Windows Internals Brown-Bag Seminar
Chapter 1 – Concepts and Tools
Jim Fawcett
Fall 2006

Windows Internals
• Chap 1 – Concepts and Tools
• Chap 2 – System Architecture
• Chap 3 – System Mechanisms
• Chap 4 – Management Mechanisms
• Chap 5 – Startup and Shutdown
• Chap 6 – Processes, Threads
• Chap 7 – Memory Management
• Chap 8 – Security
• Chap 9 – I/O System
• Chap 10 – Storage Management
• Chap 11 – Cache Manager
• Chap 12 – File Systems
• Chap 13 – Networking
• Chap 14 – Crash Dump Analysis

Resources
• Windows Internals, Fourth Edition, Russinovich, Solomon, Microsoft Press, 2005
• Windows System Programming, Third Edition, Johnson Hart, Addison-Wesley, 2005
• Win32 Links – a random sampling of interesting things:
  – Display Win32 and COM error strings
  – Accessing data in another process
  – Injecting and executing code in another process
  – Windows Security with code examples
  – ShellExecute and Automation
  – Windows Hooks
  – Win32 Message Maps and Message Cracking
• Windows Annoyances

Windows API
• Overview
• Base Services
• Component Services
• User Interface Services
• Graphics and Multimedia Services
• Networking
• Web Services

More Resources
• Core Technologies
• Overview of Windows API
• Windows Data Types
• Windows API Functions by category
• Windows Shell
• Win32 to .Net Map
• Platform SDK

Windows Programming Levels
• .Net Framework Class Library
  – Many namespaces of managed code
• Windows API Functions
  – Documented, callable functions exported from user32.dll, gdi32.dll, advapi32.dll, and kernel32.dll
• Native System Services
  – Undocumented system services, exported by ntdll.dll, that user-mode code can call directly
• Kernel Support Functions
  – Windows OS routines, callable only from kernel mode (e.g., from device drivers)
Some Examples
• fileInfo, Nav, and Wintools
• Threads
• Creating and Loading DLLs

Windows Processes
• A process is a container of resources used by an executing program:
  – Private virtual address space
  – Executable program
  – List of open handles
  – A security context, e.g., an access token
  – Process ID
  – One or more threads of execution

[Figure: process layout. Process code and DLL code; global memory shared by threads (serialization is the user's job); a stack and thread local storage per thread; the default process heap (serialized by Windows, used by Win32 functions) and other heaps; a main (UI) thread that Windows can serialize, and worker threads that only send or post messages to it; handles to the process, thread, module, heap, window, brush and pen objects; virtual memory mapped onto physical memory by the hardware.]

Processing Modes
• User mode
  – User mode runs user application code. In user mode, a process has access to a private virtual address space, shared by all threads that run in the process.
• Kernel mode
  – Kernel mode runs OS code and device drivers, as well as much of the graphics and windowing code. In kernel mode, threads have unlimited access to the system's virtual memory and to all CPU instructions.
• More about modes
  – Each page in virtual memory is tagged with the mode the processor must be in to read or write the page, so user-mode code cannot touch kernel-mode pages. Read-only pages, e.g., those that contain executable code, are not writable from any mode unless their protection is changed first.
  – User applications switch from user mode to kernel mode when they make system calls. The call and its arguments are validated before the kernel executes it.
• Demo: opening Visual Studio – now lots of page faults.

Windows Threads
• A scheduled entity in a process that executes code. It has:
  – Contents of a set of CPU registers
  – Two stacks, one for kernel mode, one for user mode
  – Private thread-local storage, used by Windows subsystems and libraries
  – Unique thread ID
  – Optionally its own security context (an impersonation token) that overrides the process token

Objects
• A kernel object is reference counted, and consists of:
  – A system-defined data type
  – Functions that operate on instances of that type
  – A set of object attributes
• A process object, for example, has an ID, a base scheduling priority, and a pointer to an access token.
• Many objects can be named and shared across processes.
• Functions usually operate on object attributes.
• Example objects:
  – Processes, threads, files, events, mutexes (kernel objects); windows (user objects, managed by the windowing subsystem rather than the kernel object manager)

Security
• Windows has:
  – Discretionary protection for all shareable system objects, e.g., files, directories, processes, threads, registry keys, …
  – Security auditing
  – Password authentication at logon
  – Object reuse protection: one user cannot read another's deallocated memory

Discretionary Access Control
• Methods by which owners of objects can grant or deny access to others.
• When a user logs on, she is given an access token (her security context).
• When she accesses a secured object, her token is compared with the object's discretionary access control list (DACL) to determine whether she has permission for the requested operation.

Privileged Access Control
• Privileged access allows administrators to take ownership of existing objects (the take-ownership privilege), so an owner's DACL cannot lock administrators out of an object for good.
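The check described on the Discretionary Access Control and Privileged Access Control slides, as an added Python model written for this page. It is not code from the seminar and not the kernel's own routine: it models only the rules above (NULL DACL grants everything, the take-ownership privilege grants WRITE_OWNER and the owner gets READ_CONTROL and WRITE_DAC before the DACL is read, ACEs are evaluated in order) and ignores generic-right mapping, ACE inheritance, MAXIMUM_ALLOWED and restricted tokens. The standard-right bit values, privilege name and BUILTIN group SIDs are the real ones; the user SIDs, the accounts and the two object-specific rights are constructed.

```python
# Added example: simplified model of the Windows discretionary access check.
# Not the kernel's SeAccessCheck.  User SIDs and OBJ_* rights are constructed.
from dataclasses import dataclass

# Standard rights (real Windows bit values) ...
READ_CONTROL = 0x00020000  # read the object's security descriptor
WRITE_DAC    = 0x00040000  # change the object's DACL
WRITE_OWNER  = 0x00080000  # change the object's owner
# ... and two object-specific rights for a hypothetical object type.
OBJ_READ  = 0x00000001
OBJ_WRITE = 0x00000002

SE_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"  # real privilege name

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # rights allowed or denied

@dataclass(frozen=True)
class Token:
    """Security context of a logged-on user: user SID, group SIDs, privileges."""
    user: str
    groups: frozenset
    privileges: frozenset

    def contains(self, sid):
        return sid == self.user or sid in self.groups

@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    dacl: "tuple | None"  # None models a NULL DACL: the object is unprotected

def access_check(sd, token, desired):
    """Return (granted, rights_granted) for a request of `desired` rights."""
    if sd.dacl is None:                         # NULL DACL: everything is allowed
        return True, desired
    granted = 0
    if SE_TAKE_OWNERSHIP in token.privileges:   # privilege applies before the DACL is read
        granted |= desired & WRITE_OWNER
    if token.contains(sd.owner):                # owner can always read and change the DACL
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    if granted == desired:
        return True, granted
    for ace in sd.dacl:                         # ACEs are evaluated in order
        if not token.contains(ace.sid):
            continue
        remaining = desired & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False, granted               # a still-wanted right is denied: stop
        if ace.kind == "allow":
            granted |= ace.mask & remaining
            if granted == desired:
                return True, granted            # everything wanted is granted: stop
    return False, granted                       # end of DACL (or empty DACL): denied

# Constructed accounts.  BUILTIN\Users and BUILTIN\Administrators are real well-known SIDs.
ALICE  = "S-1-5-21-1000-2000-3000-1001"
BOB    = "S-1-5-21-1000-2000-3000-1002"
ADMIN  = "S-1-5-21-1000-2000-3000-500"
USERS  = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"

alice_token = Token(ALICE, frozenset({USERS}), frozenset())
bob_token   = Token(BOB, frozenset({USERS}), frozenset())
admin_token = Token(ADMIN, frozenset({USERS, ADMINS}), frozenset({SE_TAKE_OWNERSHIP}))

# Alice's object: deny Bob writes, then allow every member of Users read and write.
# The deny ACE comes first so it takes effect (canonical DACL order).
ALICE_OBJ   = SecurityDescriptor(ALICE, (Ace("deny", BOB, OBJ_WRITE),
                                         Ace("allow", USERS, OBJ_READ | OBJ_WRITE)))
LOCKED_DOWN = SecurityDescriptor(ALICE, ())    # empty DACL: no one is granted anything
UNPROTECTED = SecurityDescriptor(ALICE, None)  # NULL DACL

def demo():
    """Run the scenarios and return their results keyed by name."""
    return {
        "alice_rw":          access_check(ALICE_OBJ, alice_token, OBJ_READ | OBJ_WRITE),
        "bob_rw":            access_check(ALICE_OBJ, bob_token, OBJ_READ | OBJ_WRITE),
        "bob_r":             access_check(ALICE_OBJ, bob_token, OBJ_READ),
        "owner_locked_read": access_check(LOCKED_DOWN, alice_token, OBJ_READ),
        "owner_locked_dac":  access_check(LOCKED_DOWN, alice_token, WRITE_DAC),
        "admin_take_owner":  access_check(LOCKED_DOWN, admin_token, WRITE_OWNER),
        "null_dacl":         access_check(UNPROTECTED, bob_token, OBJ_WRITE | WRITE_DAC),
    }

if __name__ == "__main__":
    for name, (ok, rights) in demo().items():
        print(f"{name:18s} granted={ok} rights=0x{rights:08x}")
```

Two scenarios are worth noticing. An empty DACL locks out even the owner for ordinary rights, but the owner still gets WRITE_DAC and can repair the DACL; and an administrator holding the take-ownership privilege gets WRITE_OWNER without any ACE saying so, which is exactly the escape hatch the Privileged Access Control slide describes.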
Registry
• The registry holds:
  – Boot and system configuration info
  – System-wide software settings
  – Security database
  – Per-user configuration settings

Registry Structure
• Hierarchical structure like a directory tree
  – Each branch is called a key
  – Each key can contain both subkeys and values
  – A value contains stored information
  – Value types include String (REG_SZ), Binary (REG_BINARY) and DWORD (REG_DWORD)

Registry Root Keys
• HKEY_CLASSES_ROOT
  – File associations and paths to COM servers
• HKEY_CURRENT_USER
  – The part of HKEY_USERS for the currently logged-on user
• HKEY_LOCAL_MACHINE
  – Hardware and software installed on your machine
• HKEY_USERS
  – Preferences for each user of the machine
• HKEY_CURRENT_CONFIG
  – The part of HKEY_LOCAL_MACHINE for the current hardware configuration

End of Presentation
• Seminar Schedule
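The key/value tree described on the Registry Structure and Registry Root Keys slides, as an added Python example written for this page (not code from the seminar). It parses the text form of a registry export (the `.reg` format: `[key]` lines, `"name"=data` lines, with `"..."`, `dword:` and `hex:` data) into keys and typed values, looks values up case-insensitively as Windows does, and treats HKEY_CURRENT_USER as an alias for the current user's subtree of HKEY_USERS. The sample export, ExampleCorp and its paths, and the user SID are constructed.

```python
# Added example: parse a constructed .reg export into a key/value tree.
# Not code from the seminar.  ExampleCorp, its paths and the SID are hypothetical.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"InstallDir"="C:\\Program Files\\ExampleCorp"
"Version"=dword:0000002a
"Token"=hex:de,ad,\
  be,ef

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent\Plugins]
@="default plugin"

[HKEY_CURRENT_USER\Software\ExampleCorp]
"Theme"="dark"
"""

CURRENT_USER_SID = "S-1-5-21-1000-2000-3000-1001"  # hypothetical logged-on user

class RegKey:
    """One registry key: a node holding subkeys and named values."""
    def __init__(self, name):
        self.name = name
        self.subkeys = {}   # lower-cased name -> RegKey (key names are case-insensitive)
        self.values = {}    # value name -> (type_name, data); "" is the (Default) value

def _split(path, user_sid):
    """Split a key path; HKEY_CURRENT_USER is an alias for HKEY_USERS\\<sid>."""
    parts = path.split("\\")
    if parts[0].upper() == "HKEY_CURRENT_USER":
        parts = ["HKEY_USERS", user_sid] + parts[1:]
    return parts

def _open(root, path, user_sid, create=False):
    """Walk the tree to `path`, creating missing keys if asked; None if absent."""
    node = root
    for part in _split(path, user_sid):
        child = node.subkeys.get(part.lower())
        if child is None:
            if not create:
                return None
            child = node.subkeys[part.lower()] = RegKey(part)
        node = child
    return node

def _unquote(s):
    return re.sub(r"\\(.)", r"\1", s[1:-1])   # drop quotes, undo \\ and \" escapes

def _parse_data(data):
    if data.startswith('"'):
        return "REG_SZ", _unquote(data)
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(data[4:].replace(",", ""))
    raise ValueError("unsupported value data: %r" % data)

def parse_reg(text, user_sid=CURRENT_USER_SID):
    root = RegKey("")
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _open(root, line[1:-1], user_sid, create=True)
            continue
        while line.endswith("\\") and i < len(lines):   # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if current is None:
            raise ValueError("value before any [key] line: %r" % line)
        name, _, data = line.partition("=")
        current.values["" if name == "@" else _unquote(name)] = _parse_data(data)
    return root

def query_value(root, key_path, name="", user_sid=CURRENT_USER_SID):
    """Return (type_name, data) for a value, or None if the key or value is missing."""
    key = _open(root, key_path, user_sid)
    return None if key is None else key.values.get(name)

def list_subkeys(root, key_path, user_sid=CURRENT_USER_SID):
    key = _open(root, key_path, user_sid)
    return [] if key is None else sorted(k.name for k in key.subkeys.values())

TREE = parse_reg(SAMPLE_REG)

if __name__ == "__main__":
    agent = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"
    print(query_value(TREE, agent, "Version"), list_subkeys(TREE, agent))
    print(query_value(TREE, r"HKEY_CURRENT_USER\Software\ExampleCorp", "Theme"))
```

The same value is reachable through either `HKEY_CURRENT_USER\...` or `HKEY_USERS\<sid>\...`, which is the relationship the Registry Root Keys slide states; an `.reg` import (the `[-key]` delete syntax, `hex(N):` typed data, and the UTF-16 encoding of real exports) is deliberately not handled.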