CSED 431 Week 2
Virtual Machines
Windows SteadyState / DeepFreeze
The schedule says:
5:15-6:45 in LT 605, 7:00-8:15 in the Emerging Technologies Lab
More like 5:15-6:30, 6:30-7:45
Virtual Machines -- How they work
Modern computers all have at least two internal privilege levels: user and kernel (sometimes also called supervisor).
(Intel processors typically have up to four privilege levels.) Any
instruction dealing with either physical I/O (ie disk read/writes) or
with changing the internal memory allocations and restrictions can only
be executed in kernel mode; changing the mode can also only be done
from kernel mode. User programs always run in user mode. When the OS
loads, it runs initially as supervisor.
If my user-mode program wants to do something privileged, it has to ask
nicely, since it cannot execute it directly. It does this by issuing a trap instruction, which ends up referring to a special trap table
in low memory (that cannot be altered by user-mode programs). Suppose,
for example, that a program wants to read block 1083 of a file (or for
that matter of a disk). It sets up parameters for the operation:
- The operation description is READ_BLOCK
- The block desired is 1083; a handle to the appropriate file or disk is also provided
- The address of a suitably sized chunk of memory to hold the new data is provided
The TRAP instruction shifts to kernel mode, but
it also jumps to a pre-determined library; that is, the user-mode
program cannot run its own code in kernel mode. The predetermined
library is in charge of carrying out user-mode requests, but is also in
charge of maintaining system integrity. In the case above, the library
will invoke its read_block() procedure, with the appropriate
parameters. That procedure will check that the file block (and file
handle) is valid, and it will check that the buffer address is valid
and appropriate, before doing anything else. File permissions would also be checked if necessary (though most OSs, including windows, check file permissions only when files are first opened).
If everything checks out, the read_block() procedure will then fetch
the appropriate data, and finally return control to the user program
with the cpu level back in user mode.
That trap-instruction library can be large and complex; it represents
(along with "interrupt handlers") the whole extent of machine code that
runs at kernel level, and to a great extent determines the character of
the operating system.
What a virtual machine does is twofold:
- the trap library of the host system is replaced with a (modified) trap library for the guest system
- the original guest OS trap library is "patched" so that now it
too typically runs in user mode, and when it needs to execute an actual
privileged instruction, a special new trap library (part of the VM) is invoked that makes
that translation to the host system.
For example, the above READ_BLOCK for the windows guest is now executed
by the windows trap library running in userland, up until the point of
the actual I/O instruction. That
instruction is "trapped" and at that point the host OS takes over,
directing the read not to be from a hardware hard-disk controller but
from a virtual-disk file instead.
Calling a conventional library (in windows, a .dll) is like the trap
library, except that no privilege escalation occurs. A user program
could, in principle, always supply its own libraries. Standard
libraries are used, however, as they are a great convenience for the
programmer.
In the real world, the trap-instruction library can be extended or modified by kernel drivers. In windows, these are *.sys files, usually in c:\windows\system32\drivers.
Windows SteadyState
This is a Microsoft-developed package for securing standalone (that is,
not on a domain) windows hosts. As of this writing, it is not yet
available for Windows 7, though it has recently been ported to Vista.
The main component of interest, for us, is Windows Disk Protection (WDP), a Microsoft alternative to DeepFreeze (DF) by Faronics, Inc.
One big difference between WDP and DF is that the former can always be
disabled by any administrator while the latter is intended to be
"hardened" against administrator activity. In fact, a common setting
for DF is in computer labs (such as Loyola) where every user is given
local administrative access.
Both WDP and DF install special "drivers" that intercept disk reads and
writes and store all new changes in a special place. WDP stores all
drive changes in a special file \Cache.WDP, which is created in size
equal to half the drive free space (and thus big enough to handle any
changes to the remaining half). I do not know where DF keeps its cache
file. All new writes go to the cache file and not
to the actual disk file hierarchy (thus the existing file hierarchy on
the disk is never changed). All reads check first in the cache file; an
entry there means that the relevant disk block was changed while no
entry there means that the data is then read from the original
filesystem. When the system is rebooted, the WDP/DF software clears the
cache entries and so the disk filesystem begins again from scratch.
