DOCSLIB.ORG

Basics of Windows OS for Reverse Engineering Malware

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Basics of Windows OS for Reverse Engineering Malware Basics of Windows OS for Reverse Engineering Malware Protecting the irreplaceable | f-secure.com Copyright F-Secure 2010. All rights reserved. Applications on Windows 2 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Executable Format • Object files and executables follow the PE (Portable Executable) file format • Full specification available online • http://www.microsoft.com/whdc/system/platform/ firmware/PECOFF.mspx • Best viewed with your hex editor (HT) or specialized PE viewer (PEBrowsePro ->) 3 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Windows Executables • Filename extension hints to the executable type • EXE = executable application, anything from a DOS executable to 64-bit Windows applications • DLL = Dynamic link library, a set of callable routines compiled together as a loadable file • SYS = Driver • OBJ = Object file, input to the linker • Note that Windows does not really care much about the file extension • You can execute application.jpg just fine • All of these follow the PE/COFF specification • APPX is used for Windows 8 Windows Store apps • Not a PE, but a ZIP archive with all application contents inside 4 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Windows API • Windows API (aka. Win32 API) is the interface to the operating system for applications • Exposed by a set of system libraries: kernel32.dll, user32.dll, … • Windows 7 refactored the system libraries (“MinWin”) so you will see e.g. kernelbase.dll • On 64-bit, because of 32-bit compatibilty, c:\windows\syswow64 contains another set of libraries • Several subcategories • Administration and management (WMI, …) • Diagnostics (event logging, …) • Networking • Security • System services (processes, threads, registry…) • MSDN is the reverse engineers best friend for Windows binaries • http://msdn2.microsoft.com/en-us/library/default.aspx 5 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Native API • Undocumented interface to OS functionality • One level below Windows API • Some low-level functionality only available through Native API • Examples of interesting functions • NtSetSystemInformation • NtQuerySystemInformation • NtQueryDirectoryFile • See “Windows NT/2000 Native API Reference” by Nebbett 6 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Windows Architecture 7 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Simplified Windows Architecture System Support Service User Environment Processes Processes Applications Subsystems Subsystem DLL’s NTDLL.DLL Executive Windowing & Graphics Kernel Device Drivers HAL 8 February 18, 2013 Copyright F-Secure 2010. All rights reserved. System Mechanisms 9 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Kernel-mode & user-mode 0xFFFFFFFF System-space (Ring 0) Int 0x2e / Sysenter User-space User-space (RingUser -3)space (Ring 3) (Ring 3) 0x00000000 10 February 18, 2013 Copyright F-Secure 2010. All rights reserved. System Service Dispatching Read the file Nt! Return to caller NtReadFile Call NtReadFile Interrupt Nt! Dismiss interrupt KiSystemService Sysenter Ntdll.dll! Return to caller NtReadFile Call NtReadFile Kernel32.dll! Return to caller ReadFile ReadFile(…) Application 11 February 18, 2013 Copyright F-Secure 2010. All rights reserved. System Service Dispatching 12 February 18, 2013 Copyright F-Secure 2010. All rights reserved. System Service Dispatching 13 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Processes & Threads 14 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Processes • Abstraction of an executing program • A process has • A private virtual address space (user-mode address space) • A base image (the main executable) • A set of open handles to OS resources • An access token (“who is this process, what can it do”) • A process ID (PID) • One or more threads • Job = A group of processes that can be managed as a unit 15 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Threads • A thread is what gets scheduled for execution on the CPU • A thread has • A context (the state of execution) • A list of exception handlers • Two stacks, one for user-mode and one for kernel-mode • A thread ID (TID) • An access token • Thread-Local Storage (TLS), a per-thread storage area • Fiber = Manually scheduled unit of execution, shares the context of its owning thread (ConvertThreadToFiber, CreateFiber, SwitchToFiber) 16 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Processes & Threads 17 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Demo: Processes and Threads 18 February 18, 2013 Case Study: FU Rootkit • The FU rootkit hides processes by unlinking them from the kernels process list • Why do those processes still get execution time? 19 February 18, 2013 © F-Secure Confidential Copyright F-Secure 2010. All rights reserved. Case Study: DLL Injection • A technique to run code in the context of another process by forcing it to load a DLL • Motivation 1. Stealth: no extra processes in process list 2. Data capture using API hooks (e.g. banking trojans) 3. Making reverse engineering more difficult 4. Avoiding HIPS features (outbound network connectivity from trusted process) • Various ways to accomplish DLL injection on Windows • Registry: AppInit_DLLs • Using remote threads • SetWindowsHookEx • From the kernel using APC’s 20 February 18, 2013 Copyright F-Secure 2010. All rights reserved. What