Reverse Engineering Windows AFD.sys

Video in TIB AV-Portal: Reverse Engineering Windows AFD.sys

Uncovering the Intricacies of the Ancillary Function Driver

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented Winsock user-mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure will begin where MSDN ends, and our first stop along the way is an IOCTL to AFD.sys, the awkwardly named Ancillary Function Driver. This driver is of particular interest because it is so widely used and yet most people who use it do not even know it exists: nearly every Windows program managing sockets depends on it. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at; in fact, there is not even support to restrict access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that the driver weighs in at 500 KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.
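The abstract counts over 70 IOCTLs reachable through AFD's device, and the talk below points out that the dispatch table at the end of DriverEntry is indexed by IOCTL number. The following C program is an added example, not code from the talk or from Microsoft: it decodes AFD IOCTL codes. It assumes AFD's numbering convention as published in ReactOS's afd/shared.h (the device base is shifted by 12 rather than CTL_CODE's 16, so a standard decoder reports device type 1 and function 0x800 and up) and uses a handful of sample codes from the same source; both are assumptions to verify against the dispatch table in your own copy of the driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example: decoding AFD IOCTL numbers. Not taken from the talk or from
 * the driver; the AFD convention below comes from ReactOS's afd/shared.h. */

/* Generic layout produced by the NT CTL_CODE macro:
 *   bits 31..16 device type, bits 15..14 required access,
 *   bits 13..2  function number, bits 1..0 transfer method. */
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_DEVICE_NETWORK 0x12u   /* the base AFD builds its codes from */

struct ioctl_fields { uint32_t device_type, access, function, method; };

static uint32_t ctl_code(uint32_t device, uint32_t function, uint32_t method, uint32_t access)
{
    return (device << 16) | (access << 14) | (function << 2) | method;
}

/* Standard CTL_CODE decode, the way most IOCTL decoder plugins do it. */
static struct ioctl_fields decode_ctl_code(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* AFD's own convention (assumption, from ReactOS's afd/shared.h):
 *   code = (FILE_DEVICE_NETWORK << 12) | (operation << 2) | method
 * The operation index is also the index into the dispatch table that sits
 * at the end of DriverEntry, which is the number you actually want. */
static int is_afd_code(uint32_t code)
{
    return (code >> 12) == FILE_DEVICE_NETWORK;
}

static uint32_t afd_operation(uint32_t code)
{
    return (code >> 2) & 0x3FFu;
}

static uint32_t afd_method(uint32_t code)
{
    return code & 0x3u;
}

static const char *method_name(uint32_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3u];
}

/* Count the codes in a dispatch-table dump that hand the driver raw user
 * pointers (METHOD_NEITHER): those are the ones to review for double fetches. */
static size_t count_method_neither(const uint32_t *codes, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_afd_code(codes[i]) && afd_method(codes[i]) == METHOD_NEITHER)
            hits++;
    return hits;
}

/* Constructed sample: a few AFD codes as published in ReactOS's headers.
 * Treat them as assumptions and check them against your own DriverEntry dump. */
static const uint32_t sample_afd_codes[] = {
    0x00012003u, /* AFD_BIND,    op 0 */
    0x00012007u, /* AFD_CONNECT, op 1 */
    0x00012010u, /* AFD_ACCEPT,  op 4, METHOD_BUFFERED */
    0x00012017u, /* AFD_RECV,    op 5 */
    0x0001201Fu, /* AFD_SEND,    op 7 */
    0x00012024u, /* AFD_SELECT,  op 9, METHOD_BUFFERED */
};
#define SAMPLE_COUNT (sizeof(sample_afd_codes) / sizeof(sample_afd_codes[0]))

int main(void)
{
    /* The standard macro would place AFD_BIND at a different value entirely. */
    printf("CTL_CODE(NETWORK, 0, NEITHER) = 0x%08X, AFD_BIND is 0x%08X\n",
           ctl_code(FILE_DEVICE_NETWORK, 0, METHOD_NEITHER, 0), sample_afd_codes[0]);
    printf("%-10s %-6s %-18s %s\n", "code", "afd-op", "method", "standard decode");
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        uint32_t c = sample_afd_codes[i];
        struct ioctl_fields f = decode_ctl_code(c);
        printf("0x%08X %-6u %-18s dev=0x%X fn=0x%X\n", c, afd_operation(c),
               method_name(afd_method(c)), f.device_type, f.function);
    }
    printf("%zu of %zu are METHOD_NEITHER\n",
           count_method_neither(sample_afd_codes, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

When dumping the table from IDA, feed the whole list of codes to count_method_neither and diff the operation indices against the table entries; any index whose handler is reached through AfdDispatchImmediate and is METHOD_NEITHER is a candidate for the time-of-check/time-of-use review the talk describes.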
Thank you. This is the first conference where everything just kind of magically worked the second I stepped on stage, so thank you very much to the audio and visual crew here for making it an incredibly easy process. I work for Google on Project Zero. My contact information is here if you have questions or want to get hold of me or complain to me; you'll find my Twitter handle and e-mail address. I also play a lot of capture the flag, with Samurai CTF, and if you want to play CTF I encourage you to do so: it's a great way to take reverse engineering skills and apply them directly to vulnerability analysis, which is really how this research started. I was hunting for bugs in AFD.sys, and while I didn't come away with any bugs, I came away with a pretty good understanding of the driver and felt that was worth documenting.

So, why I was even looking at AFD.sys to begin with, and it's not because it starts with an A and is at the top of the list of all the modules, though we'll go with that one. I'll give you a kind of Winsock overview, since AFD is part of this overall system architecture in Windows called Winsock, and tell you some of the interesting findings I had in the driver itself: how you can talk to it, where it initializes from, and how you can use it to your own benefit. I'll also talk about the vulnerability analysis I performed on it and the fuzzing work that I did, and then we'll wrap up with what I'd like to do with this in the future; hopefully we can encourage other people to get involved in this kind of research.

So what is AFD.sys? It's the default kernel-mode module in system32\drivers. You can go and look at it in the file properties and it says "Ancillary Function Driver", and there's a story behind the name, actually: it used to go by a different name. Does anyone know what it is? It's "Another Fucking Driver". So you can imagine the guy sitting down programming drivers all day long, and you know, this is the 38th driver he's programmed, it's a fucking driver, and he named it that in the initial stages but had to change the name before release. So: Ancillary Function Driver. It is the ring 0 entry point for sockets, so when you do a socket call you bounce around in this user-mode architecture that doesn't actually do anything for you until you hit the kernel, and I'll tell you more about how that works.

Not everything in Windows uses AFD for network communications; Microsoft is sort of notorious for building the same systems to do different things, so you can talk to the network in at least four different ways. You've got WinHTTP, which is HTTP.sys, you've got WebDAV communications, you've got [inaudible] access and the rest of the client: basically networking file systems and special optimizations for Internet-heavy applications. But this is the one that was really interesting to me, the BSD socket API, and why we were interested in that is not just for its own sake but because it is very accessible from sandboxes. If you look at Chrome's sandbox, the renderer process for example has access to \Device\Afd\Endpoint: you can open it and send IOCTLs to it, even as a guest user. Same with Adobe Reader, and same with IE; in fact every sandbox that Project Zero looked at, and really James Forshaw wrote that part, had this device accessible. So despite the fact that you can't initialize Winsock in the Chrome sandbox, you can't call WSAStartup, you can open the device and send IOCTLs to it and make network communications without the benefit of the user-mode Winsock framework. This is really interesting, since it's like bringing your own Winsock along.

And for bugs, there's a history of bugs: it's been about one good one a year. One of these was an information leak, and the last one in 2014 was a full privilege escalation that was really well documented and actually ended up being used as part of a chain of bugs to take a hundred-thousand-dollar prize at the Pwn2Own competition. So Google's naturally interested in this as well and continues to do this research.
As I said, I work for Project Zero, and the one-line mission statement of the team is to make 0-day hard; not impossible, just more difficult. So you can spend a week fuzzing something, get a 0-day, and it gets you a hundred thousand dollars, right? We want to make that a more difficult process, and we have three approaches to do that. The first one is to make sandboxes more difficult. Sandboxes are a widely adopted technology already; you see them in Chrome, IE, Reader and Office, apparently not, all right. The idea behind them is to increase the attacker cost: you have to use one exploit to get into the sandbox and then another exploit to get out of the sandbox. We feel that the process of getting in is easy, and that's the second approach: we make that harder by fuzzing out low-hanging fruit, and we do a lot of manual analysis on the sandbox to make getting out harder as well.

Historically we've seen three big ways of getting out of sandboxes. First, logic errors in the broker process: you have a sandbox and you can't write any files, you can't make network communications, you can't do registry reads, except that you actually do need those for configuration, so you talk over IPC to another process that has permissions to do what you need, and then you can get just that one narrow path. Sometimes there are a lot of these exceptions to the sandbox, and you'll find logic errors in those. Second, the sandbox is only as strong as the kernel it's running on, or the accessible part of the kernel it's running on, and you find things like win32k.sys, with 3.1 megabytes of code and however many hundreds of system calls you can get off of that. Both of those are well-known things, and the one that you don't see a whole lot of people talking about is accessible devices. AFD is accessible; there are also things like your USB hub that are accessible through these sandboxes as well. So this is sort of a not-often-talked-about attack surface for the Windows kernel, and for sandbox escapes in particular.

You can't really disable this thing until Windows 8. You can go in as an administrator and change the permissions on the device, but then no one can make socket calls on the computer, which is not something you want to do. In Windows 8 you can use something like an AppContainer with a lowbox token to lock down a specific file, but that's not a simple process. It's not like, say, a restricted feature for one particular usage or technology; it is something that is always there and has always been there. In fact it dates back to Windows 95: fire up a Windows 95 box and AFD.sys is running and doing much the same thing it's doing today. So we have this kind of perfect storm of complexity and accessibility.

As for complexity: AFD is 500 KB. If you look at the average size of most drivers, it's less than 100 KB. That's not as atrocious as a 3.1 megabyte driver, but it's still quite sizable. It handles 70 IOCTLs, possibly 71, out of the box directly from the endpoint device, and it is designed to map between different protocols, handling everything from TCP/IP, IPv4 and IPv6, TCP, UDP and raw sockets, to SAN requests. So there's quite a lot going on here that it is trying to account for all at once. This is a
very dated diagram, but it gives you an impression of where Winsock lives, how it works, and where AFD fits in the picture. Across the top here you have your applications; these will largely be Windows 32- or 64-bit applications that talk to ws2_32.dll directly. You don't see the old wsock32 or Winsock 1.1 from back in Windows 98 much any more; ws2_32 is the normal way to call socket. So if your application starts off with a socket call, it first initializes with WSAStartup to load all these DLLs into memory, but the socket function itself goes to ws2_32, which immediately calls the WSA version of socket. This is Microsoft code: you have a wrapper with one function call that just calls another one with the exact same arguments, maybe a couple more, and from there it pretty much gets out of there really quickly and goes off to mswsock.dll, which is where a lot of the functionality actually is. mswsock then has an abstraction to say which protocol you want to talk to; in this case we're saying we want to talk TCP/IP, or we could pass in IrDA and we'd be speaking infrared, with a different helper DLL for each protocol you could load. This is all very well documented and understood in Windows, how to write these helper DLLs, so I won't spend a whole lot of time on it. Basically mswsock loads that helper DLL, and back out in mswsock is where the IOCTLs happen, to AFD.sys down here, which is our first stop in kernel mode. When you make a socket call there are actually three IOCTLs that happen. The first is a tuple of information about the specific protocol and socket type you're trying to open, and it stores that information into an AFD structure that is created when we first open an AFD endpoint. So that will contain unique data about "this is AF_INET, this is a SOCK_STREAM socket", and that will control how the rest of the AFD endpoint operates off this initial setup.

This is kind of funny, too: Microsoft is very, very good about being backwards compatible, and if you go and look at some of these files, there's one DLL that is literally an empty PE file; it has one export that jumps to mswsock, but otherwise it is pretty well defunct and still exists as an artifact to provide compatibility.

So in this way AFD really acts as a translator between multiple protocols that can be specified in user mode and a lower-level kernel abstraction. AFD is not a network driver; it's not sending out your packets, but it is translating your calls to TDI, or WSK, Winsock Kernel, in some cases. So this sort of extends this user-mode architecture down throughout kernel mode. TDI, Microsoft has said, is deprecated: you shouldn't use it any more, and, like things like layered service providers, there's the Windows Filtering Platform instead. But it's still there, and when you make a plain socket call this is still what's going to get hit. Kernel-mode clients that want to open a socket can use WSK, and WSK socket opening is actually implemented in AFD as well: AFD.sys becomes a Winsock Kernel provider, and you can see it registering for all of these entry points too. Unfortunately you cannot hit the WSK code from user mode, but there are really interesting things that happen in there, and that would be a topic for further analysis. My interest was simply what was accessible from the sandbox, so the roughly 70 or 71 IOCTLs you can hit. So you open up the driver in
IDA and the first thing you notice is hundreds of debug prints: there are like 113 cross-references to it, and there are like a thousand functions, so something like 10% of the functions have at least one of them. Normally you'd think about why you should remove debug prints in release builds, or use ETW, Event Tracing for Windows, which also accounts for a significant amount of code in AFD, but you see the debug prints going up over time: 23 to 213 between Windows 7 and Windows 8. I'm not really complaining about this; it actually makes reverse engineering a lot easier, because it will tell you "at this offset this register needs to be printed out", and the value of whatever structure offset that was will be printed to you in plain text. So this was useful both for reverse engineering and for turning on the debug prints and coming back to watch what was happening, and the checked builds all have similar things.

The first thing it does is create this device, and then it starts reading in configuration from the registry. My best guess as to why this happens is so that you can have an AFD that is tuned for a client machine, the same code but tuned differently for a server machine or for a phone, so it will receive all of these different configuration settings. Normally things like buffer sizes are in there, but there's also the "disable raw security" setting: if you've ever tried to open a raw socket you've probably seen that you get access denied unless you have this registry bit flipped, and there's one for AFD and also another one for TCP/IP. So this is a common configuration setting for drivers, and there are protocol-specific things coming from this configuration as well, like the defaults in Windows for TCP windowing; you can actually adjust that in the registry, and it's very easy to find all of these configurations: run strings on the binary and you'll see all of them. This fills out this AFD configuration structure that's referenced all over the place.

The buffer sizes caught my eye, as a vulnerability analyst, because if you start a driver with a certain buffer size configuration and you can change that as it's running, well, one buffer size might not be the same buffer size between one call and the other calls to it. But unfortunately, or rather fortunately for security, the keys are properly secured: you have to be admin, and if you're admin in a sandbox there are a lot easier ways you can do escapes. A few of these configurations are registered as volatile configurations, so that there is a change notification on the registry: the driver will get a callback when this registry key changes, and it will reconfigure itself. Things like buffer sizes are not in that, and the disable raw security setting was also not in that, which is why you have to reboot after setting it if you want to make raw socket communications. So, what inputs does it take? This is
really what matters when we're talking about what it does with the data I want to give it. Drivers usually receive inputs via IOCTLs, and this is indeed where the majority of the cases are here. We can see that everything is set to AfdDispatch, and there are a few different dispatch routines: AfdDispatchDeviceControl, which is the one I focused on, the WSK dispatch for kernel only, the Event Tracing dispatch, and then a fast I/O dispatch path, which mostly maps back to the other dispatch functions. Of course there's unload, which is mandatory for drivers. It also registers plug-and-play events, so when you plug in a new network card or a new infrared device AFD is going to get a notification about that as well, and likewise it is aware of the TDI layer, because it is a client to TDI as much as it is a server for user mode, and it is aware of TDI address changes: if we have a new device or it gets an address, AFD maintains a list of those addresses for use in other user-mode IOCTL calls. And as things developed in Microsoft, like RPC in the kernel, AFD was not immune from this as well; it has several important ones that I haven't reversed yet, but it's an obvious area to crawl, and there's really something interesting there.

So this is the big IOCTL table, but again it's easy to find: it's at the bottom of DriverEntry, and immediately after it are the numbers of the IOCTLs, so basically the first thing on the list in the IOCTL table matches to the first function, and those are the symbols, if you want to go and pull them. There's another level of indirection happening here; if you look at this you can probably see that some of these are all AfdDispatchImmediate: they have different numbers associated with them but it's always going to the same function. So basically what's happening there is that those are the IOCTLs that will always return and complete the request immediately; they don't say STATUS_PENDING. This is where the fast path things match up as well. So, just as an example, there's another table here: off the fast I/O dispatch path there's another table that is referenced inside AfdDispatchImmediate, and these map one-to-one, with NULLs for the other items, by IOCTL number. Kind of interesting here as well is that you find there is overlap between the functions on the fast path as well, so several of the IOCTLs for dispatch immediate all point to get context and set context, and it's for setting different kinds of information on the socket; it defines that by IOCTL number. Right.
So, static analysis. I mostly focused on Windows 7, actually 6.1, but I would have started with Windows 8: the driver disassembles quite a bit easier, and the symbols match up and give you better hints at what's going on. It was mostly classic bottom-up analysis: looking for memmove, memcpy, all the dozen or so ExAllocatePool routines that are there, and all of those look good. There are probably 200 cross-references to these routines; you go and look at each one: is there a way to make a buffer overflow with a long length, is the buffer properly sized first, is it aligned properly. These are extremely well documented techniques for finding bugs in kernel drivers, and it's a manual slog through. The other technique I like to use on drivers is to cross-reference __security_check_cookie: the compiler is kind enough to tell you "oh, there's lots of stack operations here, there's lots of copying into a large stack buffer", and it puts a cookie there and checks it on the way out. Well, if I go through all of those functions I'm guaranteed to find good opportunities for vulnerability analysis. Likewise, functions with large stack buffers that may not have a cookie on them for one reason or another are also a target for analysis. The one that I would really love to have a solid automated story for, and I don't, is object reference counting bugs. There were several instances where the references are increased, and every code path, data-flow analysis, intra-procedural analysis, showed that these were used appropriately. So Microsoft did a really good job on this driver; you could tell that it had been looked at many times, you could tell it had been fuzzed. Going through it, this is kind of indicative of the bugs they were getting out of it: the one last year was a dangling pointer reference, so that was an object reference issue. There's a couple of scripts I wrote that automate checking for returns, like when you call ExAllocatePool, do you verify that you get a pointer back. And there's one that really kind of caught me for a little while: one allocation routine that actually doesn't return a bad value when it has a problem, it raises an exception, which is different from all the other ExAllocatePool routines.

So I went through all the reachable AFD IOCTLs. I did not look at the WSK ones, and I did not look at the SAN ones; you have to have a SAN device enabled to reach a lot of them. They paid very good attention to data alignment and proper size restrictions on any buffers you pass in, and the majority of the IOCTLs are METHOD_NEITHER, so basically the I/O manager doesn't copy in your data; you get pointers directly to user mode. This is sort of the reason why there have been a lot of bugs in win32k.sys: many of those calls are also METHOD_NEITHER and you can get into time-of-check/time-of-use bugs very quickly. So I manually checked for these as well, along with integer issues. The
fuzzing that I did. So I banged my head against this for 3 or 4 weeks and I had a frustrating time of it; I wasn't finding bugs. When you get frustrated, that's enough: fire up a fuzzer, throw it at the thing and see what happens. By then I had a pretty good understanding of what it was actually doing with the IOCTLs and what the limits were, for instance that you couldn't pass in more than 256 bytes for an AFD bind request, so I built this knowledge into the fuzzer when I went to fuzz the object, so it wasn't wasting a whole lot of time fuzzing things that would be kicked out at first glance by the function. This is my preference: I usually like to do static analysis over fuzzing, because you get a better understanding, and if you're going to go the route of fuzzing I would encourage the static analysis first, as you're going to write a better fuzzer having some knowledge of what it's doing. So I had two weeks of fuzz time on it, and I did not scale it: I had a single core running this, one VM running my fuzzer and one with a kernel debugger attached to it, so if an exception happened it would catch it and I'd analyze it in real time. It was kind of a simple fuzzer with maybe one little novel technique: it would hit all the IOCTLs, and it would then have the buffers that were passed into these IOCTLs mutated by a separate user-mode thread, so that we could attempt to find time-of-check/time-of-use bugs. If there's a race condition you're not likely to hit it unless you line things up on page boundaries, but if you're going to scale it I think you're likely to hit it at least once or twice. The fuzzer did not turn up anything, which was not terribly surprising given the quality of the code, but at least I gave it a poke.

For future work: it's really interesting to say that you can have this sandbox and you can't make socket calls, but it is technically possible to write a native AFD library, something native-like where you could link in afd_socket, and even though you don't have the whole Winsock framework supporting you, so long as you can talk to this driver in the right way you'll be able to get some network communication out of the sandbox. You could compile it and run it as shellcode. The really cool thing about doing something like this is that it would apply feedback into a more intelligent fuzzer: some sort of fuzzing with these IOCTLs and fuzzing at the library level. That's something that should have happened before we started research on this; the intent was to provide some level of assurance that no, AFD does not fall over with 3 or 4 weeks of analysis. I think we could fuzz it better: fuzz at scale, and build up the data structures it's expecting a little bit more. And if it's useful, I don't know how many devices are out there that have SAN access in them, but we could fuzz the SAN functions as well.

So that's my talk: a short, brief intro into one stop in AFD. Thanks to Google and Project Zero and James Forshaw for supporting this research and encouraging me along the way. I'm happy to take any
questions you have.

Question: I just wanted to ask, did you ever try to do some of this kind of research against [inaudible] socket [inaudible]?

Answer: No, we were not so much interested in that under the sandbox focus. Thank you.

Question: I guess a general question: the tooling you're doing, is this documented? Are you releasing the fuzzers you're using?

Answer: Yes, we've certainly released fuzzers to Microsoft in the past, and we've released, well, not Project Zero specifically, but team members on Project Zero have released open-source fuzzers, and that's something we strive to do. If it is requested, certainly we can release. I think for this one in particular I'm going to go back and focus on the native AFD library first and then build a fuzzer around that, and possibly release it. OK, thank you very much.
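The talk above makes two related points: most of AFD's reachable IOCTLs are METHOD_NEITHER, so the handler reads user memory through raw pointers, and the fuzzer had a second user-mode thread mutate the IOCTL buffers to try to land in the time-of-check/time-of-use window. The following C model is an added example and not AFD's code or the speaker's fuzzer: it makes that window deterministic by invoking a mutator hook exactly between a handler's check and its use, and shows the double-fetch pattern next to the single-fetch fix. The request layout, the 256-byte kernel buffer and the hook mechanism are all constructed for illustration; the real fuzzer races a thread and only hits the window probabilistically, and real vulnerable code would overrun its stack buffer where this model merely reports that it would.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example: a deterministic model of the double-fetch window in a
 * METHOD_NEITHER IOCTL handler, next to the fix. Not code from AFD.sys. */

#define KERNEL_BUF_SIZE 256u

/* Constructed request layout: a declared length followed by the payload.
 * With METHOD_NEITHER this struct stays in user memory and the handler only
 * receives a pointer to it, so every read of req->length is a fresh fetch
 * from user mode that another user thread can change at any moment. */
struct user_request {
    uint32_t length;
    uint8_t  payload[1024];
};

enum verdict { REQ_COPIED, REQ_REJECTED, REQ_WOULD_OVERFLOW };

/* Stand-in for the mutator thread: the harness calls it in the window
 * between the handler's check and its use, which a racing thread in a
 * fuzzer only hits probabilistically. */
typedef void (*race_hook)(struct user_request *req);

/* Vulnerable pattern: validate req->length, then read it again for the copy. */
static enum verdict handle_double_fetch(struct user_request *req, race_hook race)
{
    uint8_t kbuf[KERNEL_BUF_SIZE];

    if (req->length > sizeof(kbuf))           /* fetch #1: the check */
        return REQ_REJECTED;

    if (race)
        race(req);                            /* user thread flips the length here */

    uint32_t len = req->length;               /* fetch #2: the use */
    if (len > sizeof(kbuf))
        return REQ_WOULD_OVERFLOW;            /* real code would memcpy len bytes into kbuf */
    memcpy(kbuf, req->payload, len);
    return REQ_COPIED;
}

/* Fixed pattern: capture the length once into kernel-owned storage, validate
 * the captured copy, and never consult the user header again. In a driver the
 * capture happens after ProbeForRead, inside the exception handler. */
static enum verdict handle_single_fetch(struct user_request *req, race_hook race)
{
    uint8_t kbuf[KERNEL_BUF_SIZE];
    uint32_t len = req->length;               /* the only fetch */

    if (len > sizeof(kbuf))
        return REQ_REJECTED;

    if (race)
        race(req);                            /* changes nothing the handler still uses */

    memcpy(kbuf, req->payload, len);
    return REQ_COPIED;
}

/* The mutator: grow the declared length after the check has passed. */
static void grow_length(struct user_request *req)
{
    req->length = 4096u;
}

/* Build a request whose payload is filler and whose length is under control. */
static void make_request(struct user_request *req, uint32_t length)
{
    memset(req, 0x41, sizeof(*req));
    req->length = length;
}

int main(void)
{
    struct user_request req;

    make_request(&req, 64u);
    printf("double fetch, no race:  %d\n", handle_double_fetch(&req, NULL));
    make_request(&req, 64u);
    printf("double fetch, raced:    %d\n", handle_double_fetch(&req, grow_length));
    make_request(&req, 64u);
    printf("single fetch, raced:    %d\n", handle_single_fetch(&req, grow_length));
    make_request(&req, 4096u);
    printf("single fetch, bad len:  %d\n", handle_single_fetch(&req, NULL));
    return 0;
}
```

The model says nothing about how often a real race lands; the talk's point that you need page-boundary alignment or scale to hit it stands. What it does show is the review rule for a METHOD_NEITHER handler: every field that controls a size, an offset or a pointer must be read from user memory exactly once, and every later decision must use the kernel-side copy.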