The drivers are loaded at boot time (or by program control), basically from registry entries, eg
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Wdf01000
for WDP.
For WDP, I compared the list of *.sys files in the directory
C:\windows\system32\drivers before and after installation, and found
that WDP created two new files: wdfldr.sys and wdf01000.sys. "Wdf"
likely stands for "windows driver foundation", a Microsoft framework
for writing drivers.
For both WDP and DF, if you access the drive in question other than
through the instance of Windows that has the disk protection installed,
changes can be made and are persistent. That is, both WDP and DF only
protect against changes while they are running; they do not restore the
disk from some preset "backup" location.
Here is how we can write to frozen drives:
- Physically remove the drive from the machine it is in, and
temporarily connect it in to a second machine as a second drive (eg IDE
0 Secondary or IDE 1 Primary or Secondary; IDE 0 Primary is the boot
drive). This takes a screwdriver!
- Boot from a CD (or usb) drive. I don't have any instances of
windows bootable from CD, but I do have bootable ubuntu linux CDs. I
have used these to boot DF machines and make persistent changes to the
filesystem.
- Boot from a second Windows partition. Small backup windows
partitions are an excellent place from which to attempt repairs on your
primary windows partition.
- For
VirtualBox machines, the primary virtual disk from one machine can
easily be "mounted" in other virtual machines, much like the first
option, above, that requires screwdrivers. However, I have not figured
out how to do this with snapshots; that is, you must merge/delete the
snapshot first. This means it is not so easy to make backups, in case
you render the virtual machine unbootable! One workaround is to go into
/home/pld/.VirtualBox/HardDisks and use the linux cp command to make a backup copy of medXP2.vdi:
cp medXP2.vdi medXP2.vdi.backup
Writing to frozen machines is only part of what might need to be done;
one may also need to modify the frozen machine's registry. This is done
by using regedit under another windows instance to load the appropriate "hive" file. The
main system hive files are in C:\windows\system32\config, and are SAM,
SECURITY, SYSTEM, and SOFTWARE. Note that, on a "non-live"
windows filesystem, these are ordinary files that can be copied at
will; on boot systems these registry files are "protected" by being in
use and cannot be copied. Editing hive files of another instance of Windows will be discussed below.
For both WDP and DF, note that removing the relevant driver files will
have no effect: the change is made only to the cache, and when the
system reboots the file will still be there. The file itself was loaded
into the kernel at boot time and is no longer consulted. Similarly,
deleting the registry entry that invokes the driver will have no
effect, because the registry hive file will be restored on reboot --
like any other file -- and the old entry will then reappear. Both WDP
and DF also appear to use process threads that lock some crucial
registry entries by "holding them open".
Both WDP and DF provide a software interface for unfreezing the disk.
For WDP, that interface is available to anyone running the SteadyState
console application as an Administrator. For DF, even the administrator
has to provide a special password to disable the software.
The "standard" approach to hacking DeepFreeze, that can be found by
googling for "hacking deepfreeze", is to attach a debugger to the
DeepFreeze password program and modify it so that it accepts any
password and then disables DeepFreeze. (While this will work under XP,
provided one has figured out all the executable-modification details,
it is unlikely to work under Vista and later, because those operating
systems provide for "protected processes" to which a debugger cannot be
attached.
If we go in from the outside and simply delete the driver files (eg
wdfldr.sys/wdf01000.sys), the resulting system will simply not boot.
Our approach here will be to delete the registry entry that invokes the driver. This involves the following:
- figuring out the appropriate registry entries
- booting another machine, and copying the registry hive file to that machine
- modifying that registry hive on the other machine
- copying the registry hive back to the original machine (making sure there is a backup)
Demo: using minXP to delete the wdf01000.sys file from medxp. It
fails! If we were doing this from medXP, the deletion would only affect
the "shadow copy" of the disk, and the original wdf01000.sys would be
right back on the next reboot, loaded into the kernel.
