Untitled (Pastebin, posted by a guest, Jun 26th, 2019)

# Windows Internals #

# -----------------------------------------------------------------------------
# -- Day 1 --

* Versions: from Vista (6.0) on, some programs failed to run because they checked `major >= 5 && minor >= 1` (XP is 5.1) instead of comparing the pair. Windows 10 still reports 6.2 to programs without a compatibility manifest.
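
The version check bug above, as an added example (not part of the course notes): the same two-field test written the wrong way and the right way, with the version tuples constructed inline.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: the classic pre-Vista version check. XP is 5.1, Vista is
 * 6.0, Windows 7 is 6.1. Testing major and minor independently rejects 6.0
 * even though it is newer than 5.1. */
typedef struct { unsigned major, minor; } os_version;

/* Buggy: each field compared on its own, so 6.0 fails the minor test. */
bool is_xp_or_later_buggy(os_version v) {
    return v.major >= 5 && v.minor >= 1;
}

/* Correct: compare (major, minor) lexicographically. */
bool is_xp_or_later_fixed(os_version v) {
    return v.major > 5 || (v.major == 5 && v.minor >= 1);
}

int main(void) {
    /* Constructed sample versions: XP, Vista, 7, the value 8.1/10 report
     * without a manifest, and the real Windows 10 number. */
    const os_version samples[] = { {5, 1}, {6, 0}, {6, 1}, {6, 2}, {10, 0} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%2u.%u  buggy=%d  fixed=%d\n", samples[i].major, samples[i].minor,
               is_xp_or_later_buggy(samples[i]), is_xp_or_later_fixed(samples[i]));
    }
    return 0;
}
```

This is also why later Windows versions lie about their number: the compatibility shim keeps such programs running without a code fix.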

## Process

* virtual address space
* executable image
* table of kernel object handles
* access token
* threads (the process terminates when it has no more threads)

### Task Manager

* PIDs are always multiples of 4
* Suspended: UWP processes moved to the background get no processor time (status shown when all threads are suspended?)
* Not Responding: a UI app that has not processed window messages for at least 5 seconds
* ShellExperienceHost = Start menu
* RuntimeBroker: brokers access to the capabilities declared in a UWP app's manifest
* Session: 0 = system and services, 1 = the logged on user (further sessions for additional users)
* Handles = kernel object handle count

### Process Explorer

* run as admin to allow kernel stack tracing
* colors:
* green - newly created (shown for 1 sec)
* red - exiting (shown for 1 sec)
* yellow - hosts the CLR (has .NET assemblies and performance tabs)
* pink - services (has Services tab); svchost hosts Microsoft DLL services, and with more than 3.5 GB of RAM each DLL gets its own svchost
* cyan - immersive process (IsImmersiveProcess; full screen in Windows 8), from WinRT, not only UWP
* gray - suspended
* fuchsia (?) - protected processes
* brown - jobs (has Job tab), when the process is part of a job
* hierarchy:
* shows who created whom
* parent and child have no effect on each other
* the parent is stored only as a PID, so the parent's start time must be earlier than the child's; otherwise the PID was reused
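
The PID reuse check above, as an added example (not Process Explorer's code): a process table is constructed inline, and the parent is accepted only if it started before the child. The helper for client IDs covers the "multiples of 4" point from the Task Manager and Threads notes.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not from the course notes: how a Process Explorer style
 * tool rebuilds the process tree. The kernel records only the parent's PID
 * at creation time, and PIDs are reused, so a candidate parent is trusted
 * only if it started before the child. The process table is constructed
 * for this example. */
typedef struct {
    unsigned pid;
    unsigned ppid;              /* parent PID recorded at creation */
    unsigned long long start;   /* creation time, monotonic units */
} proc_info;

/* Constructed sample: PID 2500 exited and was later reused by a new process. */
const proc_info sample_procs[] = {
    /* pid   ppid   start */
    { 4,     0,     1  },   /* System */
    { 500,   4,     10 },   /* smss.exe */
    { 1200,  500,   20 },   /* csrss.exe */
    { 3000,  2500,  50 },   /* child of the original PID 2500, now gone */
    { 2500,  1200,  90 },   /* unrelated process that reused PID 2500 */
};
#define SAMPLE_N (sizeof sample_procs / sizeof sample_procs[0])

/* Index of the real parent of tbl[child], or -1 if the recorded parent no
 * longer exists (a process with that PID that started later is a reuse). */
int find_parent(const proc_info *tbl, size_t n, size_t child) {
    for (size_t i = 0; i < n; i++) {
        if (i == child || tbl[i].pid != tbl[child].ppid) continue;
        return tbl[i].start <= tbl[child].start ? (int)i : -1;
    }
    return -1;
}

/* PIDs and TIDs are allocated from a handle table, hence multiples of 4. */
int is_valid_client_id(unsigned id) { return id != 0 && id % 4 == 0; }

int main(void) {
    for (size_t i = 0; i < SAMPLE_N; i++) {
        int p = find_parent(sample_procs, SAMPLE_N, i);
        if (p >= 0)
            printf("pid %5u  parent %u\n", sample_procs[i].pid, sample_procs[p].pid);
        else
            printf("pid %5u  parent %u <non-existent or reused>\n",
                   sample_procs[i].pid, sample_procs[i].ppid);
    }
    return 0;
}
```

On a real system the start times come from the process creation time the kernel keeps per process; without that comparison, PID 3000 would be shown as a child of the unrelated new PID 2500.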

## Virtual Memory

* address mapping, protected mode, since NT
* Layout - 32-bit: 2 GB system, 2 GB user (default split). 64-bit: 128 TB system, 128 TB user (limited by 48 address bits; 57 bits with 5-level paging on newer Intel "Cove" cores)

## Threads

* thread IDs come from the same pool as PIDs, also multiples of 4

## Windows Architecture - Kernel & User mode

* Subsystem DLLs - wrap the native API as the public Win32 API (kernel32.dll, user32.dll, advapi32.dll, ...)
* [user mode] NTDLL.DLL - native API; enters the kernel through syscall (system call number in eax), e.g. NtCreateFile. Mapped into every process by the kernel
* [kernel mode] Executive - system service dispatcher (handles the syscall), calls into the kernel and device drivers
* HAL - hardware abstraction layer - interrupt controller, DMA controller
* Win32k.sys - windowing and GDI (user interface)
* Hyper-V hypervisor - with virtualization-based security, restricts what kernel mode can do

* Subsystems - a view of the kernel that supports different APIs: UNIX (POSIX), OS/2 and Windows programs. Today only the Windows subsystem exists (XP removed OS/2, 8.1 removed POSIX)
* CSRSS.exe - critical process (BSOD if killed), handles the Windows subsystem

## Symmetric Multiprocessing

* Licensing: Home - 1 socket, Professional - 2 sockets
* Symmetric - each processor can run any code, user or kernel
* NUMA - faster access to "node local" memory

## Windows Subsystem APIs

* WinAPI, COM, .NET, WinRT
* xxxA - converts the ANSI string to Unicode and calls xxxW
* The PE header's Subsystem field (CUI/GUI) tells the Windows subsystem whether to create a console window at startup
* Native subsystem - processes that can only call ntdll.dll directly (no subsystem DLLs)
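
Reading the CUI/GUI Subsystem field from a PE header, as an added example (not code from the course): the header offsets follow the PE/COFF specification, the image bytes are constructed inline rather than read from a real binary, and every offset is bounds-checked because e_lfanew and SizeOfOptionalHeader come from the file and cannot be trusted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the course notes: reading the Subsystem field the
 * Windows loader uses to decide whether to create a console. The layout is
 * the documented PE/COFF header; the sample image bytes are constructed here. */
#define IMAGE_SUBSYSTEM_NATIVE       1
#define IMAGE_SUBSYSTEM_WINDOWS_GUI  2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI  3

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the Subsystem value, or -1 if the buffer is not a well-formed PE
 * image. Every offset is checked against len before it is dereferenced. */
int pe_subsystem(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                /* SizeOfOptionalHeader */
    size_t opt_off = pe_off + 4 + 20;
    if (opt_size < 70 || len - opt_off < opt_size) return -1;
    const uint8_t *opt = img + opt_off;
    uint16_t magic = rd16(opt);                         /* 0x10B PE32, 0x20B PE32+ */
    if (magic != 0x10B && magic != 0x20B) return -1;
    return rd16(opt + 68);                              /* Subsystem: same offset in both */
}

/* Builds a minimal, non-runnable PE header carrying the given subsystem. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t subsystem) {
    const uint32_t pe_off = 0x80;
    const uint16_t opt_size = 240;                      /* PE32+ optional header size */
    size_t total = pe_off + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;                        /* little-endian e_lfanew */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x64; coff[1] = 0x86;                     /* Machine = AMD64 */
    coff[16] = (uint8_t)opt_size; coff[17] = (uint8_t)(opt_size >> 8);
    uint8_t *opt = coff + 20;
    opt[0] = 0x0B; opt[1] = 0x02;                       /* Magic = PE32+ */
    opt[68] = (uint8_t)subsystem; opt[69] = (uint8_t)(subsystem >> 8);
    return total;
}

/* Build an image with the given subsystem and parse it back. */
int roundtrip_subsystem(uint16_t subsystem) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, subsystem);
    return pe_subsystem(img, n);
}

/* A header cut one byte short must be rejected, not read past the buffer. */
int truncated_is_rejected(void) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, IMAGE_SUBSYSTEM_WINDOWS_GUI);
    return pe_subsystem(img, n - 1) == -1;
}

int main(void) {
    int ss = roundtrip_subsystem(IMAGE_SUBSYSTEM_WINDOWS_CUI);
    printf("subsystem=%d (%s)\n", ss,
           ss == IMAGE_SUBSYSTEM_WINDOWS_CUI ? "CUI: console created at startup" :
           ss == IMAGE_SUBSYSTEM_WINDOWS_GUI ? "GUI: no console" : "other");
    return 0;
}
```

Value 1 (native) marks images such as smss.exe that talk to ntdll.dll only; the same parser can be pointed at a file read from disk.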

### Native API - NTDLL.DLL (built together with the kernel)

* Undocumented
* system call stubs - mirror the kernel API (so if ZwCreateFile is documented, NtCreateFile is the same call)
* various standard functions (memset, sprintf, ...)
* image loader, heap manager, thread pool (partial)

## WinDBG

* F1 - help
* ~ - list threads: '.' marks the current thread, '#' marks the thread that caused the break
* ? - evaluate expression (hex by default, 0n123 for decimal)
* !teb <teb_address> - display thread environment block
* Client ID = (pid, tid)
* !peb - same for the process environment block
* dt ntdll!_TEB [<teb_address>] - display data type (struct _TEB in the given module) [and its field values at the address]
* 0:007> - the prompt shows the process index and the current thread index (as in ~)
* ~7s - switch to thread 7
* when attaching, the debugger injects a remote thread that calls a breakpoint
* k - show stack
* ~1x - run command x on thread 1
* bp <location> - set breakpoint at location
* bl - list breakpoints
* d_ <location> - display memory, _: b - bytes, u - UTF-16 string; location can be an address, symbol, @rcx, etc.
* u - disassemble
* p - step over (step)
* t - step into (trace)
* !error <value> - display the error string for value
* symbols: srv*c:\symbols*http://msdl.microsoft.com/download/symbols, or set the _NT_SYMBOL_PATH environment variable
* lm - loaded modules, symbol status: path or deferred (not loaded until needed)

### Kernel debugging (local kernel debug)

* System Configuration (msconfig) -> Boot -> Advanced -> Debug (and restart)
* !process 0 0 [<name>] - display process info (first 0: all processes, second 0: minimal detail, [filter by image name])
* PEB - BeingDebugged flag, loaded DLL list
* PatchGuard - checks kernel structures (such as the system service table) and BSODs if they were modified

## Kernel modules (System process)

* NtOsKrnl.exe - executive and kernel
* Hal.dll

## Objects and handles

* handle - keeps user mode from accessing kernel objects directly; objects are reference counted
* !object <object_kernel_address>

## Sessions

* two sessions: 0 - services, 1 - interactive user ("WinSta0" is the interactive window station)
* session (per user)
* window stations (per process)
* desktops (per thread)
* windows, menus, hooks
* clipboard
* atom table
* two desktops: Default, and the secure Ctrl+Alt+Del desktop created by Winlogon (hooks are per desktop; windows cannot move between desktops; Windows 10 virtual desktops are simulated on a single desktop object)

## System Processes

* Idle - PID 0, not a real process, one thread per logical processor
* System - PID 4, hosts kernel-mode system threads, which never run in user mode
* Session Manager (Smss.exe) - first user process; waits for new sessions, BSODs if csrss or winlogon die; the kernel monitors smss
* Windows subsystem (Csrss.exe)
* Logon process (Winlogon.exe)
* Service Control Manager (SCM - Services.exe)
* Local Security Authority Subsystem Service (Lsass.exe)
* Secure Kernel (under the hypervisor)
* Memory Compression - saves RAM by compressing pages; not shown in Task Manager, its code lives only in the kernel
* Registry

# -----------------------------------------------------------------------------
# -- Day 2: Processes and Jobs --

## Processes

* Priority class (base priority)
* starts: CreateProcess[AsUser/WithTokenW] (also creates the first thread)
* ends: all threads exit, or some thread calls ExitProcess, or it is killed with TerminateProcess (also from another process)
* the kernel ensures all resources are released on exit, unlike with drivers
* the CRT calls ExitProcess after the main thread returns (so when working with the CRT, the process ends when main returns)
* ExitProcess calls DLL_PROCESS_DETACH, TerminateProcess does not
* DLL_THREAD_ATTACH/DETACH are called whenever a thread starts/ends in a process where the DLL is loaded
* in kernel mode: EPROCESS (dt nt!_EPROCESS), first field Pcb of type KPROCESS, undocumented; all EPROCESS structures are kept in a doubly linked list headed by nt!PsActiveProcessHead, through the LIST_ENTRY field ActiveProcessLinks (Flink and Blink)
* in user mode: PEB
* Process creation: open the image
-> create EPROCESS
-> create the first thread (ETHREAD)
-> notify CSRSS of the new process and thread (via ALPC, its IPC mechanism)
-> the loader completes process and thread initialization:
: create Process Environment Block (PEB)
: create Thread Environment Block (TEB)
: load required DLLs, calling DLL_PROCESS_ATTACH
-> main/WinMain
* (a process can also be created through the WMI service)
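
The EPROCESS list walk from the kernel-mode note above, as an added example (not the kernel's code): a toy EPROCESS with only the fields the walk needs, the LIST_ENTRY helpers and CONTAINING_RECORD written out as the WDK defines them, and a constructed three-process list standing in for nt!PsActiveProcessHead. The second variant unlinks an entry first, which is what makes a list-only enumeration miss a process that still exists.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not from the course notes: walking the kernel's doubly
 * linked process list the way "!process 0 0" does. The real EPROCESS is
 * undocumented and much larger; this toy struct keeps only the fields the
 * walk needs, and a local LIST_ENTRY plays the role of nt!PsActiveProcessHead. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing struct from a pointer to an embedded field, as the
 * WDK macro of the same name does. Valid for entries only, never for the head. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* embedded links, not a pointer to a node */
    char ImageFileName[16];
} TOY_EPROCESS;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e) {
    LIST_ENTRY *last = head->Blink;
    e->Flink = head;
    e->Blink = last;
    last->Flink = e;
    head->Blink = e;
}

static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Returns the number of processes reachable from head, storing up to max
 * PIDs in list order. The loop ends when Flink points back at the head. */
size_t walk_active_processes(LIST_ENTRY *head, unsigned long *pids, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        TOY_EPROCESS *p = CONTAINING_RECORD(e, TOY_EPROCESS, ActiveProcessLinks);
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* Builds a constructed three-process list; optionally unlinks the second
 * entry first. A list-based enumeration then no longer sees that process
 * although the object still exists, which is why PatchGuard and tools
 * cross-check kernel structures against other views. */
size_t sample_walk(int unlink_second, unsigned long *pids, size_t max) {
    TOY_EPROCESS procs[3] = {
        { 4,    {0, 0}, "System"    },
        { 500,  {0, 0}, "smss.exe"  },
        { 1200, {0, 0}, "csrss.exe" },
    };
    LIST_ENTRY head;
    InitializeListHead(&head);
    for (size_t i = 0; i < 3; i++) InsertTailList(&head, &procs[i].ActiveProcessLinks);
    if (unlink_second) RemoveEntryList(&procs[1].ActiveProcessLinks);
    return walk_active_processes(&head, pids, max);
}

int main(void) {
    unsigned long pids[8];
    size_t n = sample_walk(0, pids, 8);
    for (size_t i = 0; i < n; i++) printf("PID %lu\n", pids[i]);
    return 0;
}
```

In WinDbg the same traversal is `dt nt!_EPROCESS <addr> ActiveProcessLinks` followed by subtracting the field offset from Flink, which is exactly what CONTAINING_RECORD does.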