Managing Software AND Scripts on 64-bit Windows
Darwin Sanoy, Principal Consultant & Trainer, CSI-Windows.com
http://csi-windows.com
• This session is an abridged version of our course "CSI – Windows 7 Application Support Engineer"
• Darwin Sanoy – Principal Consultant and Trainer – CSI-Windows.com
• Provides Training and Resources to Help Application Provisioning Specialists...
  – Put Applications on Windows 7, Windows 8 and Virtualization
Windows 64-bit Software Spectrum
• 64-bit Hardware (Most "Business Class" HW for the last 6 years)
• Windows 64-bit Edition: 64-bit OS binaries, 64-bit Drivers
• WOW64 (Windows On Windows): 32-bit binaries on 64-bit Windows
• Win7 Compatible 32-bit binaries (Windows 7 UAC + API)
• XP 32-bit binaries: "Just Works"
Why Mixed 32 and 64-bit Bitnesses?
• Reuse Legacy 32-bit Binaries
• Simultaneous Maintenance of Both Bitnesses
• Target XP, 32-bit Win7 and 64-bit Win7
  – Minimize number of source files
  – Minimize number of compiles
  – Minimize number/complexity of installers
• 32-bit Middleware
64-bit Platform Environment
• Duplicate 32-bit & 64-bit Environment (System32 and SysWOW64, WinSxS)
• Bigger on Disk (1.1 Gbytes is SysWOW64)
• EXEs around 20% Larger
• Threads Each Use More (512KB 32-bit, 1.5 64-bit)
• Only 64-bit, Signed Drivers Allowed
• .NET Framework: 32-bit Services OK
WOW64 = Windows (32) On Windows64
• Defined: On 64-bit Windows, allows 32-bit processes to think they are on a 32-bit OS
• By Design: the 64-bit OS supports 32-bit
• By tricking 32-bit EXEs to load 32-bit instead of 64-bit OS DLLs
• Using process-level redirections of certain file paths and registry keys
64-bit Platform Nomenclature
• Bitness = How Many Bits
• x86 = 32-bit
• x64 = 64-bit
• Thunking = translating between different bitness
Naming and Folders
• System32 = 64-bit Windows DLLs
• SysWOW64 = 32-bit Windows DLLs
• "32" in Filenames means nothing (legacy)
• Legacy Locations are RESERVED for 64-bit
• WOW6432Node\ = 32-bit Registry
A Bunch Of DLLs With Me In My Process: The OS Through Process Eyes
Process (ABC.EXE): ABC.EXE, ABC.DLL, XYZ.DLL
Windows: Advapi32.DLL, ComDlg32.DLL, Sechost.DLL, Shell32.DLL, Kernel32.DLL, NTDLL.DLL, Ole32.DLL, User32.DLL
DLL Injection & API Interception
Process (ABC.EXE):
  – ABC.EXE IAT: RegCreateKey -> 6c9b, after injection -> 2e7f
  – ReportGen.DLL IAT: RegCreateKey [6c9b] -> 2e7f
  – Injected.DLL: Custom Function [2e7f] -> 6c9b
  – ADVAPI32.DLL: RegCreateKeyW (code) [6c9b]
  – Shlwapi.DLL
• Used For: AppVirt (App-V), AppCompat, WOW64
WOW64 Architecture – Windows 64-Bit
math.exe (32-bit Process): NTDll.dll, Wow64.dll, Wow64Win.dll, Wow64CPU.dll
• Load \Windows\System32\User32.dll is redirected to \Windows\SysWOW64\User32.dll
  – System32 (64-bit Windows DLLs); SysWOW64 (32-bit Windows DLLs)
• Write HKLM\Software\Math is redirected to HKLM\Software\Wow6432Node\Math
  – HKLM\Software (64-bit Software Registry); HKLM\Software\Wow6432Node (32-bit Software Registry)
Bitness: Processes and Binaries
• math.exe (32-bit Process) loads Arithmatic.dll (32-bit)
• math.exe (64-bit Process) loads Arithmatic.dll (64-bit)
• stats.exe (32-bit) and stats.exe (64-bit) talk to each other via IPC
Default Script Execution Bitness
• .CMD/.BAT = 64-bit
• .VBS, .JS = 64-bit
• .PS1 = 64-bit
• .REG = 64-bit
• .HTA/.HTM = 32-bit
Bitness of Other Environments
• Most Third Party Software Distribution Agents Will Default to 32-bit For A While
• Desktop Management Agent: the Bitness of the Agent Will Dictate EXE / Script Engine Bitness
• Group Policy (64-bit)
• Watch 32-bit Binaries: They May Impact You (Admins / Standard Users) – Miss the Full 64-bit ...
• 32-bit VBScript w/out UAC Admin Will Virtualize (Protected ...)
Script Engine Bitness Impacts
• Registry Redirection – Pushing HKLM\Software: Do You Have Custom Subfolders?
• Path to System32 – 32/64 Bit are different
• Scriptable Objects – VBS: CreateObject, PS: New-Object – must match the software's bitness
• Calls to 32-bit EXEs are OK in x64
Per-Bitness Configuration
• VBScript – Must Be Activated Per Bitness (Registering is per bitness)
  – Regsvr32 %windir%\system32\vbscript.dll
  – Regsvr32 %windir%\sysWOW64\vbscript.dll
  – (same for Jscript)
• PowerShell – ExecutionPolicy is Per bitness
  – Elevate "cmd.exe", then %windir%\System32\WindowsPowerShell\v1.0\Powershell.exe Set-ExecutionPolicy RemoteSigned
  – %windir%\sysWOW64\WindowsPowerShell\v1.0\Powershell.exe Set-ExecutionPolicy RemoteSigned
Errors (Good) Example – SetACL
• 64 and 32-bit Scriptable COM Object Extensions – Register BOTH
• Error Code: 800A01AD "ActiveX component can't create object 'xxx.xxx'."
Force 32-Bit
• .CMD/.BAT: ...\SysWOW64\cmd.exe
• .VBS: ...\SysWOW64\cscript.exe
• .PS1: ...\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
• .REG: ...\SysWOW64\regedit.exe
WMI Registry Access
• Wbemscripting Has Bitness on the Registry Provider
• Defaults to the bitness of the caller
• Can force cross-bitness access with two new properties: "__ProviderArchitecture", 64 (or 32) and "__RequiredArchitecture", TRUE
• A 32-bit Script can Read the 64-bit Registry
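The following is an added example and not code from the course: it enumerates one redirected HKLM key in both the 32-bit and the 64-bit registry views from a single script, whatever bitness the script engine happens to be running at, by passing the __ProviderArchitecture and __RequiredArchitecture context values to the WMI StdRegProv provider. It assumes 64-bit Windows 7; the Uninstall key is used only because it is a standard redirected key present on every install.

```powershell
# Added example (not the course's code). Assumes 64-bit Windows 7 and the
# WbemScripting COM objects that ship with every Windows.
$HKEY_LOCAL_MACHINE = [uint32]2147483650   # 0x80000002, as StdRegProv expects

function Get-RegistrySubKeys {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,
        [ValidateSet(32, 64)][int]$Architecture
    )
    # Context object: which bitness of the provider must service the call.
    # __RequiredArchitecture = TRUE makes WMI fail instead of silently falling
    # back to the caller's bitness.
    $ctx = New-Object -ComObject 'WbemScripting.SWbemNamedValueSet'
    [void]$ctx.Add('__ProviderArchitecture', $Architecture, 0)
    [void]$ctx.Add('__RequiredArchitecture', $true, 0)

    $locator  = New-Object -ComObject 'WbemScripting.SWbemLocator'
    # ConnectServer(server, namespace, user, password, locale, authority, flags, context)
    $services = $locator.ConnectServer('.', 'root\default', '', '', '', '', 0, $ctx)
    $reg      = $services.Get('StdRegProv', 0, $ctx)

    # Build the in-parameters for StdRegProv.EnumKey and call it with the same context
    $inParams = $reg.Methods_.Item('EnumKey', 0).InParameters.SpawnInstance_(0)
    $inParams.Properties_.Item('hDefKey', 0).Value     = $HKEY_LOCAL_MACHINE
    $inParams.Properties_.Item('sSubKeyName', 0).Value = $SubKey
    $out = $reg.ExecMethod_('EnumKey', $inParams, 0, $ctx)

    $rc = $out.Properties_.Item('ReturnValue', 0).Value
    if ($rc -ne 0) { throw "EnumKey ($($Architecture)-bit view) failed with Win32 error $rc" }
    $names = $out.Properties_.Item('sNames', 0).Value
    if ($null -eq $names) { @() } else { @($names) }
}

# The Uninstall key is redirected: a 32-bit engine would normally only ever see the
# Wow6432Node copy, a 64-bit engine only the native copy. Asking explicitly shows both.
$uninstall = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$view32 = Get-RegistrySubKeys -SubKey $uninstall -Architecture 32   # HKLM\SOFTWARE\Wow6432Node\...
$view64 = Get-RegistrySubKeys -SubKey $uninstall -Architecture 64   # native 64-bit view

"Script engine: $(if ([IntPtr]::Size -eq 8) { 64 } else { 32 })-bit"
"32-bit view: $($view32.Count) entries; 64-bit view: $($view64.Count) entries"
"Only in the 64-bit view: " + (($view64 | Where-Object { $view32 -notcontains $_ }) -join ', ')
```

Run the same file from the 32-bit host (...\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) and from the 64-bit host: the first line changes, the two counts do not, which is the point of the slide. Without the context object each engine would report only its own view.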
Retrofit Scripts for 32-bit Bitness
• Snippet of code at the top of the script
• If not run in the desired bitness, re-calls the script w/ the desired bitness
• Does nothing if the desired bitness is not available (e.g. 64-bit on a 32-bit OS)
• Works for XP and Win7. One small modification to run 32-bit on XP, Win7 32 and Win7 64
(In the full course the code provided is for .CMD/.BAT, VBS, and .PS1)
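As an added example (my own, not the snippet the course ships), here is the .PS1 form of the retrofit described on the "Retrofit Scripts" slide, using the 32-bit host path from the "Force 32-Bit" slide. It assumes 64-bit Windows 7 with PowerShell present under both System32 and SysWOW64 and is meant to be saved and run as a script file (the re-call needs $MyInvocation.MyCommand.Path).

```powershell
# Added example (not the course's snippet). Place at the top of a .PS1 that must
# run 32-bit, e.g. because it uses a 32-bit-only scriptable COM object.
# Assumes 64-bit Windows 7 with PowerShell installed for both bitnesses.

function Get-ProcessBitness {
    # Pointer size tells the bitness of THIS process: 4 bytes = 32-bit, 8 = 64-bit
    if ([IntPtr]::Size -eq 8) { 64 } else { 32 }
}

function Get-OSBitness {
    # PROCESSOR_ARCHITEW6432 is defined only inside a WOW64 (32-bit) process on x64,
    # so either a 64-bit pointer size or that variable means a 64-bit OS
    if ([IntPtr]::Size -eq 8 -or $env:PROCESSOR_ARCHITEW6432) { 64 } else { 32 }
}

function Get-32BitPowerShellPath {
    # The 32-bit host lives under SysWOW64. Returns $null when the desired bitness
    # is not available (32-bit OS, or the SysWOW64 host is missing).
    if ((Get-OSBitness) -ne 64) { return $null }
    $p = Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path $p) { $p } else { $null }
}

function Test-System32Redirected {
    # Under WOW64 "\Windows\System32" is silently redirected to "\Windows\SysWOW64":
    # from a 32-bit process both paths name the same cmd.exe, so the sizes match;
    # from a 64-bit process they are different files (64-bit vs 32-bit cmd.exe).
    $sysWow = Join-Path $env:windir 'SysWOW64\cmd.exe'
    if (-not (Test-Path $sysWow)) { return $false }   # 32-bit OS: nothing to redirect
    $a = (Get-Item (Join-Path $env:windir 'System32\cmd.exe')).Length
    $b = (Get-Item $sysWow).Length
    return ($a -eq $b)
}

# ---- retrofit snippet: re-call this script under the 32-bit host if needed ----
if ((Get-ProcessBitness) -eq 64) {
    $ps32 = Get-32BitPowerShellPath
    if ($ps32) {
        & $ps32 -NoProfile -File $MyInvocation.MyCommand.Path @args
        exit $LASTEXITCODE
    }
    # else: desired bitness not available, carry on as 64-bit (the slide's "does nothing" case)
}

# ---- script body: from here on we are 32-bit wherever a 32-bit host exists ----
"Process: $(Get-ProcessBitness)-bit  OS: $(Get-OSBitness)-bit  System32 redirected: $(Test-System32Redirected)"
```

Two things to check when deploying this: ExecutionPolicy is per bitness (see the Per-Bitness Configuration slide), so the SysWOW64 host needs its own RemoteSigned setting or the re-call is refused; and any path the body builds under %windir%\System32 will now resolve to SysWOW64, which Test-System32Redirected makes visible in the last line.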