2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security

•Download as PPTX, PDF•

1 like•731 views

A short presentation from an internal NCC Group monthly tech team meeting on Windows Filter Driver architecture, implementation, attack surfaces and security considerations.

Technology

Windows File System Filter Drivers
… plus a little about security …
A crash course in 15 minutes…

What are legacy filter drivers?
• Standard Windows
• Registers handlers / call backs during init
• Filters I/O requests for FSs or volumes
• Each I/O request is an I/O request packet (IRP)
• Their load order dictates where they filter
• … old clunky basically

What are file system mini filter drivers?

What are mini filter altitudes?
Filter 420000-429999
FSFilter Top 400000-409999
FSFilter Activity Monitor 360000-389999
FSFilter Undelete 340000-349999
FSFilter Anti-Virus 320000-329998
FSFilter Replication 300000-309998
FSFilter Continuous Backup 280000-289998
FSFilter Content Screener 260000-269998
FSFilter Quota Management 240000-249999
FSFilter System Recovery 220000-229999
FSFilter Cluster File System 200000-209999
FSFilter HSM 180000-189999
*FSFilter Imaging (ex: .ZIP) 170000-174999
FSFilter Compression 160000-169999
FSFilter Encryption 140000-149999
FSFilter Virtualization 130000-139999
FSFilter Physical Quota management 120000-129999
FSFilter Open File 100000-109999
FSFilter Security Enhancer 80000-89999
FSFilter Copy Protection 60000-69999
FSFilter Bottom 40000-49999

How it works - fltmc
• Filter Manager is a legacy filter driver which exposes:
• .FltMgr
• Standard Windows APIs then

Mini filter attack surface – msg handling
• FltCreateCommunicationPort
• Registers handlers / call backs during initialization

Mini filter attack surface – msg handling

Mini filter attack surface – msg handling
• 64bit Windows calling conventions
Using the x64 convention, the first four integer arguments
(from left to right) are passed in 64-bit registers designated for
that purpose:
RCX: 1st integer argument
RDX: 2nd integer argument
R8: 3rd integer argument
R9: 4th integer argument
Integer arguments beyond the first four are passed on the
stack.

Attacks to consider
• Logic issues / dangerous functionality in custom message
handling
• Information leakage vulnerabilities
• Memory corruption issues
• State machine problems (i.e. lack of locking / unlocking)
• Incorrect return values
• Poor handling of file system API parameters
• Issues listed on the Security Considerations for Filter Drivers
• http://msdn.microsoft.com/en-
gb/library/windows/hardware/ff556606(v=vs.85).aspx
• … the unloading of filters on breakout assessments …

Further reading
• User-Mode Library for Filter Manager
• http://msdn.microsoft.com/en-
gb/library/windows/hardware/ff557247(v=vs.85).aspx
• FltXxx (Minifilter Driver) Routines
• http://msdn.microsoft.com/en-us/library/ff544617(v=vs.85).aspx
• Enumerating Minifilter Callbacks
• http://www.inreverse.net/?p=1334
• Windows Driver Kit Samples
• http://code.msdn.microsoft.com/windowshardware/site/search?f%5B0%5D.Typ
e=Technology&f%5B0%5D.Value=File%20System
• Filter Driver Development Guide
• http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-
92cdfeae4b45/filterdriverdeveloperguide.doc

UK Offices
Manchester - Head Ofﬁce
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Chicago
Atlanta
New York
Seattle
Boston
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Thanks! Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com

Viewers also liked

From Problem to Solution: Enumerating Windows Firewall-Hook Drivers

Ollie Whitehouse

Finding The Weak Link in Windows Binaries

Ollie Whitehouse

Securing your supply chain & vicarious liability (cyber security)

Ollie Whitehouse

Windows io manager

Sisimon Soman

Assuring the Security of the Supply Chain - Designing best practices for cybe...

Ollie Whitehouse

Countering the Cyber Threat

Ollie Whitehouse

NCC Group Pro-active Breach Discovery: Network Threat Assessment

Ollie Whitehouse

Red Teaming and the Supply Chain

Ollie Whitehouse

This talk briefly discusses strategies and methodologies than can be employed when assessing IoT devices. We look at how to develop credible threat scenarios for different IoT device and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, undertake a dynamic device security analysis, sources of supporting information, supporting capability requirements and establishment, Execution of dynamic device analysis and approaches around network protocol analysis.

Practical Security Assessments of IoT Devices and Systems

Ollie Whitehouse

Technical Challenges in Cyber Forensics

Ollie Whitehouse

Cyber Incident Response & Digital Forensics Lecture

Ollie Whitehouse

File systems for Embedded Linux

Emertxe Information Technologies Pvt Ltd

Private sector cyber resilience and the role of data diodes

Ollie Whitehouse

Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers

Ollie Whitehouse

Viewers also liked (14)

From Problem to Solution: Enumerating Windows Firewall-Hook Drivers

Finding The Weak Link in Windows Binaries

Securing your supply chain & vicarious liability (cyber security)

Windows io manager

Assuring the Security of the Supply Chain - Designing best practices for cybe...

