forked from 0xZ0F/Z0FCourse_ReverseEngineering
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Finished 7.1 VirtualMemory and 7.2 Privileges.
- Loading branch information
Showing
11 changed files
with
60 additions
and
35 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
20 changes: 14 additions & 6 deletions
20
Chapter 7 - Windows/7.WIP Privileges.md → Chapter 7 - Windows/7.2 Privileges.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,21 +1,29 @@ | ||
| # 7.WIP Privileges | ||
| # 7.2 Privileges | ||
| To protect critical OS components, data, and processes, there are two privilege modes the processor can run under. These two modes are **user-mode** and **kernel-mode**. User code runs in user-mode, and OS code (this includes drivers) runs in kernel-mode. | ||
|
|
||
| > You may have heard of four different privilege levels described as rings. User-mode is privilege level/ring 3 and kernel-mode is privilege level/ring 0. Rings 1 and 2 are not used by Windows. | ||
| > You may have heard of four different privilege levels described as rings (numbered 0 to 3). User-mode is privilege level/ring 3 and kernel-mode is privilege level/ring 0. Rings 1 and 2 are not used by Windows. | ||
| ## Kernel-Mode | ||
| **Kernel-mode** allows the processor to essentially do whatever it wants by allowing access to any code on the system. User-mode processes can only access the kernel through strictly defined interfaces. Kernel mode is a necessity in an OS to keep user-mode processes in check. Kernel-mode processes share the same virtual address space. Pages within the kernel-mode virtual address space are only accessible from kernel-mode. User-mode pages are accessible from both kernel-mode and user-mode. | ||
|
|
||
| ## User-Mode to Kernel-Mode | ||
| Sometimes a user-mode process needs to access kernel-mode functionality. This happens very often such as when rendering windows or graphics. When a user-mode process calls a system service special instructions are executed that switch the thread to kernel-mode. Once the service finishes, the thread is switched back to user-mode. | ||
| Sometimes a user-mode process needs to access kernel-mode functionality. This happens very often such as when rendering windows or graphics. When a user-mode process calls a system service, special instructions are executed that switch the thread to kernel-mode. Once the service finishes, the thread is switched back to user-mode. | ||
|
|
||
| ## Hypervisor | ||
| With the boom of virtualization, there was a need for a way to run high-performance OS guests efficiently. To facilitate this virtualization, hypervisors are used. **Hypervisors** allow for the separation and isolation of all system components including virtual memory, physical memory, USB devices, and more. Hypervisors have more privileges than kernel-mode applications due to their ability to virtualize and isolate components. Because of this, Windows uses the hypervisor for security, this is known as **virtualization-based security (VBS)**. Some of the components in VBS are **Hyper Guard**, **Credential Guard**, **Application Guard**, **Host Guardian**, **Shielded Fabric**, and more. I won't explain all of these components, but I will briefly explain two of them. | ||
| With the boom of virtualization, there was a need for a way to run high-performance OS guests efficiently. To facilitate this virtualization, hypervisors are used. **Hypervisors** allow for the separation and isolation of all system components including virtual memory, physical memory, USB devices, and more. Hypervisors have more privileges and abilities than kernel-mode applications due to their ability to virtualize and isolate components. Because of this, Windows uses the hypervisor for security, this is known as *virtualization-based security* (VBS). Some of the components in VBS are the Hyper Guard, Credential Guard, Application Guard, Host Guardian, Shielded Fabric, and more. I won't explain all of these components, but I will briefly explain two of them. | ||
| * **Hyper Guard** - Protects important kernel and hypervisor related data structures and code. | ||
| * **Application Guard** - Stronger sandbox for Microsoft Edge. | ||
|
|
||
| The hypervisor also implements **Virtual Trust Levels (VTLs)**. VTLs are ordered differently than processor privilege levels (rings). VTL 0 has less privileges than VTL 1. The OS runs in VTL 0, and VBS runs in VTL 1. This puts VBS at a higher privilege level than kernel-mode and therefore cannot be touched by kernel-mode. User-mode and kernel-mode run within VTLs. | ||
| The hypervisor also implements **Virtual Trust Levels (VTLs)**. | ||
