Boot Process Flashcards
Learn the boot process
Win XP - Pre-Boot
Power On Self Test (POST)
Win XP - MBR
Loads boot code
Win XP - Bootcode
Searches partition table for boot sector and loads NTLDR
Win XP - NTLDR
Reads in boot.ini for OS choices, runs NTDETECT.com to query hardware
Stores data from NTDETECT.com in the HKLM\Hardware registry key
Starts NTOSKRNL.exe and HAL.dll
Win XP - NTOSKRNL.exe
Starts SMSS.exe
Win XP - SMSS.exe
Launches Winlogon.exe and CSRSS
Win XP - Winlogon
Starts LSASS, loads MSGINA, starts SCM, starts logonui.exe
Win XP - MSGINA.dll
Graphical Identification and Authorization (GINA) dll library
Activates the user shell
Customizable identification and authentication procedures
Logon dialog
Win XP - Winlogon
Receives credentials from MSGINA and passes them to LSASS
Win XP - LSASS
Checks creds against LSA database cache then NTLM or Kerberos if not found
Sends user token back to Winlogon
Win XP - Winlogon
Starts userinit in user context
Win XP - Userinit
Loads user profile, runs startup programs, starts explorer.exe
BIOS
Basic Input/Output System
Win7 - Pre-Boot
Power On Self Test (POST)
Win7 - MBR
First 512-byte sector on the hard disk
Reads and loads Volume Boot Record
Win7 - VBR
Loads bootmgr into memory
Win7 - Bootmgr
Reads Boot Config Database (BCD)
Boot menu and memtest
Calls winload (fresh boot)
Calls winresume
Win7 - Winload
Loads NTOSKRNL.exe
Loads dependencies
Loads device drivers
Win7 - NTOSKRNL
SYSTEM
Prepares for running native system
Runs SMSS
Win7 - HAL.dll
Hardware Abstraction Layer (HAL)
Interfaces driver to kernel
Win7 - SMSS
Session manager
Session 0 loads Win32k.sys (kernel subsystem)
Runs WININIT
Win7 - WININIT
Starts Service Control Manager (SCM)
Starts Local Security Authority SubSystem (LSASS)
Starts Local Session Manager (LSM)
Win7 - CSRSS
Client/Server Runtime SubSystem
Client side of the win32 subsystem process
Thread creation
VBR
Volume Boot Record
CSRSS
Client/Server Runtime SubSystem
SMSS
Session Manager SubSystem
BCD
Boot Config Database
EFI
Extensible Firmware Interface
UEFI
Unified Extensible Firmware Interface
EFI/UEFI - Step 1
Power On Self Test (POST)
EFI/UEFI - Step 2
Runs the bootloader (from NVRAM); loads the BCD (also in NVRAM)
EFI/UEFI - Step 3
Bootloader detects hardware
EFI/UEFI - Step 4
EFI boot manager gives OS boot menu
EFI/UEFI - Step 5
Winload.efi: EFI version of winload
EFI/UEFI - Step 6
Requires EFI system partition
Formatted as FAT
Up to 1GB in size
Win7 - Winlogon
Coordinates logon and user activity
Launches logonui
Win7 - Logonui
Interactive logon dialog box
Win7 - Services
Loads auto-start drivers and services
Main difference between local and domain logon
Where the user is authenticating
Local Logon authenticates where?
Locally
Domain Logon authenticates where?
With the domain controller
Tasklist
cmd.exe: lists processes with loaded modules, services, owner
Process States - New/Created
Open file (.exe)
Create initial thread
Pass to kernel32.dll to check permissions
Pass to csrss, build structure, spawns first sub-thread, inserts into windows subsystem-wide proc list
Starts execution of initial thread
For real-time systems, processes may be held in “New State” to avoid contention, otherwise moved to “Ready State”
Process States - Running
Process currently being executed (one or more threads executing)
Process States - Ready
Process ready to execute when given the opportunity (CPU Time)
Process States - Waiting
Process can’t execute until some event occurs (I/O Read)
Process States - Terminated/Exit
Termination of a process due to a halt or abort
Paging - Pages
Memory is allocated to process in distinct chunks
Paging - Page Size
Smallest unit of protection at the hardware level
4 KB for a small page, 2 MB for a large page
Paging - Overcommitted
When physical memory becomes overcommitted (threads try to use more memory than is available), pages are written to the page file on disk
Paging - Page Fault
Occurs when a thread references an invalid page
If the page is on disk in the page file, it can be brought back into memory
What are Windows Services?
