Thursday 31 July 2014

Windows Integrity Levels - Process Explorer and WinDbg

From Windows Vista onwards, Microsoft has placed a substantially greater focus on the security of the operating system, which is one of the areas most users will neglect and then later come to complain about. In this article I'm going to talk about Windows Integrity Levels, and how we can view this information in WinDbg and through some SysInternals Tools. In another article, I will going into more depth about access tokens and how they are used to increase system security.

These security measures were introduced since it was relatively easy to modify memory and remove any security identification, thus leads to code modification and injection being used to allow illegitimate access to important system data structures etc.

User-Mode processes often require the use of system services and system resources which reside within the Kernel-Mode. To stop any illegitimate access or any poor programming from creating havoc in Kernel-Mode, some security validation procedures have been introduced to Windows, these commonly are Integrity Levels and Access Tokens.

The Integrity Levels come in 5 different levels, with 4 being the highest and most privileged level.

Integrity Levels (Lowest to Highest):
  • Untrusted (0) - Blocks most write access to a majority of objects
  • Low (1) - Blocks most write access to registry keys and file objects
  • Medium (2) - This is the default setting for most processes when UAC has been enabled on the system.
  • High (3) - Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator. Otherwise, administrative programs will have this setting with
  • System (4) - This is a setting reserved for system level components.
Integrity Levels are used to isolate privileged code and data from programs which do not have the correct access rights. The Integrity Levels are stored with a Access Token, which we can view in WinDbg with the _TOKEN data structure and also find with Process Explorer. Access Tokens are typically checked when a process requests access to a handle for an object.

Viewing Integrity Levels (Process Explorer):

If you haven't enabled the Integrity Level column in Process Explorer, then follow these simple steps:

Click View > Select Columns > Integrity Level > OK/Apply

Process Explorer
Viewing Integrity Levels (WinDbg):

Alternatively, we can view the Integrity Level of a process with WinDbg, and the viewing the _TOKEN data structure. I'm not sure on its effectiveness.

Using the Token Address with _TOKEN data structure, we can find the Integrity Level of the process.

Saturday 19 July 2014

Discrete Geometry - Bin Packing Problem

This post is a little irrelevant to general contents of my blog, but I found this to be a interesting geometry problem and it does have some ties with Computational Geometry, which is form a of theoretical computer science. There is additionally some connection with Computational Complexity Theory too. The Bin Packing Problem isn't difficult to explain, and yet can be difficult to find a optimal solution.

With Discrete Mathematics, I personally find that the branches within this field are more accessible but the problems are difficult enough to be interesting and form a field of serious mathematical study. I'm only a amateur mathematician and a student, so if there are any problems then please highlight them in the comments section.

Bin Packing Problem:

The Bin Packing Problem is an example of a optimization problem which has a surprisingly large number of applications, especially in logistics and data management. The Bin Packing Problem asks to minimize the number of bins needed to pack a certain number and given volume for a list of objects. These objects can vary in size, but the bin volumes will remain fixed. There are some programs which will give valid suggestions for the most optimal method, however, the problem is a NP- Hard Combinatorial class type.

The sum of the sizes of the items must be less than or equal to the total volume of the bins being used. The size of the items can never be greater than the total volume of the bins. If the volume of one bin is reached, then a new bin will need to be used. The problem looks to find a packing method which will reduce the number of bins needed to provide a optimal method.

The First-Fit Algorithm is the best algorithm which has been used for the bin packing problem. The First-Fit Algorithm is an example of a greedy approximation algorithm, in that the items will processed in any given order. The algorithm will place as many items as possible into the first bin, and then create a new bin if no other additional bins can be found. The process is then repeated for the rest of the items.

The First-Fit Algorithm has a approximation factor of 2 (APX). The approximation factor is used for NP-Hard problems, since it is very unlikely that a efficient algorithm will be produced to solve the problem directly, and therefore a P class algorithm can be developed in order to find a approximate answer. The approximation factor of 2, means that the algorithm will never use more than twice the number of least bins needed for the bin packing problem. For instance, if the number of bins needed was 2, then the algorithm will never use more than 4.


Bin Packing Problem

Saturday 12 July 2014

WinDbg Power Policy Extensions - !podev, !popolicy, !poreqlist, !pocaps, !poaction

The !podev, !poreqlist and !poaction aren't documented within WinDbg for some reason, but there is a person which has written about them thankfully. These extensions are a must for Stop 0x0A and debugging any issues related to power like Stop 0x9F.


The !popolicy displays information related to the current power policy of the current user. 


The !pocaps extensions displays information in relation to the power capabilities of the system, this is ideal for checking if drivers are attempting to use a unsupported sleep state.


The !poreqlist extension will list all outstanding power IRPs from any driver which has called the PoRequestPowerIrp function. The function will create a Power IRP and then send it to the top of the device stack for a given device object.

 The list of power IRPs will be shown under the FieldOffset field. The extension will provide the device object, driver object and the nature of the power IRP.


The !poaction extension will provide the current power action, and a list of devices which are currently being powered off or down. It also provides a list of completed IRPs. !poaction may require a Live Debugging session, but I'm not sure on this due to the lack of documentation.


The !podev will provide power related information for a PnP device object.


Debugger commands (!drvobj, !devobj, !podev, !devstack) that make my life easier (part 1)
Debugger Commands (!poaction, !poreqlist) that make my life easier (part 2)

Thursday 3 July 2014

Mathematics for Theorectical Computer Science

I thought I would create a list of Maths topics which were relevant for those who are wishing to study Computer Science. I've seen most people on online communities referring to topics which have very little relevance or completely pointless in relation to Computer Science. This list is based upon my experiences and a friend who studies Computer Science at University. I've listed the most popular Computer Science fields and their Maths topics below.

