
Code Integrity Validation für Windows

The bachelor thesis deals with the validation of code for the Windows kernel at load and run time. The work is based on the paper by Kittel et al., which describes a method to validate code in modern Linux kernels. Like Kittel et al., we use the LibVMI library to read memory from the guest system (Windows 8.1) and afterwards check the integrity of the kernel using the Xen hypervisor. The first part gives an overview of the motivation and related work. The second part of this work deals with the Portable Executable (PE) file format used by Windows: we give an overview of the important structures of the file format and of the offsets we used to realize the program, and explain the relocation section in detail to convey a deeper understanding of it. The third part gives some background information, such as the approach of Kittel et al. and some basic functions of the operating system which are essential for developing this framework. The next parts explain the actual implementation, followed by a security feature, activated in Windows 8.1 Update 3, which impaired the result of this thesis. The following chapter explains the setup used and evaluates the results. The last chapter gives a conclusion followed by an outlook.
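The core check the abstract describes, as an added Python example that is not the thesis's own code: parse a PE `.reloc` section, apply the `IMAGE_REL_BASED_DIR64` fixups for the actual load base to the on-disk image, and compare the result byte for byte with the in-memory copy. The image layout, addresses and the "memory" buffers below are constructed stand-ins for what LibVMI would read from the guest.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address, add load delta

def parse_relocs(reloc_data):
    """Walk the IMAGE_BASE_RELOCATION blocks of a .reloc section.
    Returns a list of (type, rva) for every real fixup."""
    out, off = [], 0
    while off + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, off)
        for i in range((block_size - 8) // 2):
            (e,) = struct.unpack_from("<H", reloc_data, off + 8 + 2 * i)
            typ, page_off = e >> 12, e & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                out.append((typ, page_rva + page_off))
        off += block_size
    return out

def apply_relocs(file_image, relocs, delta):
    """Rebase the on-disk image as the loader would for load_base - image_base."""
    img = bytearray(file_image)
    for typ, rva in relocs:
        if typ != IMAGE_REL_BASED_DIR64:
            raise ValueError(f"unsupported relocation type {typ}")
        (v,) = struct.unpack_from("<Q", img, rva)
        struct.pack_into("<Q", img, rva, (v + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(img)

def validate(file_image, reloc_data, mem_image, image_base, load_base):
    """Return the offsets where guest memory deviates from the expected image."""
    expected = apply_relocs(file_image, parse_relocs(reloc_data), load_base - image_base)
    return [i for i, (a, b) in enumerate(zip(expected, mem_image)) if a != b]

# --- constructed sample data (hypothetical addresses, tiny 0x30-byte image) ---
IMAGE_BASE = 0x140000000          # ImageBase from the optional header
LOAD_BASE = 0x140001000           # where the guest actually mapped it
_img = bytearray(0x30)
_img[0:8] = b"\x48\x8b\x05\x00\x00\x00\x00\xc3"            # some code bytes
struct.pack_into("<Q", _img, 0x08, IMAGE_BASE + 0x20)      # pointer needing a DIR64 fixup
FILE_IMAGE = bytes(_img)
# one block: page RVA 0, size 12 = header + DIR64 entry at 0x008 + padding entry
RELOC_DATA = struct.pack("<IIHH", 0, 12, 0xA008, 0x0000)
MEM_IMAGE_GOOD = apply_relocs(FILE_IMAGE, parse_relocs(RELOC_DATA), LOAD_BASE - IMAGE_BASE)
_bad = bytearray(MEM_IMAGE_GOOD)
_bad[0] = 0x90                    # simulated in-memory code modification
MEM_IMAGE_PATCHED = bytes(_bad)
```

Comparing raw file bytes against memory without applying the relocations reports the rebased pointer at offset 9 as a deviation; only after rebasing does the check isolate the real modification at offset 0.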


Supervisor(s): Thomas Kittel
Status: finished
Topic: Monitoring (VMI etc.)
Author: Michael Kubitza
Submission: 2015-10-15
Type of Thesis: Bachelorthesis
Proof of Concept: No
