Windows Security Industry Functional system

Source: Internet
Author: User
Tags: windows, x64, virus scan, ssdt

Article reproduced from the Snow forum.

I think that an anti-virus product probably needs the following drivers. Below I give the general design framework of anti-virus software.
Because of certain constraints, the program code cannot be uploaded to the Snow forum, so as to avoid unnecessary legal disputes later. I also ask friends here for their understanding.

If there is anything wrong or insufficient, please forgive me.


1) Disk scanning for computer viruses.

A scan engine mainly consists of scan-rule settings and scan-object settings.
The scan-rule setting lets the user scan files with one rule or with all rules.
The scan-object setting lets the user choose which file types are scanned.

<1> Determine whether the file is in PE format.
If the opened file does not follow the PE format specification, prompt the user to choose another file to scan.
If it is a PE file, perform address translation, converting between RVAs and file offsets:
Loop over the sections, take each section's starting RVA (relative virtual address) and compute the section's extent from its size.
Compare the entry-point RVA (AddressOfEntryPoint) against these ranges to find which section it lies in.
Once the section is known, compute the offset of the entry point within that section.
Then offset within the section + file offset of the section = the exact file offset of the entry point.

<2> Compare section names.
A PE file has one or more code sections and usually several non-code sections. In general a code section is readable and executable but not writable, while non-code sections can be written. If a non-code section carries the attributes of a code section, it contains code, possibly virus code.
The characteristics of a code section are 60000020H: executable, readable and containing code. If a section's name is not a standard code-section name such as .text or .code and yet its characteristics are 60000020H, the section can be regarded as a non-code section that has the attributes of a code section, i.e. a suspicious section.
Each section's name can be read from the Name field of the IMAGE_SECTION_HEADER structure; when a suspicious section is found, its name (for example .virus or similar) can be recorded.
The characteristics of the suspicious section are then saved to the database together with a weight, usually between 0.1 and 1.
This provides a data source for the scan engine and a weight that can later be corrected.

<3> The file size differs from the end offset of the last section.
In general the last section ends at the end of the file, so the last section's offset from the file header plus its size should equal the file size. If not, other content has been appended to the file. The file can then be considered to contain suspicious code, i.e. to be a virus or Trojan file.

<4> The entry point points at the file header, the end of the file, or another unexpected address.
A PE file consists of a file header followed by the section area. A program's entry point must point into one of the file's sections; anything else is abnormal, and the file can be considered to contain suspicious code, i.e. to be a virus or Trojan file.

<5> The start and end addresses of adjacent sections are not contiguous.
There should be no gap between two successive sections: one should end where the next begins. Some viruses set custom sizes, which leaves gaps between sections, so such a file can be considered a virus or Trojan file.

<6> A file with more than two file headers.
A virus or Trojan attaches itself to a host file in generally three ways; in other words, it modifies the layout of the PE file:
(1) appended after the host file;
(2) inserted inside the host file;
(3) prepended before the host file.
In each case the file can be considered a virus or Trojan file.

<7> Taking control of the Windows kernel.
Some programs load themselves at address C0001000h, which lets them gain control of the kernel while the system runs them.
Our security guard can loop over the RVA of each section and compare it with C000000h; if it matches, the file can be considered a malicious program.


Design of the scanning algorithm.
When designing the scanning algorithm, the weights should be corrected as new rules are added. The weight of each rule can be corrected either by the algorithm or by manual modification.
Let Y be the scan result:
Y = 1 when the weighted sum is greater than the specified value: the scan reports a Trojan or virus.
Y = 0 when the weighted sum is less than the specified value: the file is not a Trojan or virus.
Formula: Y = a + b1·x1 + b2·x2 + ... + bn·xn
where
xi is the weight of rule i;
a is the overall error, i.e. the error caused by the rule set being incomplete.
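As an added example, not code from the original post, rules <1> to <5> above and the weighted score can be sketched in Python as follows. The rule weights, the set of names treated as legitimate code sections, the reading of b_i as a fired/not-fired indicator, and the two constructed test images are all my assumptions.

```python
import struct
CODE_RX = 0x60000020   # the page's 60000020H: IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
KNOWN_CODE_NAMES = {b".text", b".code", b"CODE"}   # assumption: names treated as legitimate
SECTION_FMT = "<8sIIIIIIHHI"                        # IMAGE_SECTION_HEADER, 40 bytes
WEIGHTS = {"entry_outside": 0.9, "odd_code_section": 0.6, "overlay": 0.4, "section_gap": 0.5}  # x_i, constructed

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list); ValueError if this is not a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: ask the user to pick another file")
    coff = e_lfanew + 4                    # IMAGE_FILE_HEADER follows the PE signature
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                        # IMAGE_OPTIONAL_HEADER; AddressOfEntryPoint at +16
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return entry_rva, sections

def rva_to_offset(rva, sections):
    """Rule <1>: offset in section + PointerToRawData; None if the RVA is in no section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None

def apply_rules(data):
    """Run rules <1>-<5> from the text over one image; return the names of rules that fired."""
    entry_rva, sections = parse_pe(data)
    fired = set()
    if rva_to_offset(entry_rva, sections) is None:     # rule <4>: entry outside all sections
        fired.add("entry_outside")
    for s in sections:                                  # rule <2>: code rights, non-code name
        if s["chars"] & CODE_RX == CODE_RX and s["name"] not in KNOWN_CODE_NAMES:
            fired.add("odd_code_section")
    last = sections[-1]                                 # rule <3>: data appended after last section
    if last["raw_ptr"] + last["raw_size"] != len(data):
        fired.add("overlay")
    for a, b in zip(sections, sections[1:]):            # rule <5>: raw data not back to back
        if a["raw_ptr"] + a["raw_size"] != b["raw_ptr"]:
            fired.add("section_gap")
    return fired

def score(fired, a=0.0, threshold=1.0):
    """Y = a + sum(b_i * x_i), reading b_i as 1 when rule i fired and x_i as its weight."""
    y = a + sum(WEIGHTS[r] for r in fired)
    return round(y, 2), y >= threshold                  # (score, flagged as virus/Trojan)

def build_pe(sections, entry_rva, overlay=b""):
    """Constructed minimal PE32 image (headers plus filler bytes as section data) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); opt[:2] = b"\x0b\x01"; struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body, raw = b"", b"", 0x200                   # headers padded to one 512-byte block
    for name, va, size, chars in sections:              # raw data laid out contiguously
        hdrs += struct.pack(SECTION_FMT, name, size, va, size, raw, 0, 0, 0, 0, chars)
        body += b"\xcc" * size
        raw += size
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\0") + body + overlay

CLEAN = build_pe([(b".text", 0x1000, 0x200, CODE_RX), (b".data", 0x2000, 0x200, 0xC0000040)], 0x1010)
SUSPECT = build_pe([(b".text", 0x1000, 0x200, CODE_RX), (b".virus", 0x2000, 0x200, CODE_RX)], 0x2010, b"\xff" * 64)
```

With these weights the constructed SUSPECT image trips rules <2> and <3> and reaches the threshold, while CLEAN trips nothing.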

Virus log:
Main records: virus file name, virus source, scan level, scan date, path, scan mode.

Virus scan data backup and recovery:
Based on the user's choice, back up some data tables and restore them when needed.

Virus scan history:
Saves earlier scan results to provide a data source for the scan engine.


2) Self-protection.
Prevent malicious programs from terminating us.
On a 32-bit Windows system you can:
Hook NtOpenProcess(), NtTerminateProcess() and ObReferenceObjectByHandle().
However, these are not the deepest functions, and a security product protected only this way is easily terminated by malicious programs.
Therefore PspTerminateThreadByPointer() should be inline-hooked to prevent the process from being terminated.

On a 64-bit Windows system you can:
Call the Microsoft-provided kernel function ObRegisterCallbacks() and protect the process from termination in the callback you supply.
NOTE:
On Windows 7 and later there can be 64 callback functions. If a computer already has more than 64 callbacks registered, Windows will not install the new callback. In that case you have to replace one of the callbacks already registered in the system, and the replaced callback may belong to another program.

3) Network traffic monitoring and management.
Monitor the network activity of the processes on the computer.
To limit network speed, intercept network packets and drop them as appropriate.
With an NDIS driver you can operate directly on data-link-layer Ethernet frames, so an NDIS driver can be used for packet dropping, and dropping packets is how the network speed is controlled. In the program code we design rules that decide when to drop a packet and when not to.
NDIS cannot obtain process information, so we need the TDI and WFP drivers to get it.

Local port, local IP, remote port, remote IP, protocol type, process path and process ID: this information can be obtained directly in the WFP callback registered at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. Through the last parameter of this callback you specify whether the connection is permitted or blocked.
Because TDI has been deprecated on Windows 7 and later in favour of WFP, network traffic monitoring is best developed with NDIS and WFP.


4) Monitoring and managing the Windows file system.
Monitor file operations on the Windows system: open, create, delete, copy, paste, cut, read, write and so on.
To work on both 32-bit and 64-bit Windows, use Minifilter file-system filter-driver technology to oversee these file states; SSDT hooking should not be used for file-system monitoring.
The main work is implementing the pre- and post-operation callbacks for IRP requests such as IRP_MJ_CREATE, IRP_MJ_READ and IRP_MJ_WRITE, and deciding in that code whether the user operation is allowed, i.e. returning a status such as STATUS_ACCESS_DENIED or STATUS_SUCCESS.

5) Monitoring and managing the Windows Registry.
Monitor registry key and value operations: open, create, delete, copy, paste, cut, read, write and so on.

On a 32-bit Windows operating system:
On Windows XP and earlier, SSDT hooks can be used for registry protection, mainly by hooking kernel functions such as ZwSetValueKey, ZwCreateKey, ZwDeleteValueKey and ZwDeleteKey. To manage the registry effectively, our security guard should also hook the KiFastCallEntry() function, which is the dispatcher for all SSDT-hooked functions; there we can forbid others from hooking certain functions, which effectively prevents programs from manipulating the registry.

On a 64-bit Windows operating system:
On Windows 7, Windows 8 and later, Microsoft provides a registry-specific management function, CmRegisterCallback, which we can use to monitor the registry.

Note that:
Microsoft does not provide the CmRegisterCallback kernel function on Windows XP and earlier, so there the registry can only be managed with SSDT hooks.

On Windows 7, Windows 8 and later, CmRegisterCallback is available on both 32-bit and 64-bit Windows.

CmRegisterCallback mainly takes a function pointer; the registry monitoring and management is implemented in that callback.
As with the self-protection discussed above, pay attention to the number of callbacks that can be registered: if a computer already has more callbacks than the operating system allows, Windows will not install the new callback. In that case you have to replace one of the callbacks already registered in the system, and the replaced callback may belong to another program.

6) Sandbox.
The sandbox is really a Windows file filter driver: when a program writes to the hard disk, nothing is written to the real disk; the data goes to a separate store instead. On reads the driver must determine whether the content existed before the sandbox was opened or was written inside the sandbox, and read it from the corresponding location. After a restart the store is reset.
Implementing a sandbox involves the following pieces:
(1) File system virtualization
Redirect file and directory paths.
Re-implement a Windows file system that fully mirrors the real one. The FASTFAT sample project shipped with the WDK can be used as a starting point.
(2) Registry virtualization
Redirect registry key and value paths.
Re-implement a registry driver that fully mirrors the real Windows registry, wrapping the kernel registry functions and defining a common hive data structure.
(3) Kernel object virtualization
Mainly to get around the restriction that a single-instance program cannot run both inside and outside the sandbox at the same time, for example the multiple-instance limits of some games.
(4) Service virtualization
Virtualizing the services created inside the sandbox mainly prevents sandboxed programs from escaping the sandbox through a service process.
(5) Window virtualization
Works together with kernel object virtualization.
(6) DCOM virtualization
Makes sandboxed processes more functional; for example, the IE browser uses DCOM components in many places, and without virtualization some IE functions will not work normally.
(7) Multi-sandbox support
Several sandboxes exist at the same time without interfering with each other or knowing of each other's existence.
(8) Logging
Support for 32-bit and 64-bit operating systems from Windows XP to Windows 8.1.
(9) Inline hook, SSDT hook, Shadow SSDT hook, object hook
Implement the hook engine and make sure it also works correctly on Windows x64.
(10) Server-side process
Used to simulate RPC traffic; implements the various messages required for RPC interaction.

Sandbox infrastructure:

The sandbox operates at the process level: everything that needs to be sandboxed must live inside a process. The minimal sandbox configuration requires two processes: a privileged controller, called the broker, and one or more sandboxed processes, called targets. Throughout the documentation and the code these terms always have this precise meaning. The sandbox is provided as a dynamic link library that must be linked into both the broker and the target executables.

In the sandbox, the broker is the browser process; it is the privilege controller/manager of the sandboxed processes.
The tasks of the broker process are:
Specify the policy for each target process
Spawn the target processes
Host the sandbox policy engine service
Host the sandbox interception manager
Host the sandbox IPC service (to the target processes)
Perform the policy-allowed actions requested by the target process.

The broker process must outlive all the target processes. The sandbox IPC is a low-level mechanism that transparently forwards specific Windows API calls from the target process to the broker, where they are evaluated against the policy. Calls allowed by the policy are executed by the broker process and the results are returned to the target process over the same IPC. The interception manager's job is to patch the Windows API calls that are to be forwarded over the IPC to the broker process.

Sandbox restrictions:
The core of the sandbox relies on the protection provided by four Windows mechanisms:
(1) A restricted token
(2) The Windows Job object
(3) The Windows Desktop object
(4) Integrity levels (Vista and later)
These mechanisms are highly effective at protecting the OS, its configuration and the user's data, provided that:
All securable resources have a better than null security descriptor. In other words, there are no critical resources whose security is misconfigured.

Tokens:
How the token and job of a target process are restricted.
By design, the sandbox token cannot protect the following non-securable resources:
Mounted FAT or FAT32 volumes: their security descriptors are effectively empty. Malware running in the target process can read and write these volumes as long as it can guess or deduce the volume's path.

Job object (Job Objects):
The target process runs under a Job object. This Windows mechanism enforces some interesting restrictions that have no traditional object or security descriptor behind them:
Prohibit per-user system-wide changes via SystemParametersInfo, which can swap the mouse buttons or set the screen-saver timeout.
(1) Prohibit creating or switching desktops
(2) Prohibit changing the per-user display configuration, such as resolution and primary display
(3) No read or write access to the clipboard
(4) Prohibit broadcasting Windows messages
(5) Prohibit setting global hooks
(6) Prohibit reading the global atom table
(7) Prohibit access to USER handles created outside the Job object
(8) An active-process limit (no child processes may be created)
(9) Each process has its own Job object. Using the Job object, the sandbox can block
<1> excessive CPU usage
<2> excessive memory usage
<3> excessive IO

Target process bootstrapping:
The target process does not start with the restrictions specified by the policy. It starts with a token very close to that of a normal user process. The reason is that during process startup the OS loader accesses many resources, most of them undocumented and liable to change at any time. Likewise, most applications use the standard CRT (C run-time library) shipped with the standard development tools, and the CRT must also initialize after the process starts.
Therefore two tokens are actually used during process startup: the lockdown token, which is the process token, and the initial token, which is set as the impersonation token of the initial thread.


7) Preventing debugging.
Some malicious programs may debug our security product in order to damage it or bypass it. A program can detect whether a debugger is attached; if it finds it is being debugged, someone is almost certainly trying to reverse engineer it in order to attack it.
(1) Windows API
Win32 provides two API functions, IsDebuggerPresent and CheckRemoteDebuggerPresent, that detect whether the current process is being debugged.

(2) Query the BeingDebugged flag in the process PEB
When a debugger attaches to the process, the operating system sets this flag automatically, so the program can query it periodically.

(3) Query the NtGlobalFlag field in the process PEB
When the process is debugged, besides setting BeingDebugged, the operating system also modifies the flags of some heap-control functions in ntdll, so this flag can be queried too.

(4) Query the ForceFlags field of the process heap
As long as the process is being debugged, whenever it allocates heap memory the ForceFlags field in the heap header is modified, so a debugger can be detected by checking this field. Since a process can have many heaps, it is enough to check the header of any one of them.

(5) Operating-system and hardware virtualization.
When the computer is powered on, the BIOS performs its power-on self-test, and the BIOS has a VT-x option.
When VT-x is enabled, the computer can perform hardware virtualization.
When implementing this, since Windows drivers run in ring 0, the debugging and anti-debugging contest also takes place directly in ring 0.
Therefore, as long as we run at a privilege level higher than ring 0, we can completely block other programs from debugging ours.
Purpose: even if the program's implementation is well known, no other software can detect it.

Steps to implement hardware virtualization:

<1> Check whether the current CPU supports hardware virtualization: use the CPUID instruction and check that CPUID.1:ECX.VMX[bit 5] = 1, i.e. the VMX bit of the result is 1.
Set CR4.VMXE[bit 13] = 1 and allocate the VMXON region and the VMCS control block in memory; both must be allocated in 4 KB page-aligned memory.
<2> In the driver code, enter VMX root mode with the VMXON instruction, which starts the virtual machine manager environment. Then use the VMLAUNCH instruction to make the target system formally run inside the virtual machine.
<3> In the program code, call the kernel functions MmInitManager(), MmMapGuestKernelPages(), MmMapGuestPages() and so on to build a private page table.
<4> Write the anti-debugging code as in an ordinary driver. Because this code runs below ring 0, it controls other programs' attempts to debug very effectively.
