low level writing to ntfs file systems
play

Low-level writing to NTFS file systems Rick van Gorp 1 1System and - PowerPoint PPT Presentation

Dec 19, 2022 •228 likes •458 views

Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Low-level writing to NTFS file systems Rick van Gorp 1 1System and Network Engineering Faculty of Science

  1. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Low-level writing to NTFS file systems Rick van Gorp 1 1System and Network Engineering Faculty of Science July 3, 2018 Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 1 / 19

  2. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Introduction Red teams: Unwriteable files or Endpoint Security Windows API allows interaction of user-mode with kernel-mode functions Endpoint security could monitor and block I/O activity Low level-writing to NTFS drives: Bypass NTFS access lists and software hooks Allows user to overwrite or falsify data Research Question In what way can data be written to an NTFS filesystem, such that hooks in write operations in Windows are bypassed? Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 2 / 19

  3. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Related work Joseph Bialek (2015) - Created Invoke-Ninjacopy 1 that opens a read handle to an NTFS volume and parses the NTFS volume to retrieve files. Cloudburst Security (2016) - Shellcode in malware bypasses Anti-Virus (AV) hooks by overwriting a function prolog the AV used to hook into the function. Blackhat USA, Udi Yavo and Tomer Bitton (2016) - Identified security issues in the Windows hooking methods and described different hooking engines. 1 https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 3 / 19

  4. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Methods Research environment: Windows 10 - Home Edition x64 Windows 7 - Home Edition x64 (Virtualbox and VMWare instance) Methodology: Desk research: Gather information regarding the Windows API and NTFS Static analysis with IDA Free edition: Analyse Windows API user-mode and kernel-mode Write experiments: Test whether we can write directly to a raw disk or NTFS volume Attempt to verify the found implications Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 4 / 19

  5. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Windows API - Write function Figure 1: Windows API call follow-up scheme: user-mode and kernel-mode 1 IRP = Input Output Request Packet Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 5 / 19

  6. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Windows API - Storage driver stack Figure 2: Processing of IRP from the filter driver by storage class driver (Microsoft 2017 2 ) 2 https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts 2 SRB = SCSi Request Block Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 6 / 19

  7. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Hooking - User-mode Listen to or modify the behavior of a process by intercepting an instruction of a program DLL-injection: Inject code into another process Import Address Table: Change memory address of target function Inline hooking: Figure 3: Inline hooking example of NtCreateFile (UserPC.net 2017 3 ) 3 https://userpc.net/wp-content/uploads/2017/12/InlineHook.png Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 7 / 19

  8. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Hooking - Kernel-mode System Service Dispatch Table: Replace pointers for Nt-functions with pointers to own code. SYSENTER_EIP : Replace register address with address of detour function. Interrupt Service Routines: Map interrupt with response. Replace address of response with hooking function. IRP Major Function: Driver object contains function pointers, that are called from other drivers through IoCallDriver . Other drivers could replace those pointers to its own functions. Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 8 / 19

  9. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work File system filter drivers Log, monitor, modify or prevent I/O operations related to the file system. Priority controlled by altitudes: Multiple Endpoint security companies are registered with Microsoft 4 . Figure 4: Simplified I/O Stack with filter manager en three filter drivers (Microsoft, 2017 5 ) 4 https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes 5 https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 9 / 19

  10. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Write experiments - Setup Attempt to write to NTFS boot sector, Master File Table and file system space Experiment 1 User-mode application 6 : Opens write-handle to volume/physical disk with CreateFile and WriteFile . Experiment 2 Kernel-mode driver 6 : Open write-handle to volume/physical disk with NtCreateFile and NtWriteFile . Experiment 3 Kernel-mode driver 6 : Write directly to storage class driver with IRP_MJ_WRITE and flag SL_FORCE_DIRECT_WRITE . 6 https://github.com/rickvg/low-level-ntfs Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 10 / 19

  11. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Write experiments - Results 1 & 2 Handle to volume Handle to harddisk Write to file system ✗ ✗ Write to NTFS boot sector ✓ ✗ Write to Master File Table ✗ ✗ Alert by Endpoint security ✗ ✓ Table 1: Results of write experiments sorted by writing to volume and harddisk Handle to volume Handle to harddisk Write to file system ✗ ✗ Write to NTFS boot sector ✓ ✗ Write to Master File Table ✗ ✗ Alert by Endpoint security ✗ ✗ Table 2: Results of write experiments sorted by writing to volume and harddisk Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 11 / 19

  12. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Write experiments - Results 3 IDE SATA SCSI SAS Write to file system ✗ ✗ ✓ ✓ Write to NTFS boot sector ✗ ✗ ✓ ✓ Write to Master File Table ✗ ✗ ✓ ✓ Alert by Endpoint security ✗ ✗ ✗ ✗ Table 3: Results of write experiments while directly communicating with the storage class driver, sorted by storage technology SATA & IDE: Invalid SCSI block request: No proper translation between IRP and SRB. Possible solution: Communicate with storage port drivers directly using own SRBs. Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 12 / 19

