First, preamble
Windows System Service Call is a key interface that exists in a Windows system, often referred to as System Call, Sysem Service Call, or System Service Dispatching, etc. We will call the Windows system service call, which provides operating system environment The user is switched to the function of kernel state. Although there are more discussions on Windows system service calls, few more detailed Chinese materials are rarely seen, I hope this article can be interested in Windows under the same as the author and is a friend who just contact. The article will be discussed in detail in detail to discuss the related technical details of Windows System Services in detail in the article T-ProCMON. It is also necessary to note that the techniques discussed herein apply only to the operating system based on the Windows NT core, and take Windows 2000 as an example.
Second, Windows 2000 System Architecture
Microsoft Windows 2000 is an operating system mainly facing the web server, so it is very different from the Windows 9x that is more familiar with before. But there is no great value for discussing a personal desktop operating system that occurs due to business strategies. So we will mainly introduce some details about the internal structure of the NT system. WINDOWS 2000 In the process of implementing its own goals, we need to explain some of its features.
Extensibility
The Windows 2000 operating system is a future-oriented system, so it is very important to its own scalability, because in the future, there may be many markets such as many markets, which must be added or deleted from some components of the current operating system, which must require the operating system. Have strong scalability. In order to meet the various needs of expansion / deletion, Windows 2000 provides an important design idea to be subsystems. We can add some operating system functions that need to be extended as a subsystem to Windows 2000, just like OS / 2, POSIX, etc. Of course, there is also a feature that we can modify the system's behavior by calling the system service to add hooks, which provides us with an opportunity to understand the internal and expand system features.
2. Reliability and robustness (Reliability and Robust)
The most basic requirement of a system is its stability, and there is no satisfactory product without a stable environment. In order to meet this request, Windows 2000 proposes measures based on object-based access control. Most microprocessors support two modes: user mode (user / Normal) and kernel / privileged. Operating system components and critical system components are in kernel mode, and the general user mode program can only access private address space and instructions that perform non-privileged levels. If the user wants to call some of the functions of the kernel components, they have to be implemented through system service.
3. Compatibility
Intel and Microsoft can do today's a very important factor is that they support the compatibility of the existence of systems in the past. This is very important, no one is willing to replace the system three days, of course, very few people have this economic strength. Windows 2000 has an environmental subsystem in order to achieve compatibility of other systems, such as DOS, 16-bit Windows, etc. The environment where the environment you must exist in Windows 2000 is Win32. It is the foundation of other subsystems. Other subsystems are interface interfaces, and actually call the interface provided by Win32, and Win32 is ultimately through system service. The call came to contact the kernel. Although the operating system provides different dynamic link libraries for a variety of environmental subsystems, and the API function name is often different, but this function is ultimately achieved by the same system service call into the kernel. 4. Easy maintenance (Maintainability)
As a large project, Windows 2000 maintenance has also become a large engineering. And so huge projects don't have a good maintenance, it is impossible to develop. To this end, Windows 2000 uses a hierarchical idea, which is also an operating system architecture model. Among them, the system service call offs the system's core mode code and user mode code, and the subsystem uses system service call to provide the user with the application programming interface (API), and the system service call is called down the executive implementation. Just like two modes exist in the operating system above, this is based on the processor. It is reason that the general processor can provide four processor modes from RING0 to RING3, but they must provide at least two, which is RING0 and RING3. Some special processor instructions can only be executed in kernel mode, and some address spaces must be accessed in kernel mode. Windows 2000 uses this feature, protects the operating system and other key components, only if the kernel mode can be accessed, and the general user program can only be executed in the user state, so you can avoid some user program pairs The system code is destroyed, that is, the Windows 2000 seen is significantly longer than the Windows 9X. Below we give the architecture of Windows 2000:
System support process, service process, application, environmental subsystem application programming interface based on NTDLL.DLL local system service (user mode) ------------------- -------------------- System Service Call (Kernel Mode) Performing the System System, Device Driver Hardware Abstract Layer
Third, Windows 2000 Native System Services (Native API)
Windows 2000 Native System Services is also known as a Windows Native Application Programming Interface, which is a system service set by executive (Executive) for user mode and kernel mode. It contains two types of functions: Windows executes system service scheduling plans for system services; subsystems, subsystems DLL, and other internal support functions used by other native images.
Calling the system service from the user mode is implemented by NTDLL.DLL. On the surface, the Win32 function provides a lot of interfaces for programmers to implement the features we want, but these Win32 functions are only a wrapper for this machine application programming interface, they package this API package, call this machine System service to implement user expectations. That is to say NTDLL.DLL is just a housing in the system service call interface in user mode. For information on Windows native system services in user mode, see an article I have written to "detect Windows2K / XP / 2003 System Information".
