Operating Systems technical challenge based on the Windows Research Kernel

Windows Research Kernel Hacking

Introduction

As a programmer, if you stay in the game long enough, it is highly likely that you will eventually begin to ask yourself what really makes a computer tick. If you set aside the processes involved in fabricating hardware and confine yourself purely to software, we can agree that the elusive kernel is the place where all the magic happens, even though many have never actually seen it. While the concepts of the kernel may be understood by many programmers from a theoretical perspective, it is rare to encounter an individual who has compiled one, even more rare to find someone who has successfully made changes to one, and almost unheard of when you consider these concepts in the context of the Windows kernel (as opposed to, say, Linux).

This makes sense as the Windows Kernel has historically been closed-source. You couldn't see inside of it if you wanted to.

Except, this isn't entirely true…

Way back in the 2000s, Microsoft released source code for something known as the "Windows Research Kernel" or WRK. Here is a portion of the release notes:

"The WRK packages core Microsoft Windows XP x64/Server 2003 SP1 kernel source code with an environment for building and testing experimental versions of the Windows kernel for use in teaching and research. The WRK includes source for processes, threads, LPC, virtual memory, scheduler, object manager, I/O manager, synchronization, worker threads, kernel heap manager, and other core NTOS functionality."

This code was offered to educators under a license that states the following:

"Use of the Windows Research Kernel requires academic affiliation with an accredited institution of higher education and direct involvement in teaching and/or research"

Per its intent, the WRK has been used in a variety of institutional courses focused on operating system research, design, and development. As a result, there exist materials (albeit dated) that can provide us with a mechanism to glean knowledge of operating systems in general. Even more exciting is that this source code has probably seen very few eyes when compared to other kernel sources. You are truly in for a unique and intimate experience with the Windows Research Kernel.

Compiling WRK on Windows 10

Prerequisites:

Copy required dlls

Copy msvcp71.dll and msvcr71.dll to C:\Windows\SysWow64 on the host machine. These libraries are required to successfully compile the Windows Research Kernel on Windows 10.

WARNING: If you do not copy the DLLs above, compilation will appear to succeed but the result will be linked incorrectly. This causes problems later on when we load the kernel in Server 2003.

Compiling via Command-Line

Begin by navigating to the WRK-v1.2 folder in a command prompt and executing Build.bat.

Run without any parameters, this kicks off an x86 build of the WRK.

(Screenshot: CompileViaCommand)

Compiling using VS 2017

Navigate to and open WRK.sln.

(Screenshot: CompileVSsln)

Select "Ok" to initiate the one-way project upgrade when prompted:

(Screenshot: UpgradePrompt)

You may be prompted to install missing features; if so, you should install them:

(Screenshot: FeaturesPrompt)

If you receive the following message, click the link area to install the tools for Windows desktop development with C++ in Visual Studio.

(Screenshot: MigratePrompt)

Open the solution again; if you are prompted to migrate again, go ahead:

(Screenshot: OpenInVS)

Set the build configuration to x86 and build; you should see the build succeed:

(Screenshot: BuildVS)

We are now ready to make some changes to the source code =)

Modifying the WRK

Expanding the WRK/base/ntos directory reveals the following structure:

cache\  - cache manager

config\ - registry implementation

dbgk\   - user-mode debugger support

ex\     - executive functions (kernel heap, synchronization, time)

fsrtl\  - file system run-time support

io\     - I/O manager

ke\     - scheduler, CPU management, low-level synchronization

lpc\    - local procedure call implementation

mm\     - virtual memory manager

ob\     - kernel object manager

ps\     - process/thread support

se\     - security functions

wmi\    - Windows Management Instrumentation

inc\    - NTOS-only include files

rtl\    - kernel run-time support

init\   - kernel startup

We will begin by modifying a syscall within WRK-v1.2/base/ntos/ex/sysinfo.c.

Head to line 1721 (Ctrl+G, then :1721) and add the following:

static int NumTimesCalled = 0;

(Screenshot: ModifyVS)

Shortly after this (immediately before the line "Status = STATUS_SUCCESS"), add the following line:

DbgPrint("WRK %d: Entering NTQuerySystemInformation!\n",++NumTimesCalled);

Be sure to substitute your own name into the message to leave your legacy in the kernel!

Next, go ahead and recompile the WRK using the x86 configuration.

(Screenshot: AddNameVS)
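As an added example (not code from the WRK or from this page), the portable C below models the two-line instrumentation above, a static call counter plus a DbgPrint of the count, so it can be built and checked outside the kernel. DbgPrint is a kernel export, so a same-named shim stands in for it here, and NtQuerySystemInformation_stub is a hypothetical stand-in whose real work is omitted; the counter uses an atomic increment, which is the race-free form of the page's plain ++ on a multiprocessor kernel.

```c
/* Added example, not code from the WRK or the original page. Models the
 * walkthrough's counter-plus-DbgPrint change to NtQuerySystemInformation as
 * user-mode C. DbgPrint is a kernel export; the shim below records the last
 * message instead. NtQuerySystemInformation_stub is hypothetical. */
#include <stdarg.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
typedef long NTSTATUS;
#define STATUS_SUCCESS 0L

/* Shim for the kernel's DbgPrint: formats into a buffer instead of the
 * kernel debugger, so the output can be inspected. */
static char g_last_dbg[128];
static int DbgPrint(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_last_dbg, sizeof g_last_dbg, fmt, ap);
    va_end(ap);
    return n;
}

/* The page uses a plain "static int NumTimesCalled" and "++NumTimesCalled".
 * The syscall can run on several CPUs at once, so a plain increment can lose
 * counts; an atomic increment expresses the same idea without that race. */
static atomic_int NumTimesCalled;

NTSTATUS NtQuerySystemInformation_stub(unsigned SystemInformationClass)
{
    NTSTATUS Status;
    (void)SystemInformationClass;   /* the information class is ignored here */

    DbgPrint("WRK %d: Entering NTQuerySystemInformation!\n",
             atomic_fetch_add(&NumTimesCalled, 1) + 1);
    Status = STATUS_SUCCESS;
    return Status;
}

int wrk_call_count(void) { return atomic_load(&NumTimesCalled); }
const char *wrk_last_debug_line(void) { return g_last_dbg; }

int main(void)
{
    for (int i = 0; i < 3; i++)
        NtQuerySystemInformation_stub(0);   /* constructed: class value is arbitrary */
    printf("%s", wrk_last_debug_line());    /* WRK 3: Entering NTQuerySystemInformation! */
    return wrk_call_count() == 3 ? 0 : 1;
}
```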

Setting up Windows Server 2003 in Hyper-V

Prerequisites:

Enable Hyper-V

Open Hyper-V Manager and create a new Virtual Machine

(Screenshot: HyperV)

Name the VM and be sure to specify Generation 1. Next, set the memory to whatever size you prefer and skip the "Configure Networking" step.

(Screenshot: CreateVM)

In the "Connect Virtual Disk" step, select "Use an existing virtual hard disk" and point it to the path which contains "Win2k3R2EE.vhd".

(Screenshot: AttachDisk)

Select "Finish" to begin deployment of the Virtual Machine.

(Screenshot: FinishVM)

Connect to the newly deployed VM.

(Screenshot: ConnectVM)

Some useful commands:

Ctrl + Alt + Left = relinquish mouse capture

Ctrl + Alt + End = Send Ctrl + Alt + Delete to the VM

Go through the initial setup, then log in with:

Username = Administrator

Password = Evaluation1

(Screenshot: LoginVM)

Configuring Server 2003 to boot your modified kernel

Prerequisites:

A way to create an .iso; we will use ImgBurn.

Install Imgburn with defaults

Use the installer included in the tools folder or acquire a copy online

Package necessary files to an ISO

Open ImgBurn and select "Create image file from files/folder"

(Screenshot: PackageISO)

Add the following files:

(Your compiled kernel)

… \OperatingSystems\Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC\WindowsResearchKernel-WRK\WRK-v1.2\base\ntos\BUILD\EXE\wrkx86.exe

(The pre-compiled Hardware Abstraction Layer)

… \OperatingSystems\Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC\WindowsResearchKernel-WRK\WRK-v1.2\WS03SP1HALS\x86\halacpim\halacpim.dll

(The kernel boot command for the boot.ini bootstrapper)

… \OperatingSystems\Toolz\KernelBootCommand.txt

(The entire folder for DebugView_v4.81 which includes the Windows Debugging Tools) - Use the Add Folder option

… \OperatingSystems\Toolz\DebugView_v4.81

Build the .iso

(Screenshot: BuildISO)

Load your files into the VM

Load your newly minted .iso into Server 2003 by selecting "Media => DVD Drive => Insert Disc".

You should see your files appear in the OS.

(Screenshot: LoadISO)

Copy Kernel & HAL to System32 on the VM

Copy your wrkx86.exe and halacpim.dll files to C:\Windows\System32 on the virtual machine.

Edit the Boot.ini file

To view and edit the Boot.ini file, follow these steps:

  1. Click Start , point to Settings , and then click Control Panel.
  2. In Control Panel, double-click System.
  3. Click the Advanced tab, and then click Settings under Startup and Recovery.
  4. Under System startup , click Edit.
  5. Copy the content from KernelBootCommand.txt and paste it at the very bottom of Boot.ini

(Screenshot: EditBootIni)

  1. Ensure that you have saved the modified Boot.ini.
  2. Power off or reboot the Virtual Machine.

Debugging your modified Kernel

On reboot, you should see a new option to boot the WRK kernel with the debugger enabled. Select that option and proceed as normal.

(Screenshot: BootWRK)

Open Dbgview.exe and select "Capture => Capture Kernel".

(Screenshot: OpenDBGView)

Notice that the message from your customized syscall is printed to the debugger each time the syscall is called.

(Screenshot: CaptureSyscall)

Questions

  1. Why is the NTQuerySystemInformation syscall called so often?
  2. What does the NTQuerySystemInformation syscall do?
  3. How has your understanding of kernels changed as a result of this exercise?
  4. Can you describe how the Windows Subsystem for Linux allows for execution of unmodified Linux binaries on Windows 10?
  5. Can you describe how Docker's isolation of multiple userspaces across a shared kernel allows for portability of containers?

Extra Challenges

  1. Modify and track calls to a different syscall within the WRK
  2. Create your own syscall – see: https://www.dcl.hpi.uni-potsdam.de/research/WRK/2009/03/implementation-of-a-new-system-service-call-2009-update/
  3. Demonstrate porting a Linux syscall to an NT syscall a la the Windows Subsystem for Linux – see: https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls/?WT.mc_id=iot-0000-pdecarlo