does this code do? 21 February 18, 2013 Copyright F-Secure 2010. All rights reserved. TEB & PEB • TEB = Thread Environment Block • Container for thread-specific things like the exception handler list, stack pointer, … • Windows uses the fs segment to store it (offset 0x18 has pointer to self) • mov eax, fs[18] • PEB = Process Environment Block • Container for process-specific things like the list of loaded modules • TEB has a pointer to PEB at offset 0x30 • Important when reversing code that • Enumerates loaded modules (Peb.Ldr) • Checks for an attached debugger (PEB.BeingDebugged) • Installs an exception handler (TEB.NtTib.ExceptionList) 22 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Example: Checking For a Debugger ; Call IsDebuggerPresent() call [IsDebuggerPresent] test eax, eax ; Do the same by checking PEB mov eax, large fs:18h ; Offset 18h has self-pointer to TEB mov eax, [eax+30h] ; Offset 30h has pointer to PEB movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged test eax, eax 23 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Example: Installing an Exception Handler ; Install a SEH exception handler push offset_my_handler ; pointer to our handler push fs:[0] ; pointer to old exception record mov fs:[0], esp ; update TEB.NtTib.ExceptionList 24 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Memory Management 25 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Memory Manager • Each process on Windows sees a large, continuous address space • The memory manager has two important tasks 1. Mapping access to virtual memory into physical memory 2. Paging contents of virtual memory to disk as physical memory runs out, and paging data back to memory when it’s needed 26 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Virtual Memory • Each process has private, virtual address space • Paging = the process of transferring memory contents to and from disk • Amount of virtual memory can exceed physical memory 27 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Virtual Memory (x86) • Total of 4 GB virtual memory • By default, only lower 2 GB accessible from user-mode • Upper 2 GB reserved for kernel-mode and shared between all processes 28 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Management Mechanisms 29 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Registry • A directory for storing settings and configuration data for the Operating System and applications • Think of it as a huge .ini file • Basic concepts • Hive • Key • Value • Hives are just files, most under %SystemRoot%\System32\Config 30 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Registry Hive Format 31 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Registry Root Keys • HKEY_LOCAL_MACHINE (HKLM) • System-wide information • HKEY_USERS (HKU) • User-specific settings for all accounts • HKEY_CURRENT_USER (HKCU) • A link to the current user under HKEY_USERS • HKEY_CLASSES_ROOT (HKCR) • File associations and COM registration, links to HKLM\Software\Classes • HKEY_PERFORMANCE_DATA • HKEY_CURRENT_CONFIG • Current HW profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current 32 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Registry and Malware • Malware wants to survive a reboot • Registry is the most common way of starting after reboot • Hundreds of “launchpoints” • HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger • Malware also wants to change (security) settings for other components • Windows Firewall, IE extensions and settings, Windows File Protection, … • The registry is also a great source for forensic data, for example: • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ UserAssist 33 February 18, 2013 Copyright F-Secure 2010. All rights reserved. Services • Services are background processes
Load more

Recommended publications
  • (12) Patent Application Publication (10) Pub. No.: US 2008/0103921 A1 CELLA Et Al
    US 20080 103921A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2008/0103921 A1 CELLA et al. (43) Pub. Date: May 1, 2008 (54) CONTINGENCY-BASED OPTIONS AND (60) Provisional application No. 60/137,310, filed on Jun. FUTURES FOR CONTINGENT TRAVEL 3, 1999. ACCOMMODATIONS Publication Classification (76) Inventors: Charles H. CELLA, Pembroke, MA (US); Edward J. KELLY, Wellesley, (51) Int. Cl. MA (US); Matthew P. VINCENT, G06Q 30/00 (2006.01) Georgetown, MA (US) (52) U.S. Cl. ................................................................ 705/26 Correspondence Address: STRATEGIC PATENTS P.C.. (57) ABSTRACT CFO PORTFOLIOP P.O. BOX S2OSO MINNEAPOLIS, MN 55402 (US) Disclosed herein is a system for allowing a remote user to purchase, over a distributed computer network (e.g., the (21) Appl. No.: 11/875,368 Internet), an option for a ticket and/or accommodations for a contingent event', e.g., an event which is certain to occur (22) Filed: Oct. 19, 2007 but for which the participants, content and/or location(s) are Related U.S. Application Data not predetermined. For instance, the Subject system can be used to sell options for the purchase of tickets to such (63) Continuation of application No. 09/586,723, filed on contingent events such as playoff games on the basis of what Jun. 5, 2000. teams qualify, or all-star game. 282 Y 294 292 HOTEL DINING 290 TRANSPORTATION 288 284 3O4 TICKET OTHER GOODS RENTAL LOCAL CAR ATTRACTIONS OTHER SERVICES Patent Application Publication May 1, 2008 Sheet 1 of 10 US 2008/O103921 A1 to 1 O2 1 O2 1 O2 BUYER BUYER BUYER N7 10 HOST PROVIDER > 104 108 Fig.
