Windows NT/2000 Internal data structure exploration (http://webcrazy.yeah.net)

Exploring the internal data structure of Windows NT/2000
WebSphere (tsu00@263.net)
Note: This article was initially found at www.nsfocus.com

Windows system implies a lot of internal data structures, which record all important information related to the system, such as threads, processes, and kernel calls, for example, ntbuildnumber and keservicedescriptortable in Windows NT/200020.ntoskrnl.exe (you can see Dependency Walker in SoftICE or Visual Studio ), the former only indicates the current Windows build number (for example, in SoftICE, the DW command can be used to find that my machine is 0893 H, that is, decimal 2195); the latter is a pointer to the following data structure:
Struct _ servicedescriptorentry {
Unsigned int * servicetablebase;
Unsigned int * servicecountertablebase;
Unsigned int numberofservices;
Unsigned char * paramtablebase;
} Servicedescriptortableentry

Its typical application is the regmon of Mark russinovich and Bryce Cognos. For details, see www.sysinternals.com.
This article only gives a preliminary introduction to Teb (thread environment block) in Windows 2000 Server (build 2195) of Intel i386.
Teb is called the Tib (thread information block) in the Windows 9x series. It records important information about the thread. Each thread corresponds to a Teb structure. The format is as follows (from the under the hood column of Matt pietrek-MSJ 1996 ):
Typedef struct _ Tib
{
Pexception_registration_record pvexcept; // 00 h head of exception record list
Pvoid pvstackusertop; // 04 H top of user Stack
Pvoid pvstackuserbase; // 08 h base of user Stack

Union // 0ch (NT/Win95 differences)
{
Struct // Win95 Fields
{
Word pvtdb; // 0ch TDB
Word pvthunkss; // 0eh SS Selector Used for thunking to 16 bits
DWORD unknown1; // 10 h
} Win95;

Struct // winnt Fields
{
Pvoid subsystemtib; // 0ch
Ulong fiberdata; // 10 h
} Winnt;
} Tib_union1;

Pvoid pvarbitrary; // 14 h available for application use
Struct _ Tib * ptibself; // 18 h linear address of TiB Structure

Union // 1ch (NT/Win95 differences)
{
Struct // Win95 Fields
{
Word tibflags; // 1ch
Word win16mutexcount; // 1eh
DWORD debugcontext; // 20 h
DWORD pcurrentpriority; // 24 h
DWORD pvqueue; // 28 h Message Queue Selector
} Win95;

Struct // winnt Fields
{
DWORD unknown1; // 1ch
DWORD processid; // 20 h
DWORD threadid; // 24 h
DWORD unknown2; // 28 h
} Winnt;
} Tib_union2;

Pvoid * pvtlsarray; // 2ch Thread Local Storage Array

Union // 30 h (NT/Win95 differences)
{
Struct // Win95 Fields
{
Pvoid * pprocess; // 30 h pointer to owning process database
} Win95;
} Tib_union3;

} Tib, * ptib;

In Windows 2000 DDK, it is defined:
Typedef struct _ nt_tib
{
Struct _ exception_registration_record * exceptionlist;
Pvoid stackbase;
Pvoid stacklimit;
Pvoid subsystemtib;
Union {
Pvoid fiberdata;
Ulong version;
};
Pvoid arbitraryuserpointer;
Struct _ nt_tib * self;
} Nt_tib;

Fortunately, when Windows is calling the process and creating a thread, the operating system will allocate Teb to each thread and the FS segment selector (i386) point to the Teb data of the current thread (only one thread is running on a single CPU machine at any time), which provides us with a way to access Teb data. In fact, Windows uses this method to provide information for your application. Let's look at an example! As we all know, the getcurrentthreadid API is used to obtain the current thread ID, which is implemented in kernel32.dll as follows:

Getcurrentthreadid:
MoV eax, FS: [00000018]; 18 h linear address of TiB structure (linear address of TiB structure)
MoV eax, [eax + 24]; 24 h threadid
RET; return the value in eax to the caller

Due to the huge structure of Teb, I only want to talk about the struct _ prediction_registration_record * predictionlist with the offset of 00h, and use it in combination with the CIH 1.3 source code. Predictionlist is mainly used to process Seh (structured exception handling. If you are not familiar with _ Try, _ partition T, and _ finally added in the C language, we recommend that you first look at Jeffery Richter's <advanced windows NT> or something like that.

