2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security

A short presentation from an internal NCC Group monthly tech team meeting on Windows Filter Driver architecture, implementation, attack surfaces and security considerations.

  1. Windows File System Filter Drivers … plus a little about security … A crash course in 15 minutes…
  2. What are legacy filter drivers?
     • Standard Windows
     • Registers handlers / call backs during init
     • Filters I/O requests for FSs or volumes
     • Each I/O request is an I/O request packet (IRP)
     • Their load order dictates where they filter
     • … old clunky basically
  3. What are file system mini filter drivers?
  4. What are mini filter altitudes?
     Filter
     • 420000-429999  FSFilter Top
     • 400000-409999  FSFilter Activity Monitor
     • 360000-389999  FSFilter Undelete
     • 340000-349999  FSFilter Anti-Virus
     • 320000-329998  FSFilter Replication
     • 300000-309998  FSFilter Continuous Backup
     • 280000-289998  FSFilter Content Screener
     • 260000-269998  FSFilter Quota Management
     • 240000-249999  FSFilter System Recovery
     • 220000-229999  FSFilter Cluster File System
     • 200000-209999  FSFilter HSM
     • 180000-189999  *FSFilter Imaging (ex: .ZIP)
     • 170000-174999  FSFilter Compression
     • 160000-169999  FSFilter Encryption
     • 140000-149999  FSFilter Virtualization
     • 130000-139999  FSFilter Physical Quota management
     • 120000-129999  FSFilter Open File
     • 100000-109999  FSFilter Security Enhancer
     • 80000-89999    FSFilter Copy Protection
     • 60000-69999    FSFilter Bottom
     • 40000-49999
  5. Why do we care?
  6. Enumeration - fltmc
  7. Enumeration - fltmc
  8. Enumeration - sc
  9. How it works - fltmc
  10. How it works - fltmc
     • Filter Manager is a legacy filter driver which exposes:
       • .FltMgr
     • Standard Windows APIs then
  11. Mini filter attack surface – msg handling
     • FltCreateCommunicationPort
     • Registers handlers / call backs during initialization
  12. Mini filter attack surface – msg handling
  13. Mini filter attack surface – msg handling
     • 64bit Windows calling conventions
       Using the x64 convention, the first four integer arguments (from left to right) are passed in 64-bit registers designated for that purpose:
       • RCX: 1st integer argument
       • RDX: 2nd integer argument
       • R8: 3rd integer argument
       • R9: 4th integer argument
       Integer arguments beyond the first four are passed on the stack.
  14. Mini filter attack surface – msg handling
  15. Attacks to consider
     • Logic issues / dangerous functionality in custom message handling
     • Information leakage vulnerabilities
     • Memory corruption issues
     • State machine problems (i.e. lack of locking / unlocking)
     • Incorrect return values
     • Poor handling of file system API parameters
     • Issues listed on the Security Considerations for Filter Drivers
       • http://msdn.microsoft.com/en-gb/library/windows/hardware/ff556606(v=vs.85).aspx
     • … the unloading of filters on breakout assessments …
  16. Further reading
     • User-Mode Library for Filter Manager
       • http://msdn.microsoft.com/en-gb/library/windows/hardware/ff557247(v=vs.85).aspx
     • FltXxx (Minifilter Driver) Routines
       • http://msdn.microsoft.com/en-us/library/ff544617(v=vs.85).aspx
     • Enumerating Minifilter Callbacks
       • http://www.inreverse.net/?p=1334
     • Windows Driver Kit Samples
       • http://code.msdn.microsoft.com/windowshardware/site/search?f%5B0%5D.Type=Technology&f%5B0%5D.Value=File%20System
     • Filter Driver Development Guide
       • http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/filterdriverdeveloperguide.doc
  17. Thanks! Questions?
     Ollie Whitehouse
     ollie.whitehouse@nccgroup.com
     • UK Offices: Manchester - Head Office, Cheltenham, Edinburgh, Leatherhead, London, Thame
     • North American Offices: San Francisco, Chicago, Atlanta, New York, Seattle, Boston
     • Australian Offices: Sydney
     • European Offices: Amsterdam - Netherlands, Munich – Germany, Zurich - Switzerland
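The enumeration step (slides 6 to 8) and the altitude table (slide 4) combine naturally into an inventory check. The script below is an added example, not part of the deck or any NCC Group tooling: it parses the output of `fltmc filters`, maps each loaded minifilter's altitude onto its load-order group, and flags filters whose altitude falls outside any documented group or that are loaded with no instances attached. The group boundaries are Microsoft's documented altitude allocations, the same data slide 4 presents; they are an assumption here and should be checked against current documentation. The sample output is constructed, not captured from a real host.

```python
import re
from decimal import Decimal

# Altitude ranges per load-order group, from Microsoft's allocated-altitudes list
# (the data on slide 4; assumed here, re-check against current documentation).
ALTITUDE_GROUPS = [
    ("Top", 420000, 429999), ("Activity Monitor", 360000, 389999),
    ("Undelete", 340000, 349999), ("Anti-Virus", 320000, 329998),
    ("Replication", 300000, 309998), ("Continuous Backup", 280000, 289998),
    ("Content Screener", 260000, 269998), ("Quota Management", 240000, 249999),
    ("System Recovery", 220000, 229999), ("Cluster File System", 200000, 209999),
    ("HSM", 180000, 189999), ("Imaging", 170000, 174999),
    ("Compression", 160000, 169999), ("Encryption", 140000, 149999),
    ("Virtualization", 130000, 139999), ("Physical Quota Management", 120000, 129999),
    ("Open File", 100000, 109999), ("Security Enhancer", 80000, 89999),
    ("Copy Protection", 60000, 69999), ("Bottom", 40000, 49999),
]

# Constructed sample of `fltmc filters` output (not captured from a real host).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                4       328010         0
luafv                                   1       135000         0
FileInfo                                4        45000         0
Mystery                                 0       150500         0
"""
# name, instance count, altitude (may carry a decimal part), frame number
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")

def group_for(altitude):
    """Map an altitude to its load-order group name, or 'unallocated'."""
    for name, lo, hi in ALTITUDE_GROUPS:
        if lo <= altitude <= hi:
            return "FSFilter " + name
    return "unallocated"

def parse_fltmc(text):
    """Parse `fltmc filters` rows; the header and separator lines fail the regex."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            alt = Decimal(m.group(3))
            rows.append({"name": m.group(1), "instances": int(m.group(2)),
                         "altitude": alt, "group": group_for(alt)})
    return rows

def review(rows):
    # Altitude outside every documented group, or loaded with no instances attached
    # (so it is filtering nothing): both are worth confirming against the expected inventory.
    return [r["name"] for r in rows
            if r["group"] == "unallocated" or r["instances"] == 0]
```

Run `fltmc filters` on the host (administrator rights are required), save the text, and pass it to `parse_fltmc`; `review` then lists the filters to look at first.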