Windows Internals Brown-Bag Seminar
Chapter 1 – Concepts and Tools
Jim Fawcett, Fall 2006

Windows Internals – seminar outline
• Chap 1 – Concepts and Tools
• Chap 2 – System Archit.
• Chap 3 – System Mech.
• Chap 4 – Mgmt Mech.
• Chap 5 – Startup/Shutdown
• Chap 6 – Processes, Threads
• Chap 7 – Memory Mgmt
• Chap 8 – Security
• Chap 9 – I/O System
• Chap 10 – Storage Mgmt
• Chap 11 – Cache Mgr
• Chap 12 – File Systems
• Chap 13 – Networking
• Chap 14 – Crash Dump Anal.
Resources
• Windows Internals, Fourth Edition, Russinovich, Solomon, Microsoft Press, 2005
• Windows System Programming, Third Edition, Johnson Hart, Addison-Wesley, 2005
• Win32 Links – a random sampling of interesting things:
  • Display Win32 and COM error strings
  • Accessing data in another process
  • Injecting and executing code in another process
  • Windows Security with code examples
  • ShellExecute and Automation
  • Windows Hooks
  • Win32 Message Maps and Message Cracking
  • Windows Annoyances

Windows API Overview
• Base Services
• Component Services
• User Interface Services
• Graphics and Multimedia Services
• Networking
• Web Services

More Resources
• Core Technologies
• Overview of Windows API
• Windows Data Types
• Windows API Functions by category
• Windows Shell
• Win32 to .NET Map
• Platform SDK
Windows Programming Levels
• .NET Framework Class Library
  • Many namespaces of managed code
• Windows API Functions
  • Documented, callable functions exported from user32.dll, gdi32.dll, advapi32.dll, and kernel32.dll
• Native System Services
  • Undocumented services callable from user mode
• Kernel Support Functions
  • Windows OS routines, callable only from the kernel

Some Examples
• fileInfo, Nav, and Wintools
• Threads
• Creating and Loading DLLs

Windows Processes
• A process is a container of resources used by an executing program:
  • Private virtual address space
  • Executable program
  • List of open handles
  • A security context, e.g., access token
  • Process ID
  • One or more threads of execution
Processing Modes
• User mode
  • User mode runs user application code. In user mode, a process has access to a private virtual address space, shared by all threads that run in the process.
• Kernel mode
  • Kernel mode is used to run OS code and device drivers, as well as a lot of the graphics and windowing code. In kernel mode, threads have unlimited access to the OS’s virtual system memory and all CPU instructions.
• More about modes
  • Each page in virtual memory is tagged as to what mode the processor must be in to read/write the page. Read-only pages, e.g., those that contain executable code, are not writable from any mode.
  • User applications switch from user mode to kernel mode when they make system calls. These calls are validated before execution.

Windows Threads
• A scheduled entity in a process that executes code. It has:
  • Contents of a set of CPU registers
  • Two stacks, one for kernel mode, one for user mode
  • Private thread-local storage, used by Windows subsystems and libraries
  • Unique thread ID
  • May have a security context (token) used for impersonation

Objects
• A kernel object is reference counted, and consists of:
  • A system-defined data type
  • Functions that operate on instances of that type
  • A set of object attributes
• A process has an ID, base scheduling priority, and a pointer to an access token.
• Many objects can be named and shared across processes.
• Functions usually operate on object attributes.
• Example objects:
  • Processes, threads, windows, files, events, mutexes
Security
• Windows has:
  • Discretionary protection for all shareable system objects, e.g., files, directories, processes, threads, registry keys, …
  • Security auditing
  • Password authentication at login
  • Prevention of one user from accessing another’s deallocated memory

Discretionary Access Control
• Methods by which owners of objects can grant or deny access to others.
• When a user logs on, she is given a security token (security context).
• When accessing a secured object, her security token is compared with the access control list of the object to determine if she has permission for the requested operation.

Privileged Access Control
• Privileged access allows administrators to take ownership of existing kernel objects.
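The two slides above describe the check that happens when a token meets an object's access control list, and the privilege that lets an administrator take ownership regardless of that list. The program below is an added example written for this page; it is not code from the seminar or from the Windows Internals book, and it is a simplified model of the documented decision rules rather than the real AccessCheck() routine (it ignores generic-right mapping, inherit-only ACEs, restricted SIDs and integrity levels). All SIDs, tokens and objects in it are constructed; the READ_CONTROL, WRITE_DAC and WRITE_OWNER bit values are the real Windows standard-rights values, while READ and WRITE stand in for object-specific rights. The example also goes slightly beyond the slides by showing why DACL ordering matters: the same deny ACE either blocks or fails to block a write depending on whether it precedes the allow ACE.

```c
/* Added model of Windows discretionary access checking. NOT the real
 * AccessCheck(): it reproduces the documented rules in plain C so they can be
 * run anywhere. All SIDs and objects below are constructed sample data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits. The three standard rights use real Windows values;
 * READ/WRITE stand in for object-specific rights. */
#define ACC_READ          0x00000001u
#define ACC_WRITE         0x00000002u
#define ACC_READ_CONTROL  0x00020000u   /* read the security descriptor */
#define ACC_WRITE_DAC     0x00040000u   /* modify the DACL              */
#define ACC_WRITE_OWNER   0x00080000u   /* take ownership               */

#define MAX_SIDS 8
#define MAX_ACES 8

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *sid; uint32_t mask; } Ace;

/* Token built at logon: user SID, group SIDs, and the privileges it holds. */
typedef struct {
    const char *sids[MAX_SIDS];     /* user SID first, then groups; NULL-terminated */
    bool take_ownership_privilege;  /* SeTakeOwnershipPrivilege enabled            */
} Token;

/* The parts of a security descriptor the check needs. */
typedef struct {
    const char *owner_sid;
    bool dacl_present;   /* false = NULL DACL: object is unprotected         */
    int ace_count;       /* 0 with dacl_present = empty DACL: nobody gets in */
    Ace aces[MAX_ACES];
} SecurityDescriptor;

static bool token_has_sid(const Token *t, const char *sid) {
    for (int i = 0; i < MAX_SIDS && t->sids[i]; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Returns the rights granted out of `desired`; 0 as soon as a deny ACE applies. */
uint32_t access_check(const Token *t, const SecurityDescriptor *sd, uint32_t desired) {
    if (!sd->dacl_present) return desired;           /* NULL DACL: everything */
    uint32_t have = 0;
    /* The owner may always read and rewrite the object's protection. */
    if (token_has_sid(t, sd->owner_sid))
        have |= desired & (ACC_READ_CONTROL | ACC_WRITE_DAC);
    /* The take-ownership privilege grants WRITE_OWNER regardless of the DACL. */
    if (t->take_ownership_privilege)
        have |= desired & ACC_WRITE_OWNER;
    /* Walk the DACL in order; stop as soon as every desired bit is granted. */
    for (int i = 0; i < sd->ace_count && have != desired; i++) {
        const Ace *ace = &sd->aces[i];
        if (!token_has_sid(t, ace->sid)) continue;   /* ACE is not about this caller */
        uint32_t remaining = desired & ~have;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining) return 0;     /* first matching deny wins */
        } else {
            have |= ace->mask & desired;
        }
    }
    return have;
}

bool allowed(const Token *t, const SecurityDescriptor *sd, uint32_t desired) {
    return desired != 0 && access_check(t, sd, desired) == desired;
}

/* Constructed principals: two ordinary users (Users, Everyone) and an admin. */
const Token alice = { { "S-1-5-21-1000", "S-1-5-32-545", "S-1-1-0", NULL }, false };
const Token bob   = { { "S-1-5-21-1001", "S-1-5-32-545", "S-1-1-0", NULL }, false };
const Token admin = { { "S-1-5-21-500",  "S-1-5-32-544", "S-1-1-0", NULL }, true  };

/* Canonical DACL order: explicit deny ACEs come before allow ACEs. */
const SecurityDescriptor file_canonical = { "S-1-5-21-1000", true, 2, {
    { ACE_DENY,  "S-1-1-0",      ACC_WRITE },                /* Everyone: no write */
    { ACE_ALLOW, "S-1-5-32-545", ACC_READ | ACC_WRITE } } }; /* Users: read+write  */

/* Same ACEs in non-canonical order: the allow is reached before the deny. */
const SecurityDescriptor file_noncanonical = { "S-1-5-21-1000", true, 2, {
    { ACE_ALLOW, "S-1-5-32-545", ACC_READ | ACC_WRITE },
    { ACE_DENY,  "S-1-1-0",      ACC_WRITE } } };

const SecurityDescriptor file_null_dacl = { "S-1-5-21-1000", false, 0, { { ACE_ALLOW, NULL, 0 } } };

int main(void) {
    const struct { const char *label; const Token *t; const SecurityDescriptor *sd; uint32_t want; } cases[] = {
        { "alice READ, canonical DACL",      &alice, &file_canonical,    ACC_READ },
        { "alice WRITE, canonical DACL",     &alice, &file_canonical,    ACC_WRITE },
        { "alice WRITE, non-canonical DACL", &alice, &file_noncanonical, ACC_WRITE },
        { "alice WRITE_DAC as owner",        &alice, &file_canonical,    ACC_WRITE_DAC },
        { "bob WRITE_DAC, not owner",        &bob,   &file_canonical,    ACC_WRITE_DAC },
        { "admin WRITE_OWNER via privilege", &admin, &file_canonical,    ACC_WRITE_OWNER },
        { "bob WRITE, NULL DACL",            &bob,   &file_null_dacl,    ACC_WRITE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s -> %s\n", cases[i].label,
               allowed(cases[i].t, cases[i].sd, cases[i].want) ? "ALLOWED" : "DENIED");
    return 0;
}
```

Two points are worth noticing when reading the output. Alice is denied WRITE on the canonical descriptor but allowed it on the non-canonical one, even though both contain the same two ACEs; tools that edit DACLs keep them in canonical order precisely so that explicit denies are evaluated first. Alice is also granted WRITE_DAC without any ACE saying so, because ownership alone lets her rewrite the object's protection, and the administrator gets WRITE_OWNER from the take-ownership privilege, which is the "take ownership of existing kernel objects" path the slide refers to. A NULL DACL, finally, is not "no permissions" but "no protection", which is why auditing for NULL-DACL objects is a standard hardening check.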
Registry
• The registry holds:
  • Boot and system configuration info
  • System-wide software settings
  • Security database
  • Per-user configuration settings

Registry Structure
• Hierarchical structure like a directory tree
• Each branch is called a key
• Each key can contain both keys and values
• A value contains stored information
• Value types can be: String, Binary, DWORD

Registry Structure
• HKEY_CLASSES_ROOT
  • File associations and paths to COM servers
• HKEY_CURRENT_USER
  • Part of HKEY_USERS for the current user
• HKEY_LOCAL_MACHINE
  • Hardware and software installed on your machine
• HKEY_USERS
  • Preferences for each of the users of the machine
• HKEY_CURRENT_CONFIG
  • Part of HKEY_LOCAL_MACHINE for the current configuration

End of Presentation
• Seminar Schedule