Windows Vista Kernel Security [EN].ppt

Who am I? High school student Website/Blog: Microsoft Student Partner (MSP) Security Fanatics ! Reverse Engineering Vulnerabilities Analyse Malicious Binary Research Security Tools Programming Core System Security Research TinyKRNL Project Kernel Developer (ATAPI) Agenda Kernel Hooking, why ? Patchguard Code Integrity Signed Drivers Windows Vista (32 bits Kernel) SSDT KIDT MSR Windows Vista (64 bits Kernel) SSDT KIDT MSR Kernel Hooking, Why ? Mainly from rootkits ! Modification of system table like SDT Functions NtCreateProcess, NtSystemInformation, ... Modification of internal stuctures PsLoadedModuleList Modification of IDT to manage external debugger Modification of the 0x2E interrupt to hook syscalls (Win2K) Modification of MSR registers to hook syscalls (WinXP, Win2k3, WinVista) Modification of system functions prolog Patchguard Authors : Windows Core Team First implementation in Windows XP x64 Cf. Analysis of Matt Miller Ken Johnson (Win2k3) Checking of system tables and critical sections. Functions IDT GDT SDT Processus list MSRs 25, Octobre 2006 – Authentium 8, Novembre 2006 – Windows Vista RTM Code Integrity (CI.DLL) Authors : Windows DRM Team Windows Vista Innovation Numerous steps A bootloader checks the ntoskrnl, HAL, and boot drivers authenticity. Checks the ntoskrnl import table Deleting or patching of CI.DLL = Cannot boot ! Note : WINLOAD.EXE checks NTOSKRNL.EXE authenticity while booting Enabled before patchguard Can be disabled by user while booting. Signed Drivers (KMD) Goal : Prevent from rootkits and malicious drivers. Mandatory on Windows Vista 64bits Signed by a certificate Can be disabled by user while booting (BOOT.INI) July 2006 – J. Rutkowska / BlackHat Three steps attack Eat the full physical memory Access granted to the pagination file (pagefile.sys) from a direct access to the HDD (\\.\PHYSICALDRIVE0) Modify a loaded driver (e.g. NULL.sys) Another step using hardware virtualization. Pacifica (AMD SVM extensions) / Vanderpool (Vt-x)