    [Show full text]
  • The Linux Kernel Hidden Inside Windows 10
    GAINING VISIBILITY INTO LINUX BINARIES ON WINDOWS: DEFEND AND UNDERSTAND WSL BLUEHAT 2016 ALEX IONESCU @AIONESCU BIO Vice President of EDR Strategy at CrowdStrike, a security startup Previously worked at Apple on iOS Core Platform Team Co-author of Windows Internals 5th, 6th and now 7th Edition Reverse engineering NT since 2000 – lead kernel developer on ReactOS Project Instructor of worldwide Windows Internals classes Conference speaking: • BlueHat 2016, Infiltrate 2015 • Blackhat 2016, 2015, 2013, 2008 • SyScan 2015-2012, NoSuchCon 2014-2013, Breakpoint 2012 • Recon 2016-2010, 2006 For more info, see www.alex-ionescu.com and www.windows-internals.com INTRODUCTION • I have been analyzing WSL since its first inception as “Astoria” and “Arcadia” • Based on Microsoft Research “DrawBridge” Project • Achieved arbitrary ELF binary execution in January 2016 – no WSL installed (Redstone 1 Preview) • Discovered multiple design issues that would allow malicious users to abuse/exploit the subsystem • Presented at BlackHat 2016 after most of the issues had been fixed in Anniversary Update • “Optionality” of subsystem was now enforced (driver no longer present by default at boot) • Protected Process boundary added to driver/subsystem, and Pico processes are isolated too • Some visibility issues addressed (SeLocateProcessImageName no longer returns NULL, for example) • Many more visibility issues exist • New challenges and features which can negatively impact security are coming in Redstone 2 • Aka RS2 aka “Creator’s Update” aka 1703 DESIGN ISSUES
    [Show full text]
  • The OS/2 Warp 4 CID Software Distribution Guide
    SG24-2010-00 International Technical Support Organization The OS/2 Warp 4 CID Software Distribution Guide January 1998 Take Note! Before using this information and the product it supports, be sure to read the general information in Appendix D, “Special Notices” on page 513. First Edition (January 1998) This edition applies to OS/2 Warp 4 in a software distribution environment and to NetView Distribution Manager/2 (NVDM/2) with Database 2 (DB2) Version 2.11 for OS/2 and Tivoli TME 10 Software Distribution 3.1.3 for OS/2 (SD4OS2) software distribution managers. This edition also applies to OS/2 Warp 4 subcomponents, such as TCP/IP 4.0, MPTS, NetFinity 4.0, Peer Services, and LAN Distance, and to OS/2- related products, such as eNetwork Personal Communications for OS/2 Warp, eNetwork Communications Server for OS/2 Warp, Transaction Server, Lotus Notes, and Lotus SmartStuite 96 for OS/2 Warp. Comments may be addressed to: IBM Corporation, International Technical Support Organization Dept. DHHB Building 045 Internal Zip 2834 11400 Burnet Road Austin, Texas 78758-3493 When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. © Copyright International Business Machines Corporation 1998. All rights reserved Note to U.S Government Users – Documentation related to restricted rights – Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp. Contents Figures. .xiii Tables. xvii Preface. .xix How This Redbook in Organized .
