T : Malware Analysis and Antivirus Technologies Windows Operating System
|
|
- Paul Cummings
- 5 years ago
- Views:
Transcription
1 T : Malware Analysis and Antivirus Technologies Windows Operating System Antti Tikkanen, Protecting the irreplaceable f-secure.com
2 Lecture Agenda 1. Applications on Windows 2. Processes and Threads 3. Windows Architecture 4. System Mechanisms 5. Management Mechanisms 6. Memory Management 7. File Systems 8. Security Mechanisms 9. Driver Basics 2
3 Applications on Windows 3
4 Executable Format Object files and executables follow the PE (Portable Executable) file format Full specification available online firmware/pecoff.mspx More on this in Reverse Engineering III 4
5 Windows Executables Filename extension hints to the executable type EXE = executable application, anything from a DOS executable to 64-bit Windows applications DLL = Dynamic link library, a set of callable routines compiled together as a loadable file SYS = Driver OBJ = Object file, input to the linker Note that Windows does not really care much about the file extension You can execute britneyspears.jpg just fine! All of these follow the PE specification 5
6 Windows API Windows API (aka. Win32 API) is the interface to the operating system for applications Exposed by a set of system libraries: kernel32.dll, user32.dll, Several subcategories Administration and management (WMI, ) Diagnostics (event logging, ) Networking Security System services (processes, threads, registry ) MSDN is the reverse engineers best friend for Windows binaries 6
7 Native API Undocumented interface to OS functionality One level below Windows API Some low-level functionality only available through Native API Examples of interesting functions NtSetSystemInformation NtQuerySystemInformation NtQueryDirectoryFile See Windows NT/2000 Native API Reference by Nebbett 7
8 Windows Architecture 8
9 Simplified Windows Architecture System Support Processes Service Processes User Applications Environment Subsystems Subsystem DLL s NTDLL.DLL Kernel Executive Device Drivers Windowing & Graphics HAL 9
10 System Mechanisms 10
11 Kernel-mode & user-mode 0xFFFFFFFF System-space (Ring 0) Int 0x2e / Sysenter 0x User-space User-space (Ring User-space 3) (Ring 3) (Ring 3) 11
12 System Service Dispatching Interrupt Read the file Return to caller Call NtReadFile Dismiss interrupt Nt! NtReadFile Nt! KiSystemService Sysenter Return to caller Call NtReadFile Return to caller ReadFile( ) Ntdll.dll! NtReadFile Kernel32.dll! ReadFile Application 12
13 System Service Dispatching 13
14 System Service Dispatching 14
15 Processes & Threads 15
16 Processes Abstraction of an executing program A process has A private virtual address space (user-mode address space) A base image (the main executable) A set of open handles to OS resources An access token ( who is this process, what can it do ) A process ID (PID) One or more threads Job = A group of processes that can be managed as a unit 16
17 Protected Processes (Vista and later) By default, a process with a token containing the debug privilege can obtain any access to all other processes Admins should have control over the machine, right To support playback of high-quality digital content, Vista introduced Protected Processes Determined by a flag in the EPROCESS structure of the kernel process object Process image file must be signed with a special certificate Protected processes cannot be manipulated from other processes Can be terminated, though Examples: audiodg.exe, werfault.exe 17
18 Threads A thread is what gets scheduled for execution on the CPU A thread has A context (the state of execution) A list of exception handlers Two stacks, one for user-mode and one for kernel-mode A thread ID (TID) An access token Thread-Local Storage (TLS), a per-thread storage area Fiber = Manually scheduled unit of execution, shares the context of its owning thread 18
19 Processes & Threads 19
20 Case Study: FU Rootkit The FU rootkit hides processes by unlinking them from the kernels process list Why do those processes still get execution time? 20
21 Case Study: DLL Injection A technique to run code in the context of another process by forcing it to load a DLL Motivation 1. Stealth: no extra processes in process list 2. Data capture using API hooks 3. Making reverse engineering more difficult 4. Avoiding HIPS features Various ways to accomplish DLL injection on Windows Registry: AppInit_DLLs Using remote threads SetWindowsHookEx From the kernel using APC s 21
22 What does this code do? 22