| > VTLs are ordered differently than processor privilege levels (rings). VTL 0 has less privileges than VTL 1. | ||
| The OS runs in VTL 0, and VBS runs in VTL 1. This gives VBS more privilege than kernel-mode and therefore cannot be touched by kernel-mode. You can think of user-mode and kernel-mode as running within VTLs, and the hypervisor managing the permissions for all VTLs. | ||
|
|
||
| Hypervisors are extremely complex and there's plenty to learn about them. The explanation I've provided is very brief and basic. Still, this is more than you will need to know when it comes to reversing, so if you didn't understand all of it, don't worry. I do encourage you to learn more about hypervisors because they are very interesting and vital to security. | ||
|
|
||
| > Although hypervisors have more privileges than kernel-mode, hypervisors do *not* run in ring -1. | ||
| > Although hypervisors have more privileges than kernel-mode, hypervisors do *not* run in ring -1. | ||
| [<- Previous Lesson](7.1%20VirtualMemory.md) | ||
| [Next Lesson ->](7.3%20Architecture.md) | ||
|
|
||
| [Chapter Home](7.0%20Windows.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # 7.3 Architecture - WIP | ||
| As already discussed, Windows separates kernel-mode and user-mode. However, Windows doesn't stop there. Various other components are separated and organized in a structure-like way. Windows is built with an object-oriented design, although this is more apparent with kernel-mode components because mostly everything there runs together. User-mode is not as object-oriented because most of the components don't work together. | ||
|
|
||
| It's important to point out that this object-oriented design pertains to the components, not necessarily the underlying code. While the system components work in an object-oriented way, the OS is written in C which is not an *object-oriented programming* (OOP) language. This becomes apparent when looking at low-level structures (C doesn't have classes). Structures in C don't have any sort of OOP functionality. In C there is no structure inheritance, methods, constructors, etc. | ||
|
|
||
| ### Service vs Process | ||
| It's important to know the difference between a service and a process. A Windows service is just a daemon. A daemon is a program that runs in the background and is controlled by the OS, not the user. A process is similar, except it can be started or interacted with by a user. An example of a process is the logon process. An example of a service is the user manager. You interact with the logon process by entering a username and password. You don't interact with the user manager, it manages users in the background. Defining something as a process or service can be tricky and there are often processes that you would think are services, and services you would think are processes. | ||
|
|
||
| ## Layout | ||
| Here is a simplified view of the Windows architecture layout: | ||
|
|
||
| <p align="center"> | ||
| <img height="500" img src="[ignore]/WinArch.png"> | ||
| </p> | ||
|
|
||
| First off, notice the kernel-mode and user-mode separation. Also notice that the hypervisor is being shown in its own kernel-mode context, note however, the hypervisor runs in normal kernel-mode. | ||
|
|
||
| ### User-Mode: | ||
| * **Environment Subsystems** - This is essentially what users and programmers are presented. Think of it as the underlying implementation of the overall environment/personality presented to the OS users and programmers. There are three main subsystems which are Windows, POSIX, and OS/2. OS/2 was last used in Windows 2000. POSIX was replaced by the *Subsystem for Unix-based Applications* (SUA) which was then replaced with *Windows Subsystem for Linux* (WSL). | ||
| * **User Processes** - Conventional processes started and ran in user-mode. | ||
| * **Service Processes** - These host Windows services such as the *Task Scheduler*. These usually run along with the OS, meaning it doesn't matter if a user is logged in or not. If the OS is running, they're running. | ||
| * **System Processes** - Fixed/hard-coded processes (not services). | ||
|
|
||
| You may notice that service and user processes run into subsystem DLLs. This is because user-mode applications don't call the native Windows OS services directly. Instead they go through subsystem DLLs. The role of these DLLs is to translate document and public function calls into the internal (typically undocumented) native system functions. Most of these functions/services are implemented in NTDLL.dll. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters