Jun 26, 2019, 07:00 AM

# Windows Internals #

# -----------------------------------------------------------------------------
# -- Day 1 --

* Versions: from Vista (6.0) on, programs failed to run because they checked major >= 5 && minor >= 1. Windows 10 still reports as being 6.2.
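The version-check bug above, as an added example that is not part of the original notes: the two halves of the version are compared independently, so 6.0 (Vista) fails a "5.1 or later" check even though it is newer. The sample version list is constructed for the example; the 6.2 entry is what the notes say an unmanifested app sees on Windows 10.

```python
# Added example (not from the original notes): why "major >= 5 and minor >= 1"
# breaks on Vista (6.0), and how a tuple (lexicographic) comparison fixes it.

# Constructed sample of (name, major, minor) kernel versions.
WINDOWS_VERSIONS = [
    ("Windows XP", 5, 1),
    ("Windows Vista", 6, 0),
    ("Windows 7", 6, 1),
    ("Windows 10 (reported to unmanifested apps)", 6, 2),
]


def broken_is_at_least_xp(major: int, minor: int) -> bool:
    """The faulty check the notes describe: each part is compared on its own,
    so 6.0 fails because minor 0 < 1, even though 6.0 is newer than 5.1."""
    return major >= 5 and minor >= 1


def correct_is_at_least_xp(major: int, minor: int) -> bool:
    """Lexicographic comparison: major decides first, minor only on a tie."""
    return (major, minor) >= (5, 1)


def compare_checks(versions=WINDOWS_VERSIONS):
    """Return {name: (broken_result, correct_result)} for each sample version."""
    return {
        name: (broken_is_at_least_xp(major, minor), correct_is_at_least_xp(major, minor))
        for name, major, minor in versions
    }


if __name__ == "__main__":
    for name, (broken, correct) in compare_checks().items():
        print(f"{name:45} broken={str(broken):5} correct={correct}")
```

The same class of bug appears in any two-part comparison (API levels, protocol versions, firmware revisions); comparing tuples, or a single packed integer, avoids it.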

## Process

* virtual address space
* executable image
* table of kernel objects
* access token
* threads (process is closed when it has no more threads)

### Task Manager

* pid always a multiple of 4
* Suspended processes: for UWP processes (moved to background, no processor time), (if all threads suspended?)
* Not Responding - UI app not reacting to messages for at least 5 seconds
* ShellExperienceHost = start button
* RuntimeBroker - allows processes different access as described in the manifest
* Session: 0 - system, services, 1 - logged on users
* Handles - kernel object handle count

### Process Explorer

* run as admin to allow kernel stack tracing
* colors:
  * green - created (1 sec)
  * red - closing (1 sec)
  * yellow - hosts the CLR (has .NET assemblies and performance tabs)
  * pink - services (has services tab) (svchost - hosts Microsoft DLL services; if above 3.5 GB RAM, one DLL per svchost)
  * cyan - uses IsImmersiveProcess (full screen in W8) from WinRT (not only UWP)
  * gray - suspended
  * fuchsia? - protected processes
  * brown - jobs (has jobs tab), when the process is part of a job
* hierarchy:
  * who created whom
  * no effect on each other
  * parent stored as pid only, so the parent's start time is checked to be earlier than the child's to guard against pid reuse
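The pid-reuse check in the last bullet, as an added example that is not part of the original notes: a tree builder trusts the recorded parent PID only if that process started before the child. The snapshot records, timestamps and process names below are constructed sample data, not a real system capture.

```python
# Added example (not from the original notes): verifying parent links the way a
# Process Explorer-style tree builder does. The kernel records only the parent's
# PID, and PIDs are reused, so a recorded parent is trusted only if it started
# before the child. All records are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    parent_pid: int
    name: str
    start_time: float  # seconds since boot (constructed values)


SNAPSHOT: List[ProcessRecord] = [
    ProcessRecord(4,    0,   "System",       0.0),
    ProcessRecord(372,  4,   "smss.exe",     1.2),
    ProcessRecord(508,  372, "csrss.exe",    1.9),
    ProcessRecord(1340, 820, "explorer.exe", 40.0),
    # PID 820 has been reused: explorer's real parent exited long ago and an
    # unrelated process later received the same PID, so it is younger than its "child".
    ProcessRecord(820,  508, "notepad.exe",  3600.5),
]


def classify_parent_link(
    child: ProcessRecord, by_pid: Dict[int, ProcessRecord]
) -> Tuple[Optional[int], str]:
    """Return (verified_parent_pid_or_None, status) for one process."""
    parent = by_pid.get(child.parent_pid)
    if parent is None:
        return None, "parent-exited"      # PID not in snapshot: parent already gone
    if parent.start_time >= child.start_time:
        return None, "stale-pid"          # PID reused: the "parent" is younger than the child
    return parent.pid, "verified"


def build_tree(snapshot: List[ProcessRecord]) -> Dict[int, Tuple[Optional[int], str]]:
    """Map every PID in the snapshot to its verified parent (or None) and a status."""
    by_pid = {p.pid: p for p in snapshot}
    return {p.pid: classify_parent_link(p, by_pid) for p in snapshot}


def stale_links(snapshot: List[ProcessRecord]) -> List[int]:
    """PIDs whose recorded parent PID points at a younger, unrelated process."""
    return sorted(pid for pid, (_, status) in build_tree(snapshot).items() if status == "stale-pid")


if __name__ == "__main__":
    for pid, (parent, status) in build_tree(SNAPSHOT).items():
        print(f"pid={pid:5d} parent={parent} status={status}")
```

On a live system the same three fields come from, for example, `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, CreationDate); the check is only a heuristic, since a forged parent link can be given a plausible start time, so it should be read as "the parent PID cannot be trusted" rather than as proof of anything more.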

## Virtual Memory

* Mapping, protected mode, from NT
* Layout - 32-bit: 2 GB system [absolute], 2 GB user. 64-bit: 128 TB system [absolute], 128 TB user (limited by 48 address bits; in Cove, 57 bits)

## Threads

* thread id from the same pool as pid, also a multiple of 4

## Windows Architecture - Kernel & User mode

* Subsystem DLLs - wrap the native API for the public WinAPI (kernel32.dll, user32.dll, advapi32.dll, ...)
* [user mode] NTDLL.DLL - native API to communicate with the kernel through syscall (number in eax), e.g. NtCreateFile. Loaded by the kernel
* [kernel mode] Executive - system service dispatcher (handles the syscall), calls kernel and device drivers
* HAL - hardware abstraction layer - interrupt controller, DMA controller
* Win32k.sys - user interface
* Hyper-V hypervisor - limits kernel mode capabilities

* Subsystems - a kernel subset view to support different APIs: Unix (POSIX), OS/2, and Windows programs. Today, only the Windows subsystem exists. (XP removed OS/2, 8.1 removed POSIX)
* CSRSS.exe - critical process (BSOD if killed), handles the Windows subsystem

## Symmetric Multiprocessing

* Licensing: Home - 1 socket, Professional - 2 sockets
* Symmetric - each processor can run any code, user/kernel
* NUMA - faster access to 'node local' memory

## Windows Subsystem APIs

* WinAPI, COM, .NET, WinRT
  * apiA - translates the string to Unicode and calls apiW
* Windows subsystem has a CUI/GUI flag to indicate whether a console window should be created at startup.
* Native subsystem - can only call ntdll.dll directly

### Native API - NTDLL.DLL (compiled together with the kernel)

* Undocumented
* kernel dispatcher - mirrors the kernel API (so if ZwCreateFile is documented, NtCreateFile is the same)
* Various standard functions (memset, sprintf, ...)
* image loader, heap manager, thread pool (partial)

## WinDBG

* F1 - help
* ~ - display list of threads: '.' current thread, '#' reason for break
* ? - evaluate (hex default, 0n123 - decimal)
* !teb <teb_address> - display thread environment block
  * Client ID = (pid, tid)
* same for peb - process environment block
* dt ntdll!_teb [<teb_address>] - display data type (struct _TEB in module name) [and its values in memory at address]
* 0:007> - current thread index in ~
* ~7s - switch to thread 7
* when attaching - adds a remote thread and calls a breakpoint
* k - show stack
* ~1x - do command x on thread 1
* bp <location> - add breakpoint at location
* bl - breakpoint list
* d_ <location> - display data, _: b - bytes, u - UTF-16; location can be an address, symbol, @rcx, etc.
* u - disassemble
* p - step over (step)
* t - step into (trace)
* !error <value> - display error string of value
* symbols: srv*c:\symbols*http://msdl.microsoft.com/download/symbols or use the _NT_SYMBOL_PATH environment variable
* lm - loaded modules, symbol status: path or deferred (not yet needed)

### Kernel debugging (local kernel debug)

* System Configuration -> boot -> debug (and restart)
* !process 0 0 [<name>] - display process info (0 all processes, 0 minimal info, [with image name])
* peb - is being debugged, dll list
* patch guard - checks kernel structures and BSODs if they changed (like the system service table)

## Kernel modules - (System process)

* NtOsKrnl.exe - executive and kernel
* Hal.dll

## Objects and handles

* handle - prevents the user from accessing kernel objects directly, reference counted
* !object <handle_kernel_address>

## Sessions

* two sessions, 0 - services, 1 - user interactive ("winsta0")
* session (user)
  * window stations (process)
    * desktops (threads)
      * windows, menus, hooks
    * clipboard
    * atom table
* two desktops - default, and the ctrl+alt+del desktop created by winlogon (hooks are per desktop, cannot transfer windows between desktops, win10 simulates on a single desktop)

## System Processes

* Idle - pid 0, no kernel structure, number of threads is the number of logical processors
* System - pid 4, kernel space stuff, system threads never go to user mode
* Session Manager (Smss.exe) - first user process, waits for new sessions to be created, and checks csrss and winlogon (BSOD if they die); the kernel monitors smss
* Windows subsystem (Csrss.exe)
* Logon process (Winlogon.exe)
* Service control manager (SCM - Services.exe)
* Local security authentication server (Lsass.exe)
* Secure Kernel (for Hypervisor)
* Memory Compression - saves RAM by compressing parts of RAM - not displayed in Task Manager, the only C++ code in the kernel
* Registry

# -----------------------------------------------------------------------------
# -- Day 2: Processes and Jobs --

## Processes

* Priority class (base priority)
* starts: CreateProcess[/AsUser,/WithTokenW] (also creates a thread)
* ends: all threads close, or a call to ExitProcess (from within some thread), or killed with TerminateProcess (also remotely)
  * kernel ensures all resources are released, unlike drivers
  * the CRT calls ExitProcess after the main thread ends (so when the main thread ends, the process ends if working with the CRT)
  * ExitProcess calls DLL_PROCESS_DETACH, TerminateProcess doesn't
  * DLL_THREAD_ATTACH/DETACH called whenever a thread is started/ended in the process where the DLL is loaded
  * in kernel mode: EPROCESS (dt nt!_eprocess), with first field Pcb of type KPROCESS, undocumented, process structure in kernel mode, stored in a doubly linked list: PsActiveProcessHead; LIST_ENTRY field in EPROCESS with Flink and Blink
  * in user mode: PEB
* Process creation: open image
  -> create EPROCESS
  -> create thread ETHREAD
  -> notify CSRSS of new process and thread (with IPC?)
  -> Loader completes process and thread initialization
    : create Process Environment Block (PEB)
    : create Thread Environment Block (TEB)
    : Load required DLLs, calling DLL_PROCESS_ATTACH
  -> main/WinMain
* (can create a process through the WMI service)
174* (can create a process through WMI service)