Countering the Cyber Threat

NCC Group Pro-active Breach Discovery: Network Threat Assessment

Red Teaming and the Supply Chain

Practical Security Assessments of IoT Devices and Systems

Technical Challenges in Cyber Forensics

Cyber Incident Response & Digital Forensics Lecture

File systems for Embedded Linux

Private sector cyber resilience and the role of data diodes

Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers

Recently uploaded

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Real Time Object Detection Using Open CV

Khem

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Automating Google Workspace (GWS) & more with Apps Script

Boost Fertility New Invention Ups Success Rates.pdf

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Data Cloud, More than a CDP by Matt Robison

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

AWS Community Day CPH - Three problems of Terraform

A Year of the Servo Reboot: Where Are We Now?

The 7 Things I Know About Cyber Security After 25 Years | April 2024

What Are The Drone Anti-jamming Systems Technology?

How to Troubleshoot Apps for the Modern Connected Worker

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Powerful Google developer tools for immediate impact! (2023-24 C)

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Real Time Object Detection Using Open CV

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security

1. Windows File System Filter Drivers … plus a little about security … A crash course in 15 minutes…

2. What are legacy filter drivers? • Standard Windows • Registers handlers / call backs during init • Filters I/O requests for FSs or volumes • Each I/O request is an I/O request packet (IRP) • Their load order dictates where they filter • … old clunky basically

3. What are file system mini filter drivers?

4. What are mini filter altitudes? Filter 420000-429999 FSFilter Top 400000-409999 FSFilter Activity Monitor 360000-389999 FSFilter Undelete 340000-349999 FSFilter Anti-Virus 320000-329998 FSFilter Replication 300000-309998 FSFilter Continuous Backup 280000-289998 FSFilter Content Screener 260000-269998 FSFilter Quota Management 240000-249999 FSFilter System Recovery 220000-229999 FSFilter Cluster File System 200000-209999 FSFilter HSM 180000-189999 *FSFilter Imaging (ex: .ZIP) 170000-174999 FSFilter Compression 160000-169999 FSFilter Encryption 140000-149999 FSFilter Virtualization 130000-139999 FSFilter Physical Quota management 120000-129999 FSFilter Open File 100000-109999 FSFilter Security Enhancer 80000-89999 FSFilter Copy Protection 60000-69999 FSFilter Bottom 40000-49999

5. Why do we care?

6. Enumeration - fltmc

7. Enumeration - fltmc

8. Enumeration - sc

9. How it works - fltmc

10. How it works - fltmc • Filter Manager is a legacy filter driver which exposes: • .FltMgr • Standard Windows APIs then

11.

12. Mini filter attack surface – msg handling • FltCreateCommunicationPort • Registers handlers / call backs during initialization

13. Mini filter attack surface – msg handling

14. Mini filter attack surface – msg handling • 64bit Windows calling conventions Using the x64 convention, the first four integer arguments (from left to right) are passed in 64-bit registers designated for that purpose: RCX: 1st integer argument RDX: 2nd integer argument R8: 3rd integer argument R9: 4th integer argument Integer arguments beyond the first four are passed on the stack.

15. Mini filter attack surface – msg handling

16. Attacks to consider • Logic issues / dangerous functionality in custom message handling • Information leakage vulnerabilities • Memory corruption issues • State machine problems (i.e. lack of locking / unlocking) • Incorrect return values • Poor handling of file system API parameters • Issues listed on the Security Considerations for Filter Drivers • http://msdn.microsoft.com/en- gb/library/windows/hardware/ff556606(v=vs.85).aspx • … the unloading of filters on breakout assessments …

17. Further reading • User-Mode Library for Filter Manager • http://msdn.microsoft.com/en- gb/library/windows/hardware/ff557247(v=vs.85).aspx • FltXxx (Minifilter Driver) Routines • http://msdn.microsoft.com/en-us/library/ff544617(v=vs.85).aspx • Enumerating Minifilter Callbacks • http://www.inreverse.net/?p=1334 • Windows Driver Kit Samples • http://code.msdn.microsoft.com/windowshardware/site/search?f%5B0%5D.Typ e=Technology&f%5B0%5D.Value=File%20System • Filter Driver Development Guide • http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281- 92cdfeae4b45/filterdriverdeveloperguide.doc

18. UK Offices Manchester - Head Ofﬁce Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Chicago Atlanta New York Seattle Boston Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com

2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Recently uploaded

Recently uploaded (20)

2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security