Windows Internals Brown-Bag Seminar
Chapter 1 – Concepts and Tools
Jim Fawcett, Fall 2006
Windows Internals
• Chap 1 – Concepts and Tools
• Chap 2 – System Architecture
• Chap 3 – System Mechanisms
• Chap 4 – Management Mechanisms
• Chap 5 – Startup and Shutdown
• Chap 6 – Processes, Threads, and Jobs
• Chap 7 – Memory Management
• Chap 8 – Security
• Chap 9 – I/O System
• Chap 10 – Storage Management
• Chap 11 – Cache Manager
• Chap 12 – File Systems
• Chap 13 – Networking
• Chap 14 – Crash Dump Analysis
Resources
• Windows Internals, Fourth Edition, Russinovich, Solomon, Microsoft Press, 2005
• Windows System Programming, Third Edition, Johnson Hart, Addison-Wesley, 2005
• Win32 links – a random sampling of interesting things:
  – Display Win32 and COM error strings
  – Accessing data in another process
  – Injecting and executing code in another process
  – Windows security with code examples
  – ShellExecute and Automation
  – Windows Hooks
  – Win32 message maps and message cracking
• Windows Annoyances
Windows API
• Overview
• Base Services
• Component Services
• User Interface Services
• Graphics and Multimedia Services
• Networking
• Web Services
More Resources
• Core Technologies
• Overview of the Windows API
• Windows Data Types
• Windows API Functions by category
• Windows Shell
• Win32 to .NET Map
• Platform SDK
Windows Programming Levels
• .NET Framework Class Library – many namespaces of managed code, implemented on top of the Windows API
• Windows API functions – documented, callable functions exported from user32.dll, gdi32.dll, advapi32.dll, and kernel32.dll
• Native system services – undocumented (or only partly documented) services exported from ntdll.dll and callable from user mode; the Windows API DLLs call these to enter the kernel
• Kernel support functions – Windows OS routines callable only from kernel mode, i.e., from the executive and from device drivers
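Added example, not from the slides or the book: the same fact, the current process ID, obtained at three of the levels listed above, plus the parent process ID, which only the native layer returns directly. The kernel-support level cannot be reached from a user-mode script at all. The P/Invoke declarations and the class name Native are this example's own; PROCESS_BASIC_INFORMATION is declared with pointer-sized fields so it marshals correctly on both 32-bit and 64-bit PowerShell.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;

public static class Native
{
    // Level 2: documented Win32 API, exported from kernel32.dll
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentProcessId();

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    // PROCESS_BASIC_INFORMATION: every field is pointer-sized in memory
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    // Level 3: native system service, exported from ntdll.dll
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref PROCESS_BASIC_INFORMATION processInformation,
        int processInformationLength, out int returnLength);
}
'@
Add-Type -TypeDefinition $src

# Level 1: .NET Framework class library (managed wrapper over the Win32 API)
$netPid = [System.Diagnostics.Process]::GetCurrentProcess().Id

# Level 2: Win32 API call through P/Invoke
$win32Pid = [Native]::GetCurrentProcessId()

# Level 3: native system service; class 0 is ProcessBasicInformation.
# This is the call that crosses into kernel mode; the kernel validates the
# handle, the class and the buffer length before doing any work.
$pbi = New-Object Native+PROCESS_BASIC_INFORMATION
$len = 0
$status = [Native]::NtQueryInformationProcess(
    [Native]::GetCurrentProcess(), 0, [ref]$pbi,
    [System.Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
if ($status -ne 0) {
    throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status)
}

[pscustomobject]@{
    DotNetPid  = $netPid
    Win32Pid   = $win32Pid
    NativePid  = $pbi.UniqueProcessId.ToInt64()
    ParentPid  = $pbi.InheritedFromUniqueProcessId.ToInt64()   # not exposed by the Win32 layer
    PebAddress = ('0x{0:X}' -f $pbi.PebBaseAddress.ToInt64())
}
```

All three PID values agree; the parent PID and PEB address are the payoff for dropping to the native layer. Because NtQueryInformationProcess is not fully documented, its information classes and structure layouts may change between Windows versions, which is exactly why the slide lists it below the documented API.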
Some Examples
• fileInfo, Nav, and Wintools
• Threads
• Creating and loading DLLs
Windows Processes
• A process is a container of resources used by an executing program:
  – Private virtual address space
  – Executable program
  – List of open handles
  – A security context, e.g., an access token
  – Process ID
  – One or more threads of execution
Virtual Memory Mapping
Processing Modes
• User mode – runs user application code. In user mode, a process has access to a private virtual address space, shared by all threads that run in the process.
• Kernel mode – runs OS code and device drivers, as well as much of the graphics and windowing code. In kernel mode, threads have unlimited access to the OS’s virtual system memory and to all CPU instructions.
• More about modes
  – Each page in virtual memory is tagged as to what mode the processor must be in to read/write the page: pages in system space are accessible only from kernel mode, while pages in the user address space are accessible from user mode. Read-only pages, e.g., those that contain executable code, are not writable from any mode.
  – User applications switch from user mode to kernel mode when they make system calls. The kernel validates the arguments of these calls before executing them, so a bad pointer or handle from user mode fails the call rather than crashing the system.
Opening Visual Studio – Now lots of page faults.
Windows Threads
• A scheduled entity in a process that executes code. It has:
  – Contents of a set of CPU registers
  – Two stacks, one for kernel mode and one for user mode
  – Private thread-local storage, used by Windows subsystems and libraries
  – A unique thread ID
  – Optionally, a security context (token) used for impersonation
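Added example, not from the slides: the per-process resources of the Windows Processes slide and the per-thread state of this slide, read for a live process through the .NET System.Diagnostics.Process wrapper over the Win32 process and thread APIs. The split between user-mode and kernel-mode CPU time is the observable trace of the two modes and the two per-thread stacks. The function names are this example's own.

```powershell
function Get-ProcessSummary {
    param([int]$Id = $PID)   # defaults to the running PowerShell host

    $p = Get-Process -Id $Id
    # MainModule throws for protected processes and for targets of the other bitness
    $image = try { $p.MainModule.FileName } catch { '<access denied>' }

    [pscustomobject]@{
        Name          = $p.ProcessName
        Id            = $p.Id
        SessionId     = $p.SessionId
        OpenHandles   = $p.HandleCount             # entries in the process handle table
        Threads       = $p.Threads.Count
        PrivateBytes  = $p.PrivateMemorySize64     # committed private virtual memory
        VirtualBytes  = $p.VirtualMemorySize64     # reserved plus committed address space
        UserModeCpu   = $p.UserProcessorTime
        KernelModeCpu = $p.PrivilegedProcessorTime # time spent in kernel mode on the process' behalf
        Image         = $image
    }
}

function Get-ThreadSummary {
    param([int]$Id = $PID)

    foreach ($t in (Get-Process -Id $Id).Threads) {
        # WaitReason is only valid while the thread is in the Wait state; reading it
        # in any other state throws, so guard it.
        $reason = if ($t.ThreadState -eq 'Wait') { $t.WaitReason } else { $null }
        [pscustomobject]@{
            ThreadId      = $t.Id                  # the unique thread ID
            State         = $t.ThreadState
            WaitReason    = $reason
            BasePriority  = $t.BasePriority
            CurrentPri    = $t.CurrentPriority     # may be boosted above the base
            UserModeCpu   = $t.UserProcessorTime   # time on the user-mode stack
            KernelModeCpu = $t.PrivilegedProcessorTime # time on the kernel-mode stack
            StartAddress  = ('0x{0:X}' -f $t.StartAddress.ToInt64())
        }
    }
}

Get-ProcessSummary | Format-List
Get-ThreadSummary | Sort-Object KernelModeCpu -Descending | Format-Table -AutoSize
```

Pass another process ID (for example `Get-ThreadSummary -Id (Get-Process explorer).Id`) to inspect a different process; opening a process owned by another user or a protected process fails the access check on the process object, which is the discretionary protection described on the Security slide.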
Objects
• A kernel object is reference counted and consists of:
  – A system-defined data type
  – Functions that operate on instances of that type
  – A set of object attributes
• A process object, for example, has an ID, a base scheduling priority, and a pointer to an access token.
• Many objects can be named and shared across processes.
• Functions usually operate on object attributes.
• Example objects:
  – Processes, threads, files, events, mutexes (windows are managed by the windowing system rather than the object manager, so they are not kernel objects)
Security
• Windows has:
  – Discretionary protection for all shareable system objects, e.g., files, directories, processes, threads, registry keys, …
  – Security auditing
  – Password-protected authentication at logon
  – Protection against one user reading another user’s deallocated memory (freed pages are zeroed before they are handed to another process)
Discretionary Access Control
• Methods by which owners of objects can grant or deny access to others.
• When a user logs on, she is given a security token (security context) holding her user SID, group SIDs, and privileges.
• When accessing a secured object, her security token is compared with the discretionary access control list (DACL) in the object’s security descriptor to determine whether she has permission for the requested operation.
Privileged Access Control
• Privileged access lets an administrator holding the take-ownership privilege (SeTakeOwnershipPrivilege) take ownership of a securable object whose owner is unavailable, bypassing the object’s DACL; the new owner can then rewrite the DACL.
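Added example, not from the slides, covering the Security, Discretionary Access Control and Privileged Access Control slides together: it prints the logon token the access check is evaluated against, builds a DACL with explicit allow and deny entries on a scratch file, reads the result back, and, only when the script runs as an elevated administrator, exercises the take-ownership path. The file path and the account names Everyone and BUILTIN\Guests are assumptions chosen because they exist on every Windows installation.

```powershell
$path = Join-Path $env:TEMP 'dac-demo.txt'
Set-Content -Path $path -Value 'secret'

# 1. The security context: user SID and group SIDs carried in the logon token.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
'Token user : {0} ({1})' -f $me.Name, $me.User.Value
foreach ($g in $me.Groups) {
    # Logon and capability SIDs have no account name; show the raw SID for those
    try   { '{0,-50} {1}' -f $g.Translate([System.Security.Principal.NTAccount]).Value, $g.Value }
    catch { '{0,-50} {1}' -f '<unresolvable SID>', $g.Value }
}
# WindowsIdentity does not expose privileges; whoami reads them from the same token
whoami /priv

# 2. The DACL: the owner keeps full control, Everyone may read, Guests are
#    explicitly denied, and inherited ACEs from the directory are dropped.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me.Name, 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Read', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Guests', 'Read', 'Deny')))
Set-Acl -Path $path -AclObject $acl

# 3. Read back the security descriptor: owner, then the ACEs in stored order.
#    .NET writes them in canonical order, explicit deny ahead of explicit allow,
#    which is the order the access check walks them.
$acl = Get-Acl -Path $path
"Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 4. Privileged access control: an elevated administrator's token carries
#    SeTakeOwnershipPrivilege and the Administrators group marked as owner-capable,
#    so Administrators can be made the owner regardless of the DACL.
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $acl = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $path -AclObject $acl
    "Owner after take-ownership: $((Get-Acl -Path $path).Owner)"
} else {
    'Not elevated: skipping the take-ownership step'
}

Remove-Item -Path $path
```

The deny ACE for Guests wins over the Everyone allow even though Guests is a member of Everyone, because the check stops at the first ACE that denies a requested right. Run the script once from a normal prompt and once from an elevated one to see the ownership step switch on.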
Registry
• The registry holds:
  – Boot and system configuration info
  – System-wide software settings
  – The security database (SAM and LSA policy)
  – Per-user configuration settings
Registry Structure
• Hierarchical structure like a directory tree
  – Each branch is called a key
  – Each key can contain both keys and values
  – A value contains stored information
  – Common value types are String (REG_SZ), Binary (REG_BINARY), and DWORD (REG_DWORD); expandable strings, multi-strings, and QWORDs also exist
Registry Structure
• HKEY_CLASSES_ROOT – file associations and paths to COM servers (a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes)
• HKEY_CURRENT_USER – the subkey of HKEY_USERS belonging to the current user’s SID
• HKEY_LOCAL_MACHINE – hardware and software installed on your machine
• HKEY_USERS – preferences for each of the users of the machine
• HKEY_CURRENT_CONFIG – the subkey of HKEY_LOCAL_MACHINE holding the current hardware profile
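Added example, not from the slides, covering the three registry slides: a function that walks a key and reports each value with its type, a check that HKEY_CURRENT_USER really is a link into HKEY_USERS keyed by the logged-on user’s SID, and a look at the DACL that protects a system-wide key. The key paths used are assumptions chosen because they are present on every Windows installation; the function name is this example’s own.

```powershell
function Get-RegistryValues {
    param([Parameter(Mandatory)][string]$Path)   # a provider path such as HKLM:\SOFTWARE\...

    $key = Get-Item -Path $Path                  # Microsoft.Win32.RegistryKey
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key.Name
            Name  = if ($name -eq '') { '(Default)' } else { $name }
            Kind  = $key.GetValueKind($name)       # String, ExpandString, Binary, DWord, MultiString, QWord
            # keep %VAR% references unexpanded so REG_EXPAND_SZ values show their stored form
            Value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

# 1. System-wide settings under HKLM, with their value types.
Get-RegistryValues -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Where-Object Name -in 'ProductName', 'CurrentBuild', 'SystemRoot', 'InstallDate' |
    Format-Table Name, Kind, Value -AutoSize

# 2. Per-user settings: HKCU is the HKEY_USERS subkey named after the user's SID.
#    Only HKLM: and HKCU: exist as drives; other hives are reached via Registry::.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Environment").TEMP
"HKCU\Environment\TEMP           = $viaHkcu"
"HKU\$sid\Environment\TEMP = $viaHku"
"Same key: $($viaHkcu -eq $viaHku)"

# 3. Registry keys are securable objects: Users get read access to HKLM\SOFTWARE,
#    Administrators and SYSTEM get full control.
(Get-Acl -Path 'HKLM:\SOFTWARE').Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Step 3 is why a standard user can read machine-wide configuration but cannot alter it, and why the security database keys (HKLM\SAM and HKLM\SECURITY) are readable only by SYSTEM: their DACLs grant nothing to Users or Administrators.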
End of Presentation
• Seminar Schedule