Let's talk about the system service from the kernel mode. At this time, it is not the function interface of the NTDLL.DLL export system service call, but is implemented by ntoskrnl.exe, which provides two forms of functions: Zwxxx and NTXXX, we will not say much here. Everyone should notice that system service calls in the Windows 2000 system architecture we introduced above, the actuators and kernels are present in ntoskrnl.exe (ntkrnlmp.exe in the multiprocessor), and is a layered of.
Fourth, Windows 2000 System Service Call Mechanism
The Trap Dispatch Mechanism of Windows 2000 includes: Interrupt, Deferred Procedure Call, asynchronous process call, exception dispatch, and system service call. In the Windows 2000 system of Intel X86, the processor executes the INT 0x2e instruction to activate the Windows system service call; the processor in the Windows XP system in Intel X86 is in the system service call program by executing the SYSENTER instruction; in AMD The Directive Syscall is used in Windows XP to achieve the same function. We temporarily use the X86's Windows 2000 as an example. We first give a model of a system service call: Mov Eax, ServiceId Lea Edx, ParameterTableint 2Ehret ParamTableBytes
Among them, ServiceID clearly shows the system service number passed to the system service call, the kernel uses this identifier to find the corresponding system service information in the system service schedule (System Service Dispath Table). Each of the system service scheduling table contains a pointer to the system service program, and our hook is the address that modifies this pointer to point to our customized system service. ParameterTable is the passing parameter, the system service call program KiSystemService must strict verify each parameter passed and copy its parameters from the thread's user stack to the core stack of the system for use. Since the execution of the int instruction can cause the trap that occurs, the 0x2e item in the interrupt description table in Windows 2000 points to the system service call program. The last returned paramTableBytes is information about the number of parameters.
Now we have already seen, the system service call is just an interface, which provides the function of forwarding the request in user mode to the Windows 2000 kernel, and triggers the switching of the processor mode. In the user's view, the system service call interface is an interface that implements the Windows kernel component function. The system service call interface defines a large number of services provided by the Windows kernel.
V. Windows 2000 System Service Call Type
There are two system service schedules in Windows 2000, which correspond to two different system services. These two system service schedules are: KeserviceDescriptable and KeserviceDescriptableShadow.
The Windows 2000 executable service corresponds to the system service calls we provide for NTDLL.DLL. The subsystem implements the functions they need by calling the function interfaces in NTDLL.DLL. System Service Scheduling table KeserviceDescriptable defines system services implemented in Ntoskrln.exe, which is usually in the system service schedule that is called in the kernel32.dll / advapi32.dll.
At the same time, there is also a related WIN32USER and GDI functions implemented in Win32k.sys in the Windows 2000 operating system, which are another type of system service call. The corresponding system service schedule is KeserviceDescriptAbleshadow, which provides User and GDI services implemented by kernel mode. The function keaddsystemServentable allows Win32.sys and other device drivers to add a system service table. In addition to the Win32k.sys service table, the service table added to the KeaddsystemServentable added will be copied to KeserviceDescriptable and KeserviceDescriptAbleshadow.
We can see that these two types of functions are distinguished in service scheduling: Win32 kernel API After entering NTDLL.DLL after Kernel32.dll / advent, use INT 0x2e interrupt into the kernel, and finally real functions in Ntoskrnl.exe. Call; WIN32 USER / GDI API has entered the kernel directly via user32.dll / gdi32.dll, but finally, it is true that the true function call is implemented in Win32k.sys. Here we discuss the function related to NTDLL.DLL, which is the function processed in our example. Six, the role of hook system service call
Hooking is an universal mechanism for intercepting / listening to executable code during execution. It makes us understand the internal structure of the system, the operation mechanism, and even modify system behavior. In a world like m $, many internal information we can't know because Windows is not Linux, but this does not mean that we will give up! As long as you start your brain, many things will become possible.
Event tracking
Do you want to know when WINDOWS opens a process? Do you want to know which functions have been obtained in the WINDOWS Task Manager? We can all use HOOK technology to implement these information you want. We can track the implementation of ZwopenProcess, and we can also track the execution of ZwQueryInformationProcess, including the passing parameters and the result of the return. You can see that the program related to this article T-ProCMon is a process monitoring tool that tracks the various information related to the process in the system. When some of the events we expect, the program will notify the user what happened, which is also the result we expect.
2. Modify system behavior
The operating system provides us with some universal features, such as query system process information ZWQuerySystemInformation (SystemInformationClass == 5), which returns information about all current processes / threads in the system. What should I do if we want to hide some special processes? That is to modify the system service call, that is, modify the behavior of ZwQuerySystemInformation. When the system process is queried, the system will return a process information queue, each unit corresponds to a process, if we want to hide some of the processes, you only need to modify some of the data in the queue, then return to the upper layer function, they will not The xxx.exe process will be found in the system.