General Computer Science:

These are the topics which you will typically study in your first year, and therefore will have to do.
  • Graph Theory
  • Linear Algebra (Matrices and Vectors)
  • Calculus I and maybe some Calculus II
  •  Analytical Geometry
  • Set Theory
  • Big O Notation
  • Radicals, Logarithms and Polynomials
  • Logic
Computer Graphics: 

I'm not too sure about Graphics, but these are the subjects which do have some relevance.
  • Fractal Geometry
  • Linear Algebra
  • Analytical Geometry
  • Differentiable Geometry
  • Hyperbolic Geometry
  • Differential Equations
  • Functional Analysis
Information Theory:
  • Differential Equations
  • Real and Complex Analysis - Fourier Series
  • Calculus II and Calculus III - Taylor Series
  • Probability Theory
Algorithms and Data Structures:

Most algorithms are used to solve mathematical problems, rather than the algorithms you see in commercial programs.
  • Graph Theory
  • Number Theory
  • Combinatorics
  • Probability Theory
  • Big O Notation
  • Set Theory
Cryptography and Computational Number Theory: 
  • Number Theory

Computability Theory, Computational Complexity Theory and Automata Theory:

  •  Logic
  • Set Theory
  • Calculus I
  • Recursion
  • Proof Writing Techniques
  • Number Theory
  • Big O Notation 
  • Probability Theory
In general, it's best to study Discrete Mathematics rather than Continuous Mathematics. There's some fields like Abstract Algebra which are used in Algebraic Coding Theory. Furthermore, Discrete Geometry has its applications too. Continuous Mathematics encompasses areas like Calculus/Analysis and Topology etc.

WinDbg Extensions - !tz and !tzinfo

When I was writing up my WinDbg cheat sheet, I managed to stumble upon the !tz and !tzinfo extensions in the WinDbg Help documentation. The extensions seem to be solemnly documented directly by Microsoft, but using the ACPI documentation is easily to understand what most of the fields mean.

The !tz and !tzinfo gather information from the ACPI subsystem about the currently allocated thermal zones and the cooling policies being implemented. On Windows, you can manipulate the cooling policies slightly by changing your Power Settings.

Power Settings - Windows 7
By changing the power consumption, the Active and Passive Cooling policies will be changed. I will explain the difference between Active and Passive cooling later.

The Thermal Management mostly uses a component called the OSPM (Operating System Directed Configuration and Power Management) to manage different cooling policies and check the thermal zones.

The OSPM is used to remove any device management responsibilities from the legacy devices, and therefore made thermal management more robust.

The OSPM creates logical regions called Thermal Zones. Thermal Zones are a key component within Thermal Management. The entire motherboard is one thermal zone, and is usually subdivided further into smaller thermal zones to make management more efficient. A cooling policy is set for each individual device with a thermal zone, and therefore each thermal zone will have multiple cooling policies and cooling resources (e.g. fans). An example of a thermal zone is below:

We can find the Thermal Zones on a system using the !tz extension in WinDbg.

The most useful part of the !tz output is the Thermal Info Address which we can use with the !tzinfo extension to give the trip point temperatures of the thermal zone(s).

These trip point temperatures correspond to the cooling policies implemented when that threshold is reached. Each device within a thermal zone will have its own threshold. The two main cooling modes are Active Cooling and Passive Cooling.

Passive Cooling - The operating system will decrease the power consumption of all devices, in order to reduce the temperature of the system, however, the cost is a reduction in system performance.

Active Cooling - The operating system will increase the power consumption of cooling resources such as fans, to decrease the temperature of the system. Active Cooling has better system performance, but with laptops it will reduce the battery life much faster than usual.

There is also a Critical temperature threshold, whereby if any thermal zone breaches this threshold, then the entire system will shut down. The thresholds are managed by objects called Thermal Objects. 

The _TMP object is the current temperature of a thermal zone, and is compared to the _HOT, _CRT, PSV and _AC0/_AC1 thermal objects in order to implement the different cooling policies. The thermal object thresholds can be seen in the diagram below:

If the _TMP object value reaches the _CRT (Critical Temperature Threshold), the entire system will shut down. If the _TMP reaches the _HOT value, then the system will be placed into the S4 sleep state (Hibernation) if this mode is supported. 

If the _TMP object reaches the _AC0/_AC1 (Active Cooling) then the Active Cooling policy will be implemented; there is two versions which adjust the fan speed. If the _TMP object reaches the _PSV (Passive Cooling) then the Passive Cooling policy is used. The Thermal Events are notified to the OSPM by Thermal Change Notifications.

We can check which power states are supported by using the !pocaps extension:

The power states are stored within an enumeration called _SYSTEM_POWER_STATE.

Additional Reading:

Thermal Management 

 System Power States (Windows)

Wednesday 2 July 2014

Using !kuser to find _KUSER_SHARED_DATA

The _KUSER_SHARED_DATA structure contains some interesting information related to the currently logged on user, we can obtain the address of this data structure by using the !kuser extension in WinDbg. Most of the fields aren't officially documented from what I can find, but you should be easily be able to work out what they mean from their names.

Using the address with the _KUSER_SHARED_DATA will provide the following (omitted structure):

There is some debugging bit fields within this structure, so you can check what debugging features have been enabled for that user. It also contains some basic system information.

Additional Reading:

The System Call Dispatcher on x86