23 TEB & PEB TEB = Thread Environment Block Container for thread-specific things like the exception handler list, stack pointer, Windows uses the fs segment to store it (offset 0x18 has pointer to self) mov eax, fs[18] PEB = Process Environment Block Container for process-specific things like the list of loaded modules TEB has a pointer to PEB at offset 0x30 Important when reversing code that Enumerates loaded modules (Peb.Ldr) Checks for an attached debugger (PEB.BeingDebugged) Installs an exception handler (TEB.NtTib.ExceptionList) 23
24 Example: Checking For a Debugger ; Call IsDebuggerPresent() call [IsDebuggerPresent] test eax, eax ; Do the same by checking PEB mov eax, large fs:18h ; Offset 18h has self-pointer to TEB mov eax, [eax+30h] ; Offset 30h has pointer to PEB movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged test eax, eax 24
25 Example: Installing an Exception Handler ; Install a SEH exception handler push offset_my_handler ; pointer to our handler push fs:[0] ; pointer to old exception record mov fs:[0], esp ; update TEB.NtTib.ExceptionList 25
26 Memory Management 26
27 Memory Manager Each process on Windows sees a large, continuous address space The memory manager has two important tasks 1. Mapping access to virtual memory into physical memory 2. Paging contents of virtual memory to disk as physical memory runs out, and paging data back to memory when it s needed 27
28 Virtual Memory Each process has private, virtual address space Paging = the process of transferring memory contents to and from disk Amount of virtual memory can exceed physical memory 28
29 Virtual Memory (x86) Total of 4 GB virtual memory By default, only lower 2 GB accessible from user-mode Upper 2 GB reserved for kernel-mode and shared between all processes 29
30 Management Mechanisms 30
31 Registry A directory for storing settings and configuration data for the Operating System and applications Think of it as a huge.ini file Basic concepts Hive Key Value Hives are just files, most under %SystemRoot%\System32\Config 31
32 Registry Hive Format 32
33 Registry Root Keys HKEY_LOCAL_MACHINE (HKLM) System-wide information HKEY_USERS (HKU) User-specific settings for all accounts HKEY_CURRENT_USER (HKCU) A link to the current user under HKEY_USERS HKEY_CLASSES_ROOT (HKCR) File associations and COM registration, links to HKLM\Software\Classes HKEY_PERFORMANCE_DATA HKEY_CURRENT_CONFIG Current HW profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current 33
34 Registry and Malware Malware wants to survive a reboot Registry is the most common way of starting after reboot Hundreds of launchpoints HKLM\Software\Microsoft\Windows\CurrentVersion\Run:MyApp HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe:Debugger Malware also wants to change (security) settings for other components Windows Firewall, IE extensions and settings, Windows File Protection, The registry is also a great source for forensic data, for example: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ UserAssist 34
35 Services Services are background processes that usually perform a specific task and require no user-interaction For example, Automatic Updates Controlled by the Service Control Manager (SCM), services.exe Configuration data under HKLM\System\CurrentControlSet\Services Different types of services Kernel drivers Separate process Shared process (hosted by svchost.exe) 35
36 Demo: Services 1. Which process is hosting the Automatic Updates service? 2. What file implements the service? DEMO 36
37 File Systems 37
38 Windows File System Formats CDFS (cdfs.sys) CD-ROM filesystem, considered legacy UDF (udfs.sys) Universal Disk Format, the standardized format for optical storage FAT12, FAT16, FAT32 (fastfat.sys) Legacy filesystem, mostly replaced by NTFS exfat (aka. FAT64) Adds functionality on top of FAT (file size limit increase, ACL s) NTFS 38
39 NTFS Native file system for Windows Support for advanced features ACL s on files and directories Alternate Data Streams Disk quotas Sparse files Compression and encryption Soft and hard links Transactional semantics 39
40 Demo: Alternate Data Streams DEMO 40
41 Security Mechanisms 41
42 Security & Objects Almost everything on Windows is an object Process, thread, desktop, mutex, Basic concepts Security Identifier (SID) is a unique ID for any actor S A token identifies the security context of a process Member of Administrators group, can shut down OS Security Descriptor specifies who can do what to an object Owner Discretionary Access Control List (DACL) Privileges 42
43 Access Check 43
44 Driver Basics 44
45 I/O Subsystem A set of components in the kernel that manage and provide access to hardware devices I/O Manager Plug and Play Manager Power Manager Key concepts Driver Device I/O requests 45