  13. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Writing to files on an NTFS volume Experiments: Raw disk access possible Objective: Locate the data linked to files Open a read handle to the raw disk and read its contents Locate the NTFS volume: Identified by hex-string EB 52 90 4E 54 46 53 Parse the boot sector to identify the location of the Master File Table Parse the Master File Table (MFT) to locate the data in the volume using data runs Overwrite the file data at the location specified Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 13 / 19

  14. Introduction Related work Methods Windows API Hooking Write experiments Writing to files Discussion & Conclusion Future work Writing to files on an NTFS volume - Parsing the boot sector Data in table 4 resides in the BPB-section 7 of the boot sector, starting at offset 0xB Offset (hex) Length Value 0x0B 2 bytes Bytes per sector ( S bytes ) 0x0D 1 byte Sectors per cluster ( C sectors ) 0x28 8 bytes Total amount of sectors 0x30 8 bytes Logical cluster number of MFT ( MFT clusterloc ) 0x38 8 bytes Logical cluster number copy MFT 0x40 1 byte Clusters per MFT record 0x44 1 byte Clusters per index buffer Table 4: Sector and Cluster information and MFT location information offsets within BPB of NTFS bootsector Calculate MFT position in bytes: ByteLoc MFT = S bytes ∗ C sectors ∗ MFT clusterloc 7 Bios Parameter Block Rick van Gorp University of Amsterdam Low-level writing to NTFS file systems July 3, 2018 14 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Unit OS8: File System 8.2. Windows File Systems Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

496 views • 34 slides
Operating Systems II Unit OS8: File System 8.3. NTFS Recovery Support Prof. Dr. Andreas Polze,

Operating Systems II Unit OS8: File System 8.3. NTFS Recovery Support Prof. Dr. Andreas Polze,

Operating Systems II Unit OS8: File System 8.3. NTFS Recovery Support Prof. Dr. Andreas Polze, Andreas Grapentin, Bernhard Rabe Roadmap for Sec.on 8.4 The Evolu.on of File Systems Recoverable

540 views • 26 slides
Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma

Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma

Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma Surendra Verma Development Manager Development Manager Windows File Systems Windows File Systems Microsoft Microsoft Transactional NTFS (TxF)

494 views • 21 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
File System Implementation Nima Honarmand Spring 2017 :: CSE 506 File Systems FS,

File System Implementation Nima Honarmand Spring 2017 :: CSE 506 File Systems FS,

Spring 2017 :: CSE 506 File System Implementation Nima Honarmand Spring 2017 :: CSE 506 File Systems FS, FFS, FAT, ext2/3/4, NTFS, View disk as an array of blocks Each block contains one or more disk sectors Sectors

595 views • 21 slides
What is a File? A file is a collection of data elements, grouped together for purpose of

What is a File? A file is a collection of data elements, grouped together for purpose of

CPSC-313: Introduction to Computer Systems UNIX I/O UNIX I/O Files and File Representation Basic operations: Reading / Writing Caching: File Open / Close Multiplexing: Select / Poll File Descriptors Reading: R&R,

391 views • 10 slides
CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. Investigative Process Analysis Framework 2. File Systems FAT NTFS Required Reading G.H. Fellow,

705 views • 51 slides
Fast File System Don Porter 1 CSE 306: Opera.ng Systems How to place a file system on disk?

Fast File System Don Porter 1 CSE 306: Opera.ng Systems How to place a file system on disk?

CSE 306: Opera.ng Systems Fast File System Don Porter 1 CSE 306: Opera.ng Systems How to place a file system on disk? Lets assume we have the following: Super block (allocaCon bitmap, FS-level metadata) Inodes (file-level

465 views • 15 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar, File Systems: NTFS Analysis of Algorithms Piyush Kumar (Lecture e 5: Compression) on) Welcome to 4531 Source: Guy E. Blelloch, Emad, Tseng

297 views • 12 slides
Today File Systems User interaction Virtual File Systems Nov 14, 2018 Sprenkle -

Today File Systems User interaction Virtual File Systems Nov 14, 2018 Sprenkle -

Today File Systems User interaction Virtual File Systems Nov 14, 2018 Sprenkle - CSCI330 1 Review: Course Grade (50%) OS Programming Projects (15%) Individual programming, reading, and writing assignments (15%) Midterm

640 views • 16 slides
File Systems Basics Nima Honarmand Fall 2017 :: CSE 306 File and inode File :

File Systems Basics Nima Honarmand Fall 2017 :: CSE 306 File and inode File :

