Windows Code Shredded
Can an ordinary person understand Windows code?
Ahmed Sallam
Chief Software Architect
McAfee Avert Labs
04/24/09 | HT2-401
Notes
• This is not the final presentation. This is an initial
draft that tells the story. I will be working with
Jeffrey Cufaude on completing the presentation.
• I will deliver the presentation using my own
laptops as I will be showing simple code
breaking techniques using IDA and WinDBG.
2
What is this presentation all about?
• Is Windows code the big secret people think it is?
• Who knows Windows code very well?
• Can you contact and learn from those who know the
Windows source code?
• Why do some of you need to know Windows code?
• Can you learn Windows code, and how?
• Is Windows code changing much?
• Case studies from McAfee’s research
3
What this session is not about
• Not about teaching you how to break Windows
code for fun or for bad purposes.
• Not about discovering Windows vulnerabilities
• Not about exploiting Windows code
• If you are looking for any of the above then sorry,
you won’t find any of it here.
4
Historical perspectives
5
• Microsoft has always kept the Windows source code a big secret over the
past twenty years
Source: http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx
More historical perspectives
• Besides a few technical articles and the popular “Windows
Internals” book series, Microsoft never provided any
serious documentation on its operating systems’
secrets
• Microsoft used not to provide a good kernel debugger
• Microsoft used not to provide symbol files
• Windows internals were mostly known only to hackers
• Hackers had their own communities where they shared
information about Windows internals
• Security companies have skillful people who try to
understand Windows code
6
Windows secret books
• Any Windows book with
the words “secret”,
“undocumented”,
“internals”, etc. would
sell immediately.
7
How did people use to break Windows
code?
• Using a disassembler like IDA:
– With no symbols, debugging was painful
• Using a low level debugger like Numega SoftIce:
– Major compatibility issues
– Platform support always late
– Operating system frequent crashes
• Runtime instrumentation tools and debuggers
– Thousands of irrelevant events per second
– Required some data mining and reporting engines
8
Skill set required to break Windows code?
• Understanding of assembly language
• Understanding of CPU architecture
• Understanding of operating systems architecture
• Understanding of file structure on disk and in memory
• Patience, patience, patience, patience
• Who has all of the above?
– Only people with clear targets and strong intentions
– Mostly hackers
– Few security experts
9
Why is this all changing now?
• Microsoft is providing:
– Symbol files for Windows core modules and applications
– A Windows kernel debugger, WinDBG
– Documentation to abide by EC rulings
– Online communities and groups for people to ask Windows
experts
• Virtualization is making whole-system debugging simpler
• Disassemblers are designed with knowledge of Windows APIs and
symbols in mind.
• Online Windows open source documentation projects
• And of course Google
10
Microsoft Windows Symbols
• Available as a download package from the Microsoft debugging web site:
http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx
• Microsoft is making symbols available online via the Microsoft Symbol Server
• For WinDBG, set the debugger symbol path as follows:
SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
• Microsoft provides a programmable library to read symbols (Debug Help)
• IDA and other disassemblers can automatically load Windows symbols from
the server
• Private symbol files have all the information in them for the debugger to resolve
data (local variables, structure type information, functions, source file name/line
info...).
• In the next slides I will show how understanding Windows code is pretty
straightforward with the availability of Windows symbols
11
Debugging Windows in a Virtual
Environment
• Using WinDbg and a desktop virtual environment like
Microsoft Virtual PC or VMware Workstation you can
debug an entire Windows environment
• The trick is to debug over a virtual serial port: map the
virtual serial port to a named pipe and configure WinDbg
to do kernel debugging via that serial port
• Good instructions from the VMware site:
http://www.vmware.com/support/gsx3/doc/devices_serial_debug
• Here I will show a live demo of what this looks like
12
Dumping Windows Private Symbols
using WinDbg
• In this slide I will present a video or live demo
that shows how to use WinDbg to list all
Windows kernel internal data structures
13
Traversing Windows key code modules
via a disassembler
• You can use WinDbg, but it requires an interactive session
• You can use a commercial disassembler
• Here I will place a video recording that shows how to
traverse through Windows disassembled code.
• Will cover:
– Windows system service dispatch table and transfer
of control from user mode to kernel mode
– Windows ntoskrnl covering the object manager, I/O
manager, security reference monitor, etc.
– Windows device drivers: ntfs driver, tcpip, etc.
– Internet Explorer internal modules
14
Simple debugging techniques
• Using both a kernel debugger and a disassembler
can provide good results
• Example: finding Windows functions’ inter-dependencies:
– Use a disassembler, as it shows who calls whom
– Works, but gives many results
– Use WinDBG, put a breakpoint at an internal function, then
dump the stack.
– Use WinDBG to understand device stacks
• Will place a video to demonstrate the above
15
Windows Open Specification Online
Documentation
• Microsoft made key information available pursuant to the Consent
Decree and the European Commission's 2004 Decision
• Example of available documentation:
– Windows protocols
– Office protocols
– Office file formats
– SQL server protocols
– Computer languages
• All the information is available at the MSDN Library web site:
http://msdn.microsoft.com/en-us/library under the “Open Specification”
section.
• Use the documentation along with other tools and you will find answers to
how Windows works and what is happening there
16
Googling Windows Symbols
• Are you impatient and need an immediate answer? Google everything.
• Pick a Windows internal symbol name and Google the web.
• Do you want more specialized technical info? Google the groups.
http://groups.google.com
• Are you wondering if there is open source that may explain how it works? Google the
code. http://code.google.com
• Are you looking for papers? Google the web and specify the file format to be PDF,
DOC, PPT or whatever makes sense to you.
• Are you looking for people blogging about it? Google the blogs.
http://blogsearch.google.com
• Are you looking for books that may talk about it? Google the books.
http://books.google.com
• Did you find what you’re looking for in a foreign language? Translate the page.
http://translate.google.com
• Point is, just pick any symbol name or even a memory address and Google it.
17
Windows Open Source Documentation Projects
• Many open source projects aim at building an operating system
equivalent to the Windows architecture
• Some aim at achieving full application compatibility with Windows
• ReactOS (React Operating System) http://www.reactos.org/en/index.html is a
good example
• Exact implementation of Windows modules and device drivers
• Code is written by literally converting each Windows assembly function
back into its equivalent C code
• A good place to start learning about Windows architecture
• A video will be placed to compare some Windows assembly with its
equivalent ReactOS C function
18
Windows Driver Kit (WDK)
• Available on:
http://www.microsoft.com/whdc/devtools/wdk/default.mspx
• Contains many useful help files and technical
docs
• The Installable File System (IFS) kit is available for free in the WDK
– IFS used to cost about $1000 and required a special NDA with
Microsoft
– Contains the source code of the Microsoft FastFat and CDFS file
system drivers
– Contains working file system filter drivers
• Good source of documentation about the Microsoft
Windows architecture
19
Microsoft WinHEC Conference
• All conference papers and presentations are available via:
– http://www.microsoft.com/whdc/winhec/2008/pres.mspx
– http://www.microsoft.com/whdc/winhec/2008/papers.mspx
• Advanced Windows architecture documents
designed for device driver and hardware
engineers
• Good source to learn about Windows kernel
mode and device architecture
20
Microsoft MVP / MVPSLP / open source
• Microsoft Most Valuable Professionals (MVPs) are exceptional technical
community leaders from around the world who are awarded for voluntarily
sharing their high quality, real world expertise in offline and online technical
communities. (source Microsoft MVP web site)
• The MVP Source Licensing Program (MVPSLP) recognizes some of the
most valuable individuals within the Microsoft platforms community, by
giving them the opportunity to differentiate themselves professionally as
Windows-platforms experts through access to Microsoft Windows Shared
Source access. (source Microsoft MVP web site)
• MVP official web site: http://mvp.support.microsoft.com/
• Find MVPs, track their blogs and their online postings, correspond with them and
you will learn more about Windows internals
• If interested, you can license Windows and application source code if you
meet certain criteria.
• You can check http://www.codeplex.com/, Microsoft’s open source project site,
and look for projects with participation from MVPs
21
Nicely Designed Windows Hacking
Web Sites
• In the old days hackers used cryptic web sites with
cryptic names and cryptic content
• Nowadays, more hackers tend to find useful uses
for their Windows internals knowledge and build
their own social-networking-like sites
• Hacking-style documents are now written with a
higher level of accuracy, clarity and
professionalism.
• This helps people find jobs as security experts or
consultants, so we can no longer call them bad
hackers.
• Some even have their own blogs
22
Using Microsoft Windows Internals
• The Windows Internals book series, by Mark
Russinovich and David A. Solomon from
Microsoft Press, is one of the best sources
to learn about Windows internals
• The book references many parameters
using their symbol names
• Use the symbol, then use WinDbg or a
disassembler to better understand the code
referenced by the symbol
23
Referencing symbols programmatically
• Microsoft provides a programmable interface called the Debug Help library to
load, enumerate and find module symbols in memory
• There was a time when the library was not documented. Full library
documentation is now available with nice sample code under:
http://msdn.microsoft.com/en-us/library/ms679309(VS.85).aspx
• You can load a module’s symbols using: SymLoadModuleEx()
• You can enumerate symbols using: SymEnumerateModules64()
• You can retrieve a symbol by address (SymFromAddr()) or by name
(SymFromName())
• Very useful for writing your own memory diagnostics
• You can also use your favorite scripting language as long as it can call into
Windows DLLs
• You can even reference symbols programmatically in a kernel mode device
driver
24
Case studies
• Three case studies will be covered here:
– Terminating DKOM Rootkits
– Obtaining documentation for DnsQueryEx
– Finding Windows user mode API filtering code
25
Case study 1: terminating DKOM Rootkits
• Direct Kernel Object Manipulation (DKOM) rootkits modify Windows kernel
dynamic lists to hide their presence
• While working on terminating a rootkit we got into an interesting
situation:
– If you terminate the rootkit, other processes in the system become
hidden!?
– If you terminate the hidden IE process created by the rootkit, more
processes become hidden!?
• How to find out what is going on?
– Contacting Microsoft is not a valid option.
– Check the Windows kernel, yes that’s simpler
• Runtime debugger
• Kernel assembly dump
26
Case study 1: terminating DKOM Rootkits
• Here I will provide a live demo that shows:
– how to use WinDBG to identify the process termination stack
through the PspProcessDelete() function
27
Case study 1: terminating DKOM Rootkits
Analyzing PspProcessDelete in IDA.
• Will clean this slide a little bit
28
Case study 2: DnsQueryEx
• DnsQuery() is a documented API to query public DNS records
• DnsQuery does not create another thread, hence the calling function has to wait until
DnsQuery returns
• But calling public DNS servers can take time
• The normal solution is to create another thread which calls DnsQuery and wait until that
thread returns or times out
• While looking into the code I found DnsQueryEx, which internally creates a thread
• Contacted Microsoft to obtain the correct prototype. Microsoft said the function is
undocumented
• Did a whole search inside the Windows SDK and found the function prototype
• Contacted Microsoft again with the finding and asked for more documentation of the
parameters
• Microsoft thankfully responded with full detailed documentation
• Point is, sometimes the Microsoft support team says a function is undocumented, but once you
prove it is not, they fully cooperate
29
Case study 3: finding Windows filtering
interface
• Here I will do a live demo on how to find the
interface using WinDbg and how this is useful.
• Point is, sometimes the API you’re looking for is
available but you cannot find the documentation,
so WinDbg is a nice solution
30
Did Google Disassemble Windows Code?
31
Is Windows Code changing much?
• Not really, only a few changes
• You can easily spot changes in Windows kernel
data structures using the WinDbg “dt” command
• You can compare stack frames
• You can use the Debug Help library to compare
functions; a simple MD5 hash per function body
can do it
• You can easily find newly exported functions
from WinDbg or a disassembler, or even by parsing
the executable file’s .EXPORTS section
32
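As an added example (not part of the slides), the last bullet carried out in Python: a parser for the PE export directory that lists a module’s exported names, resolves forwarded exports, and diffs two builds to report newly exported functions. The two test images are constructed inside the block by build_test_dll(); TEST.DLL, DnsForwarded, OTHER.Target and the RVAs in them are made-up values, not taken from any real module.

```python
import struct
from typing import Dict, List, Optional, Union

Export = Union[int, str]   # function RVA, or the forwarder string "DLL.Name"


def _rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset via the section table (va, vsize, rawsize, rawptr)."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(image: bytes) -> Dict[str, Export]:
    """Return {name: RVA} for a PE32/PE32+ file image; forwarded exports map to their string."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                                  # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)                 # data directories: PE32 / PE32+
    if struct.unpack_from("<I", image, dd_off - 4)[0] < 1:         # NumberOfRvaAndSizes
        return {}
    exp_rva, exp_size = struct.unpack_from("<II", image, dd_off)   # directory entry 0 = exports
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, rawsize, rawptr))
    ed = _rva_to_offset(sections, exp_rva)
    (_, _, _, _, _, _, nfuncs, nnames,
     f_rva, n_rva, o_rva) = struct.unpack_from("<IIHHIIIIIII", image, ed)
    f_off, n_off, o_off = (_rva_to_offset(sections, r) for r in (f_rva, n_rva, o_rva))
    exports: Dict[str, Export] = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, n_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, o_off + 2 * i)[0]  # unbiased ordinal = index
        if ordinal >= nfuncs:
            raise ValueError("name ordinal out of range (corrupt export table)")
        func_rva = struct.unpack_from("<I", image, f_off + 4 * ordinal)[0]
        name = _read_cstr(image, _rva_to_offset(sections, name_rva))
        if exp_rva <= func_rva < exp_rva + exp_size:               # RVA inside the directory: forwarder
            exports[name] = _read_cstr(image, _rva_to_offset(sections, func_rva))
        else:
            exports[name] = func_rva
    return exports


def new_exports(old_image: bytes, new_image: bytes) -> List[str]:
    """Names exported by new_image that old_image did not export."""
    return sorted(set(parse_exports(new_image)) - set(parse_exports(old_image)))


def build_test_dll(exports: Dict[str, int], forwarders: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed minimal 32-bit PE with one .edata section (test input only, not a real DLL)."""
    forwarders = forwarders or {}
    sec_rva, sec_raw = 0x1000, 0x200                               # section RVA and file offset
    names = list(exports) + list(forwarders)
    n = len(names)
    funcs_at, names_at, ords_at, strings_at = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings = bytearray()

    def add_str(s: str) -> int:                                    # append a C string, return its RVA
        rva = sec_rva + strings_at + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_str("TEST.DLL")
    name_rvas = [add_str(nm) for nm in names]
    func_rvas = list(exports.values()) + [add_str(t) for t in forwarders.values()]
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       sec_rva + funcs_at, sec_rva + names_at, sec_rva + ords_at)
    section = (edir + struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
               + struct.pack(f"<{n}H", *range(n)) + bytes(strings))
    raw_size = (len(section) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)            # i386, 1 section, DLL
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, sec_rva, sec_rva)  # PE32 magic
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x10000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       sec_rva + raw_size, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", sec_rva, len(section)) + b"\0" * (15 * 8)       # data dir 0 = exports
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sec_rva, raw_size, sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(sec_raw, b"\0")
    return headers + section.ljust(raw_size, b"\0")
```

To compare two real builds, read each file with open(path, "rb").read() and pass the bytes to new_exports(); the parser reads the file image directly, so no loader is needed.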
Why do you need to understand how
Windows work?
• Obviously software developers can achieve a lot, as covered in this slide deck
• Software developers can write many useful system diagnostic and profiling tools
• With the current economic downturn McAfee expects more corporate-targeted attacks
• Attackers are using all available resources to learn how to break Windows and its
applications
• Security professionals ought to leverage the same available resources and come up with better
defensive methods
• System security administrators can write simple scripts to explore their systems’ memory
and ensure kernel and application memory integrity:
– Who is hooking Windows functions and why?
– Who is hooking browser functions and why?
– Who is loading device drivers and why?
– Who is attaching as a filter driver and why?
• Many free security tools are available too, but using the knowledge available online you can
write your own, especially if you are a software developer
33
Conclusion
• Windows code is not the top secret people think
it is
• Microsoft provides many useful means to
understand Windows internals: WinDbg,
symbols, the Windows Internals book, the Debug Help
library, online documentation and communities
• Not only hackers can learn Windows internals
but also average software engineers
• Encourage your people to leverage the available
resources
34
Finally
• Obviously Microsoft provides all of those
resources for good purposes, so make sure you
keep your usage within the intended good-usage
boundaries
35
Thank you for your time
Time for Q&A
36

Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 

Recently uploaded (20)

Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

RSA SF Conference talk-2009-ht2-401 sallam

1. Windows Code Shredded
Can an ordinary person understand Windows code?
Ahmed Sallam
Chief Software Architect
McAfee Avert Labs
04/24/09 | HT2-401

2. Notes
• This is not the final presentation. This is an initial draft that tells the story. I will be working with Jeffrey Cufaude on completing the presentation.
• I will deliver the presentation using my own laptops as I will be showing simple code breaking techniques using IDA and WinDBG.

3. What is this presentation all about?
• Is Windows code the big secret people think it is?
• Who knows Windows code very well?
• Can you contact and learn from those who know Windows source code?
• Why do some of you need to know Windows code?
• Can you learn Windows code, and how?
• Is Windows code changing much?
• Case studies from McAfee’s research

4. What this session is not about
• Not about teaching you how to break Windows code for fun or for bad purposes.
• Not about discovering Windows vulnerabilities
• Not about exploiting Windows code
• If you are looking for any of the above then sorry, you won’t find any of it here 

5. Historical perspectives
• Microsoft always kept Windows source code as a big secret over the past twenty years
Source: http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx

6. More historical perspectives
• Besides a few technical articles and the popular “Windows Internals” book series, Microsoft never provided any serious documentation on their operating systems’ secrets
• Microsoft used not to provide a good kernel debugger
• Microsoft used not to provide symbol files
• Windows internals were mostly known only to hackers
• Hackers had their own communities where they shared information about Windows internals
• Security companies have skillful people who try to understand Windows code

7. Windows secret books
• Any Windows book with the words “secret”, “undocumented”, “internals”, etc. would sell immediately.

8. How did people use to break Windows code?
• Using a disassembler like IDA:
– With no symbols, debugging was painful
• Using a low level debugger like NuMega SoftICE:
– Major compatibility issues
– Platform support always late
– Frequent operating system crashes
• Runtime instrumentation tools and debuggers
– Thousands of irrelevant events per second
– Required some data mining and reporting engines

9. Skill set required to break Windows code
• Understanding of assembly language
• Understanding of CPU architecture
• Understanding of operating systems architecture
• Understanding of file structure on disk and in memory
• Patience, patience, patience, patience
• Who has all of the above?
– Only people with clear targets and strong intentions
– Mostly hackers
– Few security experts

10. Why is this all changing now?
• Microsoft is providing:
– Symbol files for Windows core modules and applications
– The Windows kernel debugger, WinDBG
– Documentation to abide by EC rulings
– Online communities and groups for people to ask Windows experts
• Virtualization is making whole-system debugging simpler
• Disassemblers are designed with Windows APIs and symbol knowledge in mind.
• Online Windows open source documentation projects
• And of course Google

11. Microsoft Windows Symbols
• Available as a download package from the Microsoft debugging web site: http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx
• Microsoft makes symbols available online via the Microsoft Symbol Server
• For WinDBG, set the debugger symbol path as follows: SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
• Microsoft provides a programmable library to read symbols (Debug Help)
• IDA and other disassemblers can automatically load Windows symbols from the server
• Private symbol files have all the information in them for the debugger to resolve data (local variables, structure type information, functions, source file name/line info...).
• In the next slides I will show how understanding Windows code is pretty straightforward with the availability of Windows symbols
12. Debugging Windows in a virtual environment
• Using WinDbg and a desktop virtual environment like Microsoft Virtual PC or VMware Workstation you can debug an entire Windows environment
• The trick is to debug over a virtual serial port
• The trick is to map a virtual serial port to a named pipe and configure WinDbg to do kernel debugging via the virtual serial port
• Good instructions from the VMware site: http://www.vmware.com/support/gsx3/doc/devices_serial_debug
• Here I will show a live demo of what this looks like

13. Dumping Windows private symbols using WinDbg
• In this slide I will present a video or live demo that shows how to use WinDbg to list all Windows kernel internal data structures

14. Traversing Windows key code modules via a disassembler
• You can use WinDbg, but it requires an interactive session
• You can use a commercial disassembler
• Here I will place a video recording that shows how to traverse Windows disassembled code.
• Will cover:
– Windows system service dispatch table and transfer of control from user mode to kernel mode
– Windows ntoskrnl covering the object manager, I/O manager, security reference monitor, etc.
– Windows device drivers: ntfs driver, tcpip, etc.
– Internet Explorer internal modules

15. Simple debugging techniques
• Using both a kernel debugger and a disassembler can provide good results
• Example: finding Windows functions’ inter-dependencies:
– Use a disassembler as it shows who calls whom
– Works, but gives many results
– Use WinDBG and put a break point on an internal function, then dump the stack.
– Use WinDBG to understand device stacks
• I will place a video to demonstrate the above

16. Windows Open Specification online documentation
• Microsoft made key information available pursuant to the Consent Decree and the European Commission’s 2004 Decision
• Examples of available documentation:
– Windows protocols
– Office protocols
– Office file formats
– SQL Server protocols
– Computer languages
• All the information is available at the MSDN Library web site: http://msdn.microsoft.com/en-us/library under the “Open Specification” section.
• Use the documentation along with other tools and you will find answers to how Windows works and what is happening there

17. Googling Windows symbols
• Are you impatient and need an immediate answer? Google everything.
• Pick a Windows internal symbol name and Google the web.
• Do you want more specialized technical info? Google the groups. http://groups.google.com
• Are you wondering if there is open source that may explain how it works? Google the code. http://code.google.com
• Are you looking for papers? Google the web and specify the file format to be PDF, .DOC, PPT or whatever makes sense to you.
• Are you looking for people blogging about it? Google the blogs. http://blogsearch.google.com
• Are you looking for books that may be talking about it? Google the books. http://books.google.com
• Did you find what you’re looking for in a foreign language? Translate the page. http://translate.google.com
• The point is, just pick any symbol name or even a memory address and Google it.

18. Windows open source documentation projects
• Many open source projects aim at building an operating system equivalent to the Windows architecture
• Some aim at achieving full application compatibility with Windows
• The React Operating System http://www.reactos.org/en/index.html is a good example
• Exact implementation of Windows modules and device drivers
• Code is written by literally converting each Windows assembly function back into its equivalent C code
• A good place to start learning about Windows architecture
• A video will be placed to compare some Windows assembly with its equivalent ReactOS C function

19. Windows Driver Kit (WDK)
• Available at: http://www.microsoft.com/whdc/devtools/wdk/default.mspx
• Contains many useful help files and technical docs
• Installable File System (IFS) kit available for free in the WDK
– IFS used to cost about $1000 and to require a special NDA with Microsoft
– Contains source code of the Microsoft FastFat and CDFS file system drivers
– Contains working file system filter drivers
• Good source of documentation about the Microsoft Windows architecture

20. Microsoft WinHEC Conference
• All conference papers and presentations available via:
– http://www.microsoft.com/whdc/winhec/2008/pres.mspx
– http://www.microsoft.com/whdc/winhec/2008/papers.mspx
• Advanced Windows architecture documents designed for device driver and hardware engineers
• Good source to learn about Windows kernel mode and device architecture

21. Microsoft MVP / MVPSLP / open source
• Microsoft Most Valuable Professionals (MVPs) are exceptional technical community leaders from around the world who are awarded for voluntarily sharing their high quality, real world expertise in offline and online technical communities. (source: Microsoft MVP web site)
• The MVP Source Licensing Program (MVPSLP) recognizes some of the most valuable individuals within the Microsoft platforms community, by giving them the opportunity to differentiate themselves professionally as Windows-platforms experts through access to Microsoft Windows Shared Source. (source: Microsoft MVP web site)
• MVP official web site: http://mvp.support.microsoft.com/
• Find MVPs, track their blogs and their online postings, correspond with them and you will learn more about Windows internals
• If interested, you can license Windows and application source code if you meet certain criteria.
• You can check http://www.codeplex.com/, Microsoft’s open source project site, and look for projects with participation from MVPs

22. Nicely designed Windows hacking web sites
• In the old days hackers used cryptic web sites with cryptic names and cryptic content
• Nowadays, more hackers tend to find useful uses for their internal Windows knowledge and build their own social-networking-like sites
• Hacking-style documents are now written with a higher level of accuracy, clarity and professionalism.
• Helps people find jobs as security experts or consultants, so we can no longer call them bad hackers anymore.
• Some even have their own blog

23. Using Microsoft Windows Internals
• The Windows Internals book series, by Mark Russinovich and David A. Solomon from Microsoft Press, is one of the best sources to learn about Windows internals
• The book references many parameters using their symbol name
• Use the symbol, then use WinDbg or a disassembler to understand more of the code referenced by the symbol

24. Referencing symbols programmatically
• Microsoft provides a programmable interface called the Debug Help library to load, enumerate and find module symbols in memory
• There was a time when the library was not documented. Full library documentation is available with nice sample code under: http://msdn.microsoft.com/en-us/library/ms679309(VS.85).aspx
• You can load a module’s symbols using: SymLoadModuleEx()
• You can enumerate symbols using: SymEnumerateModules64()
• You can retrieve a symbol by address (SymFromAddr()) or by name (SymFromName())
• Very useful to write your own memory diagnostics
• You can also use your favorite scripting language as long as it can call into Windows DLLs
• You can even reference symbols programmatically in a kernel mode device driver
25. Case studies
• Three case studies will be covered here:
– Terminating DKOM rootkits
– Obtaining documentation for DnsQueryEx
– Finding Windows user mode API filtering code

26. Case study 1: terminating DKOM rootkits
• Direct Kernel Object Manipulation (DKOM) rootkits modify Windows kernel dynamic lists to hide their presence
• While working on terminating a rootkit we got into an interesting situation:
– If you terminate the rootkit, other processes in the system become hidden!?
– If you terminate the hidden IE process created by the rootkit, more processes become hidden!?
• How to find out what is going on?
– Contacting Microsoft is not a valid option.
– Check the Windows kernel; yes, that’s simpler
• Runtime debugger
• Kernel assembly dump

27. Case study 1: terminating DKOM rootkits
• Here I will provide a live demo that shows:
– how to use WinDBG to identify the process termination stack through the PspProcessDelete() function

28. Case study 1: terminating DKOM rootkits
Analyzing PspProcessDelete in IDA.
• Will clean this slide a little bit

29. Case study 2: DnsQueryEx
• DnsQuery() is a documented API to query public DNS records
• DnsQuery does not create another thread, hence the calling function has to wait until DnsQuery returns
• But calling public DNS servers can take time
• The normal solution is to create another thread which calls DnsQuery, and wait until that thread returns or times out
• While looking into the code I found DnsQueryEx, which internally creates a thread
• Contacted Microsoft to obtain the correct prototype. Microsoft said the function is undocumented
• Did a whole search inside the Windows SDK and found the function prototype
• Contacted Microsoft again with the finding and asked for more documentation of the parameters
• Microsoft thankfully responded with full detailed documentation
• The point is, sometimes the Microsoft support team say it is documented, but once you prove it is not, they fully cooperate

30. Case study 3: finding the Windows filtering interface
• Here I will do a live demo on how to find the interface using WinDbg and how this is useful.
• The point is, sometimes the API you’re looking for is available but you cannot find the documentation, so WinDbg is a nice solution

31. Did Google disassemble Windows code?

32. Is Windows code changing much?
• Not really, only a few changes
• You can easily spot changes in Windows kernel data structures using the WinDbg “dt” command
• You can compare stack frames
• You can use the Debug Help library to compare functions; a simple MD5 hash per function body can do it
• You can easily find newly exported functions from WinDbg or a disassembler, or even by parsing the executable file’s .EXPORTS section
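Slide 32 notes that newly exported functions can be found by parsing an executable's export section. The following is an added example, not code from the slide deck: a Python parser for the PE export directory (RVA-to-file-offset mapping via the section table, name/ordinal/address tables, forwarder detection) plus a diff of exported names between two builds. The two images it parses are constructed minimal PE32 files built in memory, and the names DemoQuery, DemoFree, DemoQueryEx and OTHER.DemoQuery are made up.

```python
import struct


def build_min_pe(exports, dll_name=b"demo.dll"):
    """Build a tiny PE32 image whose single section is an export table.
    exports: list of (name, target) per ordinal; target is an RVA (int) or a
    forwarder string such as "OTHER.Func". Constructed sample data only."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(exports)
    strs = [name.encode("ascii") + b"\0" for name, _ in exports]
    strs += [t.encode("ascii") + b"\0" for _, t in exports if isinstance(t, str)]
    func_tbl, name_tbl = 40, 40 + 4 * n            # offsets inside the section
    ord_tbl, str_tbl = name_tbl + 4 * n, name_tbl + 6 * n
    offs, pos = [], str_tbl                        # section offset of each string
    for s in strs:
        offs.append(pos)
        pos += len(s)
    fwd = iter(offs[n:])                           # forwarder strings follow names
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + pos, 1, n, n,
                       sec_rva + func_tbl, sec_rva + name_tbl, sec_rva + ord_tbl)
    for _, t in exports:                           # AddressOfFunctions table
        body += struct.pack("<I", sec_rva + next(fwd) if isinstance(t, str) else t)
    for o in offs[:n]:                             # AddressOfNames table
        body += struct.pack("<I", sec_rva + o)
    body += b"".join(struct.pack("<H", i) for i in range(n))  # name i -> ordinal i
    body += b"".join(strs) + dll_name + b"\0"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    data_dirs = struct.pack("<II", sec_rva, len(body)) + bytes(8 * 15)
    sec_hdr = b".edata".ljust(8, b"\0") + struct.pack(
        "<IIII", len(body), sec_rva, len(body), sec_off) + bytes(16)
    hdrs = dos + b"PE\0\0" + file_hdr + opt_hdr + data_dirs + sec_hdr
    return hdrs.ljust(sec_off, b"\0") + body


def parse_exports(image):
    """Return {name: rva} from a PE32/PE32+ export table; a forwarded export
    maps to the string '-> DLL.Func' instead of an RVA."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)       # data directories start
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)
    if exp_rva == 0:
        return {}
    sections = []                                     # (vaddr, size, raw offset)
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", image, s + 8)
        sections.append((vaddr, max(vsize, rsize), roff))

    def off(rva):                                     # RVA -> file offset
        for vaddr, size, roff in sections:
            if vaddr <= rva < vaddr + size:
                return roff + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(rva):
        at = off(rva)
        return image[at:image.index(b"\0", at)].decode("ascii", "replace")

    e = off(exp_rva)
    nfunc, nnames, afunc, anames, aords = struct.unpack_from("<IIIII", image, e + 20)
    exports = {}
    for i in range(nnames):
        name = cstr(struct.unpack_from("<I", image, off(anames) + 4 * i)[0])
        ordinal = struct.unpack_from("<H", image, off(aords) + 2 * i)[0]
        if ordinal >= nfunc:
            raise ValueError(f"{name}: ordinal {ordinal} out of range")
        target = struct.unpack_from("<I", image, off(afunc) + 4 * ordinal)[0]
        # an address inside the export directory itself is a forwarder string
        if exp_rva <= target < exp_rva + exp_size:
            exports[name] = "-> " + cstr(target)
        else:
            exports[name] = target
    return exports


def diff_exports(old_image, new_image):
    """(names added in the new image, names removed from the old image)."""
    old, new = parse_exports(old_image), parse_exports(new_image)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    v1 = build_min_pe([("DemoQuery", 0x2000), ("DemoFree", 0x2040)])
    v2 = build_min_pe([("DemoQuery", 0x2000), ("DemoFree", 0x2040),
                       ("DemoQueryEx", 0x2100), ("DemoAlias", "OTHER.DemoQuery")])
    print(parse_exports(v2))
    print("added:", diff_exports(v1, v2)[0])   # added: ['DemoAlias', 'DemoQueryEx']
```

The same `parse_exports` works on a real DLL read from disk; run it against two versions of the same module to list the exports that appeared or disappeared between them.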
33. Why do you need to understand how Windows works?
• Obviously software developers can achieve a lot, as covered in this slide deck
• Software developers can write many useful system diagnostic and profiling tools
• With the current economic downturn, McAfee expects more corporate targeted attacks
• Attackers are using all available resources to learn how to break Windows and its applications
• Security professionals ought to leverage the same available resources and come up with better defensive methods
• System security administrators can write simple scripts to explore their systems’ memory and ensure kernel and application memory integrity:
– Who is hooking Windows functions and why?
– Who is hooking browser functions and why?
– Who is loading device drivers and why?
– Who is attaching as a filter driver and why?
• Many free security tools are available too, but using the knowledge available online you can write your own, especially if you are a software developer

34. Conclusion
• Windows code is not the top secret people think it is
• Microsoft provides many useful means to understand Windows internals: WinDbg, symbols, the Windows Internals book, the Debug Help library, online documentation and communities
• Not only hackers can learn Windows internals, but also average software engineers
• Encourage your people to leverage available resources

35. Finally
• Obviously Microsoft provides all of those resources for good purposes, so make sure you keep your usage within the intended boundaries

36. Thank you for your time
Time for Q&A