
Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools

Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools. Jim Fawcett Fall 2006. Chap 1 – Concepts and Tools Chap 2 – System Archit. Chap 3 – System Mech. Chap 4 – Mgmt Mech. Chap 5 – Startup/Shutdown Chap 6 – Processes, Threads Chap 7 – Memory Mgmt. Chap 8 – Security



Presentation Transcript


  1. Windows Internals Brown-Bag Seminar
     Chapter 1 – Concepts and Tools
     Jim Fawcett, Fall 2006

  2. Windows Internals
     • Chap 1 – Concepts and Tools
     • Chap 2 – System Architecture
     • Chap 3 – System Mechanisms
     • Chap 4 – Management Mechanisms
     • Chap 5 – Startup/Shutdown
     • Chap 6 – Processes, Threads
     • Chap 7 – Memory Management
     • Chap 8 – Security
     • Chap 9 – I/O System
     • Chap 10 – Storage Management
     • Chap 11 – Cache Manager
     • Chap 12 – File Systems
     • Chap 13 – Networking
     • Chap 14 – Crash Dump Analysis

  3. Resources
     • Windows Internals, Fourth Edition, Russinovich, Solomon, Microsoft Press, 2005
     • Windows System Programming, Third Edition, Johnson Hart, Addison-Wesley, 2005
     • Win32 Links – a random sampling of interesting things:
       • Display Win32 and COM error strings
       • Accessing data in another process
       • Injecting and executing code in another process
       • Windows Security with code examples
       • ShellExecute and Automation
       • Windows Hooks
       • Win32 Message Maps and Message Cracking
       • Windows Annoyances

  4. Windows API Overview
     • Base Services
     • Component Services
     • User Interface Services
     • Graphics and Multimedia Services
     • Networking
     • Web Services

  5. More Resources
     • Core Technologies
     • Overview of Windows API
     • Windows Data Types
     • Windows API Functions by category
     • Windows Shell
     • Win32 to .NET Map
     • Platform SDK

  6. Windows Programming Levels
     • .NET Framework Class Library
       • Many namespaces of managed code
     • Windows API Functions
       • Documented, callable functions exported from user32.dll, gdi32.dll, advapi32.dll, and kernel32.dll
     • Native System Services
       • Undocumented services callable from user mode
     • Kernel Support Functions
       • Windows OS routines, callable only from the kernel

  7. Some Examples
     • fileInfo, Nav, and Wintools
     • Threads
     • Creating and Loading DLLs

  8. Windows Processes
     • A process is a container of resources used by an executing program:
       • Private virtual address space
       • Executable program
       • List of open handles
       • A security context, e.g., access token
       • Process ID
       • One or more threads of execution

  9. Virtual Memory Mapping

  10. Processing Modes
     • User mode
       • User mode runs user application code. In user mode, a process has access to a private virtual address space, shared by all threads that run in the process.
     • Kernel mode
       • Kernel mode is used to run OS code and device drivers, as well as a lot of the graphics and windowing code. In kernel mode, threads have unlimited access to the OS’s virtual system memory and all CPU instructions.
     • More about modes
       • Each page in virtual memory is tagged with the mode the processor must be in to read/write the page. Read-only pages, e.g., those that contain executable code, are not writable from any mode.
       • User applications switch from user mode to kernel mode when they make system calls. These calls are validated before execution.

  11. Opening Visual Studio – Now lots of page faults.

  12. Windows Threads
     • A scheduled entity in a process that executes code. It has:
       • Contents of a set of CPU registers
       • Two stacks, one for kernel mode, one for user mode
       • Private thread-local storage, used by Windows subsystems and libraries
       • Unique thread ID
       • May have a security context (token) used for impersonation

  13. Objects
     • A kernel object is reference counted, and consists of:
       • A system-defined data type
       • Functions that operate on instances of that type
       • A set of object attributes
     • A process has an ID, base scheduling priority, and a pointer to an access token.
     • Many objects can be named and shared across processes.
     • Functions usually operate on object attributes.
     • Example objects:
       • Processes, threads, windows, files, events, mutexes
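The following is an added example, not part of the seminar slides, that makes the process, thread and kernel-object concepts from slides 8, 12 and 13 observable from Windows PowerShell: the current process's resources (ID, image, handle table size, thread IDs, token user), and a named mutex whose reference count keeps the object alive until the last handle is closed. It assumes Windows PowerShell 5.1 or later; the object name 'Local\WI-BrownBag-Demo' is a constructed example name.

```powershell
function Show-ProcessResources {
    # The resources slide 8 lists for a process, read back for this PowerShell process
    $me = Get-Process -Id $PID
    [pscustomobject]@{
        ProcessId  = $me.Id
        Executable = $me.Path                               # image mapped into the private address space
        Handles    = $me.HandleCount                        # size of the process's open-handle list
        ThreadIds  = ($me.Threads | ForEach-Object { $_.Id }) -join ','   # each thread has a unique ID (slide 12)
        TokenUser  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name  # security context / access token
    }
}

function Test-NamedObjectLifetime {
    # Demonstrates slide 13: named objects are shared by name and freed only when the
    # reference count drops to zero. 'Local\' scopes the name to this logon session.
    param([string] $Name = 'Local\WI-BrownBag-Demo')   # constructed example name

    $h1 = New-Object System.Threading.Mutex -ArgumentList $false, $Name   # creates the object; handle #1
    $h2 = [System.Threading.Mutex]::OpenExisting($Name)                   # found by name; handle #2, same object
    $h1.Dispose()                                                         # one reference dropped, object survives
    $h3 = [System.Threading.Mutex]::OpenExisting($Name)                   # would throw if the object were gone
    $h3.Dispose()
    $h2.Dispose()                                                         # last handle closed: object is destroyed
    try {
        [System.Threading.Mutex]::OpenExisting($Name) | Out-Null
        $false                                                            # name still resolves: unexpected
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] {
        $true                                                             # name no longer resolves: object freed
    }
}

Show-ProcessResources
"Named mutex freed once its last handle was closed: $(Test-NamedObjectLifetime)"
```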

  14. Security
     • Windows has:
       • Discretionary protection for all shareable system objects, e.g., files, directories, processes, threads, registry keys, …
       • Security auditing
       • Password authentication at login
       • Prevention of one user accessing another’s deallocated memory

  15. Discretionary Access Control
     • Methods by which owners of objects can grant or deny access to others.
     • When a user logs on, she is given a security token (security context).
     • When accessing a secured object, her security token is compared with the access control list of the object to determine if she has permission for the requested operation.
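As an added example (not from the slides), the following PowerShell function replays, in simplified form, the token-versus-ACL comparison that slide 15 describes: it collects the SIDs in the current token, walks the DACL of a file or directory, and reports whether a requested right would be granted. It assumes Windows PowerShell 5.1 or later; the simplifications are noted in the comments.

```powershell
function Test-TokenAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Right = 'Write'
    )
    # The security token handed out at logon: the user's SID plus the SIDs of all groups
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # The object's access control list, with each ACE's identity resolved to a SID
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $granted = 0
    $denied  = 0
    foreach ($rule in $rules) {
        # Only ACEs whose SID appears in the token take part in the check
        if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $denied  = $denied  -bor [int]$rule.FileSystemRights }
        else                                     { $granted = $granted -bor [int]$rule.FileSystemRights }
    }
    # Simplification: a deny ACE wins over an allow ACE for the same right (true for a
    # canonically ordered DACL). Not modelled: the owner's implicit READ_CONTROL/WRITE_DAC
    # rights and privileges such as SeTakeOwnershipPrivilege, which bypass the DACL.
    $effective = $granted -band (-bnot $denied)
    [pscustomobject]@{
        Path      = $Path
        TokenUser = $identity.Name
        Requested = $Right
        Allowed   = (($effective -band [int]$Right) -eq [int]$Right)
        Effective = [System.Security.AccessControl.FileSystemRights] $effective
    }
}

# A system file that standard users can read but not write
Test-TokenAccess -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Right Write
Test-TokenAccess -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Right Read
```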

  16. Privileged Access Control
     • Privileged access allows administrators to take ownership of existing kernel objects.

  17. Registry
     • The registry holds:
       • Boot and system configuration info
       • System-wide software settings
       • Security database
       • Per-user configuration settings

  18. Registry Structure
     • Hierarchical structure like a directory tree
     • Each branch is called a key
     • Each key can contain both keys and values
     • A value contains stored information
     • Value types can be: String, Binary, DWORD

  19. Registry Structure
     • HKEY_CLASSES_ROOT
       • File associations and paths to COM servers
     • HKEY_CURRENT_USER
       • Part of HKEY_USERS for the current user
     • HKEY_LOCAL_MACHINE
       • Hardware and software installed on your machine
     • HKEY_USERS
       • Preferences for each of the users of the machine
     • HKEY_CURRENT_CONFIG
       • Part of HKEY_LOCAL_MACHINE for the current configuration
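The following added example (not part of the slides) walks a registry key the way slides 18 and 19 describe it: subkeys as branches, values with their stored type (String, Binary, DWORD, …), and HKEY_CURRENT_USER as the current user's branch of HKEY_USERS. It assumes Windows PowerShell 5.1 or later and keys that exist on a default install (HKCU\Control Panel\Desktop and HKCU\Environment).

```powershell
function Get-RegistryTree {
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Key,
        [int] $Depth = 1,
        [string] $Indent = ''
    )
    # Values live directly on this key; each has a name, data and a kind (REG_SZ, REG_BINARY, REG_DWORD, ...)
    foreach ($name in $Key.GetValueNames()) {
        $kind = $Key.GetValueKind($name)
        $data = $Key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if     ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }  # REG_BINARY as hex
        elseif ($data -is [array])  { $data = $data -join ', ' }                                          # REG_MULTI_SZ
        "{0}  [{1}] {2} = {3}" -f $Indent, $kind, $(if ($name) { $name } else { '(Default)' }), $data
    }
    if ($Depth -le 0) { return }
    # Subkeys are the branches of the tree; recurse into each one, read-only
    foreach ($sub in $Key.GetSubKeyNames()) {
        "{0}{1}\" -f $Indent, $sub
        $child = $Key.OpenSubKey($sub)          # $null if the DACL on the subkey denies us read access
        if ($child) {
            Get-RegistryTree -Key $child -Depth ($Depth - 1) -Indent ($Indent + '  ')
            $child.Close()
        }
    }
}

# A per-user key holding a mix of string, binary and DWORD values
$desktop = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Control Panel\Desktop')
Get-RegistryTree -Key $desktop -Depth 1
$desktop.Close()

# Slide 19: HKEY_CURRENT_USER is the HKEY_USERS\<SID> branch of the logged-on user
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$viaHkcu = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Environment').GetValue('TEMP', $null, 'DoNotExpandEnvironmentNames')
$viaHku  = [Microsoft.Win32.Registry]::Users.OpenSubKey("$sid\Environment").GetValue('TEMP', $null, 'DoNotExpandEnvironmentNames')
"HKCU\Environment\TEMP     = $viaHkcu"
"HKU\$sid\Environment\TEMP = $viaHku"
"Same key through both paths: $($viaHkcu -eq $viaHku)"
```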

  20. End of Presentation
     • Seminar Schedule