    [Show full text]
  • 12 Microsoft Hot Spots to Watch in 2012
    Foley: 12 Microsoft Hot Spots to Watch in 2012 JANUARY 2012 VOL. 18 NO. 1 REDMONDMAG.COM Steve Ballmer’s potential replacement, best exec fi ghts, products that changed tech forever: Redmond editors lay out lists that IT pros shouldn’t miss. + A Look at BeyondTrust PowerBroker Desktops DLP Solve Active Directory Disasters BETTER BUSINESS INTELLIGENCE AT A BETTER PRICE UP TO 72% LESS Untitled-8 2 6/15/10 3:19 PM S Turn your raw data into a powerful strategic advantage with Business Intelligence solutions from DellTM and Microsoft®—and do it for up to 72% less per terabyte than the competition.* Built on industry standards, Microsoft® SQL Server® 2008 R2 systems from Dell are designed to speed implementations, lower risk, and reduce complexity—all while delivering the best price-for-performance in the industry. SIMPLIFY YOUR IT AT DELL.COM/SQLBI * 72% claim based upon a comparison of list prices of typical Business Intelligence off erings from leading hardware manufacturers versus Dell/Microsoft combined off erings. Benchmarked systems confi gured with 4-5 TB of data storage, database application software, and Business Intelligence analytic software. Dell is a trademark of Dell Inc. ©2010 Dell Inc. All rights reserved. Untitled-8 3 6/15/10 3:20 PM Redmond The Independent Voice of the Microsoft IT CommunityContentsJANUARY 2012 COVER STORY REDMOND REPORT 9 IT Awaits Release of SQL Server 2012 Microsoft changed how its upcoming database management system will be packaged, while also rolling out release candidate software. COLUMNS 6 Barney’s Rubble: Doug Barney The Privacy Is Dead List Issue To start 2012, we’re offering numbered thoughts from our cleverest minds on where Microsoft and IT have been and are going.
    [Show full text]
  • Microsoft and Cray to Unveil $25,000 Windows-Based Supercomputer
    AAll About Microsoft: l lCodeTracker A monthly look at Microsoft’s codenames and what they Areveal about the direction of the company. b o u t M i c r o s o f t : All About Microsoft CodeTracker Keeping track of Microsoft's myriad codenames is an (almost) full-time occupation. I know, as I spend a lot of my work hours tracking down the latest names in the hopes of being able to better keep tabs on what's coming next from the Redmondians. Each month, I'll be releasing an updated, downloadable version of the CodeTracker. I'll add new codenames -- arranged in alphabetical order by codename -- of forthcoming Microsoft products and technologies. I also will note timing changes (date slips, the release of a new test build, the disappearance of a planned deliverable) for entries that are already part of the Tracker. Once Microsoft releases the final version of a product or technology I've been tracking, I will remove it from the Tracker. In that way, the CodeTracker will remain focused on futures. (An aside about the Tracker: A question mark in place of an entry means I have insufficient information to hazard even an educated guess about a particular category.) If you have suggested new entries or corrections to existing ones, please drop me an e-mail at mjf at microsofttracker dot com. Thanks! Mary Jo Foley, Editor, ZDNet's "All About Microsoft" blog This Month's Theme: OOF It’s the height of the summer here in the U.S., and summer holidays are in full swing for the Softies.
    [Show full text]
  • Universal Unhooking
    W HITE PAPER Universal Unhooking Blinding Security Software In both ‘good’ and ‘bad’ uses, hooks are inserted by overwriting the first few bytes of a target function to hijack execution flow. Code hooking is a technique used for redirecting a computer’s execution flow to modify software. Essentially, a ‘hook’ is something that will allow the developer to see, view, and interact with something that is already going on in the system. Code hooks can perform a wide variety of functionality, both innocent and nefarious, including: • Patching a bug • Performance monitoring • Disabling digital rights management systems • Capturing keystrokes (keylogging) • Hiding processes and files (rootkits) The antivirus (AV) industry uses code hooking to monitor processes for potentially malicious behavior, protect applications by injecting anti-exploitation checks, and isolate processes by sandboxing or virtualization. The technique can also be used by bad actors, for instance, to implement a rootkit to hide processes and network connections from the end-user and security software. Bad actors have also determined how to monetize the technique by hooking browsers to invisibly modify online banking sites to steal credentials or initiate fraudulent transfers. In both ‘good’ and ‘bad’ uses, hooks are inserted by overwriting the first few bytes of a target function to hijack execution flow. Typically, a JMP or CALL is inserted to transfer execution to new code that will perform the new functionality and, depending on the intended behavior, may return to the original function to complete its execution. Universal Unhooking | 2 A Pen Tester’s Perspective A Brief Detour: Code Hooking One of the first things a penetration tester performs The diagram below depicts the general outline of code after gaining initial access to a system is to dump hooking.