Fall 2017 :: CSE 306 File Systems Basics Nima Honarmand Fall 2017 :: CSE 306 File and inode File : user-level abstraction of storage (and other) devices Sequence of bytes inode : internal OS data structure representing a file

856 views • 39 slides
Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system implementation n Example file systems Chapter 6 CS 1550, cs.pitt.edu 2 (originaly modified by Ethan Long-term information storage n Must store large amounts

1.01k views • 66 slides
Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system implementation Example file systems Chapter 6 CMPS 111, UC Santa Cruz 2 Long-term information storage Must store large amounts of data

829 views • 57 slides
Real Real- -Time Systems Time Systems Low- Low -level programming level programming Low-

Real Real- -Time Systems Time Systems Low- Low -level programming level programming Low-

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #6 Updated 2009-02-01 Real Real- -Time Systems Time Systems Low- Low -level programming level programming Low- Low -level programming in Ada 95 enables writing level

223 views • 7 slides
File Systems: All data structures are cached for better performance Create a new file

File Systems: All data structures are cached for better performance Create a new file

File Systems: Consistency Issues What about Multiple Updates? File systems maintain many data structures Several file system operations update multiple data structures Free list/bit vector Directories Examples: File headers and inode

257 views • 3 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Vboot Kit: Compromising Windows Vista Security Nitin Kumar , Security Researcher and Consultant

Vboot Kit: Compromising Windows Vista Security Nitin Kumar , Security Researcher and Consultant

Black Hat Europe 2007 Vboot Kit: Compromising Windows Vista Security Nitin Kumar , Security Researcher and Consultant nitin.kumar@nvlabs.in Vipin Kumar, Security Researcher and Consultant vipin.kumar@nvlabs.in http://www.nvlabs.in

982 views • 31 slides
Re Retail: Finding Jean Baptiste de Ma Marb rbot JU JUNE E 22 2017 Outline of Presentation

Re Retail: Finding Jean Baptiste de Ma Marb rbot JU JUNE E 22 2017 Outline of Presentation

Quo Vadis Capital, Inc. Proprietary Structural Analysis & Forecasting June 2017 917-470-2073 john.zolidis@quovadiscapital.com Re Retail: Finding Jean Baptiste de Ma Marb rbot JU JUNE E 22 2017 Outline of Presentation June 2017

837 views • 47 slides
modelling and forecasting in non-life insurance Mara Dolores Martnez-Miranda Jens Perch

modelling and forecasting in non-life insurance Mara Dolores Martnez-Miranda Jens Perch

A new -package for statistical modelling and forecasting in non-life insurance Mara Dolores Martnez-Miranda Jens Perch Nielsen Richard Verrall Cass Business School London, October 2013 Background 2010 Including Count Data in

484 views • 30 slides
Reliable network booting of cluster computers Matthew Steggink July 2nd, 2008 Matthew Steggink

Reliable network booting of cluster computers Matthew Steggink July 2nd, 2008 Matthew Steggink

Outline Theory Research question Test methods Observations Alternative booting Conclusion and future work Questions Reliable network booting of cluster computers Matthew Steggink July 2nd, 2008 Matthew Steggink Reliable network booting

381 views • 26 slides
(COM OMPU PUTE TER R SCIENC IENCE) E) MAGNETIC STORAGE DEVICES

(COM OMPU PUTE TER R SCIENC IENCE) E) MAGNETIC STORAGE DEVICES

, (COM OMPU PUTE TER R SCIENC IENCE) E) MAGNETIC STORAGE DEVICES

619 views • 14 slides
Investor Presentation May 2012 1 Agenda Education & Training: Landscape Company

Investor Presentation May 2012 1 Agenda Education & Training: Landscape Company

Investor Presentation May 2012 1 Agenda Education & Training: Landscape Company Overview Individual Learning Solutions Corporate Learning Solutions School Learning Solutions Skill Building Solutions Results Update

634 views • 51 slides
Investor Presentation September 2019 Disclaimer Cautionary Statement Regarding Forward-Looking

Investor Presentation September 2019 Disclaimer Cautionary Statement Regarding Forward-Looking

Investor Presentation September 2019 Disclaimer Cautionary Statement Regarding Forward-Looking Statements This presentation contains statements reflecting assumptions, expectations, projections, intentions or beliefs about future events that are

1.11k views • 31 slides
Americas Online Jobs Conceptualizations, Measurements, and Influencing Factors Christopher

Americas Online Jobs Conceptualizations, Measurements, and Influencing Factors Christopher

Americas Online Jobs Conceptualizations, Measurements, and Influencing Factors Christopher Hooton, Ph.D. Chief Economist & Head of Research, Internet Association Senior Scholar, George Washington University Institute of Public Policy

465 views • 27 slides

More recommend