Note that when installing SteadyState (the Microsoft package that
contains WDP), the software attempts to contact Microsoft during the
process. I did not notice until attempting to do install this offline
that if the software cannot reach Microsoft then it still does go ahead
with the installation, but it takes a lot longer. Also, note that the
act of installing SteadyState disables Fast User Switching. This
probably relates to the "basic six" security features that SteadyState
enables by default. It may have more to do with the fact that the
software enables the "Welcome screen".
Disabling Windows Disk Protection
Warning: almost all the steps here will break future removal or reinstallation of WDP.
We know we can disable WDP from the Steady State application. We will
investigate disabling WDP by tweaking the filesystem and registry
directly. In this sense, we are using WDP as an example of a potential
virus, that we also might need to disable manually.
First, note that if we do the following to a clean copy of windows
- make copies of the registry files (booting from a second windows instance)
- install SteadyState and enable Windows Disk Protection
- restore the registry (again booting from a second windows instance)
then WDP will be disabled. (The desktop icon will still be there, but
it will not run.) The disk cache file will have to be deleted manually. (Note that we will be unable to reinstall SteadyState successfully.)
Second, note that if we instead attempt to delete the drivers, wdfldr.sys and wdf01000.sys, the system will be unbootable.
A third attempt might be to remove the cache file. Attempting this is part of today's lab.
A fourth attempt is to edit the registry remotely, from another instance of windows (remember that editing the registry on a system with WDP enabled is useless).
To edit the registry remotely, first open regedit as usual. Then select
HKEY_USERS, and choose File => Load Hive. Select the registry hive
file you wish to edit, eg E:\windows\system32\config\system, or
E:\Docs&Settings\owner\ntuser.dat. You will then have to provide a
"mount point" name that represents the "link-in" point to the existing
registry; a nonsense name is fine or, if you are editing a user
profile, you can use the username. Now you can browse or search the
registry hive, and make changes as appropriate. When searching,
remember that the search will continue on into the rest of the registry.
If you are accessing a frozen machine via a linux boot CD, you will
have to copy the registry hive file onto, say, a USB drive, and use
that to carry the file to a real windows installation for editing.
Reverse the steps to get the modified registry hive file back to its
original location. And always leave a copy of the original, perhaps
with the suffix ".backup", in its original directory.
Lab
1. Disable the user zack's ability to write to the Desktop. See how that affects saving files. Is windows at all "friendly" about its notification here?
2. Enable Windows Disk Protection on medXP ("medium-sized XP")
3. Verify that it works, eg by creating some folders on the owner desktop
4. Shut down medXP2, and boot minXP to access the medXP disk (as drive e:). Remove the cache file e:/Cache.WDP. Shut down minXP and reboot medXP. What happens? What does Windows Disk Protection do? Does it recover?
5. Remove windows disk protection (by using the option in SteadyState to disable it). Through what hoops must you jump?
6. Can you now re-enable it successfully?
7. Use remote-registry editing
to change the wallpaper of owner, on medXP. Set the following registry
value. which you can find more quickly by searching for "wallpaper":
[owner]\Control Panel\Desktop\Wallpaper = C:\WINDOWS\web\wallpaper\Autumn.bmp
Verify that this survives reboot. (Note that Windows comes with Autumn.jpg, but that jpeg files can not be used for wallpaper directly, so I have made the conversion to .bmp format.)
To edit the registry remotely, first open regedit as usual. Then select
HKEY_USERS, and choose File => Load Hive. Select the registry hive
file you wish to edit, in this case
E:\Docs&Settings\owner\ntuser.dat. You will then have to provide a
"mount point" name that represents the "link-in" point to the existing
registry; the simplest is to use "owner" or "ownerreg". Now you can
browse or search the
registry hive, and make changes as appropriate. Note that the [owner]
in the previous paragraph represents the "mount point" you just
selected. When searching,
remember that the search will continue on into the rest of the registry.