# 05: Chapter 2 | LAB Exercise Playbook
In this exercise we will get a feel for user mode, kernel mode, native functions, syscalls, syscall stub, etc. To do this, the student must complete the following tasks.
| Task Nr. | Task Description |
|---|---|
| 1 | Use WinDbg on your DEV/LAB machine and open or attach to a process like x64 notepad.exe. |
| 2 | Debug the syscall IDs (System Service Numbers, SSNs) for the following four native APIs that we will need later in the Direct Syscalls and Indirect Syscalls chapters: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject |
| 3 | Make a note of the debugged syscall IDs; we will need them later. |
| Task Nr. | Task Description |
|---|---|
| 4 | Open Procmon and open a new instance of notepad.exe |
| 5 | Type some text into notepad.exe and save the file to disk. |
| 6 | Using Procmon, search for the operation WriteFile and analyse the call stack for: |
In the first step we will use WinDbg to debug the syscall IDs for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx and NtWaitForSingleObject. To do this we use the `x` command to extract the memory address of the native API and then the `u` command to unassemble (disassemble) that address, which shows the contents of the syscall stub of the native function. In this case, Windows 10 Enterprise 22H2 was used.
To begin debugging, run notepad.exe, open WinDbg, and attach to the notepad.exe process.
Then we can start debugging the SSN for the first API, e.g. NtAllocateVirtualMemory. First we need to extract the necessary information for the API from ntdll.dll. Why ntdll.dll? Remember that many, if not most, native APIs are located in ntdll.dll.
The general syntax of the `x` (examine symbols) command, followed by the concrete command for NtAllocateVirtualMemory:

```
x ntdll!NtAPI
x ntdll!NtAllocateVirtualMemory
```
Then, in the second step, we use the memory address returned for the respective native API, e.g. NtAllocateVirtualMemory, to unassemble or disassemble the memory and thereby show the assembly instructions of the syscall stub, which include the System Service Number (SSN).

```
u memory address
u 00007ff8`c318d350
```
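Reading the SSN by eye from the `u` output works for four APIs, but it is easy to misread a stub that has been modified. The following Python script is an added example, not part of the original playbook: it parses the text WinDbg prints for a stub, checks that the stub has the expected x64 shape (`mov r10,rcx` / `mov eax,SSN` / ... / `syscall`) and only then returns the SSN. Both listings are constructed samples; the address is the one used above, while the SSN value `18h`, the opcode bytes and the "hooked" listing are illustrative assumptions, so debug your own machine for the real numbers.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of what WinDbg's `u` command prints for an x64 syscall
# stub. The address is the one used in the playbook; the SSN value (18h) is
# an illustrative placeholder - debug your own machine to get the real number.
SAMPLE_CLEAN = """\
ntdll!NtAllocateVirtualMemory:
00007ff8`c318d350 4c8bd1          mov     r10,rcx
00007ff8`c318d353 b818000000      mov     eax,18h
00007ff8`c318d358 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff8`c318d360 7503            jne     ntdll!NtAllocateVirtualMemory+0x15 (00007ff8`c318d365)
00007ff8`c318d362 0f05            syscall
00007ff8`c318d364 c3              ret
00007ff8`c318d365 cd2e            int     2Eh
00007ff8`c318d367 c3              ret
"""

# Constructed sample of a stub whose first bytes have been replaced by a jump,
# which is what a user-mode hook on the function looks like in `u` output.
# No SSN can be read from such a listing, and the parser must say so.
SAMPLE_HOOKED = """\
ntdll!NtAllocateVirtualMemory:
00007ff8`c318d350 e9ab120000      jmp     00007ff8`c318e600
00007ff8`c318d355 90              nop
00007ff8`c318d356 90              nop
"""

# One `u` line: <address> <opcode bytes> <mnemonic> [operands]
INSN_RE = re.compile(r"^[0-9a-f`]+\s+[0-9a-f]+\s+(\w+)\s*(.*)$", re.IGNORECASE)
# Operand of the SSN load: WinDbg prints `eax,18h`; accept `0x18` as well.
IMM_RE = re.compile(r"^eax\s*,\s*(?:0x([0-9a-f]+)|([0-9a-f]+)h)$", re.IGNORECASE)


def parse_listing(listing: str) -> List[Tuple[str, str]]:
    """Turn `u` output into (mnemonic, operands) pairs, skipping symbol lines."""
    insns = []
    for line in listing.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            mnemonic = m.group(1).lower()
            operands = re.sub(r"\s+", "", m.group(2)).lower()
            insns.append((mnemonic, operands))
    return insns


def extract_ssn(listing: str) -> Optional[int]:
    """Return the SSN from an unmodified x64 stub, or None if the stub does
    not have the expected shape (mov r10,rcx / mov eax,SSN / ... / syscall)."""
    insns = parse_listing(listing)
    if len(insns) < 3:
        return None
    if insns[0] != ("mov", "r10,rcx") or insns[1][0] != "mov":
        return None
    m = IMM_RE.match(insns[1][1])
    if not m:
        return None
    # The stub must actually reach a `syscall` instruction.
    if not any(mnemonic == "syscall" for mnemonic, _ in insns[2:]):
        return None
    return int(m.group(1) or m.group(2), 16)


if __name__ == "__main__":
    for name, listing in (("clean", SAMPLE_CLEAN), ("hooked", SAMPLE_HOOKED)):
        ssn = extract_ssn(listing)
        print(f"{name}: SSN = {ssn:#x}" if ssn is not None else f"{name}: no SSN readable")
```

Paste the `u` output for each of the four APIs into the script and it returns the SSN as an integer, or `None` when the first instructions are not the plain stub prologue. SSNs differ between Windows builds, so the values noted for task 3 belong to the exact build you debugged (Windows 10 Enterprise 22H2 in this lab).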
## Solution
The second step is to use Procmon to analyse the privilege mode switch from user mode to kernel mode in the context of the notepad.exe process. To do this, we open notepad.exe, write the file to disk by saving it, and then use Procmon to look for the WriteFile operation in the context of notepad.exe. Filter the Procmon capture on:

- Process Name is notepad.exe
- Operation is WriteFile
## Solution
In the following diagram we can clearly see the transition from user mode to kernel mode in the context of saving the file to disk with notepad.exe. First the Win32 API WriteFile is called, then the native function NtWriteFile, which contains the syscall stub (syscall ID, syscall instruction, etc.), and finally the syscall instruction itself is executed. The kernel, in turn, needs to interact with the appropriate device driver to write to the disk. This is where IofCallDriver is called, which is also shown in the figure.
- We can use a debugger such as WinDbg or x64dbg to debug the System Service Numbers (SSNs) of native APIs.
- First we need to extract the memory address of a native API in ntdll.dll.
- Second, we need to disassemble that memory address to get the contents of the syscall stub, which includes the SSN.
- We can use Procmon to visualize the privilege mode switch from user mode to kernel mode.