Windows Research Kernel Hacking
Introduction
As a programmer, if you stay in the game long enough, it is highly likely that you will eventually begin to ask yourself what really makes a computer tick. If you set aside the processes involved in fabricating hardware and confine yourself purely to software, we can agree that the elusive kernel is the place where all the magic happens, even though many have never actually seen it. While the concepts of the kernel may be understood by many programmers from a theoretical perspective, it is rare to encounter an individual who has compiled one, even more rare to find someone who has successfully made changes to one, and almost unheard of when you consider these concepts in the context of the Windows kernel (as opposed to, say, Linux).
This makes sense as the Windows Kernel has historically been closed-source. You couldn't see inside of it if you wanted to.
Except, this isn't entirely true…
Back in the 2000s, Microsoft released source code for something known as the "Windows Research Kernel", or WRK. Here is a portion of the release notes:
"The WRK packages core Microsoft Windows XP x64/Server 2003 SP1 kernel source code with an environment for building and testing experimental versions of the Windows kernel for use in teaching and research. The WRK includes source for processes, threads, LPC, virtual memory, scheduler, object manager, I/O manager, synchronization, worker threads, kernel heap manager, and other core NTOS functionality."
This code was offered to educators under a license that includes the following:
"Use of the Windows Research Kernel requires academic affiliation with an accredited institution of higher education and direct involvement in teaching and/or research"
Per its intent, the WRK has been used in a variety of institutional courses focused on operating system research, design, and development. As a result, there exist materials (albeit dated) that give us a mechanism to glean knowledge of operating systems in general. Even more exciting is that this source code has probably seen very few eyes when compared to other kernel sources. You are truly in for a unique and intimate experience with the Windows Research Kernel.
Compiling WRK on Windows 10
Prerequisites:
- Windows 10
- Visual Studio 2017
- Windows Server 2003 Evaluation Edition
- Windows Research Kernel
- msvcp71.dll
- msvcr71.dll
Copy required dlls
Copy msvcp71.dll & msvcr71.dll to C:\Windows\SysWow64 on the host machine. These libraries are required to successfully compile the Windows Research Kernel on Windows 10.
WARNING: If you do not copy these two DLLs, compilation will appear successful but the kernel will link incorrectly. This will result in issues later on when we load the kernel into Server 2003.
Compiling via Command-Line
Begin by navigating to the WRK-v1.2 folder in a command prompt and execute Build.bat
When executed without any parameters, this kicks off an x86 build of the WRK
Compiling using VS 2017
Navigate to and open the WRK.sln
Select "Ok" to initiate the one-way project upgrade when prompted:
You may be prompted to install missing features; if so, you should install them:
If you receive the following message, click the link area to install the tools for Windows desktop development with C++ in Visual Studio
Open the solution again; if you are prompted to migrate again, go ahead:
Set the build configuration to x86 and Build; you should see success:
We are now ready to make some changes to the source code =)
Modifying the WRK
Expanding the WRK/base/ntos directory reveals the following structure:
cache\ - cache manager
config\ - registry implementation
dbgk\ - user-mode debugger support
ex\ - executive functions (kernel heap, synchronization, time)
fsrtl\ - file system run-time support
io\ - I/O manager
ke\ - scheduler, CPU management, low-level synchronization
lpc\ - local procedure call implementation
mm\ - virtual memory manager
ob\ - kernel object manager
ps\ - process/thread support
se\ - security functions
wmi\ - Windows Management Instrumentation
inc\ - NTOS-only include files
rtl\ - kernel run-time support
init\ - kernel startup
We will begin by modifying a syscall within WRK-v1.2/base/ntos/ex/sysinfo.c
Head to line 1721 (Ctrl+G then :1721) and add the following:
static int NumTimesCalled = 0;
Shortly after this (immediately before the line "Status = STATUS_SUCCESS"), add the following line:
DbgPrint("WRK %d: Entering NTQuerySystemInformation!\n",++NumTimesCalled);
Be sure to substitute your name for "WRK" in the string to leave your legacy in the kernel!
Next, go ahead and recompile the WRK using the x86 configuration
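The counter hook above, as an added example that is not the WRK's own code: a user-mode C model of the same idea that can be compiled and tested outside the kernel. It keeps the page's counter and DbgPrint, but uses an atomic increment (the syscall can run on several CPUs at once, so a plain static ++ can lose counts), tallies calls per SystemInformationClass, and rate-limits the output so DebugView is not flooded; the DbgPrint stand-in, the bucket size and the function names are assumptions.

```c
/* Added example, not WRK code: a user-mode model of the counter hook placed at
 * the top of NtQuerySystemInformation above. DbgPrint and the interlocked
 * increment are stand-ins for the ntddk.h versions used inside sysinfo.c. */
#include <stdio.h>
#include <stdatomic.h>

#define DbgPrint printf        /* stand-in for the kernel's DbgPrint */
#define CLASS_BUCKETS 64       /* assumption: tally classes 0..63, rest overflow */

static atomic_long NumTimesCalled;                  /* total calls, all CPUs */
static atomic_long CallsByClass[CLASS_BUCKETS + 1]; /* per-class tally */

static unsigned long Bucket(unsigned long SystemInformationClass)
{
    return SystemInformationClass < CLASS_BUCKETS ? SystemInformationClass
                                                  : CLASS_BUCKETS;
}

/* Count the call, tally the requested SystemInformationClass, and print only
 * every PrintEvery-th call (0 = every call) so a hot syscall does not flood
 * DebugView. Atomic increments replace the plain ++ because the syscall can
 * run concurrently on several CPUs. Returns the new total call count. */
long WrkTraceQuery(unsigned long SystemInformationClass, unsigned long PrintEvery)
{
    long n = atomic_fetch_add(&NumTimesCalled, 1) + 1;
    atomic_fetch_add(&CallsByClass[Bucket(SystemInformationClass)], 1);
    if (PrintEvery == 0 || (unsigned long)n % PrintEvery == 0)
        DbgPrint("WRK %ld: Entering NtQuerySystemInformation (class %lu)\n",
                 n, SystemInformationClass);
    return n;
}

/* How many times a class was requested; a per-class tally is what answers
 * "why is this syscall called so often" (class 5, SystemProcessInformation,
 * is the one behind process listings such as Task Manager). */
long WrkClassCount(unsigned long SystemInformationClass)
{
    return atomic_load(&CallsByClass[Bucket(SystemInformationClass)]);
}

int main(void)
{
    /* Constructed sample: three process queries, then one performance query. */
    WrkTraceQuery(5, 1); WrkTraceQuery(5, 1); WrkTraceQuery(5, 1);
    WrkTraceQuery(2, 1);
    printf("class 5 seen %ld times, total %ld\n",
           WrkClassCount(5), (long)atomic_load(&NumTimesCalled));
    return 0;
}
```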
Setting up Windows Server 2003 in Hyper-V
Prerequisites:
Open Hyper-V Manager and create a new Virtual Machine
Name the VM, then be sure to specify Generation 1. Next, set the memory to whatever size you prefer and skip the "Configure Networking" step
In the "Connect Virtual Disk" step, select "Use an existing virtual hard disk" and point it to the path which contains "Win2k3R2EE.vhd"
Select "Finish" to begin deployment of the Virtual Machine
Connect to the newly deployed VM
Some useful commands:
Ctrl + Alt + Left = relinquish mouse capture
Ctrl + Alt + End = Send Ctrl + Alt + Delete to the VM
Go through the initial setup, then log in with
Username = Administrator
Password = Evaluation1
Configuring Server 2003 to boot your modified kernel
Prerequisites:
A way to create an .iso; we will use ImgBurn
Install ImgBurn with defaults
Use the installer included in the tools folder or acquire a copy online
Package necessary files to an ISO
Open ImgBurn and select "Create image file from files/folder"
Add the following files :
(Your compiled kernel)
… \OperatingSystems\Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC\WindowsResearchKernel-WRK\WRK-v1.2\base\ntos\BUILD\EXE\wrkx86.exe
(The pre-compiled Hardware Abstraction Layer)
… \OperatingSystems\Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC\WindowsResearchKernel-WRK\WRK-v1.2\WS03SP1HALS\x86\halacpim\halacpim.dll
(The kernel boot command for the boot.ini bootstrapper)
… \OperatingSystems\Toolz\KernelBootCommand.txt
(The entire folder for DebugView_v4.81 which includes the Windows Debugging Tools) - Use the Add Folder option
… \OperatingSystems\Toolz\DebugView_v4.81
Build the .iso
Load your files into the VM
Load your newly minted .iso into Server 2003 by selecting "Media => DVD Drive => Insert Disc"
You should see your files appear in the OS
Copy Kernel & HAL to System 32 on the VM
Copy your wrkx86.exe and halacpim.dll files to C:\Windows\System32 on the virtual machine
Edit the Boot.ini file
To view and edit the Boot.ini file, follow these steps:
- Click Start, point to Settings, and then click Control Panel.
- In Control Panel, double-click System.
- Click the Advanced tab, and then click Settings under Startup and Recovery.
- Under System startup, click Edit.
- Copy the content from KernelBootCommand.txt and paste it at the very bottom of Boot.ini
- Ensure that you have saved the modified Boot.ini
- Power off or reboot the Virtual Machine
Debugging your modified Kernel
On reboot, you should see a new option to boot the WRK kernel with the debugger enabled; select that option and proceed as normal
Open Dbgview.exe and select "Capture => Capture Kernel"
Notice that your customized syscall is printed to the debugger each time it is called
Questions
- Why is the NtQuerySystemInformation syscall called so often?
- What does the NtQuerySystemInformation syscall do?
- How has your understanding of kernels changed as a result of this exercise?
- Can you describe how the Windows Subsystem for Linux allows for execution of unmodified Linux binaries on Windows 10?
- Can you describe how Docker's isolation of multiple userspaces across a shared kernel allows for portability of containers?
Extra Challenges
- Modify and track calls to a different syscall within the WRK
- Create your own syscall – see: https://www.dcl.hpi.uni-potsdam.de/research/WRK/2009/03/implementation-of-a-new-system-service-call-2009-update/
- Demonstrate porting a Linux syscall to an NT syscall a la the Windows Subsystem for Linux – see: https://blogs.msdn.microsoft.com/wsl/2016/06/08/wsl-system-calls/?WT.mc_id=iot-0000-pdecarlo