Is That A Penguin In My Windows?
Spencer (@zeroSteiner) McIntyre BSides Las Vegas Wednesday August 3rd, 2016
Agenda
• About Me
• Windows Subsystem for Linux Overview
• Why are we here and why do we care?
• How does it work?
• Implementation Details
• Syscall functionality
• Filesystem details
• Attacker Notes
• Fingerprinting WSL
• Payload Compatibility
• Inter process access
About Me
• Spencer McIntyre
• Work at SecureState
• Research, Development, “Special” Projects
• BSOD-inducer
• Avid open source contributor (Metasploit among others)
• Python enthusiast
• I can haz acronyms?
• OSCP, OSEE
Overview
• Windows Subsystem for Linux
• Objective: allow native x86-64 Linux ELF binaries to run directly on Windows platforms
• It’s not virtualization
• Supposedly Linux executables run at normal speeds
• Linux processes are “picoprocesses”
• WSL Core implementation provided by two Windows drivers
• LXCORE
• Larger of the two; implements the Linux syscalls
• LXSS
• Smaller driver that loads LXCORE (see Driver Architecture below)
Microsoft’s Diagram
Source: https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
Implementation Details
Driver Architecture
• LXCORE provides the main functionality
• Including the \Driver\lxss object
• There is no accompanying \Driver\lxcore object
• LXSS loads LXCORE and calls LxInitialize
Picoprocesses
• Container process with limited access to the kernel API
• Product of Microsoft’s research project dubbed “Drawbridge” from 2011
• Project goal was to provide faster isolated / sandboxed execution
• Speed came from the lack of virtualization overhead
• First added to Windows 8.1 and Server 2012 R2
• Process does not contain PEB / TEB / NTDLL.DLL / user32!gSharedInfo
• Windows kernel still provides thread scheduling and memory management
Syscalls You Say?
• Picoprocesses get a separate syscall dispatcher
• Driver registers itself as a picoprocess provider and dispatches its own syscalls
• Linux syscalls implemented in LXCORE!LxpSyscall_*
• 216 in Windows 10 Preview 14385 vs 345 in Linux 3.4-rc7
• 62.6% coverage
• Missing syscalls include some of the *32 equivalents
• The original calls take 16-bit values rather than 32-bit; the *32 variants were introduced in Linux 2.4
Syscalls You Say?
• The kernel dispatches to the picoprovider for fulfillment
• Linux calls with NT equivalents forward the call to be fulfilled by the kernel
• Syscall is made by the user process with the convention expected by the pico driver
• In this case, the one specified by the Linux x86-64 / System V ABI
• System V ABI syscall convention (Linux x86-64)
• Syscall number -> RAX
• Arguments -> RDI, RSI, RDX, R10, R8, R9 (at most six, so none go on the stack; the SYSCALL instruction clobbers RCX and R11, which is why the fourth argument travels in R10 rather than RCX as in the function-call convention)
• Return value (or -errno on failure) -> RAX
Debugging Syscalls
• Useful for bug hunting
• We can break on specific conditions using the Linux calling convention
• Example call stack for MMAP
LXCORE!LxpSys_MMAP <- Break here for mmap syscalls and/or args to mmap
LXCORE!LxpSysDispatch
LXCORE!PicoSystemCallDispatch <- Break here for all WSL syscalls
nt!PsPicoSystemCallDispatch <- Break here for all picoprocess syscalls
nt!KiSystemServiceUser
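As an added example (not from the slides), here is a raw x86-64 Linux syscall wrapper that follows the register convention above. mmap is used because it fills all six argument registers and is the call the stack trace above breaks on, so a breakpoint on LXCORE!LxpSys_MMAP would fire with these exact register contents. The inline assembly and the helper names are mine; on a non-x86-64 build the wrapper falls back to libc’s syscall(2), which reports failures as -1/errno rather than -errno.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux x86-64 syscall: number in RAX, args in RDI, RSI, RDX, R10, R8, R9.
 * SYSCALL itself overwrites RCX (return address) and R11 (RFLAGS), so the
 * fourth argument goes in R10. Result, or -errno, comes back in RAX. */
static long raw_syscall6(long nr, long a1, long a2, long a3,
                         long a4, long a5, long a6) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    register long r10 __asm__("r10") = a4;
    register long r8  __asm__("r8")  = a5;
    register long r9  __asm__("r9")  = a6;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3),
                        "r"(r10), "r"(r8), "r"(r9)
                      : "rcx", "r11", "memory");
    return ret;
#else
    /* Not x86-64: let libc marshal the registers so the example still builds. */
    return syscall(nr, a1, a2, a3, a4, a5, a6);
#endif
}

/* mmap(2): addr->RDI, length->RSI, prot->RDX, flags->R10, fd->R8, offset->R9. */
void *raw_mmap(void *addr, size_t len, int prot, int flags, int fd, long off) {
    long r = raw_syscall6(SYS_mmap, (long)addr, (long)len, prot, flags, fd, off);
    /* Kernel returns -errno in RAX; anything in (-4096, 0) is an error code. */
    return (r < 0 && r > -4096) ? MAP_FAILED : (void *)r;
}

int raw_munmap(void *addr, size_t len) {
    return (int)raw_syscall6(SYS_munmap, (long)addr, (long)len, 0, 0, 0, 0);
}

long raw_getpid(void) {
    return raw_syscall6(SYS_getpid, 0, 0, 0, 0, 0, 0);
}

/* Map one anonymous RW page through the raw syscall, touch both ends,
 * unmap it. Returns 0 on success, -1 if any step was refused. */
int map_touch_unmap(void) {
    unsigned char *p = raw_mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    p[0] = 0x41;
    p[4095] = 0x42;
    int ok = (p[0] == 0x41 && p[4095] == 0x42);
    if (raw_munmap(p, 4096) != 0) return -1;
    return ok ? 0 : -1;
}

int main(void) {
    printf("raw getpid = %ld, libc getpid = %d\n", raw_getpid(), getpid());
    printf("mmap round trip: %s\n", map_touch_unmap() == 0 ? "ok" : "refused");
    return 0;
}
```

Under a kernel debugger, a breakpoint at LXCORE!LxpSys_MMAP hit from map_touch_unmap() will show RDI = 0, RSI = 0x1000, RDX = 3 and R10 = 0x22 on entry to the dispatcher, which is the quickest way to confirm which register the pico provider reads for each argument.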
Filesystems
• WSL has two main file systems
• VolFs
• Linux root directories
• Not accessible by Windows applications
• DriveFs
• Access to the Windows filesystem
• /mnt/c
• Additional filesystems for /proc, /sys, etc.
• The control file systems are incomplete
• /proc/net is incomplete, which breaks ifconfig
DriveFS Specific
• Despite running as root, files can only be read as the user that started bash
• Linux file permissions are stored in NTFS extended attributes
• Permissions and owner are ignored for files created by root
Attacker Notes
Identifying WSL
• Obvious:
• grep -q Microsoft /proc/version && echo "WSL Detected"
• Check for mounted drives in /mnt
• Behavioral clues:
• Only 1 entry in /sys/module (the lack of drivers is suspicious)
• /proc is missing the modules entry
• Strict checks of mmap syscall flags
• mmap(NULL, 4096, PROT_READ|PROT_WRITE|0x1000, …
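The checks above as an added example in C (not from the slides): wsl_fingerprint() runs the four filesystem clues against a root directory so they can be exercised offline against a constructed tree, and mmap_accepts_unknown_prot() probes the mmap strictness the slide mentions. The enum names, make_fake_root(), the MAP_PRIVATE|MAP_ANONYMOUS flags filled in for the elided mmap arguments, and the sample /proc/version and module names are all mine.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* One bit per clue so a caller can see which checks fired. */
enum {
    WSL_PROC_VERSION = 1 << 0, /* "Microsoft" in /proc/version */
    WSL_DRIVEFS_MNT  = 1 << 1, /* /mnt/c present (DriveFs mount point) */
    WSL_NO_MODULES   = 1 << 2, /* /proc/modules missing */
    WSL_FEW_SYSMODS  = 1 << 3, /* at most one entry under /sys/module */
};

static int file_contains(const char *path, const char *needle) {
    char line[512];
    int hit = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (strstr(line, needle)) { hit = 1; break; }
    fclose(f);
    return hit;
}

static int path_exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Entries in a directory excluding . and ..; -1 if it cannot be opened. */
static int dir_entries(const char *path) {
    DIR *d = opendir(path);
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) n++;
    closedir(d);
    return n;
}

/* Run the filesystem checks against a tree rooted at `root`
 * ("/" on a live system, a constructed directory in the test). */
int wsl_fingerprint(const char *root) {
    char p[4096];
    int mask = 0;
    snprintf(p, sizeof p, "%s/proc/version", root);
    if (file_contains(p, "Microsoft")) mask |= WSL_PROC_VERSION;
    snprintf(p, sizeof p, "%s/mnt/c", root);
    if (path_exists(p)) mask |= WSL_DRIVEFS_MNT;
    snprintf(p, sizeof p, "%s/proc/modules", root);
    if (!path_exists(p)) mask |= WSL_NO_MODULES;
    snprintf(p, sizeof p, "%s/sys/module", root);
    if (dir_entries(p) <= 1) mask |= WSL_FEW_SYSMODS;
    return mask;
}

/* Behavioural clue: mmap() with an unknown prot bit (0x1000). The flags are
 * an assumption (the slide elides them). Returns 1 if the mapping was
 * accepted, 0 if the kernel refused it. */
int mmap_accepts_unknown_prot(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | 0x1000,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, 4096);
    return 1;
}

static int mkdir_ok(const char *p) { return mkdir(p, 0700) == 0 || errno == EEXIST; }

static int write_file(const char *p, const char *text) {
    FILE *f = fopen(p, "w");
    if (!f) return 0;
    fputs(text, f);
    return fclose(f) == 0;
}

/* Build a constructed skeleton under `root`: wsl_like=1 mimics the layout the
 * slides describe, wsl_like=0 a stock Linux box. All contents are invented. */
int make_fake_root(const char *root, int wsl_like) {
    char p[4096];
    const char *dirs[] = { "", "/proc", "/sys", "/sys/module", "/mnt" };
    const char *mods[] = { "mod_a", "mod_b", "mod_c" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(p, sizeof p, "%s%s", root, dirs[i]);
        if (!mkdir_ok(p)) return -1;
    }
    snprintf(p, sizeof p, "%s/proc/version", root);
    if (!write_file(p, wsl_like ? "Linux version 3.4.0-Microsoft (constructed sample)\n"
                                : "Linux version 4.4.0 (constructed sample)\n")) return -1;
    if (wsl_like) {
        snprintf(p, sizeof p, "%s/mnt/c", root);
        if (!mkdir_ok(p)) return -1;
        snprintf(p, sizeof p, "%s/sys/module/only_one", root); /* invented name */
        return mkdir_ok(p) ? 0 : -1;
    }
    snprintf(p, sizeof p, "%s/proc/modules", root);
    if (!write_file(p, "mod_a 16384 0 - Live 0x0000000000000000\n")) return -1;
    for (size_t i = 0; i < sizeof mods / sizeof mods[0]; i++) {
        snprintf(p, sizeof p, "%s/sys/module/%s", root, mods[i]);
        if (!mkdir_ok(p)) return -1;
    }
    return 0;
}

int main(void) {
    printf("fingerprint mask 0x%x, mmap accepted unknown prot bit: %d\n",
           wsl_fingerprint("/"), mmap_accepts_unknown_prot());
    return 0;
}
```

On a live system call wsl_fingerprint("/"): a mask of 0xF together with the mmap probe returning 0 matches the 2016 WSL behaviour the slides describe, while a stock Linux host should score 0 on the filesystem checks. Treat the single bits as hints rather than proof; /proc/version is the only one that names Microsoft outright.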
Very Subtle Microsoft…
Metasploit Payload Compatibility
• Each was tested as a native ELF executable
• Working payloads can’t access network configuration details

Payload Name                        Compatible?
linux/x64/mettle/reverse_tcp        no*
linux/x64/shell_reverse_tcp         yes
linux/x86/meterpreter/reverse_tcp   no**
python/meterpreter/reverse_tcp      yes

* Strict mmap syscall implementation
** 32-bit ELF files are not supported
Python Meterpreter
Linux Kernel Protections
• All the basics are implemented
• Usermode ASLR (randomize_va_space)
• Data Execution Prevention (DEP)
• NULL page mapping prevention (mmap_min_addr)
Cross Process Access
• Desirable for an attacker to cross from one side to the other: infect the Linux environment from Windows, or the Windows host from Linux
• Linux processes cannot list Windows processes
• Windows can list Linux processes
• PIDs do not match
Linux -> Windows Access
• No process access
• Windows processes are objects exposed through the Win32 API
• Linux exposes information through files in /proc
• The Win32 API requires that the process make syscalls into the NT kernel
• Picoprocesses have a separate syscall dispatcher, so those calls are not available to them
Windows -> Linux Access
• Limited information is available
• Linux processes cannot be debugged (OpenProcess fails for anything beyond the flags below)
• Acceptable flags: (PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE)
• Without more than that access, Meterpreter’s migrate will not function
• The low 8 bits of a Linux process’s exit code can be retrieved from Windows with GetExitCodeProcess
• Linux exit code = dwStatus >> 8
• Windows user processes can obtain the same info for “root” processes
• The Windows permissions are effectively the same (can’t write to %SystemRoot%\System32\wbem\MOF etc.)
Cross User Access
• WSL environments are specific to the user who started them
• Hence the inherited permissions
• Resources in one running WSL environment cannot be accessed from another
• Multiple invocations of “bash” as one user do share an environment
• Otherwise files, processes, etc. are all inaccessible across environments
• Primarily relevant in multi-user environments like Server 2012
Closing Thoughts
• “root” doesn’t mean much
• Nuances in what root means and how it’s handled will be a source of user mistakes
References
• https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
• https://blogs.windows.com/windowsexperience/2016/04/06/announcing-windows-10-insider-preview-build-14316/
• http://research.microsoft.com/en-us/projects/drawbridge/
• https://blogs.windows.com/buildingapps/2016/03/30/run-bash-on-ubuntu-on-windows/
• https://github.com/Microsoft/BashOnWindows
• https://blogs.msdn.microsoft.com/wsl/2016/06/15/wsl-file-system-support/
• https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls/
• https://blogs.msdn.microsoft.com/wsl/2016/05/23/pico-process-overview/
Thanks for your time!
Spencer McIntyre
@zeroSteiner
github.com/zeroSteiner

More Related Content

What's hot

Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareTamas K Lengyel
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeE Hacking
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with XenTamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwareTamas K Lengyel
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205Linaro
 

What's hot (20)

Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning Tree
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Packers
PackersPackers
Packers
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205
 

Similar to Is That A Penguin In My Windows?

Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack eurobsdcon
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 
The Quest for the Perfect API
The Quest for the Perfect APIThe Quest for the Perfect API
The Quest for the Perfect APImicrokerneldude
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10mark-smith
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber WeaponryJoshua L. Davis
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
SC'16 PMIx BoF Presentation
SC'16 PMIx BoF PresentationSC'16 PMIx BoF Presentation
SC'16 PMIx BoF Presentationrcastain
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentAndy Lee
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaumeurobsdcon
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica SarbuOSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica SarbuNETWAYS
 
Extending Sysdig with Chisel
Extending Sysdig with ChiselExtending Sysdig with Chisel
Extending Sysdig with ChiselSysdig
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
OSCON: System software goes weird
OSCON: System software goes weirdOSCON: System software goes weird
OSCON: System software goes weirdDocker, Inc.
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveDEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveFelipe Prado
 
Speed up your Symfony2 application and build awesome features with Redis
Speed up your Symfony2 application and build awesome features with RedisSpeed up your Symfony2 application and build awesome features with Redis
Speed up your Symfony2 application and build awesome features with RedisRicard Clau
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeSam Bowne
 

Similar to Is That A Penguin In My Windows? (20)

Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
The Quest for the Perfect API
The Quest for the Perfect APIThe Quest for the Perfect API
The Quest for the Perfect API
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10
 
Deep hooks
Deep hooksDeep hooks
Deep hooks
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
SC'16 PMIx BoF Presentation
SC'16 PMIx BoF PresentationSC'16 PMIx BoF Presentation
SC'16 PMIx BoF Presentation
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized Environment
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica SarbuOSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
 
Extending Sysdig with Chisel
Extending Sysdig with ChiselExtending Sysdig with Chisel
Extending Sysdig with Chisel
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
OSCON: System software goes weird
OSCON: System software goes weirdOSCON: System software goes weird
OSCON: System software goes weird
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveDEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
 
Speed up your Symfony2 application and build awesome features with Redis
Speed up your Symfony2 application and build awesome features with RedisSpeed up your Symfony2 application and build awesome features with Redis
Speed up your Symfony2 application and build awesome features with Redis
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Is That A Penguin In My Windows?

Syscalls You Say?
• Picoprocesses get a separate syscall dispatcher
• Driver registers itself as a picoprocess provider and dispatches its own syscalls
• Linux syscalls implemented in LXCORE!LxpSyscall_*
• 216 in Windows 10 Preview 14385 vs 345 in Linux 3.4-rc7
• 62.6% coverage
• Missing syscalls include some *32 equivalents
• Existing are 16-bit not 64-bit, 32-bit calls were introduced in Linux 2.4
Syscalls You Say?
• The kernel dispatches to the picoprovider for fulfillment
• Linux calls with NT equivalents forward the call to be fulfilled by the kernel
• Syscall is made by the user process with the convention expected by the pico driver
• In this case, the one specified by Linux x86-64 / System V ABI
• System V ABI Syscall Convention
• Syscall number -> RAX
• Arguments -> RDI, RSI, RDX, RCX, R8, R9 (remaining on the stack)
Debugging Syscalls
• Useful for bug hunting
• We can break on specific conditions using the Linux calling convention
• Example call stack for MMAP:
LXCORE!LxpSys_MMAP <- Break here for mmap syscalls and/or args to mmap
LXCORE!LxpSysDispatch
LXCORE!PicoSystemCallDispatch <- Break here for all WSL syscalls
nt!PsPicoSystemCallDispatch <- Break here for all picoprocess syscalls
nt!KiSystemServiceUser
Filesystems
• WSL has 2 main file systems
• VolFs
• Linux root directories
• Not accessible by Windows applications
• DriveFs
• Access to the Windows filesystem
• /mnt/c
• Additional filesystems for /proc, /sys, etc.
• Control file systems are incomplete
• /proc/net results in broken ifconfig
DriveFS Specific
• Despite being root, files can only be read as the user that started bash
• Linux file permissions are stored in an NTFS extended attribute
• Permissions and owner are ignored for files created by root
Identifying WSL
• Obvious:
• grep Microsoft /proc/version && echo “WSL Detected”
• Check for mounted drives in /mnt
• Behavioral clues:
• 1 module in /sys/modules (lack of drivers is suspicious)
• /proc missing modules entry
• Strict checks of mmap syscall flags
• mmap(NULL, 4096, PROT_READ|PROT_WRITE|0x1000, …
Metasploit Payload Compatibility
• Each was tested as a native ELF executable
• Working payloads can’t access network configuration details

Payload Name                         Compatible?
linux/x64/mettel/reverse_tcp         no*
linux/x64/shell_reverse_tcp          yes
linux/x86/meterpreter/reverse_tcp    no**
python/meterpreter/reverse_tcp       yes

* Strict mmap syscall implementation
** 32-bit ELF files are not supported
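Added example (not part of the talk) tying together the syscall convention from the "Syscalls You Say?" slide, the strict mmap prot check from "Identifying WSL", and the footnote on the payload table: it issues mmap as a raw x86-64 syscall with an undefined prot bit and reports whether the dispatcher accepted it. The function names, the 0x1000 bit and the sample /proc/version banners are assumptions/constructed inputs, and the inline assembly is x86-64 only (other architectures fall back to libc's syscall()).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw Linux x86-64 syscall: number in RAX, args in RDI, RSI, RDX, R10, R8, R9.
 * The 4th argument travels in R10, not RCX, because the syscall instruction
 * clobbers RCX and R11. On failure the kernel returns -errno in RAX. */
static long raw_syscall6(long nr, long a1, long a2, long a3, long a4, long a5, long a6)
{
#if defined(__x86_64__)
    long ret;
    register long r10 __asm__("r10") = a4;
    register long r8  __asm__("r8")  = a5;
    register long r9  __asm__("r9")  = a6;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8), "r"(r9)
                      : "rcx", "r11", "memory");
    return ret;
#else
    long ret = syscall(nr, a1, a2, a3, a4, a5, a6); /* portable fallback via libc */
    return ret == -1 ? -errno : ret;
#endif
}

/* Map one anonymous page with PROT_READ|PROT_WRITE plus extra_prot (assumed name).
 * Returns 0 when the mapping succeeds (it is unmapped again), else the positive
 * errno. Linux ignores undefined prot bits, so 0x1000 maps fine there; a strictly
 * validating dispatcher (WSL at the time of the talk) rejects it, usually EINVAL. */
int probe_mmap_prot(int extra_prot)
{
    long ret = raw_syscall6(SYS_mmap, 0, 4096, PROT_READ | PROT_WRITE | extra_prot,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ret < 0 && ret > -4096)   /* -errno range used by the kernel ABI */
        return (int)-ret;
    munmap((void *)ret, 4096);
    return 0;
}

/* The "obvious" check from the slide: WSL's /proc/version banner names Microsoft. */
int banner_is_wsl(const char *proc_version)
{
    return strstr(proc_version, "Microsoft") != NULL;
}
```

A return of 0 from probe_mmap_prot(0x1000) means the dispatcher behaves like mainline Linux; a non-zero errno with a plain mmap still succeeding is the strict behaviour the payload table's first footnote attributes to WSL.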
Linux Kernel Protections
• All the basics are implemented
• Usermode ASLR (randomize_va_space)
• Data Execution Prevention (DEP)
• NULL page mapping prevention (mmap_min_addr)
Cross Process Access
• Desirable for an attacker to infect the Linux container or Windows host
• Linux processes can not list Windows processes
• Windows can list Linux processes
• PIDs do not match
Linux -> Windows Access
• No process access
• Windows processes are objects exposed through the Win32 API
• Linux exposes information through files in /proc
• Win32 API requires that the process make syscalls into the NT kernel
• Picoprocesses have a separate syscall dispatcher
Windows -> Linux Access
• Limited information is available
• Linux processes can not be debugged (OpenProcess fails)
• Acceptable flags: (PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE)
• Without this Meterpreter’s migrate will not function
• Low 8 bits of the Linux process exit code can be retrieved with GetExitCodeProcess from Windows
• dwStatus >> 8
• Windows user processes can obtain the same info for “root” processes
• The Windows permissions are effectively the same (can’t write to %SystemRoot%\System32\wbem\MOF etc.)
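Added example (not the talk's code) of the Windows-side access described above: open a WSL process with only the two access rights the slide reports as accepted, wait for it, and recover the Linux exit code from the NT exit status with the slide's dwStatus >> 8. The function names are assumptions; the Win32 part only compiles on Windows, while the status decoding is portable.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Per the slide, the NT exit status of a WSL picoprocess carries the Linux
 * wait status, so the Linux exit code is its low 8 bits after shifting by 8. */
uint32_t linux_exit_code_from_status(uint32_t dwStatus)
{
    return (dwStatus >> 8) & 0xffu;
}

#ifdef _WIN32
/* Open the picoprocess with the limited rights that succeed, wait for it to exit
 * and return 0 with *linux_code filled in, or -1 if the open or query failed.
 * Asking for broader rights (e.g. debugging) fails, which is why Meterpreter's
 * migrate cannot target these processes. */
int wait_for_wsl_exit(DWORD pid, uint32_t *linux_code)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE, FALSE, pid);
    if (h == NULL)
        return -1;
    WaitForSingleObject(h, INFINITE);
    DWORD status = 0;
    int ok = GetExitCodeProcess(h, &status) ? 0 : -1;
    CloseHandle(h);
    if (ok == 0)
        *linux_code = linux_exit_code_from_status((uint32_t)status);
    return ok;
}
#endif
```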
Cross User Access
• WSL environments are specific to the user who started them
• Hence the inherited permissions
• Resources in one running WSL environment can not be accessed from another
• Multiple invocations of “bash” as one user do share an environment
• Files, processes, etc. are all inaccessible
• Primarily relevant in multi-user environments like Server 2012
Closing Thoughts
• “root” doesn’t mean much
• Nuances in what root means and how it’s handled will be a source of user mistakes
References
• https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/
• https://blogs.windows.com/windowsexperience/2016/04/06/announcing-windows-10-insider-preview-build-14316/
• http://research.microsoft.com/en-us/projects/drawbridge/
• https://blogs.windows.com/buildingapps/2016/03/30/run-bash-on-ubuntu-on-windows/
• https://github.com/Microsoft/BashOnWindows
• https://blogs.msdn.microsoft.com/wsl/2016/06/15/wsl-file-system-support/
• https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls/
• https://blogs.msdn.microsoft.com/wsl/2016/05/23/pico-process-overview/
Thanks for your time!
Spencer McIntyre
@zeroSteiner
github.com/zeroSteiner