Recon 2011

Alex Ionescu
Day Training - 2011-07-07
Start time 09:00
Duration 03:00
ID 154
Event type Workshop

Windows Internals for Reverse Engineers

Part 1: Inside the Windows Kernel

The focus of the first part is understanding the behaviour and operation of the Windows Kernel.

Core topics such as interrupts, DPCs, APCs, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas -- for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.

A detailed summary of the object manager and ALPC mechanism will also be on the table, as well as the window manager (Win32k.sys) and its data structures/behaviors.

You will learn the various data structures used by bookkeeping and internal consistency and management of core system components and objects, such as threads and processes, and how these fields can affect the operation of the system in ways that malicious code can control. A secondary focus will be for forensic purposes -- how to recover system data and state from raw memory information.

You will be presented with many WinDBG/KD commands, as well as how to write your own scripts and extensions. Part 2: Windows Kernel Mode Reverse Engineering and Debugging

The second part will focus on using various tools to inspect the Windows kernel for consistency, tracing its operation, and editing it.

During this part, we will also focus on using VM technologies to emulate the Windows kernel as well as any drivers you will be writing and loading, to avoid hitting a real system, as well as avoiding the need for a second machine. Various debugging techniques will be demonstrated, such as GDB stubs in VMWare and QEMU, and how to plug-in IDA into these stubs to perform analysis without requiring WinDBG. Part 3: Windows Driver/Rootkit Analysis

The last part of the training focuses on building on your knowledge from the previous days to tackle several examples of malicious and/or buggy drivers in a given Windows system.

You will also learn how to write your own drivers and user-mode tools that can perform some of this work, for the purposes of better understanding driver operation and reversing a well-known driver to see its output in IDA to build a "base case" and discover various effects of WDK/MSVC optimizations.

You will apply both static analysis with IDA to understand the source code and behaviour of the drivers (no obfuscation will be employed, so knowledge in such mechanisms is not a prerequisite), as well as dynamic analysis through debugging and analysis tools presented earlier to determine the effect that the driver is having on the system.

For buggy drivers, you will have to provide some possible exploit code or at least an analysis of how the bug could be exploited by an unprivileged user-mode client. We may also look at several types of kernel-mode shellcode possibilities.

Finally, we will take a look at certain examples of plain C code, that contains well-known bugs, as well as certain harder-to-spot bugs within the specific context of running in a Windows kernel environment. Class Requirements

IMPORTANT: This training isn't for reverse engineering beginners, and none of the basic stuff will be presented. You should be able to understand x86 assembly to take this course, but knowledge of obfuscation, packing, etc, is not required. Basic knowledge of Windows, Intel architecture, and operating systems is required -- you should know what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about segmentation and virtual memory/paging, etc.

VMware Player or Workstation is recommended with an installed version of Windows 7. 32-bit or 64-bit is fine -- you may prefer 32-bit if that is the disassembly you are most familiar with and/or want to use Hexrays. As well, development in class will be done on 32-bit targets to avoid signing issues and Patchguard, but 64-bit internals and Windows-specific changes will be covered.

You must have a Windows machine to attend, on which you have the latest version of the WDK (Windows Driver Kit) installed. You should have Visual Studio 2010 with the C/C++ compilers (Express Edition is fine). Legal IDA Pro license (5.5 or higher, 6.0 recommended). Hexrays helpful, but not required.