksLab) |
CAPACITY: 25 pax |
SEATS LEFT: 12 |
DURATION: 2 days (14th & 15th October 2013) |
COST (per pax): MYR4999 (early bird) / MYR5999 (non early-bird) |
________________
OVERVIEW
We start our journey in kernel land by using undisclosed 0-days in AV products. We use these 0-days as a means to dig into the core of the system.
Attendees will learn the various internals of the Windows NT kernel architecture: system components, mechanisms, functionalities and data structures.
This course will familiarize attendees with the debugging, troubleshooting and exploration tools available on Windows to investigate the internals and the state of the system, identify common problem symptoms on production systems, and troubleshoot them on 32-bit and 64-bit Windows.
WHO SHOULD ATTEND
Candidates for this training are engineers, developers, IT staff, or simply curious people who work with the Windows operating system at a level that might require Windows internals knowledge.
KEY LEARNING OBJECTIVES
- Gain a good understanding of the inner workings of the Windows operating system.
- Understand the various components that make up the core of the Windows operating system and the interactions between them.
- Use the debugger to examine the system internals and identify common problem symptoms.
PREREQUISITE KNOWLEDGE
Attendees should be familiar with basic operating system concepts and have hands-on experience with the Windows operating system. They should also be familiar with the Win32 API and the C programming language (or a derivative), and have basic knowledge of x86/x86-64 assembly.
COURSE AGENDA
Day 1
“From 0-day kernel exploit to Windows Kernel Internals”
- Setting up the environment
- WinDbg primer
Part I: “Shellcode analysis to Internals”: Analyzing an exploit to grasp important kernel concepts
We start our expedition in kernel land by reviewing an exploit's shellcode. It serves as a means to see important concepts such as: why and how the shellcode uses segmentation to reach kernel structures, why segmentation gave way to paging, what paging is and how it relates virtual memory to physical memory. We then examine the major internal structures the shellcode touches and see how the shellcode could be improved. Finally we concentrate on the security model as seen from inside the Windows kernel.
- Segmentation
  - Role
- Paging
  - PDE, PTE, PFN
- Major kernel structures
  - KPCR, KPRCB, ETHREAD, EPROCESS, etc.
  - Synchronization (spin locks, push locks, etc.)
- Security model
  - Security Manager, TOKEN, SID, etc.
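The paging part of this agenda (how a virtual address is resolved through PDE and PTE entries down to a PFN, and what the protection bits of each level mean for an exploit) can be shown with a small simulator. The program below is an added example written for this page, not course material from Quarkslab: it models an x86-64 4-level page walk over a constructed address space containing a user code page, a user-mapped NULL page (as a NULL-dereference exploit would set up), a kernel data page and a kernel 2 MiB page, and reports why a given access would fault. All addresses, frame numbers and the `smep` switch are assumptions made for the demo; the walk itself follows the architectural rules (rights are the AND of R/W and U/S over all levels, NX is the OR, non-canonical addresses raise #GP rather than #PF).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified x86-64 4-level page walk (PML4 -> PDPT -> PD -> PT) over a small simulated
 * physical memory. Model only: no A/D bits, PCID, PKU or 1 GiB pages; SMEP is modelled,
 * SMAP is not. All frame numbers and addresses below are constructed for the demo. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define NFRAMES    64                   /* 256 KiB of simulated RAM holding page tables */
static uint64_t phys[NFRAMES * 512];    /* 512 qword entries per 4 KiB frame */

#define PTE_P    (1ULL << 0)            /* present */
#define PTE_RW   (1ULL << 1)            /* writable */
#define PTE_US   (1ULL << 2)            /* user-mode accessible */
#define PTE_PS   (1ULL << 7)            /* in a PDE: entry maps a 2 MiB page */
#define PTE_NX   (1ULL << 63)           /* no-execute */
#define PFN_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: page frame number << 12 */

enum { WALK_OK, WALK_NONCANONICAL, WALK_NOT_PRESENT, WALK_SUPERVISOR_ONLY,
       WALK_READONLY, WALK_NX, WALK_SMEP };
typedef struct { int status; uint64_t pa; int level; } walk_result;

static unsigned next_frame = 1;         /* frame 0 stays unused so no table sits at PA 0 */

/* Page-table frame referenced by a CR3 value or a table entry. */
static uint64_t *table_at(uint64_t entry)
{
    uint64_t frame = (entry & PFN_MASK) >> PAGE_SHIFT;
    if (frame >= NFRAMES) abort();      /* only table frames exist in the simulation */
    return &phys[frame * 512];
}

static uint64_t alloc_table(void)
{
    if (next_frame >= NFRAMES) abort();
    uint64_t pa = (uint64_t)next_frame++ << PAGE_SHIFT;
    memset(table_at(pa), 0, PAGE_SIZE);
    return pa;
}

/* Four 9-bit table indices: VA bits 47..39, 38..30, 29..21, 20..12. */
static void indices(uint64_t va, unsigned idx[4])
{
    for (int i = 0; i < 4; i++) idx[i] = (va >> (39 - 9 * i)) & 0x1FF;
}

/* Map va -> pa as a 4 KiB page, or a 2 MiB page when large != 0. Intermediate entries
 * are created P|RW|US so the leaf entry alone decides the access rights. */
void map_page(uint64_t cr3, uint64_t va, uint64_t pa, uint64_t leaf_flags, int large)
{
    unsigned idx[4]; indices(va, idx);
    uint64_t *tbl = table_at(cr3);
    int leaf = large ? 2 : 3;
    for (int lvl = 0; lvl < leaf; lvl++) {
        if (!(tbl[idx[lvl]] & PTE_P))
            tbl[idx[lvl]] = alloc_table() | PTE_P | PTE_RW | PTE_US;
        tbl = table_at(tbl[idx[lvl]]);
    }
    tbl[idx[leaf]] = (pa & PFN_MASK) | leaf_flags | PTE_P | (large ? PTE_PS : 0);
}

/* Translate va for one access. Effective rights: AND of RW and US over all levels, OR of
 * NX. CR0.WP=1 as on Windows, so supervisor writes honour RW; with SMEP a supervisor
 * instruction fetch from a user-accessible page faults. */
walk_result translate(uint64_t cr3, uint64_t va, int user, int write, int exec, int smep)
{
    walk_result r = { WALK_OK, 0, -1 };
    uint64_t top = va >> 47;            /* bits 63..47 must all be equal: else #GP, not #PF */
    if (top != 0 && top != 0x1FFFF) { r.status = WALK_NONCANONICAL; return r; }
    unsigned idx[4]; indices(va, idx);
    uint64_t *tbl = table_at(cr3);
    int nx = 0, us = 1;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t e = tbl[idx[lvl]];
        r.level = lvl;
        if (!(e & PTE_P))           { r.status = WALK_NOT_PRESENT;     return r; }
        if (user && !(e & PTE_US))  { r.status = WALK_SUPERVISOR_ONLY; return r; }
        if (write && !(e & PTE_RW)) { r.status = WALK_READONLY;        return r; }
        nx |= (e & PTE_NX) != 0;
        us &= (e & PTE_US) != 0;
        if (lvl < 3 && !(lvl == 2 && (e & PTE_PS))) { tbl = table_at(e); continue; }
        if (exec && nx)                  { r.status = WALK_NX;   return r; }
        if (exec && !user && us && smep) { r.status = WALK_SMEP; return r; }
        uint64_t off_mask = (lvl == 2) ? (1ULL << 21) - 1 : PAGE_SIZE - 1;
        r.pa = (e & PFN_MASK & ~off_mask) | (va & off_mask);
        return r;
    }
    return r;
}

/* Constructed address space: user code (r-x), a user-mapped NULL page (rwx, as a NULL
 * dereference exploit would set up), kernel data (rw-, NX), a kernel 2 MiB page (rwx). */
uint64_t build_demo_space(void)
{
    next_frame = 1;
    uint64_t cr3 = alloc_table();                                             /* PML4 */
    map_page(cr3, 0x0000000000400000ULL, 0x0000000001000000ULL, PTE_US, 0);
    map_page(cr3, 0x0000000000000000ULL, 0x0000000001001000ULL, PTE_US | PTE_RW, 0);
    map_page(cr3, 0xFFFFF80000001000ULL, 0x0000000001002000ULL, PTE_RW | PTE_NX, 0);
    map_page(cr3, 0xFFFFF80000200000ULL, 0x0000000002000000ULL, PTE_RW, 1);
    return cr3;
}
```

Calling `translate(build_demo_space(), 0x10, 0, 0, 1, 0)` succeeds and yields a physical address inside the attacker's NULL page, which is exactly why a kernel NULL-pointer dereference was exploitable on older Windows builds; the same call with `smep` set to 1 returns `WALK_SMEP`. A user-mode write to the `0x400000` code page fails with `WALK_READONLY`, a user-mode read of the `0xFFFFF80000001000` kernel page fails with `WALK_SUPERVISOR_ONLY`, and the `0xFFFFF80000200000` mapping resolves at level 2 with a 21-bit offset because of the PS bit.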
Part II: “Vulnerability analysis”: Understanding the vulnerabilities to explore internals concepts
Once the shellcode and its underlying concepts have been studied in detail, we focus on the vulnerabilities themselves (some 0-days may be dropped as well). We begin by explaining how handles are used by the kernel and how they relate to the object manager. From there we follow the code path of a system call to see exactly how it works from entry to exit. We then review what drivers are, how we can communicate with them, and what forms of input and output they accept.
- Starting from the CreateFile system call
- Handles
  - Handle table ; reference counting
- Object Manager
  - Object namespace ; symbolic links ; OBJECT_HEADER ; object types
- System service dispatching
  - MSRs ; interrupts ; system services ; KeServiceDescriptorTable[Shadow] ; trap frames
- Win32 processes
- Device Manager & kernel drivers
  - Driver types, architecture and layering
- The I/O dispatcher & I/O requests
  - IRPs: processing, completion, cancellation
  - MDLs
- Leveraging security vulnerabilities
Day 2
Part III: “Exploit Analysis”: Using various exploits, from simple to advanced, to demonstrate the inner workings of kernel components.
In this part we focus on various exploits to delve into the memory manager and the key memory components of the system. We also look at asynchronous code execution with APCs, work items and timers, and at task priorities with DPCs and IRQLs. As Win32k is also an important part of the kernel, we discuss the kernel windowing system and key concepts such as window messaging, sessions and desktops.
- Memory Manager
  - Kernel pools ; thread stacks
  - Kernel pool overflows
  - Session space
  - VAD
  - MDL
  - Page locking
  - Working set trimming
  - NULL derefs
- APCs
- DPCs
- IRQLs
- Work items
- Timers
- Win32k
  - Messaging
  - Sessions
  - Desktops
Part IV: “Protections”
Finally we take a deep look at the mitigations in the latest versions of Windows that make exploitation of kernel flaws considerably harder. Lastly we scrutinize the PatchGuard protection system and its inner mechanisms.
- Kernel mitigations
- PatchGuard
HARDWARE REQUIREMENTS
Hardware:
- 64-bit machine with at least 4 GB of RAM
Software:
- IDA Pro
- Visual Studio 2012 (the Visual C++ compiler toolchain is required, e.g. Visual C++ Express)
- Virtualization software:
  - VMware Player (at least version 5.0) or Workstation (at least version 9.0)
  - Ability to debug a virtual machine from the host OS, or from another virtual machine, with WinDbg