The Windows Process Journey — csrss.exe (Client Server Runtime Subsystem)
The goal of “csrss.exe” (Client Server Runtime Subsystem) is to be the user-mode part of the Win32 subsystem (which is responsible for providing the Windows API). “csrss.exe” has been included in Windows since Windows NT 3.1. It is located at “%windir%\System32\csrss.exe” (which is most of the time C:\Windows\System32\csrss.exe).
Since Windows NT 4.0 most of the Win32 subsystem has been moved to kernel mode — “With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode” (https://learn.microsoft.com/en-us/previous-versions//cc750820(v=technet.10)?redirectedfrom=MSDN#XSLTsection124121120120). Thus “csrss.exe” today manages GUI shutdowns and the Windows console (today it is “cmd.exe”).
Overall, we can say that today “csrss.exe” handles things like processes/threads, VDM (Virtual DOS Machine emulation), creation of temp files and more (https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/). It is executed by “local system” and there is one instance per user session. Thus, at minimum we will have two (one for session 0 and one for session 1), as shown in the screenshot below. “csrss.exe” has a handle for each process/thread in the specific session it is part of. Also, for each running process a CSR_PROCESS structure is maintained (https://www.geoffchappell.com/studies/windows/win32/csrsrv/api/process/process.htm). By the way, we can leverage this fact to identify hidden processes (e.g. by using “psxview” from the Volatility framework — https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#psxview).
“smss.exe” is the process which starts “csrss.exe” together with “winlogon.exe” (more about it in a future writeup); after finishing, “smss.exe” exits. In case you want to read more about “smss.exe” you can read the following link (https://medium.com/@boutnaru/the-windows-process-journey-smss-exe-session-manager-subsystem-bca2cf748d33). By the way, from Windows 7 (and later) “csrss.exe” executes “conhost.exe” instead of drawing the console windows by itself (I am going to elaborate about that in the next writeup).
Lastly, “csrss.exe” loads “csrsrv.dll”, “basesrv.dll” and “winsrv.dll”, as shown in the screenshot below. If we want to go over some of the source code of “csrss.exe” we can use ReactOS, which is “A free Windows-compatible Operating System” hosted on github.com. The relevant code of the entire subsystem can be found at https://github.com/reactos/reactos/tree/master/subsystems/csr. We can also debug “csrss.exe” using WinDbg; it is important to know that since Windows “csrss.exe” is a protected process, it can be debugged from kernel mode only (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-csrss). A list of all the “csrss.exe” APIs can be found here: https://j00ru.vexillium.org/csrss_list/api_table.html.
https://preview.redd.it/cbrjyid38n3a1.png?width=1498&format=png&auto=webp&s=614e9a773e17d29f5288d4dc9e4f191f97c46708
🗣boutnaru
🎖@malwr
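As an added defender-side check (example code, not part of the post above or of any Microsoft tooling), the script below compares the running “csrss.exe” instances against the properties the post lists: image under %windir%\System32, owner SYSTEM, parent “smss.exe” already gone, one instance per session, and the three server DLLs loaded. It assumes an elevated PowerShell session; listing modules of a protected process may still be refused, which the script reports rather than treats as a finding.

```powershell
# Added example: sanity-check csrss.exe instances against the behaviour described in the post.
$expectedPath = Join-Path $env:windir 'System32\csrss.exe'
$expectedDlls = 'csrsrv.dll', 'basesrv.dll', 'winsrv.dll'

# Win32_Process exposes path, session id, parent PID and owner without opening a process handle.
$instances = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'"

foreach ($p in $instances) {
    $findings = @()

    # 1. The image must be the real binary under System32 (comparison is case-insensitive).
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) {
        $findings += "unexpected path: $($p.ExecutablePath)"
    }

    # 2. smss.exe exits after spawning csrss.exe, so the parent PID should not be a live process.
    $parent = Get-Process -Id $p.ParentProcessId -ErrorAction SilentlyContinue
    if ($parent) { $findings += "live parent: $($parent.ProcessName) (PID $($parent.Id))" }

    # 3. The owner should be the local SYSTEM account (NT AUTHORITY\SYSTEM).
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and $owner.User -ne 'SYSTEM') {
        $findings += "owner is $($owner.Domain)\$($owner.User)"
    }

    # 4. csrsrv.dll, basesrv.dll and winsrv.dll should be loaded; module enumeration of a
    #    protected process can fail even when elevated, so that case is reported separately.
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($proc) {
        try {
            $loaded  = $proc.Modules | ForEach-Object { $_.ModuleName.ToLower() }
            $missing = $expectedDlls | Where-Object { $loaded -notcontains $_ }
            if ($missing) { $findings += "missing DLLs: $($missing -join ', ')" }
        } catch {
            $findings += 'module list not readable (protected process)'
        }
    }

    [pscustomobject]@{
        PID       = $p.ProcessId
        SessionId = $p.SessionId
        Path      = $p.ExecutablePath
        Findings  = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

# 5. One instance per session: warn about any session with more than one csrss.exe.
$instances | Group-Object SessionId | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "session $($_.Name) has $($_.Count) csrss.exe instances" }
```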
j00ru//vx tech blog
Windows CSRSS write up: the basics | j00ru//vx tech blog
The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few…
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware - North Korea in action
🗣digicat
🎖@malwr
Volexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]
DuckLogs - New Malware Strain Spotted In The Wild as part of a Malware as a Service - performs multiple malicious activities such as Stealer, Keylogger, Clipper, Remote access, etc.
🗣digicat
🎖@malwr
Cyble
Cyble - DuckLogs - New Malware Strain Spotted In The Wild
Cyble analyzes DuckLogs - a new Malware-as-a-Service that provides sophisticated malware features to Threat Actors at a relatively low price.
kitabisa/teler release v2.0.0-dev
🗣dwisiswant0
Nice. So this kind of got me thinking: why not just use Suricata or Snort as an IPS, since teler "just detects"? Basically my conclusion:
Docker Compose:
Nginx (terminates HTTPS) -> Snort -> nginx-> PHP (in my case)
I mean technically you’d re-encrypt after snort and send it the rest of the way but in Docker I think it’s fine to send unencrypted from snort to Webserver (if not exposed)
👤coder_karl
🎖@malwr
🗣dwisiswant0
GitHub
GitHub - teler-sh/teler: Real-time HTTP Intrusion Detection
Real-time HTTP Intrusion Detection. Contribute to teler-sh/teler development by creating an account on GitHub.
Noob here, tried adding via hash sets, but failed. Any idea on how to add SHA1 values in the Metadata for Autopsy while viewing an outlook.pst file? I'm able to view the MD5 & SHA256 hash values of the file, however I'm unable to view the SHA1 value. Any advice would be greatly appreciated.
🗣LMJR500Army
Looks like only MD5 and SHA256 are supported as of the last revision to hashdb. See here: https://github.com/sleuthkit/autopsy/issues/175
👤positronikal
🎖@malwr
WindowSpy: WindowSpy is a Cobalt Strike Beacon Object File meant for targeted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, VPN logins etc.
🗣digicat
🎖@malwr
GitHub
GitHub - CodeXTF2/WindowSpy: WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance.
WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance. - CodeXTF2/WindowSpy