The document discusses various components inside the Windows kernel, including system threads, work items, asynchronous procedure calls (APCs), deferred procedure calls (DPCs), timers, process and thread callbacks, completion routines, I/O request packets (IRPs), and the structure of a kernel driver. It provides data structure definitions and examples of how these components work and interact inside the kernel.
3. Introduce the Components inside the Windows Kernel
1. Usage
2. Introduce the data structure
3. How it works inside the Windows kernel
4. What is its usage in a rootkit
5. Exercises
4. System Threads
• A driver may create multiple threads to handle different requests from the kernel or from user mode.
• Call the API PsCreateSystemThread
NTSTATUS PsCreateSystemThread(
_Out_ PHANDLE ThreadHandle,
_In_ ULONG DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ HANDLE ProcessHandle,
_Out_opt_ PCLIENT_ID ClientId,
_In_ PKSTART_ROUTINE StartRoutine,
_In_opt_ PVOID StartContext
);
5. System Threads
• If ProcessHandle is not NULL, the thread is created in that process.
• Some say that if PsCreateSystemThread is called from an IOCTL handler, the new thread ends up in the user-mode application. Is that true?
6. Exercises
• Determine whether any of them pass a non-NULL ProcessHandle parameter. Explain the purpose of these routines. Repeat the exercise for as many functions as possible.
7. Work Items
• Similar to system threads
• Except that the driver creates no thread object of its own
• A common driver programming pattern is to queue a work item from inside a DPC
PIO_WORKITEM IoAllocateWorkItem(
_In_ PDEVICE_OBJECT DeviceObject
);
VOID IoQueueWorkItem(
_In_ PIO_WORKITEM IoWorkItem,
_In_ PIO_WORKITEM_ROUTINE WorkerRoutine,
_In_ WORK_QUEUE_TYPE QueueType,
_In_opt_ PVOID Context
);
11. Asynchronous Procedure Calls
• Used for asynchronous I/O completion, thread suspension, and process shutdown
• Undocumented API
• Kernel mode (PASSIVE_LEVEL, APC_LEVEL)
• User mode (PASSIVE_LEVEL)
• Rootkits achieve this by queueing a user-mode APC to a thread in the process in which they want to inject code.
13. Deferred Procedure Calls
• Routines executed at DISPATCH_LEVEL
• Hardware drivers use them to process interrupts coming from the device
• Some rootkits use DPCs to synchronize access to global linked lists
16. kd> !thread
THREAD 8649d020 Cid 0134.032c Teb: 7ffdf000 Win32Thread: e1634008 RUNNING on processor 0
IRP List:
8692cf68: (0006,0094) Flags: 40000000 Mdl: 00000000
Not impersonating
DeviceMap e21e88b0
Owning Process 0 Image: <Unknown>
Attached Process 864a07f0 Image: ReverseEngineer
Wait Start TickCount 20134 Ticks: 0
Context Switch Count 23 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address ReverseEngineeringTester!ILT+1240(_wmainCRTStartup) (0x0042e4dd)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f7517000 Current f7516b8c Base f7517000 Limit f7513000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f78b2fd0 80541b8d f7516bc8 00000000 00000000 NotYourFault!TestDpcRoutine+0x52 (FPO: [Non-Fpo]) (CONV:
stdcall) [c:userskent_huangperforcepd_kent_huangcorevsapipdkent_huangvsapitoolsnotyourfault
notyourfaultreverseengineeringworkeritem.c @ 57]
f78b2ff4 8054185a f7516b20 00000000 00000000 nt!KiRetireDpcList+0x46 (FPO: [0,0,0])
f78b2ff8 f7516b20 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a (FPO: [Uses EBP] [0,0,1])
WARNING: Frame IP not in any known module. Following frames may be wrong.
8054185a 00000000 00000009 bb835675 00000128 0xf7516b20
17. Timer
• Signals that a certain amount of time has expired
• Fires once at some time in the future, or periodically
VOID KeInitializeTimer(
_Out_ PKTIMER Timer
);
BOOLEAN KeSetTimer(
_Inout_ PKTIMER Timer,
_In_ LARGE_INTEGER DueTime,
_In_opt_ PKDPC Dpc
);
BOOLEAN KeSetTimerEx(
_Inout_ PKTIMER Timer,
_In_ LARGE_INTEGER DueTime,
_In_ LONG Period,
_In_opt_ PKDPC Dpc
);
19. Process and Thread Callbacks
• Callback functions invoked when a process or thread is created or terminated
• PsSetCreateProcessNotifyRoutine
• PsSetCreateThreadNotifyRoutine
• PsSetLoadImageNotifyRoutine
20. • Many anti-virus products register these callbacks to monitor system behavior.
• Kernel-mode rootkits sometimes use them in conjunction with APCs to inject code into new processes
21. Completion Routines
• Completion routines are used to notify drivers that their I/O request has been completed
• Invoked when a lower-level driver completes an IRP
• IoCompleteRequest, IoSetCompletionRoutine
24. • Windows uses I/O request packets (IRPs) to describe I/O requests to kernel-mode components (like drivers)
• An IRP can be divided into two areas: static and dynamic
• Ex. IRP_MJ_CREATE, IRP_MJ_READ, etc.
27. Kernel Driver
• Types of kernel driver
• Legacy software driver
• Legacy filter driver
• File system minifilter driver
28. How to Write Kernel Driver
• WDM (Windows Driver Model)
• Defined since Windows 2000; all drivers you analyze are based on it
• KMDF (Kernel-Mode Driver Framework)
• WDF is basically a set of libraries built on top of WDM that simplify driver development
30. • If you do not initialize the MajorFunction table, the default handler is IopInvalidDeviceRequest
• If a driver supports dynamic unloading, it must also fill out the DriverUnload field
33. IRP Handling
• The prototype for these dispatch routines:
• If the dispatch routine completes the request successfully:
• Call IoCompleteRequest and return
• If it cannot complete the request:
• Return an error, pass the IRP to another driver, or pend the IRP
NTSTATUS XXX_Dispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);
34. A Common Mechanism for User-Kernel Communication
• Shared memory region double-mapped in user and kernel space
• Create an event that a user-mode thread can wait on; the event state can be used as a trigger for further action
• Interrupt handling
• The IRP_MJ_DEVICE_CONTROL operation, commonly referred to as device I/O control or simply IOCTL
35. I/O Control Code
• User-mode code can request these IOCTL operations through the DeviceIoControl API.
User Mode:
bResult = DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize,
lpOutBuffer, nOutBufferSize, lpBytesReturned, &Overlapped);
Kernel Mode:
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObj, PUNICODE_STRING RegistryPath) {
…
DriverObj->MajorFunction[IRP_MJ_CLEANUP] = DispatchFilter;
DriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchFilter;
…
}
NTSTATUS DispatchFilter(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS Status = STATUS_SUCCESS;
    ULONG_PTR Information = 0;   // bytes transferred, reported back to the caller
    UNREFERENCED_PARAMETER(DeviceObject);
    switch(IrpStack->MajorFunction) {
    …
    case IRP_MJ_DEVICE_CONTROL:
        // Handle IOCTL: IrpStack->Parameters.DeviceIoControl.IoControlCode selects the operation
        break;
    …
    }
    // Complete the request here; otherwise pass the IRP down or pend it instead
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = Information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}
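The IOCTL dispatch path above, as an added example that is not code from the original slides: a user-mode model in C of the validation a careful IRP_MJ_DEVICE_CONTROL handler performs before touching any buffer, using the CTL_CODE layout from the public Windows SDK headers. IOCTL_SAMPLE_GET_STATS, SAMPLE_STATS and HandleDeviceControl are constructed for illustration and belong to no real driver.

```c
#include <stdint.h>

/* Constants and the CTL_CODE layout as defined in the public Windows SDK:
   DeviceType<<16 | Access<<14 | Function<<2 | Method. Redefined here so the model runs anywhere. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)
#define STATUS_NOT_SUPPORTED          ((NTSTATUS)0xC00000BBL)
#define METHOD_BUFFERED     0
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(DevType, Function, Method, Access) \
    (((uint32_t)(DevType) << 16) | ((uint32_t)(Access) << 14) | ((uint32_t)(Function) << 2) | (uint32_t)(Method))
#define METHOD_FROM_CTL_CODE(code) ((code) & 3u)

/* Hypothetical control code and reply structure for an imaginary sample driver (constructed). */
#define IOCTL_SAMPLE_GET_STATS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
typedef struct { uint32_t Version; uint32_t RequestCount; } SAMPLE_STATS;

/* Model of the checks a dispatch routine performs on IrpStack->Parameters.DeviceIoControl
   before it reads or writes Irp->AssociatedIrp.SystemBuffer. The three lengths/codes are what
   the I/O manager places in the stack location; they are not data inside the user's buffer. */
NTSTATUS HandleDeviceControl(uint32_t ioControlCode, uint32_t inLen, uint32_t outLen,
                             uint32_t *bytesReturned)
{
    if (bytesReturned) *bytesReturned = 0;
    (void)inLen;   /* this sample IOCTL takes no input */
    /* METHOD_NEITHER hands the driver raw user pointers; without ProbeForRead/ProbeForWrite
       inside try/except it is the classic IOCTL bug class, so this driver simply refuses it. */
    if (METHOD_FROM_CTL_CODE(ioControlCode) == METHOD_NEITHER)
        return STATUS_NOT_SUPPORTED;
    switch (ioControlCode) {
    case IOCTL_SAMPLE_GET_STATS:
        /* Size check uses the length from the stack location, never a length found in the buffer. */
        if (outLen < sizeof(SAMPLE_STATS))
            return STATUS_BUFFER_TOO_SMALL;
        if (bytesReturned) *bytesReturned = sizeof(SAMPLE_STATS);
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;   /* unknown code: reject, do not guess */
    }
}
```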
37. Miscellaneous System Mechanisms
• System Control Registers
• Rootkit developers resort to hooking functions in the kernel, but kernel code is mapped read-only.
• Protected at the hardware level by a special control register: CR0
• The WP bit of CR0 controls whether the CPU can write to read-only pages
39. KeServiceDescriptorTable
• Many rootkits resort to hooking system calls
• But the system call table (KiServiceTable) is not exported
• How to access KiServiceTable?
• Ex. Sample G