    [Show full text]
  • 98-365 Microsoft
    98-365 microsoft Number : 98-365 Passing Score : 800 Time Limit : 120 min www.examsforall.com http://www.gratisexam.com/ Exam A QUESTION 1 You need to assign permission to acces resources. Which type of group should you use? A. Workgroup B. Security group C. Organizational group D. Distribution group Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 2 You manage a Workgroup. You need to create a group for print administrators. Which type of group should you create? A. Domain Local group B. Local group C. Global group D. Universal group Correct Answer: B Section: (none) Explanation Explanation/Reference: QUESTION 3 In which order are group policies applied? (To answer, move the appropriate scopes from the list of scopes to the answer area and arrange them from first applied to last applied) Select and Place: http://www.gratisexam.com/ Correct Answer: Section: (none) Explanation Explanation/Reference: QUESTION 4 http://www.gratisexam.com/ You need to create a group that includes users from different domains in a single forest. You also need to enable the group to access resources in any domain in the forest. Which type of group should you create? A. Workgroup B. Local group C. Universal groep D. Global group E. Domain local group Correct Answer: C Section: (none) Explanation Explanation/Reference: QUESTION 5 You need to access resources located in another forest. Which should you create? A. Child domain B. Distribution group C. Trust D. Organizational unit Correct Answer: D Section: (none) Explanation Explanation/Reference: QUESTION 6 Users report that they are unable to print.
    [Show full text]
  • Dave Probert, Ph.D. ‐ Windows Kernel Architect Core Operating Systems Division –Microsoft
    Dave Probert, Ph.D. ‐ Windows Kernel Architect Core Operating Systems Division –Microsoft Copyright Microsoft Corporation UNIX vs NT Design Environments Environment which influenced fundamental design decisions UNIX [1969] Windows (NT) [1989] 16-bit program address space 32-bit program address space Kbytes of physical memory Mbytes of physical memory Swapping system with memory mapping Virtual memory Kbytes of disk, fixed disks Mbytes of disk, removable disks Uniprocessor Multiprocessor (4-way) State-machine based I/O devices Micro-controller based I/O devices Standalone interactive systems Client/Server distributed computing Small number of friendly users Large, diverse user populations Copyright Microsoft Corporation Effect on OS Design NT vs UNIX Although both Windows and Linux have adapted to changes in the environment, the original design environments (i.e. in 1989 and 1969) heavily influenced the design choices: Unit of concurrency: Threads vs processes Addr space, uniproc Process creation: CreateProcess() vs fork() Addr space, swapping I/O: Async vs sync Swapping, I/O devices Namespace root: Virtual vs Filesystem Removable storage Security: ACLs vs uid/gid User populations Copyright Microsoft Corporation Today’s Environment [2009] 64-bit addresses GBytes of physical memory TBytes of rotational disk New Storage hierarchies (SSDs) Hypervisors, virtual processors Multi-core/Many-core Heterogeneous CPU architectures, Fixed function hardware High-speed internet/intranet, Web Services Media-rich applications Single user, but vulnerable
    [Show full text]
  • Ebook - Informations About Operating Systems Version: September 3, 2016 | Download
    eBook - Informations about Operating Systems Version: September 3, 2016 | Download: www.operating-system.org AIX Operating System (Unix) Internet: AIX Operating System (Unix) AmigaOS Operating System Internet: AmigaOS Operating System Android operating system Internet: Android operating system Aperios Operating System Internet: Aperios Operating System AtheOS Operating System Internet: AtheOS Operating System BeIA Operating System Internet: BeIA Operating System BeOS Operating System Internet: BeOS Operating System BSD/OS Operating System Internet: BSD/OS Operating System CP/M, DR-DOS Operating System Internet: CP/M, DR-DOS Operating System Darwin Operating System Internet: Darwin Operating System Debian Linux Operating System Internet: Debian Linux Operating System eComStation Operating System Internet: eComStation Operating System Symbian (EPOC) Operating System Internet: Symbian (EPOC) Operating System FreeBSD Operating System (BSD) Internet: FreeBSD Operating System (BSD) Gentoo Linux Operating System Internet: Gentoo Linux Operating System Haiku Operating System Internet: Haiku Operating System HP-UX Operating System (Unix) Internet: HP-UX Operating System (Unix) GNU/Hurd Operating System Internet: GNU/Hurd Operating System Inferno Operating System Internet: Inferno Operating System IRIX Operating System (Unix) Internet: IRIX Operating System (Unix) JavaOS Operating System Internet: JavaOS Operating System LFS Operating System (Linux) Internet: LFS Operating System (Linux) Linspire Operating System (Linux) Internet: Linspire Operating
    [Show full text]
  • Sample Chapters from Windows Internals, Sixth Edition, Part 1
    spine = 1.2” Part 1 About the Authors Mark Russinovich is a Technical Fellow in ® the Windows Azure™ group at Microsoft. Windows Internals He is coauthor of Windows Sysinternals SIXTH EDITION Administrator’s Reference, co-creator of the Sysinternals tools available from Microsoft Windows ® The definitive guide—fully updated for Windows 7 TechNet, and coauthor of the Windows Internals and Windows Server 2008 R2 book series. Delve inside Windows architecture and internals—and see how core David A. Solomon is coauthor of the Windows Internals book series and has taught components work behind the scenes. Led by a team of internationally his Windows internals class to thousands of renowned internals experts, this classic guide has been fully updated Windows developers and IT professionals worldwide, SIXTH for Windows 7 and Windows Server® 2008 R2—and now presents its including Microsoft staff. He is a regular speaker 6EDITION coverage in two volumes. at Microsoft conferences, including TechNet As always, you get critical, insider perspectives on how Windows and PDC. operates. And through hands-on experiments, you’ll experience its Alex Ionescu is a chief software architect and internal behavior firsthand—knowledge you can apply to improve consultant expert in low-level system software, application design, debugging, system performance, and support. kernel development, security training, and Internals reverse engineering. He teaches Windows internals courses with David Solomon, and is ® In Part 1, you will: active in the security research community.