Long-running executable applications that run in their own container (process)
Can be started automatically at boot, on demand, or when requested
Can be paused, stopped, or restarted
Run in the background, normally without a user interface
sc
cmd.exe: service querying and management
sc queryex eventlog
Info for the eventlog service, including its PID
tasklist /FI "pid eq XXX" /v
Query tasklist for the PID associated with eventlog
tasklist /FI "pid eq XXX" /svc
Query tasklist for svchost services
sc qdescription eventlog
Query the eventlog service description
sc qc eventlog
Show the binary command that loads the service
Threads
Basic unit to which the OS allocates processor time
Can execute any part of the process code
Including parts currently being executed by another thread
Share memory with each other as well as the process
Deadlock is possible if the threads are waiting for each other’s resources
Synchronization primitives (semaphores, mutexes) are used to control access to shared variables
Client/Server Run-Time Subsystem (CSRSS) maintains a list of threads
Threads are part of an execution priority pool 0-31 per processor; the highest priority executes next
Handles
Objects are data structures representing a system resource (file, thread, etc)
Applications can’t access objects directly, must obtain a handle
Handles for each process are tracked in an internal table known as the Object Manager
Handles allow a common interface to objects, regardless of underlying changes to the object
Handles allow Windows to track ACLs for objects during handle creation time
Thread States - Ready
Waiting for Execution, in priority pool
Thread States - Deferred Ready
Selected to run, but not yet executed. Optimization for scheduling database
Thread States - Standby
Next thread to run, only one per processor per system
Thread States - Running
A thread currently running on a processor
Thread States - Waiting
A period of inactivity while waiting for an event
Thread States - Transition
Ready for execution, but paging needed to bring back into memory
Thread States - Terminated
Finished execution, heading for deallocation in most cases
Thread States - Initialized
Thread is being created
Process
The primary container (memory structure) for a program being executed
Thread
Represents sequential machine-code instructions that a processor executes
Handle
Pointer to OS objects referenced within a process
What are system processes?
Processes owned by and executed by the operating system
required for the system to function
What are the two types of system processes?
User
Kernel
User mode processes
Runs in private virtual address space
Applications are isolated, one crash will not cause another to crash
Kernel mode processes
All run in a single virtual address space
Not isolated from other processes
Virus
Requires user interaction to replicate
Worm
Does not require user interaction to replicate
Trojan
Malware hidden within another legitimate program
Not usually self-replicating
Malicious Mobile Code
Transmitted from remote host to local host
Executed without user instruction (e.g. JavaScript, VBScript, etc.)
Blended Attack
Multiple infection/transmission methods used together
Backdoor
Malicious program that allows illegitimate access to a machine
User is unaware
Remote Access Tool (RAT)
Malicious program that provides remote command and control
Rootkit
Malicious program that is ONLY used to hide things
DOES NOT provide access or command and control alone
Keylogger
Records keyboard usage
Botnet Client
Remote administration/Command and Control of a botnet
Spyware
Monitors behavior of user
Adware
Displays paid-for ads to infected users
Ransomware
Blocks access to a resource, requires payment from victim
Bot Herder
Person in control of the botnet
Botnet
Multiple machines infected and controlled by a bot herder
Zombie
Individual machine infected and part of the botnet
Static Analysis
Examine malware without executing it
Strings
Dynamic Analysis
Examine malware while it is running
What is virtualization?
Virtualization is technology that allows you to create multiple simulated environments or dedicated resources from a single, physical hardware system. Software called a HYPERVISOR connects directly to that hardware and allows you to split 1 system into separate, distinct, and secure environments known as VIRTUAL MACHINES (VMs).
Benefits of virtualization
One set of Hardware -> Many virtual machines (VM)
VMs can be dynamically created and allocated to users
Baseline Image can be more rapidly updated
VM instances can easily be rolled back to undo changes
Provide fault tolerance through redundant hardware and migration
Could be used as a pivot point
Could provide persistence if data store is compromised
Lessens attribution
Configurable software solution (OS, Services, Programs, etc)
Useful for protected Malware Analysis (Malware Detonation Chamber)
Quick restoration times
Usable as Honey Pot or Tar Pit
Difficult for malware to maintain persistence
Easily manageable across enterprise
Risks of Virtualization
Typically require more upfront planning and configuration
In public cloud environments, lack of granularity in control of data at rest can lead to compliance issues (HIPAA, etc.).
Some functions may not work well in a VM, such as copy/paste, printers, netstat, without additional setup effort.
Persistence can be lost if the target machine is restored
Could end up in a honey pot or tar pit
If the data store is compromised all new instances will also be compromised
Planning and initial setup cost more with virtual networks.
What is situational awareness?
A method of gaining an understanding of the current operating environment on the target machine
It applies both defensively and offensively
Allows you to get an idea of what the system is used for and what type of users use it
Used to decide what courses of action are appropriate for the system
Situational Awareness - What areas are the most important to be aware of?
Running processes, active users, network configuration, network communications, logging, scheduled jobs, aliases
What runs SMSS
NTOSKRNL
What runs WININIT?
SMSS
What starts Service Control Manager (SCM)?
WININIT
What starts Local Security Authority SubSystem (LSASS)?
WININIT
What starts Local Session Manager (LSM)?
WININIT
What starts CSRSS?
SMSS
What starts Winlogon?
CSRSS
What starts Userinit?
Winlogon
What starts Explorer?
Userinit
What starts Winload?
Bootmgr
What starts NTOSKRNL?
Winload
What starts Services.exe?
WININIT