46 I/O Manager The core of the I/O system Provides a framework for other components to have device independent I/O services Responsible for dispatching the service requests to the appropriate device drivers for further processing Packet-driven (IRP s, I/O request packets) Handles creation and destruction of IRP s Offers uniform interface for drivers that handle IRP s 46
47 Driver Basics Drivers are loadable kernel-mode components Code in drivers gets executed in different contexts: 1. In the user thread that initiated I/O 2. A system thread 3. As a result of an interrupt (any thread) Different types of drivers: file system drivers, protocol drivers, hardware drivers Layered driver model 47
48 Reverse Engineering Drivers Interesting elements 1. Initialization routine (DriverEntry) The entrypoint of a driver Sets up global variables, initializes handler functions 2. Add-device routine Called by PnP manager for PnP drivers when a new device appears 3. Dispatch routines Main functionality of most drivers ( read, write, close ) In many cases the interesting stuff is here 48
49 Suggested Material Sysinternals tools Process Monitor Process Explorer Autoruns The Art of Computer Virus Research and Defense Chapter 3: Malicious Code Environments, from 3.1 through 3.6 Chapter 12: Memory Scanning and Disinfection Windows Internals, 5 th edition 49
50
Malware Analysis and Antivirus Technologies: Windows Operating System
Malware Analysis and Antivirus Technologies: Windows Operating System Protecting the irreplaceable f-secure.com Lecture Agenda 1. Applications on Windows 2. Processes and Threads 3. Windows Architecture
More informationIntroduction to Windows internals.
Introduction to Windows internals pavel.turbin@f-secure.com kimmo.kasslin@f-secure.com 2 Architecture 3 Windows architecture 4 System Mechanisms 5 Kernel-mode & user-mode 0xFFFFFFFF System-space (Ring
More informationWindows for Reverse Engineers
Windows for Reverse Engineers T-110.6220 Special Course in Information Security Kimmo Kasslin, 26 th Feb 2014 Protecting the irreplaceable www.f-secure.com Architecture 2 February 27, 2014 F-Secure Confidential
More informationwindows maurizio pizzonia roma tre university
windows maurizio pizzonia roma tre university 1 references M. Russinovich, D. A. Solomon Windows Internals: Including Windows Server 2008 and Windows Vista 5 th ed. Microsoft Press 2 architecture overview
More informationPractical Malware Analysis
Practical Malware Analysis Ch 7: Analyzing Malicious Windows Programs Rev. 2-27-17 The Windows API (Application Programming Interface) What is the API? Governs how programs interact with Microsoft libraries
More informationIntroduction to I/O. 1-Slide Overview to File Management
Introduction to I/O 1-Slide Overview to File Management I/O Hardware I/O Application Interface I/O Subsystem Issues Note: much material in this set of slides comes directly from Solomon&Russinovich, Inside
More informationT Using debuggers to analyze malware. Antti Tikkanen, F-Secure Corporation
T-110.6220 Using debuggers to analyze malware Antti Tikkanen, F-Secure Corporation Agenda Debugger basics Introduction Scenarios and tools How do debuggers work? Debug API The debugging loop Underlying
More informationAusgewählte Betriebssysteme - Mark Russinovich & David Solomon (used with permission of authors)
Outline Windows 2000 - The I/O Structure Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Components of I/O System Plug n Play Management Power Management I/O Data Structures File
More informationMalware Analysis and Antivirus Technologies: Using Debuggers to Analyze Malware
Malware Analysis and Antivirus Technologies: Using Debuggers to Analyze Malware Protecting the irreplaceable f-secure.com Agenda Debugger basics Introduction Scenarios and tools How debuggers work Debug
More informationWindows 7 Overview. Windows 7. Objectives. The History of Windows. CS140M Fall Lake 1
Windows 7 Overview Windows 7 Overview By Al Lake History Design Principles System Components Environmental Subsystems File system Networking Programmer Interface Lake 2 Objectives To explore the principles
More informationWindows History 2009 Windows 7 2
Example: Windows 1 Windows History 2009 Windows 7 2 Features added Windows2000 additions Plug-and-play Network directory service New GUI Vista additions New GUI More focus on security clean-up the code
More informationAusgewählte Betriebssysteme
Ausgewählte Betriebssysteme Windows 2000 & Linux Betriebssysteme Technische Universität Dresden 1 Outline of Lectures Introduction I/O Structure & IRQ Handling Memory management NT file system (Processes
More informationOutline of Lectures. Ausgewählte Betriebssysteme Windows 2000 & Linux. Resources for these Lectures. Windows An Introduction.
