A short presentation from an internal NCC Group monthly tech team meeting on Windows Filter Driver architecture, implementation, attack surfaces and security considerations.
1. Windows File System Filter Drivers
… plus a little about security …
A crash course in 15 minutes…
2. What are legacy filter drivers?
• Standard Windows
• Registers handlers / callbacks during init
• Filters I/O requests for FSs or volumes
• Each I/O request is an I/O request packet (IRP)
• Their load order dictates where they filter
• … old clunky basically
14. Mini filter attack surface – msg handling
• 64bit Windows calling conventions
Using the x64 convention, the first four integer arguments (from left to right) are passed in 64-bit registers designated for that purpose:
RCX: 1st integer argument
RDX: 2nd integer argument
R8: 3rd integer argument
R9: 4th integer argument
Integer arguments beyond the first four are passed on the stack.
16. Attacks to consider
• Logic issues / dangerous functionality in custom message handling
• Information leakage vulnerabilities
• Memory corruption issues
• State machine problems (i.e. lack of locking / unlocking)
• Incorrect return values
• Poor handling of file system API parameters
• Issues listed on the Security Considerations for Filter Drivers
• http://msdn.microsoft.com/en-gb/library/windows/hardware/ff556606(v=vs.85).aspx
• … the unloading of filters on breakout assessments …
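The two slides above (message handling as attack surface, and the list of attacks to consider) come together in a minifilter's port message callback, which receives caller-controlled input and output buffers plus their lengths. The following is an added example, not code from the presentation or from NCC Group: a portable C model of such a callback, with constructed status codes, a constructed request/reply wire format, and a parameter list modelled on the shape of a message-notify callback (port cookie, input buffer and length, output buffer and length, returned length). With six parameters, the x64 convention from slide 14 puts the first four in RCX/RDX/R8/R9 and the last two on the stack. The defensive points it demonstrates are the ones the "Attacks to consider" slide lists: length validation before any copy (memory corruption), a single copy into a local before validation (state between check and use), bounding an embedded length by the array rather than trusting it (poor parameter handling), and reporting only the bytes actually written (information leakage).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed status codes standing in for NTSTATUS values (hypothetical). */
typedef int32_t STATUS;
#define STATUS_OK                 0
#define STATUS_INVALID_PARAMETER  1
#define STATUS_BUFFER_TOO_SMALL   2
#define STATUS_INVALID_LENGTH     3

/* Constructed wire format of a message a user-mode client sends to the port. */
typedef struct {
    uint32_t command;    /* requested operation */
    uint32_t path_len;   /* bytes of path[] in use; caller-controlled! */
    char     path[256];
} FILTER_REQUEST;

typedef struct {
    uint32_t status;
    uint32_t matched;
} FILTER_REPLY;

enum { CMD_QUERY_PATH = 1 };

/* Message callback modelled on a minifilter message-notify callback (hypothetical
   name). Six parameters: under x64 the first four arrive in RCX/RDX/R8/R9, the
   remaining two on the stack. Every buffer and length here is caller-controlled. */
STATUS message_notify(void *port_cookie, const void *in, uint32_t in_len,
                      void *out, uint32_t out_len, uint32_t *returned_len)
{
    FILTER_REQUEST req;
    FILTER_REPLY reply;
    (void)port_cookie;

    if (returned_len == NULL) return STATUS_INVALID_PARAMETER;
    *returned_len = 0;

    /* 1. Validate the input length before any read: this is what stops the
          handler reading past the end of the caller's buffer. */
    if (in == NULL || in_len < sizeof req)
        return STATUS_INVALID_LENGTH;

    /* 2. Copy once into a local and validate only the local copy, so the
          caller cannot change fields between the check and the use. */
    memcpy(&req, in, sizeof req);

    /* 3. The embedded length is attacker-controlled too: bound it by the
          array size, never by itself. */
    if (req.path_len > sizeof req.path)
        return STATUS_INVALID_PARAMETER;

    /* 4. Verify output space before writing anything. */
    if (out == NULL || out_len < sizeof reply)
        return STATUS_BUFFER_TOO_SMALL;

    memset(&reply, 0, sizeof reply);   /* no uninitialised bytes leak out */
    switch (req.command) {
    case CMD_QUERY_PATH:
        reply.status  = STATUS_OK;
        reply.matched = (req.path_len >= 3 && memcmp(req.path, "C:\\", 3) == 0);
        break;
    default:
        return STATUS_INVALID_PARAMETER;   /* unknown command: reject, no output */
    }

    /* 5. Report exactly the bytes written, never the caller's out_len. */
    memcpy(out, &reply, sizeof reply);
    *returned_len = sizeof reply;
    return STATUS_OK;
}

/* Drives the callback with a constructed request so each check can be observed. */
STATUS exercise(uint32_t in_len, uint32_t out_len, uint32_t path_len, uint32_t *matched_out)
{
    FILTER_REQUEST req;
    FILTER_REPLY reply;
    uint32_t returned = 0;
    STATUS st;

    memset(&req, 0, sizeof req);
    memset(&reply, 0, sizeof reply);
    req.command  = CMD_QUERY_PATH;
    req.path_len = path_len;
    memcpy(req.path, "C:\\", 3);

    st = message_notify(NULL, &req, in_len, &reply, out_len, &returned);
    if (matched_out)
        *matched_out = (st == STATUS_OK && returned == sizeof reply) ? reply.matched : 0;
    return st;
}

/* Convenience wrapper: 1 if a well-formed request with the given path_len matches. */
uint32_t exercise_matched(uint32_t path_len)
{
    uint32_t m = 0;
    exercise(sizeof(FILTER_REQUEST), sizeof(FILTER_REPLY), path_len, &m);
    return m;
}

int main(void)
{
    printf("well-formed:        %d\n", exercise(sizeof(FILTER_REQUEST), sizeof(FILTER_REPLY), 3, NULL));
    printf("short input:        %d\n", exercise(4, sizeof(FILTER_REPLY), 3, NULL));
    printf("bogus path_len:     %d\n", exercise(sizeof(FILTER_REQUEST), sizeof(FILTER_REPLY), 1000, NULL));
    printf("small output:       %d\n", exercise(sizeof(FILTER_REQUEST), 2, 3, NULL));
    printf("matched:            %u\n", exercise_matched(3));
    return 0;
}
```

The order of the checks is deliberate: lengths are validated against the fixed structure sizes before the first byte is read, the request is copied exactly once, and the reply buffer is zeroed before use so that a caller handing in an oversized output buffer receives only the bytes the handler actually wrote.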
18. UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Chicago
Atlanta
New York
Seattle
Boston
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland
Thanks! Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com