Windows For Reverse Engineers OS Internals

The document discusses key system mechanisms in Windows including memory management, processes and threads, applications, the Windows API, WOW64, services, file systems, and the I/O subsystem. Memory management maps virtual memory to physical memory using paging. Processes contain executable code and resources while threads facilitate execution. Applications use the Windows API and native API to interface with the OS. WOW64 allows 32-bit apps to run on 64-bit Windows. Services are background processes that perform tasks. Common file systems are FAT, exFAT, and NTFS. The I/O subsystem manages access to devices via drivers, the I/O manager, and other components.

Uploaded by magic_fyodor
Windows for Reverse Engineers

OS Internals
CS-E4330 - Special Course in Information Security
Reverse Engineering Malware
Course 2017
System Mechanisms
Service Dispatching
Memory Management
Memory Manager
• Each process sees a large and contiguous private virtual address space
• This virtual address space is known as virtual memory
• Because virtual memory can exceed the available physical memory, the memory manager has two important tasks:
• Mapping accesses to virtual memory onto physical memory
• Paging the contents of memory out to disk as physical memory runs out, and paging the data back into memory when it is needed again
Virtual Memory
• Every process has its own virtual address space
• Virtual memory provides a logical view of memory that need not correspond to its physical layout
• By default, only the lower half can be used by the process for its own private storage
• The OS takes the upper half for its own protected memory use
• At every context switch, the memory mappings of the lower half are changed to match the virtual address space of the next process to be run
Virtual Memory
Figures: virtual address spaces between user mode applications; 32-bit Windows virtual address space

Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces
Virtual Memory
Figures: 64-bit Windows virtual address space; system dynamic memory allocation pools

Source: https://msdn.microsoft.com/windows/hardware/drivers/gettingstarted/virtual-address-spaces
Processes and Threads
Process
• A process is an abstraction of a running program
• A process consists of the following essential components:
• A private virtual address space
• An executable program (“the base image”)
• A private list of open handles to resources allocated by the operating system
• An access token, which uniquely identifies the owner, security groups, and privileges associated with the process
• A process ID
• One or more threads
• Important structures: EPROCESS (kernel mode) and PEB (user mode)
Thread
• A thread is an entity scheduled for execution on the CPU
• A thread consists of the following essential components:
• The CPU state
• Two stacks, one for kernel mode and one for user mode
• Thread-Local Storage (TLS), a private storage area that can be used by certain Windows subsystems, run-time libraries, and DLLs
• A thread ID
• An access token, which uniquely identifies the owner, security groups, and privileges associated with the thread
• Important structures: ETHREAD (kernel mode) and TEB (user mode)
Processes and Threads
Applications on Windows
PE - Portable Executable Format
• Object and executable files follow the PE (Portable Executable) file format
• Full specification available online (PECOFF.mspx)
• Use a hex editor (HT) or a specialized PE viewer (PE Explorer) to explore it
• File extensions commonly used by executables:
• EXE, DLL and SYS

PE Format: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
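As an added example that is not part of the original slides, the following parser walks the headers a reverse engineer checks first in a hex editor: the DOS header, `e_lfanew`, the `PE\0\0` signature, the COFF file header and the optional header magic that distinguishes a 32-bit (PE32) image, which will run under WOW64 on 64-bit Windows, from a 64-bit (PE32+) one. The sample header bytes are constructed in `build_sample` and are not a real executable.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000            # Characteristics flag: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def parse_pe_header(data: bytes) -> dict:
    """Follow DOS header -> e_lfanew -> NT headers and return the fields an analyst triages on."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    # COFF file header (20 bytes) directly follows the 4-byte signature
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:      # 32-bit: BaseOfData at +24, 4-byte ImageBase at +28
        bits, image_base = 32, struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:  # 64-bit: no BaseOfData, 8-byte ImageBase at +24
        bits, image_base = 64, struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "bits": bits,
            "sections": nsections, "timestamp": timestamp, "image_base": image_base,
            "entry_point": entry, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "needs_wow64_on_x64": bits == 32}


def build_sample(machine: int, magic: int, image_base: int, entry: int, characteristics: int) -> bytes:
    """Constructed minimal header blob for testing the parser (not a loadable binary)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    if magic == PE32_MAGIC:
        opt = struct.pack("<HBBIIIIII", magic, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000) + struct.pack("<I", image_base)
    else:
        opt = struct.pack("<HBBIIIII", magic, 14, 0, 0, 0, 0, entry, 0x1000) + struct.pack("<Q", image_base)
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, len(opt), characteristics)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt
```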
Native API
• Undocumented user mode interface to OS functionality
• One layer below the Windows API
• Some low-level functionality is only available in the Native API
• See “Windows NT/2000 Native API Reference” by Nebbett for further reference
Windows API
• Windows API is the OS interface for applications
• Exposed by a set of system libraries: kernel32.dll, user32.dll, …
• Windows 7 and above refactored the system libraries (kernelbase.dll)
• Several subcategories
• Administration and management (WMI, …)
• Diagnostics (event logging, …)
• Networking
• Security
• System services (access to processes, threads, registry…)
• MSDN is the best source of information for Windows APIs reference
MSDN: https://msdn.microsoft.com
WOW64
• 32-bit process running on a 64-bit Windows OS
• Win32 API emulation
• Implemented as a set of user mode DLLs, with kernel support
WOW64 - File System Redirection
• Folder \Windows\System32 stores native 64-bit file images
• Calls from 32-bit code are redirected to \Windows\SysWOW64
• Some subdirectories are excluded for compatibility
• %windir%\system32\drivers\etc and %windir%\system32\spool
• %windir%\system32\catroot and %windir%\system32\catroot2
• %windir%\system32\logfiles and %windir%\system32\driverstore
• Other common folders are handled via environment variables
• 64-bit: %ProgramFiles% -> "C:\Program Files"
• 32-bit: %ProgramFiles% -> "C:\Program Files (x86)"
• Automatic redirections can be controlled per thread by using certain APIs
• APIs: Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection

File System Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx


WOW64 - Registry Redirection
• Two separate logical views of the Windows Registry are provided
• Some Registry keys are redirected and others are shared
• The Wow6432Node key is a special key used by the OS to support the physical redirection for 32-bit processes
• HKEY_LOCAL_MACHINE\Software -> HKEY_LOCAL_MACHINE\Software\Wow6432Node
• Accessing one or another view can be controlled with certain APIs
• APIs: RegOpenKeyEx, RegDeleteKeyEx, RegCreateKeyEx
• Flags: KEY_WOW64_64KEY, KEY_WOW64_32KEY

Registry Redirector: https://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx
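The file system and registry redirection rules from the two WOW64 slides above, as an added model written for this page (not Windows' own code): given whether the accessing process is a 32-bit WOW64 process and which redirection overrides it used, it returns the path an artifact actually lands on, which is where an analyst should look when a 32-bit sample claims to have dropped a file into System32 or written a key under HKLM\Software. It treats the whole HKLM\Software subtree as redirected, as the slide does, whereas Windows shares some subkeys; the flag values and excluded directories are those the slides name.

```python
SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWOW64"
# Subdirectories of System32 that the slides list as excluded from redirection
EXCLUDED_SUBDIRS = ("drivers\\etc", "spool", "catroot", "catroot2", "logfiles", "driverstore")
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\Software"
WOW6432NODE = HKLM_SOFTWARE + r"\Wow6432Node"
KEY_WOW64_64KEY = 0x0100  # samDesired flag: force the 64-bit registry view
KEY_WOW64_32KEY = 0x0200  # samDesired flag: force the 32-bit registry view


def _under(path: str, base: str) -> bool:
    """Case-insensitive 'path is base or lies inside base' check on backslash paths."""
    p, b = path.lower(), base.lower()
    return p == b or p.startswith(b + "\\")


def resolve_file_path(path: str, is_wow64_process: bool, redirection_disabled: bool = False) -> str:
    """Path a file access reaches. redirection_disabled models a thread that called
    Wow64DisableWow64FsRedirection and has not yet reverted."""
    if not is_wow64_process or redirection_disabled or not _under(path, SYSTEM32):
        return path
    if any(_under(path, SYSTEM32 + "\\" + sub) for sub in EXCLUDED_SUBDIRS):
        return path  # compatibility exclusions are reachable by 32-bit code unchanged
    return SYSWOW64 + path[len(SYSTEM32):]


def resolve_registry_key(path: str, is_wow64_process: bool, access_flags: int = 0) -> str:
    """Physical key an HKLM\\Software access lands on, honouring KEY_WOW64_* overrides
    passed to RegOpenKeyEx/RegCreateKeyEx/RegDeleteKeyEx (simplified: whole subtree redirected)."""
    if not _under(path, HKLM_SOFTWARE) or _under(path, WOW6432NODE):
        return path  # outside the redirected subtree, or already the physical 32-bit location
    wants_32bit_view = (is_wow64_process and not access_flags & KEY_WOW64_64KEY) or \
                       (not is_wow64_process and bool(access_flags & KEY_WOW64_32KEY))
    return WOW6432NODE + path[len(HKLM_SOFTWARE):] if wants_32bit_view else path
```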


Management Mechanisms
Windows Registry
• A tree that contains all settings and configuration data for the OS and other applications
• Basic concepts: hive, key, value
• Also contains in-memory volatile data
• Current HW configuration, ...
• Hives are just files
• %SystemRoot%\System32\Config\
• To explore the Windows Registry use Regedit.exe
Registry Hive
Registry Roots
• HKEY_LOCAL_MACHINE
• System-related information
• HKEY_USERS
• User-specific information for all accounts
• HKEY_CURRENT_USER
• User-specific info for current user, links to HKEY_USERS
• HKEY_CLASSES_ROOT
• File associations and COM registration, links to HKLM\Software\Classes
• HKEY_CURRENT_CONFIG
• Current hardware profile, links to HKLM\System\CurrentControlSet\Hardware Profiles\Current
Services
• Services are background processes which usually perform a specific task and require no user interaction
• Automatic Updates, Remote Desktop Configuration, …
• Controlled by the Service Control Manager (SCM), which runs as services.exe
• Registry key HKLM\System\CurrentControlSet\Services
• Different types of services are provided by different components
• Kernel drivers
• Separate process
• Shared process (svchost.exe)
File Systems
File System Formats
• Some of the most common Windows file system formats are:
• FAT32
• Limited to 4GB file size
• exFAT
• Optimized for flash drives with support for larger disks and file sizes
• NTFS
• The native Windows file system format
NTFS
• Designed to improve performance, security and reliability over FAT
• 21 years old and still the Windows standard today
• NTFS features
• Disk quotas
• Encrypting File System (EFS)
• Multiple data streams
• Unicode-based naming
• Enhanced Compression and Recovery
I/O Subsystem
The Subsystem
• A set of kernel components which manage applications' access to hardware (physical) and software (logical or virtual) devices
• I/O Manager
• Device drivers
• Plug and Play Manager
• Power Manager
• Hardware Abstraction Layer (HAL)
• Key concepts
• Driver
• Device
• I/O requests
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/
I/O Manager
• The core of the I/O subsystem
• Provides a framework through which other components get device-independent I/O services
• Responsible for dispatching service requests to the appropriate device drivers
• Packet-driven (IRPs, I/O request packets)
• Handles creation and destruction of IRPs
• Offers a uniform interface for drivers that handle IRPs
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/
Device Drivers
• Drivers are loadable kernel mode components
• Code in drivers gets executed in different contexts
• In the user mode thread that initiated a given I/O request
• In a system thread running in kernel mode
• To handle an interrupt (any thread)
• Different types
• File system drivers
• Protocol drivers
• Hardware drivers
• Layered drivers
• User mode drivers
Source: https://blogs.msdn.microsoft.com/microsoft_press/2012/10/01/new-book-windows-internals-sixth-edition-part-2/