3. Research system internal mechanism
Microsoft's Windows operating system is a "closed" system. Many internal information is not announced. We can detect the internal data structure and operational mechanisms of the system through hook technology, learn how to operate within the operating system. HOOK-based Windows kernel hacker technology is very popular and effective. We can use hook techniques when we have no disclosure, unknown technical details.
4. Others
Others can use hook technology when we want to debug a very troublesome program, so you can better help our tracking system actions, better understand the execution process inside the program. Similarly, in order to obtain some special performance data of the system, we can also use HOOK technology in a specific case.
7. Implementation of HOOK system service call
Here we discuss how Hook object is limited to system service calls provided by NToskrnl.exe of Windows 2000. Windows 2000 System Services calls to the code of kernel mode, so we must write the device driver to access the system service schedule. If you are not clear about the writing of the basic device driver under Windows 2000, please refer to the relevant books, not introduced here. Let's take a look at the implementation process of the Win32 kernel API.
Windows 2000 System Service Adjustment provides users with a function interface of the packaged user mode (provided by NTDLL.DLL). When the function in the kernel32.dll / advapi32.dll is executed, the corresponding related interface in NTDLL.DLL will first use the INT 0x2e instruction to enter the kernel mode, pass the relevant service number and parameter list after the parameter check. Maintain two table system service dispatch tables (System Service Parameter Table) in ntoskrnl.exe, where the INT 0x2e instruction is queried by the service number in SSDT. . Now we have clearly a service number corresponding to each system service call, and also correspond to the address of a service program! If we modify the entry address of a system service program in SSDT to point to our custom function address, after executing our code, then execute the code at the original system service address, this does not implement the system service call. HOOK? For us, the positioning system service schedule is the key to achieving hooks. In Windows 2000, there is an unapproved unit exported by ntoskrnl.exe: KeserviceDescriptable, we can complete access and modification of SSDT through it. KeserVicedScriptable corresponds to a data structure, is defined as follows:
typedef struct SystemServiceDescriptorTable {UINT * ServiceTableBase; UINT * ServiceCounterTableBase; UINT NumberOfService; UCHAR * ParameterTableBase;} SystemServiceDescriptorTable, * PSystemServiceDescriptorTable;
Where ServiceTableBase points to the address of the system service, ParameterTableBase points to the parameter address in the SSPT, which contains how many units of NumberOfService. As long as we find the system service call program we pay attention to KESERVICEDEScriptable, we can modify its service -etablebase parameters to implement HOOK called related system services!
8. T-procmon-1.0 Key Source Analysis 1. CUI-based user mode control program
Since I have already introduced the Win32 system service, I don't do more. If you have any questions, please refer to my previous article, you can go to FZ5FZ home page (http: // www .fz5fz.org) Read related articles or download the relevant source code.
2. Device-driven HOOK code
Define command code between user mode and kernel mode program:
#define PROCMON_MONITOR (ULONG) CTL_CODE (FILE_DEVICE_PROCMON, 0x01, METHOD_BUFFERED, FILE_ANY_ACCESS) #define PROCMON_HIDDEN (ULONG) CTL_CODE (FILE_DEVICE_PROCMON, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS) #define PROCMON_HOOK (ULONG) CTL_CODE (FILE_DEVICE_PROCMON, 0x03, METHOD_BUFFERED, FILE_ANY_ACCESS) #define Procmon_unhook (ulong) CTL_CODE (file_device_procmon, 0x04, method_buffered, file_any_access)
The KeServiceDescriptorTable linked with associated data structures, defined system calls: __ declspec (dllimport) ServiceDescriptorTableEntry KeServiceDescriptorTable; #define SYSCALL (_function) KeServiceDescriptorTable.ServiceTableBase [* (PULONG) ((PUCHAR) _function 1)]
Define a variety of undisclosed functions, such as ZwQuerySystemInformation:
TypedEf NTSTATUS (* ZwQuerySystemInformation) (in out pvoid systeminformation, in ulong systeminformaitonlength);
Modify the system service call, save the original entry address, modify our custom program entry address, such as ZWQuerySystemInformation:
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) (SYSCALL (ZwQuerySystemInformation)); _ asm cli (ZWQUERYSYSTEMINFORMATION) (SYSCALL (ZwQuerySystemInformation)) = NewZwQuerySystemInformation; _asm sti
Remove the hook, restore system service call:
_ASM CLI (ZWQuerySystemInformation) = OldzwQuerySystemInformation; _ASM STI
Call the original system service program code:
NTSTATUS = (OldzwQuerySystemInformation) (SystemInformationClass, SystemInformation, SystemInFormaitonLength; ReturnLength);
The hidden process is both the offset of the related items in the data queue returned by the system, which means that the next unit that needs to be hidden, that is, the unit that we need to hide the process: