Windows Internals

Processes, Threads, and Jobs in the Windows By Mark E. Russinovich and David A. Solomon https://www.microsoftpressstore.com/articles/article.aspx?p=223 3328 Kernel Structures EPROCESS, ETHREAD • Each Windows process is represented by an executive process (EPROCESS) block

• Threads are represented by executive thread (ETHREAD) blocks EPROCESS • lkd> dt _eprocess

26.2.20 vjj 4 KPROCESS • lkd> dt _kprocess

26.2.20 vjj 5 ETHREAD

26.2.20 vjj 7 KTHREAD

26.2.20 vjj 8 Environmet blocks

26.2.20 vjj 9 PEB • The PEB, which lives in the user process address space, contains information needed by the image loader, the heap manager, and other Windows system DLLs that need to access it from user mode

26.2.20 vjj 10 TEB

26.2.20 vjj 11 KPCR, KPRCB • KPCR represents the Kernel Processor Control Region • lkd> dt nt!_KPCR

• The Prcb field contains an embedded KPRCB structure that represents the Kernel Processor Control Block • lkd> dt nt!_KPRCB

• The PCR and PRCB contain information about the state of each processor in the system such as current IRQL, a pointer to the hardware Idt, the currently running thread, and the next thread selected to run

• Fooling Windows about its internal CPU (2017) https://rayanfam.com/topics/fooling-windows-about-cpu/

Kernel Process Control Block

26.2.20 vjj 13 memory

process vs Kernel

26.2.20 vjj 14 create process • vytvoření údajů o procesu, jeho prvním vláknu, souborech, ... EPROCESS + KPROCESS, ETHREAD + KTHREAD, ...

• vytvoření virtuálního adresového prostoru procesu - VAD strom a adresář tabulek stránek

• "namapování" exe a všech dll do virtuálního adresového prostoru procesu

• "namapování" PEB, TEB, ... do virtuálního adresového prostoru procesu, jejich alokace v RAM a inicializace

26.2.20 vjj 15 Virtual Memory mapping

VAD tree + Page Tables = virtual memory

VAD tree pgm EXE pgm EXE pgm DLLs pgm DLLs pgm data pgm data SYS DLLs SYS DLLs Page Table Entry SYS data SYS data Valid = 1 ... Page Frame Number = 0 (tj. Present = 0) jak se přesvědčit na vlastní oči Kernel Debugger • install WinDbg from Windows SDK • path to debug symbols srv*d:\Symbols*https://msdl.microsoft.com/download/symbols • admin> bcdedit /dbgsettings local • admin> bcdedit /debug on • reboot • admin> windbg -kl • admin> kd –kl • All memory input and output commands are available. • You can freely read from user memory and kernel memory. • You can also write to memory DbgPrint • Kernel-mode drivers and the Windows operating system frequently send messages to the kernel debugger by using DbgPrint and related functions.

• These messages are not automatically displayed during local kernel debugging.

• You can display them by using the !dbgprint extension SysInternals • DebugView • Win32 OutputDebugString • .NET System.Diagnostics.Debug.WriteLine • Kernel-mode DbgPrint

• Copy LiveKD.exe to C:\Program Files (x86)\Windows Kits\10\Debuggers\x64 • LiveKD -ml • The LiveKD tool simulates local kernel debugging. • This tool creates a "snapshot" dump file of the kernel memory, without actually stopping the kernel while this snapshot is made. • Therefore, the snapshot might not actually show a single instant state of the computer. Protected Processes

a set of technologies creating a Protected Environment to enforce Digital Rights Management (DRM) debug privilege • any process running with a token containing the debug privilege (such as an administrator’s account) can request any access right that it desires to any other process running on the machine • for example, it can read and write arbitrary process memory, inject code, suspend and resume threads, and query information on other processes. • Tools like Process Explorer and need and request these access rights to provide their functionality to users Digital Rights Management • the debug privilege clashes with the system behavior for digital rights management requirements • imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media • To support reliable and protected playback of such content, Windows uses protected processes. • These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request Protected Media Path • Protected processes can be created by any application • however, the operating system will only allow a process to be protected if the image file has been digitally signed with a special Windows Media Certificate • The Protected Media Path (PMP) makes use of protected processes to provide protection for high-value media • API protected processes • protected processes have a special bit set in their EPROCESS structure that modifies the behavior of security-related routines in the process manager to deny certain access rights that would normally be granted to administrators

• Audio Device Graph process (Audiodg.exe) • protected music content may be decoded through it

client process (Werfault.exe) • it needs to have access to protected processes in case one of them crashes

• the System process itself • some of the decryption information is generated by the Ksecdd.sys driver and stored in its user-mode memory information on process internals • Process Explorer uses standard user-mode Windows to query information on process internals, it is unable to perform certain operations on protected processes.

• WinDbg in kernel debugging mode, which uses kernel-mode infrastructure to obtain this information, will be able to display complete information debugging mode • to perform local kernel debugging you must boot in debugging mode • This protects against debugger-based attacks on protected processes and the Protected Media Path (PMP) • When booted in debugging mode, high-definition content playback will not work • a protected process is indicated by a flag in the EPROCESS block • an administrator can still load a kernel-mode driver that disables this bit