Ausgewählte Betriebssysteme Windows 2000 & Linux Betriebssysteme Technische Universität Dresden Outline of Lectures Introduction I/O Structure & IRQ Handling Memory management NT file system (Processes
More informationOutline of Lectures. Ausgewählte Betriebssysteme Windows 2000 & Linux. Resources for these Lectures. Windows An Introduction
Ausgewählte Betriebssysteme Windows 2000 & Linux Betriebssysteme Technische Universität Dresden Outline of Lectures Introduction I/O Structure & IRQ Handling Memory management NT file system (Processes
More informationAusgewählte Betriebssysteme Windows 2000 & Linux
Ausgewählte Betriebssysteme Windows 2000 & Linux Betriebssysteme Technische Universität Dresden 1 Outline of Lectures Introduction I/O Structure & IRQ Handling Memory management NT file system (Processes
More informationFrom last time. What is the maximum size of a file in bytes? What is the maximum total size of directories and files in a single disk partition?
OMP25111 Lecture 17 1/27 From last time A file system uses inodes which contain 8 block-numbers. These are for the first 7 blocks of the file and an indirect block, which just contains block-numbers for
More informationReverse Engineering. Class 5. Malware Analysis. Reverse Engineering Class 5 Martin Balao martin.uy/reverse v1.0 EN CC BY-SA
Reverse Engineering Class 5 1 Something odd? 2 Process injection Hide and evade audit logs Bypass endpoint firewalls with application filtering Steal information from the injected process Change session
More informationOutline. Process and Thread Management. Data Structures (2) Data Structures. Kernel Process Block (PCB)
Outline Process and Thread Management Ausgewählte Betriebssysteme Professur Betriebssysteme Fakultät Informatik Data Structures Process Creation Thread Creation Scheduling 2 Data Structures Data Structures
More informationProcess and Thread Management
Process and Thread Management Ausgewählte Betriebssysteme Professur Betriebssysteme Fakultät Informatik Data Structures Process Creation Thread Creation Scheduling Outline 2 1 Data Structures Process represented
More informationWindows Kernel Internals II Overview University of Tokyo July 2004*
Windows Kernel Internals II Overview University of Tokyo July 2004* Dave Probert, Ph.D. Advanced Operating Systems Group Windows Core Operating Systems Division Microsoft Corporation Microsoft Corporation
More informationDKOM (Direct Kernel Object Manipulation)
DKOM (Direct Kernel Object Manipulation) Jamie Butler Director of Engineering HBGary, LLC http://www.hbgary.com Operating System Design User Land Operating system provides common API for developers to
More informationAdvanced Malware Analysis Training Series.
Advanced Malware Analysis Training Series Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge
More informationA+ Guide to Managing & Maintaining Your PC, 8th Edition. Chapter 11 Optimizing Windows
Chapter 11 Optimizing Windows Objectives Learn about Windows utilities and tools you can use to solve problems with Windows Learn how to optimize Windows to improve performance Learn how to manually remove
More informationFlare-On 5: Challenge 7 Solution WorldOfWarcraft.exe
Flare-On 5: Challenge 7 Solution WorldOfWarcraft.exe Challenge Author: Ryan Warns Summary This challenge implements a 32-bit Windows binary meant to run in a Windows on Windows (WOW) environment. Analysis
More informationMultithreading Applications in Win32
Copyright, 2006 Multimedia Lab., UOS Multithreading Applications in Win32 (Introduction to Operating Systems) SeongJongChoi chois@mmlab.net Multimedia Lab. Dept. of Electrical and Computer Eng. University
More informationWindows Interrupts
Windows 2000 - Interrupts Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik 1 Interrupts Software and Hardware Interrupts and Exceptions Kernel installs interrupt trap handlers Interrupt
More informationUnit OS2: Operating System Principles. Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze
Unit OS2: Operating System Principles 2.5. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Copyright Notice 2000-2005 David A. Solomon and Mark
More informationProtection and System Calls. Otto J. Anshus
Protection and System Calls Otto J. Anshus Protection Issues CPU protection Prevent a user from using the CPU for too long Throughput of jobs, and response time to events (incl. user interactive response
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationDLL Injection A DA M F U R M A N EK KON TA MF URMANEK. PL HT T P :/ /BLOG. A DAMF URM ANEK.PL
DLL Injection ADAM FURMANEK KONTAKT@ADAMFURMANEK.PL HT TP://BLOG.ADAMFURMANEK.PL Agenda What and Why Preliminaries How + Demos Summary 5/9/2018 5:24:18 PM ADAM FURMANEK DLL INJECTION 2 What and Why 5/9/2018
More informationWEEK 2.0. Any sufficiently advanced technology is indistinguishable from magic.
