- # Windows Internals #
- # -----------------------------------------------------------------------------
- # -- Day 1 --
- * Versions: from Vista (6.0) on, many programs refused to run because they checked major >= 5 && minor >= 1 (an XP-style test that 6.0 fails on the minor part). For compatibility, Windows 8.1 and 10 still report 6.2 to programs that lack a compatibility manifest.
- ## Process
- * virtual address space
- * executable image
- * table of kernel objects
- * access token
- * threads (the process exits when its last thread exits)
- ### Task Manager
- * PIDs are always multiples of 4 (they are indices into a kernel handle table)
- * Suspended: shown when all threads of the process are suspended; UWP apps are suspended when moved to the background (no processor time)
- * Not Responding: a UI thread has not processed its message queue for at least 5 seconds
- * ShellExperienceHost.exe hosts the Start menu
- * RuntimeBroker.exe brokers a UWP app's access to the capabilities declared in its manifest
- * Session: 0 for system and services, 1 (and up) for logged-on users
- * Handles: number of open kernel object handles in the process
- ### Process explorer
- * run elevated (as admin) to get kernel-mode stack traces
- * colors:
- * green: just created (shown for 1 s)
- * red: exiting (shown for 1 s)
- * yellow: hosts the CLR (has .NET Assemblies and .NET Performance tabs)
- * pink: service host (has a Services tab). svchost.exe hosts Microsoft's DLL-based services; since Windows 10 1703, on machines with more than 3.5 GB of RAM, each service gets its own svchost instead of being grouped
- * cyan: immersive process, i.e. IsImmersiveProcess returns true (full-screen apps in Windows 8 terms, WinRT; not only UWP)
- * gray: suspended
- * fuchsia: protected processes
- * brown: the process belongs to a job (has a Job tab)
- * hierarchy:
- * who created whom
- * parent and child have no effect on each other once created
- * the parent is recorded only as a PID, so Process Explorer also compares start times: a "parent" that started after the child means the PID was reused and the real parent is gone
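- * Added example (not from the original notes): rebuild the parent/child view the way Process Explorer does, with the PID-reuse check, and list which services each svchost.exe hosts against the split threshold. Win32_Process, Win32_Service and the registry value SvcHostSplitThresholdInKB are real; the column names and the `ParentLink` labels are mine. Run in 64-bit PowerShell; an elevated shell sees every process.

```powershell
# Added example, not part of the original notes.
# Part 1: process tree with session and PID-reuse check (what Process Explorer shows).
$procs = Get-CimInstance Win32_Process           # PID, parent PID, session, creation time
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# PIDs (and TIDs) come from the same handle-table-style pool, so they are multiples of 4.
$bad = $procs | Where-Object { $_.ProcessId % 4 -ne 0 }
if ($bad) { Write-Warning ("PID not a multiple of 4: " + ($bad.ProcessId -join ', ')) }

$tree = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    # A parent is stored only as a PID. If the process now holding that PID started
    # after the child, the PID was recycled and the real parent has exited.
    $state = if (-not $parent) { 'parent exited' }
             elseif ($parent.CreationDate -and $p.CreationDate -and
                     $parent.CreationDate -gt $p.CreationDate) { 'PID reused' }
             else { 'ok' }
    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        Session    = $p.SessionId          # 0 = services, 1+ = interactive users
        PPID       = $p.ParentProcessId
        Parent     = if ($parent) { $parent.Name } else { '<gone>' }
        Started    = $p.CreationDate
        ParentLink = $state
    }
}
$tree | Sort-Object Session, PID | Format-Table -AutoSize | Out-Host

# Part 2: svchost grouping. Since Windows 10 1703, when RAM exceeds
# SvcHostSplitThresholdInKB (default 3670016 KB = 3.5 GB) most services run alone in
# their own svchost.exe instead of sharing one; below it they are grouped by -k name.
$ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue
$thresholdKB = $ctl.SvcHostSplitThresholdInKB
$ramKB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1KB)
'RAM {0:N0} KB, SvcHostSplitThresholdInKB {1}: services are {2}' -f $ramKB,
    $(if ($thresholdKB) { $thresholdKB } else { '<not set>' }),
    $(if ($thresholdKB -and $ramKB -gt $thresholdKB) { 'split one per svchost' } else { 'grouped' })

Get-CimInstance Win32_Service -Filter "ProcessId != 0 AND PathName LIKE '%svchost.exe%'" |
    Group-Object ProcessId | Sort-Object { [int]$_.Name } |
    ForEach-Object { '{0,6}  {1,2} service(s): {2}' -f $_.Name, $_.Count, (($_.Group.Name | Sort-Object) -join ', ') }
```

- * On a machine above the threshold the second listing is mostly one service per svchost, which is also why a single misbehaving service no longer takes a whole group down with it.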
- ## Virtual Memory
- * Virtual-to-physical address mapping in protected mode, present since the first NT release
- * Layout: 32-bit: 2 GB user (lower half), 2 GB system (upper half). 64-bit: 128 TB user, 128 TB system (limited by 48-bit virtual addresses; CPUs with 5-level paging, Intel's Sunny Cove and later, support 57 bits)
- ## Threads
- * thread id from same pool as pid, also multiple of 4
- ## Windows Architecture - Kernel & User mode
- * Subsystem DLLs wrap the native API in the public Win32 API (kernel32.dll, user32.dll, advapi32.dll, ...)
- * [user mode] ntdll.dll: the native API; enters the kernel with the syscall instruction (service number in eax), e.g. NtCreateFile. Mapped into every process by the kernel
- * [kernel mode] Executive: system service dispatcher (handles the syscall) plus the executive services, which call the kernel and device drivers
- * HAL: hardware abstraction layer (interrupt controller, DMA controller, ...)
- * Win32k.sys: kernel side of the windowing and GDI subsystem (user interface)
- * Hyper-V hypervisor: with virtualization-based security it restricts what kernel mode is allowed to do
- * Subsystems: a view of the kernel that supports a given API: Unix (POSIX), OS/2 and Windows. Today only the Windows subsystem remains (OS/2 was removed in XP, POSIX/SUA in 8.1)
- * csrss.exe: user-mode part of the Windows subsystem; critical process (bugcheck if killed)
- ## Symmetric Multiprocessing
- * Licensing: Home - 1 socket, Professional - 2 sockets
- * Symmetric - each processor can run any code, user/kernel
- * NUMA - faster access to 'node local' memory
- ## Windows Subsystem APIs
- * WinAPI, COM, .NET, WinRT
- * FooA converts its ANSI strings to UTF-16 and calls FooW
- * The PE header's subsystem field (CUI/GUI) tells the Windows subsystem whether to create a console window at startup
- * Native images (no subsystem, e.g. smss.exe, csrss.exe) can only call ntdll.dll directly
- ### Native API: ntdll.dll (built together with the kernel)
- * Mostly undocumented
- * System call stubs that mirror the kernel's Nt/Zw API (if ZwCreateFile is documented for drivers, NtCreateFile in ntdll has the same signature)
- * Various C runtime-style functions (memset, sprintf, ...)
- * Image loader, heap manager, thread pool (partly)
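- * Added example (not from the original notes): the version lie from the top of Day 1, seen through the two layers just described. GetVersionExW (kernel32, subsystem DLL) returns what the process's compatibility manifest allows, while RtlGetVersion (ntdll, native API) returns the real version. The P/Invoke declarations and the two check functions are mine; powershell.exe is manifested for Windows 10, so both calls agree there, whereas an unmanifested process sees 6.2 from GetVersionExW.

```powershell
# Added example, not part of the original notes. Windows PowerShell 5 or PowerShell 7.
Add-Type -Namespace WinVer -Name Native -MemberDefinition @'
[System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
public struct OSVERSIONINFOW {
    public uint dwOSVersionInfoSize;
    public uint dwMajorVersion;
    public uint dwMinorVersion;
    public uint dwBuildNumber;
    public uint dwPlatformId;
    [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst = 128)]
    public string szCSDVersion;
}
// Native API (ntdll): not affected by the application compatibility manifest.
[System.Runtime.InteropServices.DllImport("ntdll.dll")]
public static extern int RtlGetVersion(ref OSVERSIONINFOW info);
// Subsystem DLL (kernel32): reports the version the process is manifested for (6.2 if unmanifested).
[System.Runtime.InteropServices.DllImport("kernel32.dll", CharSet = System.Runtime.InteropServices.CharSet.Unicode, SetLastError = true)]
public static extern bool GetVersionExW(ref OSVERSIONINFOW info);
'@

function Get-OsVersionPair {
    $native = New-Object WinVer.Native+OSVERSIONINFOW
    $native.dwOSVersionInfoSize = [System.Runtime.InteropServices.Marshal]::SizeOf($native)
    $status = [WinVer.Native]::RtlGetVersion([ref]$native)
    if ($status -ne 0) { throw ('RtlGetVersion failed: NTSTATUS 0x{0:X8}' -f $status) }

    $win32 = New-Object WinVer.Native+OSVERSIONINFOW
    $win32.dwOSVersionInfoSize = [System.Runtime.InteropServices.Marshal]::SizeOf($win32)
    if (-not [WinVer.Native]::GetVersionExW([ref]$win32)) { throw 'GetVersionExW failed' }

    [pscustomobject]@{
        NativeVersion = '{0}.{1} build {2}' -f $native.dwMajorVersion, $native.dwMinorVersion, $native.dwBuildNumber
        Win32Version  = '{0}.{1} build {2}' -f $win32.dwMajorVersion, $win32.dwMinorVersion, $win32.dwBuildNumber
        # True when the host's manifest covers the running OS (or the OS predates the lie).
        ManifestCurrent = ($native.dwMajorVersion -eq $win32.dwMajorVersion -and
                           $native.dwMinorVersion -eq $win32.dwMinorVersion)
    }
}

# The check the notes describe: "major >= 5 && minor >= 1". It accepts XP (5.1) and 2003 (5.2)
# but rejects Vista (6.0) and Windows 10 (10.0) because their minor version is 0.
function Test-XpStyleCheck([uint32]$Major, [uint32]$Minor) { $Major -ge 5 -and $Minor -ge 1 }
# Correct form: compare (major, minor) as an ordered pair. In C, VerifyVersionInfo or
# the IsWindowsXPOrGreater helper does this for you.
function Test-AtLeastXp([uint32]$Major, [uint32]$Minor) { $Major -gt 5 -or ($Major -eq 5 -and $Minor -ge 1) }

Get-OsVersionPair
foreach ($v in @(@(5, 1), @(6, 0), @(6, 2), @(10, 0))) {
    '{0}.{1}: broken check -> {2}, correct check -> {3}' -f $v[0], $v[1],
        (Test-XpStyleCheck $v[0] $v[1]), (Test-AtLeastXp $v[0] $v[1])
}
```

- * The table at the end is the whole story of the note: 5.1 passes both checks, 6.0 and 10.0 pass only the correct one, and the ntdll path is the one to trust when a detection or compatibility tool needs the real OS version.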
- ## WinDBG
- * F1 - help
- * ~ - list threads: '.' marks the current thread, '#' the thread that caused the break
- * ? - evaluate an expression (hex by default; 0n123 is decimal)
- * !teb <teb_address> - display the thread environment block
- * Client ID = (pid, tid)
- * !peb - same for the process environment block
- * dt ntdll!_TEB [<teb_address>] - display a type (struct _TEB from module ntdll) [with the field values read from that address]
- * 0:007> prompt - process index 0, current thread index 7 (as listed by ~)
- * ~7s - switch to thread 7
- * attaching injects a remote thread that hits a breakpoint, so the current thread is the debugger's, not the application's
- * k - call stack
- * ~1k - run k on thread 1 (general form: ~<n>e <command>)
- * bp <location> - set a breakpoint
- * bl - list breakpoints
- * d_ <location> - display memory; _ is b for bytes, u for a UTF-16 string, ...; location can be an address, a symbol, a register such as @rcx
- * u - disassemble
- * p - step over (step)
- * t - step into (trace)
- * !error <value> - show the message text for an error code
- * symbols: srv*c:\symbols*http://msdl.microsoft.com/download/symbols, or set the _NT_SYMBOL_PATH environment variable
- * lm - loaded modules with symbol status: a path, or "deferred" if the symbols have not been needed yet
- ### Kernel debugging (local kernel debug)
- * enable with System Configuration (msconfig) -> Boot -> Advanced options -> Debug (or bcdedit /debug on), reboot, then WinDbg -> File -> Kernel Debug -> Local
- * !process 0 0 [<image name>] - list processes (first 0: all processes, second 0: minimal detail, optional image name to filter)
- * !peb - BeingDebugged flag, loaded module list, ...
- * PatchGuard (Kernel Patch Protection) - periodically checks kernel structures such as the system service table and bugchecks if they were modified
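- * Added example (not from the original notes): what !peb shows, read from user mode without a debugger. NtQueryInformationProcess with ProcessBasicInformation (class 0) returns the PEB address and the parent PID; the first 0x20 bytes of the x64 PEB hold BeingDebugged (+0x02), ImageBaseAddress (+0x10) and Ldr (+0x18). The P/Invoke declarations and the Get-PebSummary function are mine; the offsets assume a 64-bit target read from 64-bit PowerShell (a WOW64 target lays its PEB out differently).

```powershell
# Added example, not part of the original notes.
Add-Type -Namespace PebDemo -Name Native -MemberDefinition @'
// IntPtr for every field keeps the layout pointer-sized, matching the 48-byte x64 structure.
[System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)]
public struct PROCESS_BASIC_INFORMATION {
    public System.IntPtr ExitStatus;
    public System.IntPtr PebBaseAddress;
    public System.IntPtr AffinityMask;
    public System.IntPtr BasePriority;
    public System.IntPtr UniqueProcessId;
    public System.IntPtr InheritedFromUniqueProcessId;
}
[System.Runtime.InteropServices.DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(System.IntPtr hProcess, int infoClass,
    ref PROCESS_BASIC_INFORMATION info, int infoLength, out int returnLength);
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern System.IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(System.IntPtr hProcess, System.IntPtr baseAddress,
    byte[] buffer, int size, out System.IntPtr bytesRead);
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
public static extern bool CloseHandle(System.IntPtr handle);
'@

function Get-PebSummary {
    param([int]$ProcessId = $PID)   # defaults to this PowerShell process
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010
    $h = [PebDemo.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $((New-Object System.ComponentModel.Win32Exception $err).Message)"
    }
    try {
        $pbi = New-Object PebDemo.Native+PROCESS_BASIC_INFORMATION
        $returned = 0
        $status = [PebDemo.Native]::NtQueryInformationProcess($h, 0, [ref]$pbi,
            [System.Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$returned)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed: NTSTATUS 0x{0:X8}' -f $status) }

        # Read the head of the PEB out of the target's address space.
        $buf  = New-Object byte[] 0x20
        $read = [IntPtr]::Zero
        if (-not [PebDemo.Native]::ReadProcessMemory($h, $pbi.PebBaseAddress, $buf, $buf.Length, [ref]$read)) {
            throw ('ReadProcessMemory failed at PEB 0x{0:X}' -f $pbi.PebBaseAddress.ToInt64())
        }
        [pscustomobject]@{
            Pid              = $pbi.UniqueProcessId.ToInt64()
            ParentPid        = $pbi.InheritedFromUniqueProcessId.ToInt64()   # the "Parent" WinDbg prints
            PebBaseAddress   = '0x{0:X}' -f $pbi.PebBaseAddress.ToInt64()
            BeingDebugged    = [bool]$buf[2]                                 # what IsDebuggerPresent returns
            ImageBaseAddress = '0x{0:X}' -f [BitConverter]::ToInt64($buf, 0x10)
            Ldr              = '0x{0:X}' -f [BitConverter]::ToInt64($buf, 0x18)  # PEB_LDR_DATA: the DLL lists
        }
    } finally {
        [void][PebDemo.Native]::CloseHandle($h)
    }
}

Get-PebSummary                                                          # this process
Get-PebSummary -ProcessId (Get-Process -Name explorer | Select-Object -First 1).Id
```

- * Attach WinDbg to the same PID and run !peb: the PEB address, image base and Ldr pointer match, and BeingDebugged flips to 1 while the debugger is attached.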
- ## Kernel modules - (System process)
- * NtOsKrnl.exe - executive and kernel
- * Hal.dll
- ## Objects and handles
- * handle - an index into the process's handle table, so user mode never touches a kernel object directly; objects are reference counted
- * !object <object_address> - show an object (use !handle to map a handle value to its object address)
- ## Sessions
- * at least two sessions: 0 for services, 1 for the first interactive user (the interactive window station is "WinSta0")
- * hierarchy: a session contains window stations, a window station contains desktops; each process is bound to one window station and each thread to one desktop
- * desktop: windows, menus, hooks
- * window station: clipboard, atom table
- * an interactive session has two desktops of interest: Default, and the secure desktop created by Winlogon for Ctrl+Alt+Del (and UAC prompts). Hooks are per desktop and a window cannot be moved to another desktop; Win10 simulates the switch on a single desktop
- ## System Processes
- * Idle - PID 0, not a real process (no image); one thread per logical processor, accounting idle time
- * System - PID 4, home of the kernel-mode system threads, which never run user-mode code
- * Session Manager (smss.exe) - first user-mode process; waits for new sessions and starts a csrss.exe and winlogon.exe for each; bugchecks if csrss or winlogon die, and the kernel bugchecks if smss dies
- * Windows subsystem (csrss.exe)
- * Logon process (winlogon.exe)
- * Service control manager (SCM, services.exe)
- * Local Security Authority Subsystem (lsass.exe)
- * Secure System / Secure Kernel (present when the hypervisor and VBS are on)
- * Memory Compression - saves RAM by compressing pages; hidden by Task Manager (visible in Process Explorer); kernel-only code, no image
- * Registry - hosts the in-memory registry hives (Windows 10 1803 and later)
- # -----------------------------------------------------------------------------
- # -- Day 2: Processes and Jobs --
- ## Processes
- * Priority class (base priority)
- * starts with CreateProcess / CreateProcessAsUser / CreateProcessWithTokenW / CreateProcessWithLogonW (each also creates the initial thread)
- * ends when all threads exit, when a thread calls ExitProcess, or when killed with TerminateProcess (also from another process)
- * the kernel releases all of a process's resources on exit, unlike a driver's, whose leaks are permanent
- * the CRT calls ExitProcess when main returns, so with the CRT the process ends when the main thread ends even if other threads are still running
- * ExitProcess sends DLL_PROCESS_DETACH to loaded DLLs; TerminateProcess does not
- * DLL_THREAD_ATTACH/DETACH are sent to every loaded DLL whenever a thread starts or ends in that process
- * kernel mode: EPROCESS (dt nt!_EPROCESS), undocumented; its first field Pcb is the KPROCESS. All EPROCESS blocks sit in a doubly linked list headed by PsActiveProcessHead, linked through the LIST_ENTRY ActiveProcessLinks (Flink/Blink)
- * user mode: PEB
- * Creation: open the image file
- -> create the EPROCESS (the PEB is set up in the new address space here)
- -> create the initial thread's ETHREAD (and its TEB)
- -> notify csrss of the new process and thread (ALPC)
- -> the loader in ntdll completes initialization inside the new process:
- : load the required DLLs, calling DLL_PROCESS_ATTACH on each
- -> call the entry point (main/WinMain)
- * (a process can also be created through the WMI service: Win32_Process.Create)
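- * Added example (not from the original notes): two ways to start a process and two ways to end it, tying the parent/PID bookkeeping to the exit paths above. Win32_Process.Create goes through the WMI service, so the child's recorded parent is WmiPrvSE.exe rather than this shell, while Start-Process calls CreateProcess and the parent is this shell. Process.CloseMainWindow sends WM_CLOSE and lets notepad exit on its own (the ExitProcess path, so DLL_PROCESS_DETACH runs); Stop-Process uses TerminateProcess, which skips it. The cmdlets and .NET members are real; the timing and output format are mine.

```powershell
# Added example, not part of the original notes. Run in an interactive session.
$r = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed, return value $($r.ReturnValue)" }
$viaWmi    = Get-Process -Id $r.ProcessId          # created by the WMI provider host
$viaCreate = Start-Process notepad.exe -PassThru   # created by CreateProcess from this shell

Start-Sleep -Milliseconds 500   # give both a moment to create their main window
foreach ($p in $viaWmi, $viaCreate) {
    $info   = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($info.ParentProcessId)"
    '{0,6} {1,-12} session {2}  parent {3,6} {4}' -f $info.ProcessId, $info.Name, $info.SessionId,
        $info.ParentProcessId, $parent.Name
}

# Graceful exit: WM_CLOSE -> notepad leaves its message loop -> CRT -> ExitProcess.
# CloseMainWindow returns $false if the window is not up yet; then fall back to a kill.
if (-not $viaCreate.CloseMainWindow()) { Stop-Process -Id $viaCreate.Id }
# Forced exit: TerminateProcess. The kernel still frees every handle and page,
# but no user-mode cleanup (DLL_PROCESS_DETACH, atexit handlers) runs in the target.
Stop-Process -Id $viaWmi.Id

Start-Sleep -Milliseconds 500
foreach ($p in $viaWmi, $viaCreate) {
    $p.Refresh()
    '{0,6} exited: {1}' -f $p.Id, $p.HasExited
}
```

- * The first listing is the detection-relevant part: a process whose parent is WmiPrvSE.exe was started through WMI, which is why that parent/child pair is a standard hunting signal for remote or scripted execution.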