First, let's take a look at the _ exception_registration_record structure. In the source code of CRT (C ++ Runtime Library), it is defined as follows:

// Exsup. inc --- Microsoft Visual C ++ CRT source file

_ Prediction_registration struc
Prev dd?
Handler dd?
_ Prediction_registration ends

Here, Prev is a pointer to the previous _ prediction_registration, forming a chain structure, so that it will be in excpt. h has the definition of exception_continue_search (see & T; <advanced windows NT>); handler points to the exception handling code.

CIH uses this mechanism to direct handler to its own program. The following code is provided at the entrance:

.
.
.

; **************************************** *****************
; * Ring3 virus game initial program *
; **************************************** *****************

Myvirusstart:; ring3 code entry point
Push EBP

;*************************************
; * Let's modify structured exception *
; * Handing, prevent Exception error *
; * Occurrence, especially in NT .*
;*************************************

Lea eax, [esp-04h * 2]; Allocate an 8-byte storage in the stack _ prediction_registration Structure
; Equivalent to stack-based data in C, that is, local variables (completed in C compiler)
In this way, eax points to the _ exception_registration pointer.
; _ Exception_registration structure not initialized
The specific implementation mechanism can be read through the compilation principles book and the article by the Matt pietrek master.

　　　　　　　　　　　　　　　　　　　　　　　　　　　　　
Xor ebx, EBX; 0-> EBX
Xchg eax, FS: [EBX]; FS: [0] <-> eax; in this case, eax stores the original exception handling code, and FS: [0] points to Teb.
; Predictionlist (FS points to Teb, And the predictionlist offset is 0, that is, FS: [0])

Call @ 0
@ 0:
Pop EBX; the three lines of computing code entry. In this case, EBX is the address of @ 0.
Lea ECx, stoptorunviruscode-@ 0 [EBX]; point ECx to your internal code
Push ECx; fill in the handler of the _ exception_registration Structure
; In the event of an exception, the operating system will automatically call it, which is the CIH code

Push eax; eax is the original Exception Handling Code
; Fill in the prev of the _ prediction_registration Structure

.
.
.

After that, CIH calls INT 3 to make the system abnormal and still enter its own code. This can be confirmed by the following comments in the CIH source code:

;*************************************
; * Generate exception to get ring0 *
;*************************************

Int hookexceptionnumber; generateexception
Hookexceptionnumber is defined as 3. This code segment will generate an exception. For details, see the CIH source code.

Because the above Code is abstract, I specifically modified it for ease of understanding (PE format can be executed directly in Windows ):

// Testcih. C have any questions contact tsu00@263.net

# Include <windows. h>
# Include <stdio. h>

Exception_disposition _ cdecl _ except_handler (// exception handler segment
Struct _ prediction_record * predictionrecord,
Void * establisherframe,
Struct _ context * contextrecord,
Void * dispatchercontext)
{
Printf ("CIH run here.../N ");
Exit (0); // because the stack has been disrupted by the program, if you are interested, you can restore it by yourself. Here I just exit.
}

Void main (void)
{
_ ASM
{
Push EBP

MoV eax, ESP
Sub eax, 8 // The two rows are equivalent to lea eax, [esp-04h * 2]
Xor ebx, EBX
Xchg eax, FS: [EBX]

Call next
Next:
Pop EBX // these three rows do not really make sense here, just to compare them with CIH

Lea ECx, _ effect_handler // SET _ effect_handler as the exception handling entry
Push ECx

Push eax
}

_ ASM
{
MoV eax, 0
MoV [eax], 0 // The status_access_violation exception occurs and the operating system calls _ effect_handler.
}
}

For more information about the _ effect_handler callback function, see excpt. h.
In the main function, the first _ ASM segment is basically the same as the CIH code discussed earlier, while the second _ ASM segment tries to write the system reserved memory address, and an exception occurs.
Compile with Visual C ++ as follows:
C:> Cl testcih. c
C:> testcih
CIH run here...
In Windows 2000, when this code segment is run, the operating system gives control to _ t_t_handler for execution after an exception occurs, in this way, when the system modifies the protected memory address (IDT region) of the CIH code in the NT/2000 environment, there will be no prompts such as illegal operations to protect itself!

I always think that to understand system security, we must first have a sufficient understanding of the system, just like understanding the CIH virus. At present, there are very few materials in China in this regard, this article only describes some of my personal practices in this regard. Mistakes are inevitable. If you have any findings, if you are more interested in this, please contact tsu00@263.net.

Finally, I would like to thank the Green Alliance experts for their guidance and help!

References:

1. Jeffrey Richter <advanced windows NT>
2. Matt pietrek <a crash course on the depths of Win32 structured exception handling>
3. CIH 1.3 source code