WEEK 2.0 Any sufficiently advanced technology is indistinguishable from magic. Recycler A recycle bin for each user Created upon file deletion Only for RB aware programs ie Office, not command line tools
More informationFor 100% Result Oriented IGNOU Coaching and Project Training Call CPD: ,
Question 2: (15 Marks) The Sleeping-Barber Problem: A barbershop consists of a waiting room with n chairs, and the barber room containing the barber chair. If there are no customers to be served, the barber
More informationReconstructing the Scene of the Crime
Reconstructing the Scene of the Crime Who are they? STEVE DAVIS PETER SILBERMAN Security Consultant / Researcher at MANDIANT Engineer / Researcher at MANDIANT Agenda ½ Demo Pop it like its hotttt Problem
More informationThreads Implementation. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Threads Implementation Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to implement threads? User-level threads Kernel-level
More informationInspecting and Manipulating binaries
Inspecting and Manipulating binaries Introduction. x86 architecture. Assembler. Binary inspection. General sample (crackme) Binary manipulation. Python to the rescue! Malware analysis What we (you) are
More informationCOMP091 Operating Systems 1. File Systems
COMP091 Operating Systems 1 File Systems Media File systems organize the storage space on persistent media such as disk, tape, CD/DVD/BD, USB etc. Disk, USB drives, and virtual drives are referred to as
More informationMalware Behavior. Chapter 11
Malware Behavior Chapter 11 Common Malware Functionalities Downloaders Backdoors Credential stealers Persistence mechanisms Privilege escalation Covering tracks (rootkits) Downloaders and Launchers Retrieve
More informationPredicting the future of stealth attacks. Aditya Kapoor, McAfee Labs Rachit Mathur, McAfee Labs
Predicting the future of stealth attacks Aditya Kapoor, McAfee Labs Rachit Mathur, McAfee Labs Outline Introduction Last Decade of Stealth Malware Current Rootkit Threats and Challenges Discussion on Stealth
More informationCS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
More informationWindows Registry. Windows Registry. A Wealth of Evidence. What is the Registry? Some Evidence that Can Be Recovered. Registry History: Windows 3.