    [Show full text]
  • Rethinking the Library OS from the Top Down
    Rethinking the Library OS from the Top Down Donald E. Porter†, Silas Boyd-Wickizer‡, Jon Howell, Reuben Olinsky, Galen C. Hunt † Department of Computer Science ‡ MIT CSAIL Microsoft Research Stony Brook University 32 Vassar Street One Microsoft Way Stony Brook, NY 11794 Cambridge, MA 02139 Redmond, WA 98052 “There is nothing new under the sun, but there are a using a custom file system storage stack rather than using the lot of old things we don’t know.” default sequential prefetching heuristics. – Ambrose Bierce, The Devil’s Dictionary Like many of its contemporaries, the library OS approach is large- ly forgotten, a casualty of the rise of the modern virtual machine Abstract monitor (VMM) [8]. While most new OS designs of the time— This paper revisits an old approach to operating system construc- including library OS designs—ran only a handful of custom ap- tion, the library OS, in a new context. The idea of the library OS plications on small research prototypes, VMM systems proliferat- is that the personality of the OS on which an application depends ed because they could run major applications by reusing existing runs in the address space of the application. A small, fixed set of feature-rich operating systems. The performance benefits offered abstractions connects the library OS to the host OS kernel, offer- by library OS designs did not overcome the need for legacy com- ing the promise of better system security and more rapid inde- patibility. On the other hand, the need for security and independ- pendent evolution of OS components. ent system isolation has increased since the 1990s due to the rise of the Internet.
    [Show full text]
  • Performance Evaluation of Windows Virtual Machines on a Linux Host
    Automatika Journal for Control, Measurement, Electronics, Computing and Communications ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/taut20 Performance evaluation of windows virtual machines on a Linux host Josip Balen , Krešimir Vdovjak & Goran Martinović To cite this article: Josip Balen , Krešimir Vdovjak & Goran Martinović (2020) Performance evaluation of windows virtual machines on a Linux host, Automatika, 61:3, 425-435, DOI: 10.1080/00051144.2020.1775961 To link to this article: https://doi.org/10.1080/00051144.2020.1775961 © 2020 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group Published online: 10 Jun 2020. Submit your article to this journal Article views: 93 View related articles View Crossmark data Full Terms & Conditions of access and use can be found at https://www.tandfonline.com/action/journalInformation?journalCode=taut20 AUTOMATIKA 2020, VOL. 61, NO. 3, 425–435 https://doi.org/10.1080/00051144.2020.1775961 REGULAR PAPER Performance evaluation of windows virtual machines on a Linux host Josip Balen , Krešimir Vdovjak and Goran Martinović Faculty of Electrical Engineering, Computer Science and Information Technology Osijek, Osijek, Croatia ABSTRACT ARTICLE HISTORY Virtualization has experienced a dramatic expansion recently and today is ubiquitous in modern Received 14 August 2019 IT industry since it provides numerous benefits to companies and individual users. It increases Accepted 27 May 2020 efficiency, flexibility and scalability of IT equipment by enabling different software-based envi- KEYWORDS ronments on a single physical hardware. Each virtual machine is a separate instance that is Linux; operating system; completely independent and separated from the computer hardware and it runs on emulated performance evaluation; hardware.
    [Show full text]