Undocumented Windows NT

Part II: Undocumented Windows NT

CHAPTER 6 Hooking Windows NT System Services
CHAPTER 7 Adding New System Services to the Windows NT Kernel
CHAPTER 8 Local Procedure Call
CHAPTER 9 Hooking Software Interrupts
CHAPTER 10 Adding New Software Interrupts
CHAPTER 11 Portable Executable File Format

Chapter 6: Hooking Windows NT System Services

IN THIS CHAPTER

+ Looking at system services under various operating systems
+ Examining the need for hooking system services
+ Implementing types of hooks

THIS CHAPTER DISCUSSES hooking Windows NT system services. Before we begin, let's first review what we mean by a system service. A system service refers to a set of functions (primitive or elaborate) provided by the operating system. Application programming interfaces (APIs) enable developers to call several system services, directly or indirectly. The operating system provides APIs in the form of a dynamic link library (DLL) or a static compiler library. These APIs are often based on system services provided by the operating system. Some of the API calls are directly based on a corresponding system service, and some depend on making multiple system service calls. Also, some of the API calls may not make any calls to system services. In short, you do not need a one-to-one mapping between API functions and system services. Figure 6-1 demonstrates this in the context of Windows NT.

System Services: The Long View

System services and the APIs calling these system services have come a long way from DOS to Windows NT.

System Services under DOS

Under DOS, system services comprise part of the MS-DOS kernel (including MSDOS.SYS and IO.SYS). These system services are available to users in the form of Interrupt Service Routines (ISRs). ISRs can be invoked by calling the appropriate interrupt handlers using the INT instruction. API functions, provided by compiler libraries, call the interrupt handler for system services (the INT 21h interrupt). For example, to open a file, MS-DOS provides a system service for which you have to specify the function number 0x3D in the AH register, the attribute mask in the CL register, and the filename in the DS:DX register, as well as issue the INT 21h instruction. Compilers typically provide wrappers around this and provide a nice API function for this purpose.

System Services under Windows 3.x and Windows 95/98

Under Windows 3.x or Windows 95/98, the core system services take the form of VxDs and DLLs and some real-mode DOS code. The APIs are provided in the form of dynamic link libraries. These dynamic link libraries call the system services to implement the APIs. For example, to open a file, applications call an API function from KERNEL32.DLL such as CreateFile() or OpenFile(). These APIs, in turn, call a system service.

System Services under Windows NT

Under Windows NT, the NT executive (part of NTOSKRNL.EXE) provides core system services. These services are rather generic and primitive. Various APIs such as Win32, OS/2, and POSIX are provided in the form of DLLs. These APIs, in turn, call services provided by the NT executive. The name of the API function to call differs for users calling from different subsystems even though the same system service is invoked. For example, to open a file from the Win32 API, applications call the CreateFile() function, and to open a file from the POSIX API, applications call the open() function. Both of these applications ultimately call the NtCreateFile() system service from the NT executive.

Under Windows NT 3.51, the system services are provided by a kernel-mode component called NTOSKRNL.EXE. Most of the KERNEL32.DLL calls, such as those related to memory management and kernel object management, are handled by these system services. The USER32 and GDI32 calls are handled by a separate subsystem process called CSRSS. Starting with Windows NT 4.0, Microsoft moved most of the functionality of CSRSS into a kernel-mode driver called WIN32K.SYS. The functionality moved into WIN32K.SYS is made available to the applications in the form of system services. These system services are not truly part of the native system services since they are specific to the user interface and not used by all subsystems. This chapter and the next chapter focus only on the system services provided by NTOSKRNL.EXE.

Need for Hooking System Services

Hooking represents a very common mechanism of intercepting a particular section of executing code. Hooking provides a useful way of modifying the behavior of the operating system. Hooking can help the developer in several ways. Often developers are more concerned with how to hook a system service or an API call rather than why to hook. Nevertheless, we examine the various possible situations in which the need to hook a system service arises. How hooking can help the developer is explained in the following sections.

Trapping Events at Occurrence

Developers trap events such as the creation of a file (CreateFile()), creation of a mutex (CreateMutex()), or Registry accesses (RegCreateKey()) for specific purposes. Hooking a particular event-related API or system service call, synchronously, can help trap those events. Applications doing system monitoring will find these kinds of hooking invaluable. These hooks could act as interrupts triggered by the occurrence of these events. A developer could write a routine to handle the occurrence of these events and take appropriate action.

Modifying System Behavior to Suit User Needs

Diverting the normal flow of control by introducing the hooks can modify operating system behavior. This enables the developer to change data structures and context at the time of hooking - enough to induce new behavior. For example, you can protect the opening of a sensitive file by hooking the NtCreateFile() system service. Although NTFS provides user-level security for files, this security is not available on FAT partitions. You should ensure that hooking does not have any undesirable side effects on the operating system. Protecting modifications to Registry keys is something easily doable when you hook the Registry system services. This has several applications, since little protection is provided for Registry settings created by applications.

Studying the Behavior of the System

In order to get a better idea of the internal workings of the operating system, studying the behavior of the system is something most debuggers or system hackers will relate to. Understanding undocumented operating system functionality requires a lot of hacking, which goes hand in hand with hooking.

Debugging

Complex programs could make use of system-service hooking to debug the stickiest problems. For example, a few days back, we had a problem with the installation of a piece of software. We had difficulty creating folders and shortcuts for this application. Using a systemwide hook, we quickly figured that the installation program was looking for a Registry value that indicated where to install the folders (which happened to be the Start menu). We hooked the NtQueryValueKey() call. We created that
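As an added illustration of the two uses described above (trapping an event when it occurs, and changing the outcome for one sensitive file), here is a user-mode C model of a system service table with a hook installed on its NtCreateFile slot. This is example code written for this page, not the book's code: the table, the service index, the protected path and the model_NtCreateFile body are constructed stand-ins; only the NTSTATUS values are the real Windows constants.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* User-mode model of an NT system service table: each slot holds a pointer to
 * the routine implementing one service. Index and body are constructed for
 * this example; this is not the real NT dispatch table. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)

typedef NTSTATUS (*SERVICE_FN)(const char *path);

enum { SVC_NTCREATEFILE = 0, SVC_COUNT };   /* constructed service index */

/* Stand-in for the NtCreateFile service: in this model every open succeeds. */
static NTSTATUS model_NtCreateFile(const char *path) { (void)path; return STATUS_SUCCESS; }

static SERVICE_FN service_table[SVC_COUNT] = { model_NtCreateFile };

/* Hook state: the saved original entry and a counter of trapped events. */
static SERVICE_FN original_NtCreateFile = NULL;
static int trapped_calls = 0;
static const char *PROTECTED_PATH = "\\??\\C:\\secret.txt";   /* constructed */

/* Replacement routine: trap the event, deny the one protected file, and
 * otherwise pass the call through unchanged to the original service. */
static NTSTATUS hooked_NtCreateFile(const char *path) {
    trapped_calls++;
    if (strcmp(path, PROTECTED_PATH) == 0)
        return STATUS_ACCESS_DENIED;
    return original_NtCreateFile(path);
}

void install_hook(void) {
    if (original_NtCreateFile) return;                 /* already hooked */
    original_NtCreateFile = service_table[SVC_NTCREATEFILE];
    service_table[SVC_NTCREATEFILE] = hooked_NtCreateFile;
}

void remove_hook(void) {
    if (!original_NtCreateFile) return;
    service_table[SVC_NTCREATEFILE] = original_NtCreateFile;   /* restore */
    original_NtCreateFile = NULL;
}

/* What a user-mode API such as CreateFile() does: dispatch through the table. */
NTSTATUS call_service(int index, const char *path) { return service_table[index](path); }
int trapped_count(void) { return trapped_calls; }

int main(void) {
    install_hook();
    printf("secret: 0x%08X\n", (unsigned)call_service(SVC_NTCREATEFILE, PROTECTED_PATH));
    printf("other:  0x%08X\n", (unsigned)call_service(SVC_NTCREATEFILE, "\\??\\C:\\a.txt"));
    remove_hook();
    return 0;
}
```

Unhooking restores the saved pointer, which is the part of the pattern that keeps the hook free of lasting side effects on the rest of the system.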