Windows Registry Windows Registry Week 3 Part 1 A great source of evidence and headaches What is the Registry? A Wealth of Evidence Collection of files that, together, form all the settings needed by applications
More informationDEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS. Yarden Assaf
DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS Assaf Carlsbad @assaf_carlsbad Yarden Shafir @yarden_shafir Yarden I started dancing at the age of 7 and later competed with a rhythmic gymnastics
More informationChapter 4: Threads. Overview Multithreading Models Thread Libraries Threading Issues Operating System Examples Windows XP Threads Linux Threads
Chapter 4: Threads Overview Multithreading Models Thread Libraries Threading Issues Operating System Examples Windows XP Threads Linux Threads Chapter 4: Threads Objectives To introduce the notion of a
More informationLesson 2: Editing the Registry
Lesson 2: Editing the Registry Lesson 2 Editing the Registry 4-15 Windows XP Professional stores hardware and software settings centrally in a hierarchical database called the Registry, which replaces
More informationUser Mode Debugging Internals
User Mode Debugging Internals Introduction The internal mechanisms of what allows user-mode debugging to work have rarely ever been fully explained. Even worse, these mechanisms have radically changed
More informationMemory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos
Memory Analysis Part II. Basic Techniques and Tools for Digital Forensics CSF: Forensics Cyber-Security Fall 2018 Nuno Santos Previous classes Files, steganography, watermarking Source of digital evidence
More informationn Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems
Outline n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems n Describe methods used to escalate privileges Chapter #5: n Describe methods used
More informationOperating System Services
CSE325 Principles of Operating Systems Operating System Services David Duggan dduggan@sandia.gov January 22, 2013 Reading Assignment 3 Chapter 3, due 01/29 1/23/13 CSE325 - OS Services 2 What Categories
More informationCOMPARATIVE STUDY OF TWO MODERN FILE SYSTEMS: NTFS AND HFS+
COMPARATIVE STUDY OF TWO MODERN FILE SYSTEMS: NTFS AND HFS+ Viral H. Panchal 1, Brijal Panchal 2, Heta K. Desai 3 Asst. professor, Computer Engg., S.N.P.I.T&RC, Umrakh, Gujarat, India 1 Student, Science
More informationFile System Interpretation
File System Interpretation Part III. Advanced Techniques and Tools for Digital Forensics CSF: Forensics Cyber-Security Fall 2018 Nuno Santos Previously: Introduction to Android forensics! How does Android
More informationSistemi in Tempo Reale
Laurea Specialistica in Ingegneria dell'automazione Sistemi in Tempo Reale Giuseppe Lipari Introduzione alla concorrenza Fundamentals Algorithm: It is the logical procedure to solve a certain problem It
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationARM TrustZone for ARMv8-M for software engineers
ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,
More informationDisclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the
More informationCS 326: Operating Systems. Process Execution. Lecture 5
CS 326: Operating Systems Process Execution Lecture 5 Today s Schedule Process Creation Threads Limited Direct Execution Basic Scheduling 2/5/18 CS 326: Operating Systems 2 Today s Schedule Process Creation
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 4, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationKOSR 22 차세미나. KOSR 연역및소개 t h K o r e a O p e r a t i n g S y s t e m S e m e n a r
KOSR 22 차세미나 KOSR 연역및소개 http://www.kosr.org 1 KOSR 연혁과이념 KOSR 연혁 (2001 ~ ) - 2001.11.02 : WSP(Windows System Programmer) 커뮤니티 Open - 2003.01.19 : KSP(Korea System Programmer) 로독립 - 2004.12.01 : KOSR (Korea
More informationReview: Easy Piece 1
CS 537 Lecture 10 Threads Michael Swift 10/9/17 2004-2007 Ed Lazowska, Hank Levy, Andrea and Remzi Arpaci-Dussea, Michael Swift 1 Review: Easy Piece 1 Virtualization CPU Memory Context Switch Schedulers
More informationFile Systems. What do we need to know?
File Systems Chapter 4 1 What do we need to know? How are files viewed on different OS s? What is a file system from the programmer s viewpoint? You mostly know this, but we ll review the main points.
More informationECE 598 Advanced Operating Systems Lecture 18
ECE 598 Advanced Operating Systems Lecture 18 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 5 April 2016 Homework #7 was posted Project update Announcements 1 More like a 571
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationRoadmap for This Lecture
File Systems (I) 2 Roadmap for This Lecture File Systems supported by Windows NTFS Design Goals File System Driver Architecture NTFS Operation Windows File System On-Disk Structure 3 Windows File System
More informationW4118: interrupt and system call. Junfeng Yang
W4118: interrupt and system call Junfeng Yang Outline Motivation for protection Interrupt System call 2 Need for protection Kernel privileged, cannot trust user processes User processes may be malicious
