Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools


Windows Internals Brown-Bag Seminar – Chapter 1 – Concepts and Tools
Jim Fawcett, Fall 2006

Windows Internals
- Chap 1 – Concepts and Tools
- Chap 8 – Security
- Chap 2 – System Archit.
- Chap 3 – System Mech.
- Chap 4 – Mgmt Mech.
- Chap 5 – Startup/Shutdown
- Chap 6 – Processes, Threads
- Chap 7 – Memory Mgmt
- Chap 8 – Security
- Chap 9 – I/O System
- Chap 10 – Storage Mgmt
- Chap 11 – Cache Mgr
- Chap 12 – File Systems
- Chap 13 – Networking
- Chap 14 – Crash Dump Anal.

Resources
- Windows Internals, Fourth Edition, Russinovich, Solomon, Microsoft Press, 2005
- Windows System Programming, Third Edition, Johnson Hart, Addison-Wesley, 2005
- Win32 Links – a random sampling of interesting things:
  - Display Win32 and COM error strings
  - Accessing data in another process
  - Injecting and Executing code in another process
  - Windows Security with code examples
  - ShellExecute and Automation
  - Windows Hooks
  - Win32 Message Maps and Message Cracking
  - Windows Annoyances

Windows API Overview
- Base Services
- Component Services
- User Interface Services
- Graphics and Multimedia Services
- Networking
- Web Services

More Resources
- Core Technologies
- Overview of Windows API
- Windows Data Types
- Windows API Functions by category
- Windows Shell
- Win32 to .Net Map
- Platform SDK

Windows Programming Levels
- .Net Framework Class Library: many namespaces of managed code
- Windows API Functions: documented, callable functions exported from user32.dll, gdi32.dll, advapi32.dll, and kernel32.dll
- Native System Services: undocumented services callable from user mode
- Kernel Support Functions: Windows OS routines, callable only from the kernel

Some Examples
- fileInfo, Nav, and Wintools
- Threads
- Creating and Loading DLLs

Windows Processes
A process is a container of resources used by an executing program:
- Private virtual address space
- Executable program
- List of open handles
- A security context, e.g., access token
- Process ID
- One or more threads of execution

Virtual Memory Mapping

Processing Modes
- User mode
- Kernel mode
- More about modes

User mode
User mode runs user application code. In user mode, a process has access to a private virtual address space, shared by all threads that run in the process.

Kernel mode
Kernel mode is used to run OS code and device drivers, as well as a lot of the Graphics and Windowing code. In kernel mode, threads have unlimited access to the OS’s virtual system memory and all CPU instructions.

More about modes
Each page in virtual memory is tagged as to what mode the processor must be in to read/write the page. Read-only pages, e.g., those that contain executable code, are not writable from any mode. User applications switch from user mode to kernel mode when they make system calls. These calls are validated before execution.

Opening Visual Studio – Now lots of page faults.

Windows Threads
A scheduled entity in a process that executes code. It has:
- Contents of a set of CPU registers
- Two stacks, one for kernel mode, one for user mode
- Private thread-local storage, used by Windows subsystems and libraries
- Unique thread ID
- May have a security context (token) used for impersonation

Objects
A kernel object is reference counted, and consists of:
- A system-defined data type
- Functions that operate on instances of that type
- A set of object attributes
A process has an ID, base scheduling priority, and a pointer to an access token. Many objects can be named and shared across processes. Functions usually operate on object attributes.
Example objects: processes, threads, windows, files, events, mutexes

Security
Windows has:
- Discretionary protection for all shareable system objects, e.g., files, directories, processes, threads, registry keys, …
- Security auditing
- Password authentication at login
- Prevention of one user from accessing another’s deallocated memory

Discretionary Access Control
Methods by which owners of objects can grant or deny access to others. When a user logs on, she is given a security token (security context). When accessing a secured object, her security token is compared with the access control list of the object to determine if she has permission for the requested operation.

Privileged Access Control
Privileged access allows administrators to take ownership of existing kernel objects.
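The token-against-ACL comparison on the Discretionary Access Control slide and the take-ownership privilege on the Privileged Access Control slide, worked through as an added example (not code from the seminar and not Windows code): a Python model of the ordered DACL walk, with the owner's implicit READ_CONTROL/WRITE_DAC and SeTakeOwnershipPrivilege's WRITE_OWNER applied before the walk. Every SID, mask and ACE below is constructed for the demonstration; the standard-right bit values mirror the real Windows constants, the object-specific bits do not.

```python
"""Model of the Windows discretionary access check described on the slides.

Added teaching example, not code from the seminar and not Windows code: it
imitates the ordered DACL walk the kernel performs when a token is compared
with an object's access control list, plus the two shortcuts the slides
mention (owner rights and the take-ownership privilege). SIDs are plain
strings and every SID and mask below is constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Object-specific bits (constructed) and the three Windows standard rights
# whose real values these mirror: READ_CONTROL, WRITE_DAC, WRITE_OWNER.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x20000, 0x40000, 0x80000


@dataclass
class Ace:
    kind: str   # "deny" or "allow"
    sid: str    # trustee the ACE applies to
    mask: int   # rights denied or granted


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list]   # None models a NULL DACL; [] models an empty DACL


@dataclass
class Token:
    user: str
    groups: set
    privileges: set = field(default_factory=set)   # enabled privileges

    def holds(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups


def access_check(sd: SecurityDescriptor, token: Token, requested: int):
    """Return (granted, reason) for the `requested` rights on `sd`."""
    if sd.dacl is None:
        return True, "NULL DACL: the object is unprotected, everything is granted"
    remaining = requested
    # The owner always receives READ_CONTROL and WRITE_DAC, DACL or not,
    # which is what lets an owner repair a DACL that locked them out.
    if token.holds(sd.owner):
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    # SeTakeOwnershipPrivilege supplies WRITE_OWNER without any ACE, which is
    # how administrators take ownership of an object they were never granted.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        remaining &= ~WRITE_OWNER
    if remaining == 0:
        return True, "granted by ownership or privilege before the DACL was consulted"
    # Walk the DACL in stored order: a deny ACE that covers any still-pending
    # right ends the check, an allow ACE clears the rights it carries.
    for ace in sd.dacl:
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, f"denied by ACE for {ace.sid}"
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"all requested rights granted, completed by ACE for {ace.sid}"
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return False, "end of DACL reached without all requested rights (an empty DACL grants nothing)"


def is_canonical(dacl: list) -> bool:
    """True when every deny ACE precedes every allow ACE.

    The walk above stops as soon as the request is satisfied, so an allow ACE
    placed before a deny ACE silently defeats the deny. Windows tools write
    ACLs in canonical order; one that is not is worth a second look.
    """
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


if __name__ == "__main__":
    # Constructed SIDs: a domain user, the Domain Users group (RID 513),
    # Everyone (S-1-1-0) and the built-in Administrator account (RID 500).
    user = Token("S-1-5-21-0-1001", {"S-1-1-0", "S-1-5-21-0-513"})
    admin = Token("S-1-5-21-0-500", {"S-1-1-0"}, {"SeTakeOwnershipPrivilege"})
    obj = SecurityDescriptor(owner="S-1-5-21-0-500", dacl=[
        Ace("deny", "S-1-5-21-0-513", WRITE),        # Domain Users may not write
        Ace("allow", "S-1-1-0", READ),               # Everyone may read
        Ace("allow", "S-1-5-21-0-500", READ | WRITE | READ_CONTROL | WRITE_DAC),
    ])
    for who, name, rights in [(user, "user", READ), (user, "user", READ | WRITE),
                              (user, "user", WRITE_OWNER), (admin, "admin", WRITE_OWNER)]:
        print(name, hex(rights), access_check(obj, who, rights))
    print("canonical:", is_canonical(obj.dacl))
```

Running the block shows the user reading (allowed by the Everyone ACE), the user failing a read-plus-write request (stopped by the Domain Users deny ACE before any allow is reached), and the administrator obtaining WRITE_OWNER from the privilege alone, with no ACE naming him. The `is_canonical` check is the defender's takeaway: because the walk is order-dependent, an ACL whose deny entries follow its allow entries does not deny anything.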

Registry
The registry holds:
- Boot and system configuration info
- System-wide software settings
- Security database
- Per-user configuration settings

Registry Structure
- Hierarchical structure like a directory tree
- Each branch is called a key
- Each key can contain both keys and values
- A value contains stored information
- Value types can be: String, Binary, DWORD

Registry Structure
- HKEY_CLASSES_ROOT: file associations and paths to COM servers
- HKEY_CURRENT_USER: part of HKEY_USERS for the current user
- HKEY_LOCAL_MACHINE: hardware and software installed on your machine
- HKEY_USERS: preferences for each of the users of the machine
- HKEY_CURRENT_CONFIG: part of HKEY_LOCAL_MACHINE for the current configuration
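The key/value/type structure from the two Registry Structure slides, made concrete as an added example (not code from the seminar): a Python parser for the text export that regedit writes (a "Windows Registry Editor Version 5.00" .reg file), which is the form in which registry content usually reaches someone reviewing a configuration or an incident. It maps each key path under one of the five root keys to its typed values (String as REG_SZ, Binary as REG_BINARY, DWORD as REG_DWORD, plus the expand-string, multi-string and QWORD encodings) and records deletion markers. The sample export embedded below is constructed; its vendor name, paths and values are not real.

```python
"""Parser for regedit's text export format (.reg, "Version 5.00").

Added teaching example, not code from the seminar. It rebuilds the key tree
the slides describe (keys containing keys and values, each value typed) from
an export. The export below is constructed; nothing in it is real.
"""
import re

ROOT_KEYS = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG"}

# Data formats used by the export: "..." (REG_SZ), dword:, hex: (REG_BINARY)
# and hex(N): where N is the REG_* type number, plus "-" marking a deletion.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_data(data: str):
    """Return (type_name, python_value) for one value's data field."""
    if data == "-":
        return ("DELETE", None)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    m = HEX_RE.match(data)
    if not m:
        raise ValueError(f"unrecognised value data: {data!r}")
    kind = int(m.group(1), 16) if m.group(1) else 3
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 3:
        return ("REG_BINARY", raw)
    if kind == 2:                       # UTF-16LE, NUL terminated
        return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
    if kind == 7:                       # UTF-16LE strings, double NUL terminated
        return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\0") if s])
    if kind == 0xB:
        return ("REG_QWORD", int.from_bytes(raw, "little"))
    return (f"REG_TYPE_{kind}", raw)


def parse_reg(text: str) -> dict:
    """Map each key path to {value_name: (type, data)}; deleted keys map to None."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a version 5.00 .reg export")
    keys, current, i = {}, None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data wrapped to next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):                     # [-KEY] deletes the key
                keys[path[1:]] = None
                current = None
                continue
            if path.split("\\", 1)[0] not in ROOT_KEYS:
                raise ValueError(f"unknown root key in {path!r}")
            current = keys[path] = keys.get(path) or {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(2))   # "" = default value
        current[name] = _parse_data(m.group(3))
    return keys


def subkeys(keys: dict, path: str) -> list:
    """Direct child key names of `path` present in the export."""
    prefix = path + "\\"
    return sorted({k[len(prefix):].split("\\", 1)[0]
                   for k, v in keys.items() if k.startswith(prefix) and v is not None})


# Constructed export: a fictitious vendor key with one value of each common type.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
@="Example Agent"
"InstallPath"="C:\\Program Files\\ExampleCorp\\agent.exe"
"Enabled"=dword:00000001
"Signature"=hex:de,ad,be,ef
"LogDir"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent\Plugins]
"Loaded"=hex(7):61,00,00,00,62,00,00,00,00,00

[-HKEY_CURRENT_USER\Software\ExampleCorp\OldSetting]
'''

if __name__ == "__main__":
    for path, values in parse_reg(SAMPLE_EXPORT).items():
        print(path if values is not None else f"{path}  (deleted)")
        for name, (kind, data) in (values or {}).items():
            print(f"    {name or '(Default)'!s:14} {kind:14} {data!r}")
```

The parser keeps the tree flat (one dict entry per full key path) because that is how an export is written; `subkeys` reconstructs the directory-tree view the slide describes when needed. The hex(N) branch is where the type tag matters: the same byte list is a REG_BINARY blob, a NUL-terminated UTF-16 expand string or a list of strings depending only on N, so a reviewer reading raw bytes without the tag can misread a path or a command line.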

End of Presentation Seminar Schedule