
Microsoft will give antivirus products the ability to monitor Linux-subsystem activity on Windows 10

In previous posts on our corporate blog we have returned several times to the Windows Subsystem for Linux (WSL) on Windows 10 and described details of its technical implementation. The beta version of the subsystem shipped to users disabled by default as part of the Windows 10 Redstone 1 update (Anniversary Update) in August of this year.



Recently Microsoft announced changes to the Windows kernel that let antivirus drivers work correctly with processes of the Linux subsystem, that is, processes that execute ELF binaries.

Before the kernel offered callback mechanisms for monitoring its operations, authors of firewall and antivirus drivers intercepted system services by patching the system call table (KiServiceTable), which on 32-bit Windows can be located through the exported KeServiceDescriptorTable variable. Once documented APIs for registering callback functions appeared, developers moved to them; on 64-bit Windows the old approach was never an option in the first place, since KeServiceDescriptorTable is not exported there and Kernel Patch Protection (PatchGuard) bug-checks the system when the table is modified.

Fig. WSL file system architecture. LXCore.sys emulates the various Linux kernel objects on top of Windows kernel functions.

One of the main operations an antivirus or HIPS controls is the creation of processes and threads. A driver registers a callback with PsSetCreateProcessNotifyRoutineEx and PsSetCreateThreadNotifyRoutine, and from then on it is notified whenever a process or thread is created (and when it exits). Microsoft has extended this with PsSetCreateProcessNotifyRoutineEx2 and PsSetCreateThreadNotifyRoutineEx, which take an additional notify-type parameter: passing PsCreateProcessNotifySubsystems (or PsCreateThreadNotifySubsystems) makes the driver receive notifications for processes and threads of the Linux subsystem as well. In the process callback the IsSubsystemProcess bit of PS_CREATE_NOTIFY_INFO marks such a process, and the new ProcessSubsystemInformation and ThreadSubsystemInformation information classes return a SUBSYSTEM_INFORMATION_TYPE (SubsystemInformationTypeWin32 or SubsystemInformationTypeWSL) that says which subsystem the object belongs to. As with PsSetCreateProcessNotifyRoutineEx, the calling driver must be linked with /INTEGRITYCHECK, otherwise registration fails with STATUS_ACCESS_DENIED.

```c
#include <ntddk.h>   // WDK for Windows 10 1607 (Redstone 1) or later

// PCREATE_PROCESS_NOTIFY_ROUTINE_EX: the Ex/Ex2 variants receive the PEPROCESS
// object (not the parent id); CreateInfo is NULL when the process exits.
void Callback(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
              _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    HANDLE ProcessHandle;
    SUBSYSTEM_INFORMATION_TYPE Subsystem;
    NTSTATUS Status;
    UNREFERENCED_PARAMETER(ProcessId);

    if (CreateInfo == NULL) {
        return;                                 // process exit: nothing to classify
    }
    if (CreateInfo->IsSubsystemProcess == 0) {  // bit in the anonymous Flags union
        /* ordinary Win32 process: the existing callback logic applies unchanged */
        return;
    }
    // Subsystem process: ask which subsystem owns it. A handle is needed, and
    // kernel code calls Zw* rather than Nt* so the access check sees KernelMode.
    Status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL,
                                   PROCESS_QUERY_INFORMATION, *PsProcessType,
                                   KernelMode, &ProcessHandle);
    if (!NT_SUCCESS(Status)) {
        return;
    }
    Status = ZwQueryInformationProcess(ProcessHandle, ProcessSubsystemInformation,
                                       &Subsystem, sizeof(Subsystem), NULL);
    ZwClose(ProcessHandle);
    if (NT_SUCCESS(Status) && Subsystem == SubsystemInformationTypeWSL) {
        /* WSL process: the image is an ELF executable, apply Linux-aware logic here */
    }
}

// Registration, e.g. from DriverEntry. PsCreateProcessNotifySubsystems asks for
// notifications about subsystem (WSL) processes too. The last argument is Remove:
// FALSE registers the callback, TRUE would unregister it.
NTSTATUS RegisterProcessCallback(void)
{
    PSCREATEPROCESSNOTIFYTYPE Type = PsCreateProcessNotifySubsystems;
    return PsSetCreateProcessNotifyRoutineEx2(Type, (PVOID)Callback, FALSE);
}
```

```c
#include <ntddk.h>   // WDK for Windows 10 1607 (Redstone 1) or later

// PCREATE_THREAD_NOTIFY_ROUTINE: only ids are passed, so a handle to the thread
// has to be obtained before ZwQueryInformationThread can be called.
void Callback(_In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create)
{
    PETHREAD Thread;
    HANDLE ThreadHandle;
    SUBSYSTEM_INFORMATION_TYPE Subsystem;
    NTSTATUS Status;
    UNREFERENCED_PARAMETER(ProcessId);

    if (!Create) {
        return;                                 // thread exit
    }
    if (!NT_SUCCESS(PsLookupThreadByThreadId(ThreadId, &Thread))) {
        return;
    }
    Status = ObOpenObjectByPointer(Thread, OBJ_KERNEL_HANDLE, NULL,
                                   THREAD_QUERY_INFORMATION, *PsThreadType,
                                   KernelMode, &ThreadHandle);
    ObDereferenceObject(Thread);                // PsLookup* returned a referenced object
    if (!NT_SUCCESS(Status)) {
        return;
    }
    Status = ZwQueryInformationThread(ThreadHandle, ThreadSubsystemInformation,
                                      &Subsystem, sizeof(Subsystem), NULL);
    ZwClose(ThreadHandle);
    if (!NT_SUCCESS(Status)) {
        return;
    }
    if (Subsystem == SubsystemInformationTypeWin32) {
        /* Win32 thread: the existing callback logic applies unchanged */
    } else if (Subsystem == SubsystemInformationTypeWSL) {
        /* thread of a WSL process: apply Linux-aware logic here */
    }
}

// Registration, e.g. from DriverEntry. PsCreateThreadNotifySubsystems asks for
// notifications about threads of subsystem (WSL) processes too.
NTSTATUS RegisterThreadCallback(void)
{
    PSCREATETHREADNOTIFYTYPE Type = PsCreateThreadNotifySubsystems;
    return PsSetCreateThreadNotifyRoutineEx(Type, (PVOID)Callback);
}
```
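The same ProcessSubsystemInformation class the driver callbacks above query is reachable from user mode through ntdll's NtQueryInformationProcess, which is handy for checking what a sensor or EDR should expect to see before writing kernel code. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes Windows 10 1607 (Redstone 1) or later with WSL installed, and that the class value 75 and the encoding 0 = Win32, 1 = WSL match the SUBSYSTEM_INFORMATION_TYPE enum in the WDK headers. It enumerates all processes and lists the ones the kernel reports as belonging to the WSL subsystem:

```powershell
# Added example: classify running processes by subsystem from user mode.
# Assumes Windows 10 1607+; on older builds NtQueryInformationProcess returns
# STATUS_INVALID_INFO_CLASS (0xC0000003) for class 75.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class SubsystemQuery
{
    // PROCESSINFOCLASS::ProcessSubsystemInformation (WDK value, added in 1607)
    public const int ProcessSubsystemInformation = 75;
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        out int ProcessInformation, int ProcessInformationLength, out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-ProcessSubsystem {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Limited query access is enough for this information class.
    $h = [SubsystemQuery]::OpenProcess([SubsystemQuery]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'AccessDenied' }
    try {
        $sub = 0; $len = 0
        $status = [SubsystemQuery]::NtQueryInformationProcess(
            $h, [SubsystemQuery]::ProcessSubsystemInformation, [ref]$sub, 4, [ref]$len)
        if ($status -ne 0) { return ('NTSTATUS 0x{0:X8}' -f $status) }
        # SUBSYSTEM_INFORMATION_TYPE: 0 = SubsystemInformationTypeWin32, 1 = SubsystemInformationTypeWSL
        switch ($sub) {
            0       { 'Win32' }
            1       { 'WSL' }
            default { "Unknown($sub)" }
        }
    } finally {
        [void][SubsystemQuery]::CloseHandle($h)
    }
}

# List every process the kernel attributes to the Linux subsystem.
Get-Process | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Subsystem = (Get-ProcessSubsystem -ProcessId $_.Id) }
} | Where-Object Subsystem -eq 'WSL' | Format-Table -AutoSize
```

Run it from an elevated PowerShell while a WSL shell is open; processes the script cannot open (protected or higher-integrity ones) are reported as AccessDenied rather than misclassified. Note that this only covers the original WSL design discussed in the post, where Linux processes are NT pico processes; WSL 2 runs them inside a lightweight virtual machine, so neither this query nor the kernel callbacks above observe them as individual NT processes.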

» Microsoft has published information about the implementation of VFS in the Linux subsystem on Windows 10
» Microsoft revealed the technical aspects of the implementation of the Linux subsystem in Windows 10
» Microsoft has confirmed rumors about the integration of the Linux subsystem in Windows 10
» Turning on the Linux subsystem in Windows 10

Source: https://habr.com/ru/post/314476/

