Rachit Arora

Windows Internals: Theory

Jan 18, 2024

Contents

Resources

Windows is a vast topic, some resources before I start

Architecture

Line is dividing the user-mode and kernel-mode which are parts of the Windows OS. The boxes above the line represent user-mode processes, and the components below the line are kernel-mode OS services.

https://media.discordapp.net/attachments/791571025368186890/1201264836353478707/image.png?ex=65c9300f&is=65b6bb0f&hm=a05e613f016a29871cc0d1bd504c20e01ca80c9c1c0f94a68ff552c89d677672&=&format=webp&quality=lossless&width=1104&height=627

  1. User Processes - A program/application executed by the user such as Notepad, Google Chrome or Microsoft Word.
  2. Subsystem DLLs - DLLs that contain API functions that are called by user processes.
  3. Ntdll.dll - A system-wide DLL which is the lowest layer available in user mode. This is a special DLL that creates the transition from user mode to kernel mode. This is often referred to as the Native API or NTAPI.
  4. Executive Kernel - This is what is known as the Windows Kernel and it calls other drivers and modules available within kernel mode to complete tasks. The Windows kernel is partially stored in a file called ntoskrnl.exe under “C:\Windows\System32”

Kernel Mode vs User Mode

Processors may distinguish between these modes using various terms such as code privilege level, ring level, supervisor mode, and application mode. However, regardless of the terminology used, the processor grants the operating system kernel a higher privilege level compared to user mode applications. This differentiation in privilege levels provides a crucial foundation for operating system designers to guarantee that a malfunctioning application cannot compromise the stability of the entire system.

https://media.discordapp.net/attachments/791571025368186890/1201268962596499516/image.png?ex=65c933e7&is=65b6bee7&hm=b91b9d7f8abed0707a0d5ed4eb743f6342c15c9e9383116920110f0d44a125a7&=&format=webp&quality=lossless&width=918&height=685

Here’s the arrangement of the process described:

  1. User Application: Initiates the file creation process by calling the CreateFile function from the WinAPI.
  2. Kernel32.dll: Contains the CeateFile function. It’s a crucial DLL that provides access to WinAPI functions and is commonly loaded by applications.
  3. Ntdll.dll: Contains the equivalent NTAPI function NtCreateFile. CreateFilei nternally calls NtCreateFile.
  4. Assembly Instruction Execution: Ntdll.dll executes an assembly sysenter (x86) or syscall (x64) instruction, transitioning the execution to kernel mode.
  5. Kernel Mode Execution: The kernel NtCreateFile function is invoked. It interfaces with kernel drivers and modules to execute the requested file creation operation.

It is noteworthy that applications have the capability to directly call syscalls (i.e., NTDLL functions) without needing to utilize the Windows API. The Windows API essentially serves as a facade for the Native API. However, it’s worth mentioning that the Native API is more challenging to use since it lacks official documentation from Microsoft.

Most internal Windows strings are implemented in Unicode, when you use the ANSI version of an API, Windows have to convert it to unicode and also when returning back from the API, this have a small performance impact.

Process

A process is an instance of a program in execution. Batch systems work in terms of “jobs”. Many modern process concepts are still expressed in terms of jobs, ( e.g. job scheduling ), and the two terms are often used interchangeably.

A Process Consists of

Process are isolated from one another
The executable cannot be considered a unique identifier because there are multiple processes, associated with the same executable.

At the highest level of abstraction, a Windows process comprises the following:

https://media.discordapp.net/attachments/791571025368186890/1201244654532837466/image.png?ex=65c91d43&is=65b6a843&hm=a78b953a0bf8113ea461c451ca6f6e33def6087f299f2af37dc15d772b36e2f5&=&format=webp&quality=lossless&width=1144&height=441

Processes may be in one of 5 states,

Other details include:

Thread

A thread is a basic unit of CPU utilization, consisting of a program counter, a stack, and a set of registers, ( and a thread ID. )

A thread includes the following essential components:

https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/images/Chapter4/4_01_ThreadDiagram.jpg

Traditional ( heavyweight ) processes have a single thread of control - There is one program counter, and one sequence of instructions that can be carried out at any given time.

Multi-threaded applications have multiple threads within a single process, each having their own program counter, stack and set of registers, but sharing common code, data, and certain structures such as open files.

Virtual Memory

https://connormcgarr.github.io/images/PAGE_1.png

In modern operating systems, memory is not directly mapped to physical memory (i.e., RAM). Instead, processes utilize virtual memory addresses that are mapped to physical memory addresses. The primary aim of this approach is to conserve physical memory. Virtual memory may reside in physical memory or be stored on disk. With virtual memory addressing, multiple processes can share the same physical address while possessing unique virtual memory addresses.

Virtual memory operates on the principle of Memory paging, which segments memory into 4kb-sized chunks called “pages”.

Each process maintains its own private virtual address space, yet they can share physical memory, especially when they utilize the same code.

x86 vs x64 Memory Space

https://media.discordapp.net/attachments/791571025368186890/1201253335613845715/image.png?ex=65c92559&is=65b6b059&hm=c3efa1a2cfb62b9ae1267dd023be0a9453a2ed56a31d72bb228fb33d4597d58b&=&format=webp&quality=lossless&width=987&height=423

When working with Windows processes, it’s important to note whether the process is x86 or x64.

On 32-bit x86, a process can address 4GB of memory space.

64-bit Windows provides a much larger address space for processes:

Memory Protection Modern operating systems generally have built-in memory protections to thwart exploits and attacks. These are also important to keep in mind as they will likely be encountered when building or debugging the malware.

Data Execution Prevention (DEP) DEP is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. If the page protection option is set to PAGE_READONLY, then DEP will prevent code from executing in that memory region.

Address space layout randomization (ASLR) ASLR is a memory protection technique used to prevent the exploitation of memory corruption vulnerabilities. ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries

DLL

A dynamic link library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.

https://cdn.discordapp.com/attachments/791571025368186890/1201270329234968709/image.png?ex=65c9352d&is=65b6c02d&hm=5d8fa1178e6665d783a33e0397aeef785202976fa9d8eba9d982f4a02386d99f&

Job

Objects and Handles

Registry

The registry is effectively a database that consists of a massive number of keys with associated values. These keys are sorted hierarchically using subkeys

Security

Windows has three forms of access control over objects:

Sysinternals Tools