More informationOperating Systems (2INC0) 2018/19. Introduction (01) Dr. Tanir Ozcelebi. Courtesy of Prof. Dr. Johan Lukkien. System Architecture and Networking Group
Operating Systems (2INC0) 20/19 Introduction (01) Dr. Courtesy of Prof. Dr. Johan Lukkien System Architecture and Networking Group Course Overview Introduction to operating systems Processes, threads and
More informationServer. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2
Local and Domain Logon User accounts and groups Access tokens Objects and security descriptors The Register Some features in Windows 7 and Windows 8 Windows XP evolved from Windows 2000 Windows 10, 8,
More informationOPERATING SYSTEM OVERVIEW
OPERATING SYSTEM OVERVIEW Contents Basic hardware elements Interrupts Most I/O devices are much slower than the processor Active waiting cycle (polling) Interrupt request signal Interrupt mechanism An
More informationJava Internals. Frank Yellin Tim Lindholm JavaSoft
Java Internals Frank Yellin Tim Lindholm JavaSoft About This Talk The JavaSoft implementation of the Java Virtual Machine (JDK 1.0.2) Some companies have tweaked our implementation Alternative implementations
More informationObjectives. Chapter 2: Operating-System Structures. 2.1 Operating System Services
Objectives Chapter 2: Operating-System Structures To describe the services an operating system provides to users, processes, and other systems To discuss the various ways of structuring an operating system
More informationA+ Guide to Managing and Maintaining Your PC, 7e. Chapter 14 Optimizing Windows
A+ Guide to Managing and Maintaining Your PC, 7e Chapter 14 Optimizing Windows Objectives Learn about Windows utilities and tools you can use to solve problems with Windows Learn how to optimize Windows
More informationWindows Registry Analysis
Windows Registry Analysis Omveer Singh Additional Director / Scientist E omveer@cert-in.org.in Cyber Forensics Lab Indian Computer Emergency Response Team (CERT-In) Department of Information Technology
More informationRootkits n Stuff
Rootkits n Stuff www.sigmil.org What a rootkit is(n t) IS Software intended to conceal running processes, files, etc from the OS A way to maintain control of a system after compromising it. ISN T A buffer
More informationTowards full NTFS semantics in Samba. Andrew Tridgell
Towards full NTFS semantics in Samba Andrew Tridgell tridge@samba.org About Samba Started in 1991 as a side project in my spare time Now have about 25 "Samba Team" members Ported to a wide variety of OSes
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationPointers and Handles. A Story of Unchecked Assumptions in the Windows Kernel. Alex Ionescu Black Hat USA 08
Pointers and Handles A Story of Unchecked Assumptions in the Windows Kernel Alex Ionescu bh08@alex-ionescu.com Black Hat USA 08 1 About Me Former lead kernel developer of ReactOS Open source implementation
More informationLet s Tune Oracle8 for NT
Let s Tune Oracle8 for NT ECO March 20, 2000 Marlene Theriault Cahill Agenda Scope A Look at the Windows NT system About Oracle Services The NT Registry About CPUs, Memory, and Disks Configuring NT as
More informationCSE 4/521 Introduction to Operating Systems. Lecture 29 Windows 7 (History, Design Principles, System Components, Programmer Interface) Summer 2018
CSE 4/521 Introduction to Operating Systems Lecture 29 Windows 7 (History, Design Principles, System Components, Programmer Interface) Summer 2018 Overview Objective: To explore the principles upon which
More informationCIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:
CIS 21 Final Study Guide Final covers ch. 1-20, except for 17. Need to know: I. Amdahl's Law II. Moore s Law III. Processes and Threading A. What is a process? B. What is a thread? C. Modes (kernel mode,
More informationA process. the stack
A process Processes Johan Montelius What is a process?... a computation KTH 2017 a program i.e. a sequence of operations a set of data structures a set of registers means to interact with other processes
More informationLecture 2 Operating System Structures (chapter 2)
Bilkent University Department of Computer Engineering CS342 Operating Systems Lecture 2 Operating System Structures (chapter 2) Dr. İbrahim Körpeoğlu http://www.cs.bilkent.edu.tr/~korpe 1 References The
More informationSHADOW WALKER Raising The Bar For Rootkit Detection. By Sherri Sparks Jamie Butler
SHADOW WALKER Raising The Bar For Rootkit Detection By Sherri Sparks ssparks@longwood.cs.ucf.edu Jamie Butler james.butler@hbgary.com What Is A Rootkit? Defining characteristic is stealth. Viruses reproduce,
More informationCSE451 Winter 2012 Project #4 Out: February 8, 2012 Due: March 5, 2011 by 11:59 PM (late assignments will lose ½ grade point per day)
CSE451 Winter 2012 Project #4 Out: February 8, 2012 Due: March 5, 2011 by 11:59 PM (late assignments will lose ½ grade point per day) Objectives This project introduces you to the Windows FAT file system.
