Windows Internals (introduction)
John Ombagi
Introduction

Overview
● Basic operating system concepts.
● How the Windows OS is implemented.
● A simplified view of the inner workings of this OS.
● Not a detailed guide.
Expectation & Literature
● Knowledge gained can be applied in:
  – Malware analysis & reverse engineering
  – Exploit development & software development
● Books required:
  – Windows Internals 6 (Part One and Part Two)
  – The recent Windows Internals 7 (Part One)
User mode & Kernel mode

User mode
● Allows access to non-operating-system code and data only.
● No direct access to the hardware.
● Prevents a user application from crashing the system.
Kernel mode
● Privileged mode for use by the kernel and device drivers only.
● Allows access to all system resources.
● Can potentially crash the system (blue screen of death).
Lab Setup
● Windows 7/8/10 (I’ll be using 32-bit).
● WinDbg, OllyDbg, Immunity Debugger, x64dbg
● IDA Pro ver. 6 or 7
● Windows Sysinternals Suite
● Python 2.7
● Provided workshop tools
Processes

What’s a Process?
● It’s a set of resources used to execute a program.
What constitutes a process?
● A private virtual address space.
● An executable program.
● A private table of handles to various kernel objects.
● A security context (access token).
● One or more threads that execute code.
Threads

What’s a Thread?
● An entity that is scheduled by the kernel to execute code.
What constitutes a thread?
● The state of the CPU registers
● Current access mode
● Two stacks (user space and kernel space)
● Thread Local Storage (TLS)
● Optional security token
● Optional message queue
Thread State
● There are several states, but the most important ones are:
  – Running
  – Ready
  – Waiting

Demo
Virtual Memory

Overview
● Each process "sees" a flat linear memory.
● Virtual memory may be mapped to physical memory, but may also be stored on disk.
● Processes access memory regardless of where it actually resides.
● The memory manager handles the mapping of virtual pages to physical pages.
Windows Internals Essentials

Further Reading
● Windows Internals, Sixth Edition, Part 1 (page 15)
  – Virtual Memory Mapping
  – Virtual Memory Layout

Demo.
Objects and Handles

Details
● Windows is an object-based system.
● Objects are run-time instances of static structures and reside in system memory space.
● Kernel code can obtain a direct pointer to an object; user-mode code can only obtain a handle to an object.
● Objects are reference counted.
Windows Design Goals

Overview
● Separate address space per process.
● Protected kernel.
● Pre-emptive multitasking & multithreading.
● Internationalization support using Unicode.
● Security throughout the system.
● Integrated networking.
Cont.
● Powerful file system (NTFS).
● Run most 16-bit Windows and DOS applications.
● Run POSIX 1003.1 and OS/2 applications.
● Portable across processors and platforms.
● Be a great client as well as server platform.
Core System Files

Executive and Kernel
● On 64-bit systems, we have Ntoskrnl.exe.
● On 32-bit systems, we have NtKrnlPa.exe.
  – Physical Address Extension (PAE) kernel.
● PAE uses paging tables to map memory greater than 4 GB.
Hal.dll
● Stands for Hardware Abstraction Layer.
● Windows ships several HALs, and the best one is chosen during installation.
● It's a layer that insulates the kernel and the drivers from the actual hardware.
Win32k.sys
● It's the kernel-mode component of the Windows subsystem.
● It handles windowing and GDI (graphics).
NtDll.dll
● It's the lowest layer of user mode.
● It has system support routines and the Native API dispatcher used to invoke system services.
● It provides the functions that transition into kernel mode.
● Provides other simple functions that are similar to the C runtime library.
Kernel32.dll, user32.dll, gdi32.dll, advapi32.dll etc.
● Applications don't call the kernel or Ntdll.dll directly; the Native API is undocumented.
● The way to do it is through the official, documented subsystem DLLs.
● They transition into Ntdll.dll if needed, or bypass it for GDI/windowing calls.
CSRSS.exe
● Client Server Runtime Subsystem.
● This is the process that manages the Windows subsystem.
● It's very important and always running.
● Killing this process will result in a blue screen of death.
Symmetric Multiprocessing

SMP
● All CPUs are the same, share main memory and have equal access to peripheral devices.
● No master or slave CPUs.
● The basic architecture supports up to 32/64 CPUs.
SMP cont.
● The original design used an affinity bitmask the size of the machine word (hence 32 or 64 CPUs).
● However, starting with Windows 7 64-bit and Windows Server 2008 R2, up to 256 cores are supported.
  – A processor group can contain up to 64 processors; there are four possible processor groups in a 256-core system.
Subsystems

Overview
● Windows exposes services via subsystem DLLs.
● These subsystem DLLs expose the API of a subsystem in a way that is fitting to that subsystem.
● The Windows subsystem must always be running.
● It’s loaded automatically during boot.
Subsystems cont.
● Information about subsystems is stored in the following registry key:
  – HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
● Subsystem DLLs are the ones exposing a particular API.
Cont.
● An image built for a certain subsystem calls API functions exposed through that subsystem's DLLs.
● Some processes start up before the Windows subsystem is up.
● Most dispatching to kernel services goes through Windows API "wrappers".
System Processes

Idle Process
● It has PID 0 and is not a real process.
● It's just one thread per CPU (core).
● It accounts for idle time.
System Process
● It's a real process and has a fixed PID of 4.
● It represents work going on in the kernel.
● It executes code in system space only.
● Its threads are created by the PsCreateSystemThread kernel API.
● The threads don't need a particular process to keep running (they run as long as the System process is alive).
Session Manager (Smss.exe)
● It runs \Windows\System32\smss.exe.
● It’s the first user-mode process, created by the System process (the kernel, as part of the boot process).
● Because at this time the Windows subsystem is not loaded yet, it uses the Native API provided by NtDll.dll.
Session Manager contd.
● Its duties include:
  – Creating system environment variables.
  – Launching the subsystem processes.
  – Launching itself in other sessions.
  – Waiting for csrss.exe instances to terminate.
  – Waiting for subsystem creation requests.
  – Waiting for terminal services session creation requests.
Windows Subsystem (Csrss.exe)
● It runs \Windows\System32\csrss.exe.
● Provides the user-mode side of the Win32 subsystem.
● CSRSS is mainly responsible for Win32 console handling and GUI shutdown.
● It is critical to system operation.
Logon Process (Winlogon.exe)
● It runs \Windows\System32\winlogon.exe.
  – Handles interactive logons and logoffs; if terminated, the user session is logged off.
  – Also responsible for capturing the Secure Attention Sequence (SAS): Ctrl+Alt+Del.
  – Presents the username/password dialog (through LogonUI.exe).
Local Sec. Auth. Server (Lsass.exe)
● Runs \Windows\System32\lsass.exe.
● It calls the appropriate authentication packages.
● Upon successful authentication, creates a token representing the user's security profile.
● Returns the information to Winlogon.
Service Control Manager (SCM)
● Runs \Windows\System32\services.exe.
  – Responsible for starting, stopping and interacting with service processes.
  – SERVICE: similar to a Unix daemon process; does not run in kernel mode in any way; a normal Windows executable that interacts with the SCM; can run under "special" accounts (LocalSystem, NetworkService, LocalService).
Local Session Manager (Lsm.exe)
– A helper introduced in Windows Vista that does some managing of the local session and provides information to smss.exe if needed.
– Running image: \Windows\System32\lsm.exe.
– In Windows 8, it was turned into a service.
– Manages terminal sessions on the local machine.
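As an added example that is not part of the slides, the following baseline check turns the system-process slides above into a detection: every record is compared against the image paths and fixed PIDs the slides give (Idle is PID 0, System is PID 4, smss/csrss/winlogon/lsass/services/lsm live in System32). The record shape matches Win32_Process; the sample records are constructed, and `Test-SystemProcessBaseline`, `Get-LiveProcessRecords` and the default `C:\Windows` system root are this example's own assumptions.

```powershell
# Added example (not from the slides): flag processes that deviate from the
# system-process baseline described in the System Processes slides.
function Test-SystemProcessBaseline {
    param(
        # Records with Name, ProcessId and ExecutablePath (the shape of Win32_Process).
        [Parameter(Mandatory)][object[]]$Processes,
        # Location of %SystemRoot%; C:\Windows matches the constructed sample below.
        [string]$SystemRoot = 'C:\Windows'
    )
    # Expected image per process name, as given on the slides.
    $expectedImage = @{}
    foreach ($n in 'smss.exe', 'csrss.exe', 'winlogon.exe', 'lsass.exe', 'services.exe', 'lsm.exe') {
        $expectedImage[$n] = Join-Path (Join-Path $SystemRoot 'System32') $n
    }
    # Fixed PIDs: the Idle pseudo-process is PID 0, the System process is PID 4.
    $fixedPid = @{ 'System Idle Process' = 0; 'System' = 4 }

    $findings = @()
    foreach ($p in $Processes) {
        if ($fixedPid.ContainsKey($p.Name) -and $p.ProcessId -ne $fixedPid[$p.Name]) {
            $findings += [pscustomobject]@{
                ProcessId = $p.ProcessId; Name = $p.Name
                Reason    = "expected fixed PID $($fixedPid[$p.Name])"
            }
        }
        if ($expectedImage.ContainsKey($p.Name)) {
            # ExecutablePath is $null for protected processes when not elevated; skip those.
            if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedImage[$p.Name]) {
                $findings += [pscustomobject]@{
                    ProcessId = $p.ProcessId; Name = $p.Name
                    Reason    = "image $($p.ExecutablePath) is not $($expectedImage[$p.Name])"
                }
            }
        }
    }
    return $findings
}

# Live collection on a Windows host (ExecutablePath of some processes needs elevation).
function Get-LiveProcessRecords {
    Get-CimInstance -ClassName Win32_Process |
        Select-Object Name, ProcessId, ExecutablePath
}

# Constructed sample records (not captured from a real host). The last record is the
# anomaly a defender wants flagged: an lsass.exe image that lives outside System32.
$sample = @(
    [pscustomobject]@{ Name = 'System Idle Process'; ProcessId = 0;    ExecutablePath = $null }
    [pscustomobject]@{ Name = 'System';              ProcessId = 4;    ExecutablePath = $null }
    [pscustomobject]@{ Name = 'smss.exe';            ProcessId = 296;  ExecutablePath = 'C:\Windows\System32\smss.exe' }
    [pscustomobject]@{ Name = 'csrss.exe';           ProcessId = 404;  ExecutablePath = 'C:\Windows\System32\csrss.exe' }
    [pscustomobject]@{ Name = 'csrss.exe';           ProcessId = 480;  ExecutablePath = 'C:\Windows\System32\csrss.exe' }
    [pscustomobject]@{ Name = 'winlogon.exe';        ProcessId = 520;  ExecutablePath = 'C:\Windows\System32\winlogon.exe' }
    [pscustomobject]@{ Name = 'services.exe';        ProcessId = 596;  ExecutablePath = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Name = 'lsass.exe';           ProcessId = 612;  ExecutablePath = 'C:\Windows\System32\lsass.exe' }
    [pscustomobject]@{ Name = 'lsass.exe';           ProcessId = 4712; ExecutablePath = 'C:\Users\Public\lsass.exe' }
)

Test-SystemProcessBaseline -Processes $sample | Format-Table -AutoSize
```

On a real host, feed it `Get-LiveProcessRecords` and pass `-SystemRoot $env:SystemRoot`; several csrss.exe instances are normal, since smss.exe starts one per session.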
Wow64 (Windows on Windows 64)

Wow64-Arch
● Wow64 allows execution of Win32 (32-bit) binaries on 64-bit Windows.
  – The IsWow64Process function can tell whether a process is running under Wow64.
  – Filesystem:
    ● \Windows\System32 contains 64-bit images.
    ● \Windows\SysWOW64 contains 32-bit images.
● Wow64 restrictions:
  – A 64-bit process cannot load a 32-bit DLL and vice versa, except resource-only DLLs.
● Filesystem redirection:
  – \Windows\System32 maps to \Windows\SysWOW64.
  – Program Files (x86) & Program Files.
● Registry redirection:
  – COM components trying to register as both 32-bit and 64-bit would otherwise clash.
  – 32-bit components are redirected to the Wow64 registry node (Wow6432Node) under:
    ● HKEY_LOCAL_MACHINE\Software
    ● HKEY_CLASSES_ROOT
    ● HKEY_CURRENT_USER\Software\Classes
  – New flags for the registry APIs allow access to the 64-bit or 32-bit nodes:
    ● KEY_WOW64_64KEY & KEY_WOW64_32KEY
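The following is an added example, not part of the slides, that shows the three Wow64 behaviours above from inside a PowerShell process: the .NET `Is64BitProcess`/`Is64BitOperatingSystem` properties stand in for the IsWow64Process check, the `Sysnative` alias exposes filesystem redirection, and `RegistryView.Registry32`/`Registry64` are the .NET form of the KEY_WOW64_32KEY/KEY_WOW64_64KEY flags. The function names `Test-Wow64Process` and `Compare-RegistryViews` are this example's own.

```powershell
# Added example (not from the slides): observe Wow64 from a running PowerShell process.
function Test-Wow64Process {
    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess
    [pscustomobject]@{
        Is64BitOS      = $is64Os
        Is64BitProcess = $is64Proc
        # Wow64 means: a 32-bit process on a 64-bit OS (what IsWow64Process reports).
        IsWow64        = ($is64Os -and -not $is64Proc)
        # Filesystem redirection: a Wow64 process sees System32 as SysWOW64. The
        # Sysnative alias exists only for Wow64 processes and reaches the real System32.
        SysnativeVisible = (Test-Path (Join-Path $env:SystemRoot 'Sysnative'))
    }
}

# Lists the subkeys of HKLM\<SubKey> through the 64-bit and the 32-bit registry view.
# For HKLM\SOFTWARE the 32-bit view is what a 32-bit process gets by default, i.e. the
# contents of HKLM\SOFTWARE\Wow6432Node. Asking for each view explicitly is what the
# KEY_WOW64_64KEY / KEY_WOW64_32KEY flags do on the native API.
function Compare-RegistryViews {
    param([string]$SubKey = 'SOFTWARE')
    $names = @{}
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $key = $base.OpenSubKey($SubKey)
            $names[$view] = if ($key) { @($key.GetSubKeyNames()) } else { @() }
            if ($key) { $key.Dispose() }
        } finally {
            $base.Dispose()
        }
    }
    # On a 32-bit OS both views are the same key, so the Only* lists come back empty.
    [pscustomobject]@{
        SubKey        = $SubKey
        Only64BitView = @($names['Registry64'] | Where-Object { $_ -notin $names['Registry32'] })
        Only32BitView = @($names['Registry32'] | Where-Object { $_ -notin $names['Registry64'] })
        InBothViews   = @($names['Registry64'] | Where-Object { $_ -in $names['Registry32'] })
    }
}

Test-Wow64Process
Compare-RegistryViews -SubKey 'SOFTWARE' | Format-List
```

Run it once from 64-bit PowerShell and once from the 32-bit host at `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`: `Test-Wow64Process` flips `IsWow64` and `SysnativeVisible`, while `Compare-RegistryViews` returns the same result from both because it requests each view explicitly. Software registered only in the 64-bit view (the `Only64BitView` list) is exactly what a 32-bit inventory or audit tool misses.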
End of Part One.
John Ombagi
jayombagi@gmail.com

More Related Content

What's hot (20)

PDF
Ch 6: Enumeration
Sam Bowne
 
PDF
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
PPT
Linux - Introductions to Linux Operating System
Vibrant Technologies & Computers
 
PDF
Using tfsec to scan your Terraform
OwenRumney1
 
PDF
Linux Internals - Part I
Emertxe Information Technologies Pvt Ltd
 
PDF
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
PPTX
Monitoring & alerting presentation sabin&mustafa
Lama K Banna
 
PPTX
Grafana.pptx
Bhushan Rane
 
PDF
Nessus Software
Megha Sahu
 
PDF
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
PDF
U-Boot - An universal bootloader
Emertxe Information Technologies Pvt Ltd
 
PDF
Linux OS presentation
SahilGothoskar
 
PPT
Modul 2 - Footprinting Scanning Enumeration.ppt
cemporku
 
PDF
BUD17-400: Secure Data Path with OPTEE
Linaro
 
PPTX
Fast and secure protocol (fasp)
Vikrant Arya
 
PPTX
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
PPSX
FD.IO Vector Packet Processing
Kernel TLV
 
PPT
Wireshark Basics
Yoram Orzach
 
PPTX
Ipfs
承翰 蔡
 
PDF
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 
Ch 6: Enumeration
Sam Bowne
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
Linux - Introductions to Linux Operating System
Vibrant Technologies & Computers
 
Using tfsec to scan your Terraform
OwenRumney1
 
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
Monitoring & alerting presentation sabin&mustafa
Lama K Banna
 
Grafana.pptx
Bhushan Rane
 
Nessus Software
Megha Sahu
 
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
U-Boot - An universal bootloader
Emertxe Information Technologies Pvt Ltd
 
Linux OS presentation
SahilGothoskar
 
Modul 2 - Footprinting Scanning Enumeration.ppt
cemporku
 
BUD17-400: Secure Data Path with OPTEE
Linaro
 
Fast and secure protocol (fasp)
Vikrant Arya
 
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
FD.IO Vector Packet Processing
Kernel TLV
 
Wireshark Basics
Yoram Orzach
 
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne
 

Viewers also liked (14)

PPTX
Information Technology Project Management - part 09
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 08
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 04
Rizwan Khurram
 
PPTX
Windows Internal - Ch9 memory management
Kent Huang
 
PPTX
Information Technology Project Management - part 05
Rizwan Khurram
 
PDF
Reverse eningeering
Kent Huang
 
PPTX
Information Technology Project Management - part 12
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 10
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 07
Rizwan Khurram
 
PPTX
Clean Code: Chapter 3 Function
Kent Huang
 
PPTX
Information Technology Project Management - part 01
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 11
Rizwan Khurram
 
PPTX
Information Technology Project Management - part 02
Rizwan Khurram
 
PPSX
Information Technology Project Management
Goutama Bachtiar
 
Information Technology Project Management - part 09
Rizwan Khurram
 
Information Technology Project Management - part 08
Rizwan Khurram
 
Information Technology Project Management - part 04
Rizwan Khurram
 
Windows Internal - Ch9 memory management
Kent Huang
 
Information Technology Project Management - part 05
Rizwan Khurram
 
Reverse eningeering
Kent Huang
 
Information Technology Project Management - part 12
Rizwan Khurram
 
Information Technology Project Management - part 10
Rizwan Khurram
 
Information Technology Project Management - part 07
Rizwan Khurram
 
Clean Code: Chapter 3 Function
Kent Huang
 
Information Technology Project Management - part 01
Rizwan Khurram
 
Information Technology Project Management - part 11
Rizwan Khurram
 
Information Technology Project Management - part 02
Rizwan Khurram
 
Information Technology Project Management
Goutama Bachtiar
 
Ad

Similar to Windows internals Essentials (20)

PPT
2337610
hantfhan
 
PPT
Evolution of the Windows Kernel Architecture, by Dave Probert
yang
 
PPT
Oct2009
guest81ab2b4
 
PDF
Understanding Windows NT Internals - Part 1
Arun Seetharaman
 
PDF
Operating Systems 1 (4/12) - Architectures (Windows)
Peter Tröger
 
PPT
Windows Kernel-
Parth Desai
 
PPT
Case Study 2: WINDOWS VISTA
Munazza-Mah-Jabeen
 
PPT
Windows internals
Piyush Jain
 
PPT
Chapter 02
Dolly Bhateja
 
PPT
Chapter 02
m25farid
 
PPT
Chapter02
Downloadssu Fullmaza
 
PPT
Case study windows
Padam Banthia
 
PPTX
Windows OS Architecture in Summery
Asanka Dilruk
 
PDF
12-Case-Study-WindowsNT.pdf in operating sysetm.
DuaRajpoot2
 
PPT
The evolution of an operating system.ppt
krishnakrishkrish100
 
PPT
the windows opereting system
Юсуф Сатторов
 
PPT
Earhart
siam hossain
 
PPTX
Windows
Ezzah
 
PPTX
Windows Architecture Explained by Stacksol
Stacksol
 
PPT
Windows 2000
Agnas Jasmine
 
2337610
hantfhan
 
Evolution of the Windows Kernel Architecture, by Dave Probert
yang
 
Oct2009
guest81ab2b4
 
Understanding Windows NT Internals - Part 1
Arun Seetharaman
 
Operating Systems 1 (4/12) - Architectures (Windows)
Peter Tröger
 
Windows Kernel-
Parth Desai
 
Case Study 2: WINDOWS VISTA
Munazza-Mah-Jabeen
 
Windows internals
Piyush Jain
 
Chapter 02
Dolly Bhateja
 
Chapter 02
m25farid
 
Case study windows
Padam Banthia
 
Windows OS Architecture in Summery
Asanka Dilruk
 
12-Case-Study-WindowsNT.pdf in operating sysetm.
DuaRajpoot2
 
The evolution of an operating system.ppt
krishnakrishkrish100
 
the windows opereting system
Юсуф Сатторов
 
Earhart
siam hossain
 
Windows
Ezzah
 
Windows Architecture Explained by Stacksol
Stacksol
 
Windows 2000
Agnas Jasmine
 
Ad

Recently uploaded (20)

PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PDF
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PPTX
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PPTX
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
PDF
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 

Windows internals Essentials

  • 1. Windows Internals (introduction)Windows Internals (introduction) John OmbagiJohn Ombagi
  • 3. ● Basic Operating System Concepts. ● How the Windows OS is implemented. ● Simplified inner working of this OS. ● Not a detail guide. ● Basic Operating System Concepts. ● How the Windows OS is implemented. ● Simplified inner working of this OS. ● Not a detail guide. OverviewOverview
  • 4. Expectation & Literature ● Knowledge gained can be applied in: – Malware analysis & reverse engineering – Exploit development & software development. ● Books Required: – Windows Internals 6 (part one and two). – The recent Windows Internals 7 (part one). ● Knowledge gained can be applied in: – Malware analysis & reverse engineering – Exploit development & software development. ● Books Required: – Windows Internals 6 (part one and two). – The recent Windows Internals 7 (part one).
  • 5. User mode & Kernel modeUser mode & Kernel mode
  • 6. ● Allows access to non-operating system code and data only ● No access to the hardware ● Protect user application form crashing the system ● Allows access to non-operating system code and data only ● No access to the hardware ● Protect user application form crashing the system User modeUser mode
  • 7. ● Privileged mode for use by the kernel and device drivers only. ● Allows access to all system resources ● Can potentially crash system (BoD?) ● Privileged mode for use by the kernel and device drivers only. ● Allows access to all system resources ● Can potentially crash system (BoD?) Kernel modeKernel mode
  • 8. Lab Setup ● Windows 7/8/10 (I’ll be using 32 bit). ● Windbg, OllyDbg, Immunituy, x64dbg ● IDA Pro ver. 6 or 7 ● Windows System internals Suite ● Python 2.7 ● Provided Workshop Tools ● Windows 7/8/10 (I’ll be using 32 bit). ● Windbg, OllyDbg, Immunituy, x64dbg ● IDA Pro ver. 6 or 7 ● Windows System internals Suite ● Python 2.7 ● Provided Workshop Tools
  • 10. ● It’s a set of resources to execute a program.● It’s a set of resources to execute a program. What’s a Process?What’s a Process?
  • 11. ● A private Virtual Address space. ● An executable program ● A private table of handles to various kernel objects ● A security context (access token) ● One or more threads that execute code. ● A private Virtual Address space. ● An executable program ● A private table of handles to various kernel objects ● A security context (access token) ● One or more threads that execute code. What constitute a process?What constitute a process?
  • 13. ● This is an entity that is scheduled by the kernel to execute code. ● This is an entity that is scheduled by the kernel to execute code. What’s a Thread?What’s a Thread?
  • 14. ● The state of CPU registers ● Current access mode ● Two stacks, (userspace and kernel space) ● Thread Local Storage (TLS) ● Optional Security Token ● Optional message queue ● The state of CPU registers ● Current access mode ● Two stacks, (userspace and kernel space) ● Thread Local Storage (TLS) ● Optional Security Token ● Optional message queue What constitute a thread?What constitute a thread?
  • 15. ● There are several states but the most important ones are as follows: – Running – Ready – Waiting ● There are several states but the most important ones are as follows: – Running – Ready – Waiting Thread StateThread State
  • 16. Demo
  • 18. ● Each process "sees" a flat linear memory. ● Virtual memory may be mapped to physical memory, but may also be stored on disk. ● Processes access memory regardless of where it actually resides. ● The memory manager handles mapping of virtual to physical page. ● Each process "sees" a flat linear memory. ● Virtual memory may be mapped to physical memory, but may also be stored on disk. ● Processes access memory regardless of where it actually resides. ● The memory manager handles mapping of virtual to physical page. OverviewOverview
  • 20. ● Windows Internals, Sixth Edition, Part 1 (page 15) – Virtual Memory Mapping – Virtual Memory Layout ● Windows Internals, Sixth Edition, Part 1 (page 15) – Virtual Memory Mapping – Virtual Memory Layout Further ReadingFurther Reading
  • 21. Demo.
  • 23. ● Windows is an object based system. ● Objects are run time instance of static structures & reside in system memory space. ● Kernel code can obtain direct pointer to an object. In user mode, code can only obtain a handle to an object. ● Objects are reference counted. ● Windows is an object based system. ● Objects are run time instance of static structures & reside in system memory space. ● Kernel code can obtain direct pointer to an object. In user mode, code can only obtain a handle to an object. ● Objects are reference counted. DetailsDetails
  • 25. ● Separate address space per process. ● Protected Kernel. ● Pre-emptive multitasking & multithreading. ● Internationalization support using Unicode. ● Security throughout the System. ● Integrated Networking. ● Separate address space per process. ● Protected Kernel. ● Pre-emptive multitasking & multithreading. ● Internationalization support using Unicode. ● Security throughout the System. ● Integrated Networking. OverviewOverview
  • 26. ● Powerful File System (NTFS). ● Run most 16 bit Windows and DOS. applications. ● Run POSIX 1003.1 and OS/2 applications. ● Portable across processors and platforms. ● Be great client as well as server platform. ● Powerful File System (NTFS). ● Run most 16 bit Windows and DOS. applications. ● Run POSIX 1003.1 and OS/2 applications. ● Portable across processors and platforms. ● Be great client as well as server platform. Cont.Cont.
  • 27. Core System FilesCore System Files
  • 28. ● On 64 bit Systems, we have Ntoskrnl.exe ● On 32 bit Systems, we have NtKrnlPa.exe – Physical Address Extensions (PAE) kernel ● PAE uses paging tables to map the memory greater than 4 GB. ● On 64 bit Systems, we have Ntoskrnl.exe ● On 32 bit Systems, we have NtKrnlPa.exe – Physical Address Extensions (PAE) kernel ● PAE uses paging tables to map the memory greater than 4 GB. Executive and KernelExecutive and Kernel
  • 29. Hal.dll
    ● Stands for Hardware Abstraction Layer.
    ● Windows ships several HALs; the best match is chosen during installation.
    ● It is a layer that insulates the kernel and the drivers from the actual hardware.
  • 30. Win32k.sys
    ● The kernel-mode component of the Windows subsystem.
    ● It handles windowing and GDI (graphics).
  • 31. NtDll.dll
    ● The lowest layer of user mode.
    ● Contains system support routines and the Native API dispatcher that invokes executive services.
    ● Provides the functions that transition into kernel mode.
    ● Provides other simple functions that are similar to the C runtime library.
  • 32. Kernel32.dll, user32.dll, gdi32.dll, advapi32.dll etc.
    ● Applications don't call the kernel or Ntdll.dll directly; the Native API is undocumented.
    ● Instead they use the official, documented subsystem DLLs.
    ● These transition into Ntdll.dll when needed, or bypass it for GDI/windowing calls.
  • 33. CSRSS.exe
    ● Client Server Runtime Subsystem.
    ● This is the process that manages the Windows subsystem.
    ● It is very important and always running.
    ● Killing this process results in a blue screen of death.
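The layering just described (subsystem DLLs on top of Ntdll.dll, with the kernel-mode images out of reach) can be checked on a live process. The following is an added example, not from the slides: it lists which of the core user-mode DLLs named above are mapped into a process and from which directory. The function name and the default of inspecting the current PowerShell process are ours; the DLL names come from the slides.

```powershell
# Added example, not from the slides: list the core user-mode DLLs mapped into a
# process. Ntdll.dll and the subsystem DLLs show up in every Win32 process; the
# kernel-mode images (Ntoskrnl.exe, Hal.dll, Win32k.sys) never appear in a
# user-mode module list because they live in system space.
function Get-CoreUserModeDlls {
    param([int]$ProcessId = $PID)   # defaults to the current PowerShell process

    # Names taken from the slides; -contains compares case-insensitively.
    $core = @('ntdll.dll', 'kernel32.dll', 'user32.dll', 'gdi32.dll', 'advapi32.dll')

    # FileName reveals the Wow64 layer as well: a 32-bit process on 64-bit
    # Windows is handed the SysWOW64 copies of these DLLs, not the System32 ones.
    (Get-Process -Id $ProcessId).Modules |
        Where-Object { $core -contains $_.ModuleName } |
        Sort-Object ModuleName |
        Select-Object ModuleName,
                      @{ n = 'Base'; e = { '0x{0:X}' -f $_.BaseAddress.ToInt64() } },
                      FileName
}

Get-CoreUserModeDlls | Format-Table -AutoSize
```

Pointing it at another PID works for processes of the same bitness that the caller is allowed to open; reading the module list of a 64-bit process from a 32-bit PowerShell fails, which is itself a consequence of the Wow64 rules covered later in the deck.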
  • 35. SMP
    ● All CPUs are the same, share main memory and have equal access to peripheral devices.
    ● No master or slave CPUs.
    ● The basic architecture supports up to 32 CPUs (32-bit) or 64 CPUs (64-bit).
  • 36. SMP cont.
    ● Processors were tracked with a bitmask the size of the machine word, hence the 32/64 limit.
    ● Starting with Windows 7 64-bit and Windows Server 2008 R2, up to 256 cores are supported: a processor group holds up to 64 processors, so a 256-core system has four processor groups.
  • 38. Overview
    ● A subsystem exposes services via subsystem DLLs.
    ● These subsystem DLLs expose the API of that subsystem in a way that fits that subsystem.
    ● The Windows subsystem must always be running.
    ● It is loaded automatically during boot.
  • 39. Subsystems cont.
    ● Information about subsystems is stored in the following registry key:
      – HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
    ● Subsystem DLLs are the ones exposing a particular API.
  • 40. Cont.
    ● An image built for a certain subsystem calls API functions exposed through that subsystem's DLLs.
    ● Some processes start up before the Windows subsystem is up.
    ● Most dispatching to kernel services goes through Windows API "wrappers".
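The registry key named two slides up can be read directly. The following is an added example, not from the slides: it reads the SubSystems key and lists which subsystems the Session Manager must start, which it may start, and the kernel-mode half. It relies on the `Required`, `Optional` and `Kmode` values that Windows keeps under that key (each subsystem listed in `Required`/`Optional` also has a value of its own name holding its start-up command line); the function name is ours.

```powershell
# Added example, not from the slides: read the SubSystems key the slide names and
# list which subsystems the Session Manager must start (Required) or may start
# (Optional), plus the kernel-mode half (Kmode) and the command line of each.
function Get-RegisteredSubsystems {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $props   = Get-ItemProperty -Path $keyPath

    # 'Required' and 'Optional' are REG_MULTI_SZ lists of subsystem names; each name
    # is itself a value on the key holding that subsystem's start-up command line.
    $entries = @()
    foreach ($kind in 'Required', 'Optional') {
        foreach ($name in (@($props.$kind) | Where-Object { $_ })) {
            $entries += [pscustomobject]@{
                Subsystem   = $name
                Kind        = $kind
                CommandLine = $props.$name    # empty for 'Debug', csrss.exe command line for 'Windows'
            }
        }
    }
    [pscustomobject]@{
        KernelModePart = $props.Kmode         # e.g. \SystemRoot\System32\win32k.sys
        Subsystems     = $entries
    }
}

$info = Get-RegisteredSubsystems
"Kernel-mode part: $($info.KernelModePart)"
$info.Subsystems | Format-Table -AutoSize -Wrap
```

The `Windows` entry is the interesting one: its command line is what smss.exe uses to launch csrss.exe, including the `ServerDll=` list that names the DLLs csrss.exe loads, so this key is also where a defender would look when verifying that the Windows subsystem configuration has not been altered.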
  • 42. Idle Process
    ● It has PID 0 and is not a real process.
    ● It is just one thread per CPU (core).
    ● It accounts for idle time.
  • 43. System Process
    ● It is a real process and has a fixed PID of 4.
    ● It represents activity going on in the kernel.
    ● It executes code in system space only.
    ● Its threads are created by the PsCreateSystemThread kernel API.
    ● These threads don't need a particular process to keep running (only that System is alive).
  • 44. Session Manager (Smss.exe)
    ● It runs \Windows\System32\smss.exe.
    ● It is the first user-mode process, created by System (the kernel) as part of the boot process.
    ● Because the Windows subsystem is not loaded yet at this point, it uses the Native API provided by NtDll.dll.
  • 45. Session Manager contd.
      – Creates system environment variables.
      – Launches the subsystem processes.
      – Also launches itself in other sessions.
      – Waits for csrss.exe instances to terminate.
      – Waits for subsystem creation requests.
      – Waits for terminal services session creation requests.
  • 46. Windows Subsystem (Csrss.exe)
    ● It runs \Windows\System32\csrss.exe.
    ● Provides the user-mode side of the Win32 subsystem.
    ● CSRSS is mainly responsible for Win32 console handling and GUI shutdown.
    ● It is critical to system operation.
  • 47. Logon Process (Winlogon.exe)
    ● It runs \Windows\System32\winlogon.exe.
      – Handles interactive logons and logoffs; if terminated, the user session is logged off.
      – Also responsible for capturing the Secure Attention Sequence (SAS), Ctrl+Alt+Del.
      – Presents the username/password dialog (through LogonUI.exe).
  • 48. Local Security Authority Server (Lsass.exe)
    ● Runs \Windows\System32\lsass.exe.
    ● Calls the appropriate authentication packages.
    ● Upon successful authentication, creates a token representing the user's security profile.
    ● Returns the information to Winlogon.
  • 49. Service Control Manager (SCM)
    ● Runs \Windows\System32\services.exe.
      – Responsible for starting, stopping and interacting with service processes.
      – A service is similar to a Unix daemon process; it does not run in kernel mode in any way; it is a normal Windows executable that interacts with the SCM; it can run under "special" accounts (LocalSystem, NetworkService, LocalService).
  • 50. Local Session Manager (Lsm.exe)
      – A helper introduced in Windows Vista that does some managing of the local session and provides information to smss.exe if needed.
      – Running image: \Windows\System32\lsm.exe.
      – In Windows 8, turned into a service.
      – Manages terminal sessions on the local machine.
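The slides from "Idle Process" through "Local Session Manager" describe a fixed set of system processes with known PIDs, parents and sessions. The following is an added example, not from the slides: it enumerates exactly those processes with their PID, session and parent so the expected boot-time tree can be compared with what is actually running. It assumes PowerShell 3 or later for `Get-CimInstance`; the function name is ours, the process names are the ones the slides give (Win32_Process reports the idle process as "System Idle Process").

```powershell
# Added example, not from the slides: enumerate the system processes the slides
# describe (Idle, System, smss, csrss, winlogon, lsass, services, lsm) with PID,
# session and parent, so the expected process tree can be checked. Name matching
# is case-insensitive. Requires PowerShell 3+ (Get-CimInstance).
function Get-CoreSystemProcesses {
    $expected = @('System Idle Process', 'System', 'smss.exe', 'csrss.exe',
                  'winlogon.exe', 'lsass.exe', 'services.exe', 'lsm.exe')

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    $all | Where-Object { $expected -contains $_.Name } |
        Sort-Object ProcessId |
        ForEach-Object {
            # The parent may already be gone: the per-session smss.exe instances exit after
            # launching csrss.exe and winlogon.exe, so their children show an orphaned parent PID.
            # A PID can be reused, so a live parent is only meaningful if it is the expected kind.
            $parent = $byPid[[int]$_.ParentProcessId]
            [pscustomobject]@{
                Pid       = $_.ProcessId          # 0 for Idle, fixed 4 for System
                Name      = $_.Name
                Session   = $_.SessionId          # 0 for the boot-time instances
                ParentPid = $_.ParentProcessId
                Parent    = if ($parent) { $parent.Name } else { '<exited>' }
                Image     = $_.ExecutablePath     # null for Idle/System and, without admin rights, for protected processes
            }
        }
}

Get-CoreSystemProcesses | Format-Table -AutoSize
```

On Windows 8 and later, lsm.exe does not appear because, as the slide notes, it became a service. Running the check as an administrator fills in `Image` for csrss.exe and lsass.exe, which ordinary users cannot open.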
  • 51. Wow64 (Windows on Windows 64)
    Wow64 allows execution of Win32 (32-bit) binaries on 64-bit Windows.
      – The IsWow64Process function can tell whether a process is running under Wow64.
      – File system:
        ● \Windows\System32 contains 64-bit images.
        ● \Windows\SysWOW64 contains 32-bit images.
  • 52. Wow64 Arch
    ● Wow64 restrictions:
      – A 64-bit process cannot load 32-bit DLLs and vice versa, except resource-only DLLs.
    ● File-system redirection:
      – \Windows\System32 maps to \Windows\SysWOW64 (for 32-bit processes).
      – Program Files (x86) and Program Files.
  • 53.
    ● Registry redirection:
      ● COM components trying to register as both 32-bit and 64-bit would clash.
      ● 32-bit components are redirected to the Wow64 registry node (Wow6432Node) under:
        – HKEY_LOCAL_MACHINE\Software
        – HKEY_CLASSES_ROOT
        – HKEY_CURRENT_USER\Software\Classes
      ● New flags for the registry APIs allow explicit access to the 64-bit or 32-bit nodes:
        – KEY_WOW64_64KEY and KEY_WOW64_32KEY
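The three Wow64 slides (IsWow64Process, file-system redirection, registry redirection with the KEY_WOW64 flags) can all be demonstrated from a single script. The following is an added example, not from the slides: it calls IsWow64Process on the current process, reads the PE machine type of the cmd.exe reached through the System32 path to expose file-system redirection, and opens the same registry value through the 32-bit and 64-bit views. The namespace `Wow64Demo` and the function names are ours; the .NET `RegistryView.Registry32`/`Registry64` views are the managed equivalents of the KEY_WOW64_32KEY/KEY_WOW64_64KEY flags, and the script assumes .NET 4 / PowerShell 3 or later for `OpenBaseKey`. Run it once from a 64-bit PowerShell and once from the 32-bit one under SysWOW64 to see both answers.

```powershell
# Added example, not from the slides: detect Wow64 with IsWow64Process and show
# file-system and registry redirection from inside the current process.
# Namespace 'Wow64Demo' and the function names are ours; requires .NET 4 / PS 3+.
Add-Type -Namespace Wow64Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
'@

function Test-Wow64 {
    # IsWow64Process reports TRUE only for a 32-bit process on 64-bit Windows.
    $isWow64 = $false
    $ok = [Wow64Demo.Native]::IsWow64Process((Get-Process -Id $PID).Handle, [ref]$isWow64)
    if (-not $ok) {
        throw "IsWow64Process failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $isWow64
}

function Get-PeMachine([string]$Path) {
    # Read IMAGE_FILE_HEADER.Machine from the PE header: 0x14C = x86, 0x8664 = x64.
    if (-not (Test-Path $Path)) { return '<absent>' }          # SysWOW64 does not exist on 32-bit Windows
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)           # IMAGE_DOS_HEADER.e_lfanew
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4) # right after the 'PE\0\0' signature
    switch ($machine) { 0x14C { 'x86' } 0x8664 { 'x64' } default { '0x{0:X}' -f $machine } }
}

function Get-ProgramFilesDirByView([string]$View) {
    # RegistryView.Registry32 / Registry64 are the .NET equivalents of the
    # KEY_WOW64_32KEY / KEY_WOW64_64KEY flags named on the slide.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion')
        try { $key.GetValue('ProgramFilesDir') } finally { $key.Close() }
    } finally { $base.Close() }
}

function Show-Wow64Redirection {
    [pscustomobject]@{
        RunningUnderWow64     = Test-Wow64
        # The path says System32 either way; under Wow64 the file actually opened is
        # the 32-bit cmd.exe from SysWOW64, so the machine type exposes the redirect.
        System32CmdMachine    = Get-PeMachine (Join-Path $env:windir 'System32\cmd.exe')
        SysWOW64CmdMachine    = Get-PeMachine (Join-Path $env:windir 'SysWOW64\cmd.exe')
        # Same value name, two answers: 'C:\Program Files' vs 'C:\Program Files (x86)'.
        ProgramFilesDir32View = Get-ProgramFilesDirByView 'Registry32'
        ProgramFilesDir64View = Get-ProgramFilesDirByView 'Registry64'
    }
}

Show-Wow64Redirection | Format-List
```

From a 64-bit PowerShell the two cmd.exe machine types differ (x64 via System32, x86 via SysWOW64); from a 32-bit PowerShell on the same machine both come back x86, because the System32 path was silently redirected. The registry half shows why a 32-bit component that writes to HKLM\Software lands under Wow6432Node and why the explicit view flags are the way to read the other node deliberately.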
  • 54. End of Part One. John Ombagi [email protected]