More informationPool Allocations in Windows Memory Forensics. Andreas Schuster Deutsche Telekom AG Group Security
Pool Allocations in Windows Memory Forensics. Deutsche Telekom AG Group Security andreas.schuster@telekom.de . Agenda. 1. Introduction 2. Memory Management 3. Proof of Concept - PoolFinder 3.1 Usage 3.2
More informationChapter 2: System Structures
Chapter 2: System Structures Chapter 2: System Structures 2.1 Operating-System Services 2.2 User and Operating-System Interface 2.3 System Calls 2.4 Types of System Calls 2.5 System Programs 2.6 Operating-System
More informationPE Infection How to Inject a dll
PE Infection How to Inject a dll In association with www.mihanit.net Thank you to my friends who help me in this research (K053,Heli, L U C I F E R(Bl4ck_Ic3)) Author: Nightmare(BioHazard) Date: 03.05.2009(88.02.13)
More informationModule 23: Windows NT. Windows NT
Module 23: Windows NT History Design Principles System Components Environmental Subsystems File System Networking Programmer Interface Operating System Concepts 23.1 Silberschatz and Galvin c 1998 Windows
More informationChapter 1. Windows NT: An Inside Look
Chapter 1 Windows NT: An Inside Look Abstract This chapter begins with an evaluation of Windows NT and then examines the overall architecture of the operating system. THIS BOOK IS AN EXPLORATION of the
More informationProcesses. Process Management Chapter 3. When does a process gets created? When does a process gets terminated?
Processes Process Management Chapter 3 1 A process is a program in a state of execution (created but not terminated) Program is a passive entity one on your disk (survivor.class, kelly.out, ) Process is
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationModule 23: Windows NT
Module 23: Windows NT History Design Principles System Components Environmental Subsystems File System Networking Programmer Interface Operating System Concepts 23.1 Silberschatz and Galvin c 1998 Windows
More informationECE 598 Advanced Operating Systems Lecture 14
ECE 598 Advanced Operating Systems Lecture 14 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 19 March 2015 Announcements Homework #4 posted soon? 1 Filesystems Often a MBR (master
More informationWindows Memory Analysis. Jesse Kornblum
C Y B E R S E C T O R Windows Memory Analysis Jesse Kornblum Why Memory Analysis Windows without Windows Gathering Information Parsing the Processes The Rootkit Paradox Address Translation Recovering Executables
More informationReverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationOS lpr. www. nfsd gcc emacs ls 1/27/09. Process Management. CS 537 Lecture 3: Processes. Example OS in operation. Why Processes? Simplicity + Speed
Process Management CS 537 Lecture 3: Processes Michael Swift This lecture begins a series of topics on processes, threads, and synchronization Today: processes and process management what are the OS units
More informationAppendix C: Windows Operating System Concepts Essentials 8 th Edition
Appendix C: Windows 2000 Silberschatz, Galvin and Gagne 2011 Module C: Windows 2000 History Design Principles System Components Environmental Subsystems File system Networking Programmer Interface c.2
More informationMechanisms for entering the system
Mechanisms for entering the system Yolanda Becerra Fontal Juan José Costa Prats Facultat d'informàtica de Barcelona (FIB) Universitat Politècnica de Catalunya (UPC) BarcelonaTech 2017-2018 QP Content Introduction
More informationx86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT kaashoek@mit.edu Outline Enforcing modularity with virtualization Virtualize processor and memory x86 mechanism for virtualization
More informationModule 21: Windows 2000
Module 21: Windows 2000 History Design Principles System Components Environmental Subsystems File system Networking Programmer Interface 21.1 Windows 2000 32-bit preemptive multitasking operating system
More informationModule 21: Windows 2000
Module 21: Windows 2000 History Design Principles System Components Environmental Subsystems File system Networking Programmer Interface 21.1 Windows 2000 32-bit preemptive multitasking operating system
More informationRicardo Rocha. Department of Computer Science Faculty of Sciences University of Porto
Ricardo Rocha Department of Computer Science Faculty of Sciences University of Porto Slides based on the book Operating System Concepts, 9th Edition, Abraham Silberschatz, Peter B. Galvin and Greg Gagne,
More information