This document provides an introduction and overview of key concepts related to the Windows operating system internals. It discusses basic OS concepts, how Windows is implemented, and a simplified view of its inner workings. The document outlines user mode vs kernel mode, processes and threads, virtual memory, objects and handles, Windows design goals, core system files, the executive and kernel, and important system processes like CSRSS and Winlogon. It also covers symmetric multiprocessing, subsystems, and the Windows in Windows 64 (Wow64) subsystem that allows 32-bit apps to run on 64-bit Windows.

1. Windows Internals (introduction)Windows Internals (introduction)
John OmbagiJohn Ombagi

2. IntroductionIntroduction

3. ● Basic Operating System Concepts.
● How the Windows OS is implemented.
● Simplified inner working of this OS.
● Not a detail guide.
● Basic Operating System Concepts.
● How the Windows OS is implemented.
● Simplified inner working of this OS.
● Not a detail guide.
OverviewOverview

4. Expectation & Literature
● Knowledge gained can be applied in:
– Malware analysis & reverse engineering
– Exploit development & software
development.
● Books Required:
– Windows Internals 6 (part one and two).
– The recent Windows Internals 7 (part one).
● Knowledge gained can be applied in:
– Malware analysis & reverse engineering
– Exploit development & software
development.
● Books Required:
– Windows Internals 6 (part one and two).
– The recent Windows Internals 7 (part one).

5. User mode & Kernel modeUser mode & Kernel mode

6. ● Allows access to non-operating system code
and data only
● No access to the hardware
● Protect user application form crashing the
system
● Allows access to non-operating system code
and data only
● No access to the hardware
● Protect user application form crashing the
system
User modeUser mode

7. ● Privileged mode for use by the kernel and
device drivers only.
● Allows access to all system resources
● Can potentially crash system (BoD?)
● Privileged mode for use by the kernel and
device drivers only.
● Allows access to all system resources
● Can potentially crash system (BoD?)
Kernel modeKernel mode

8. Lab Setup
● Windows 7/8/10 (I’ll be using 32 bit).
● Windbg, OllyDbg, Immunituy, x64dbg
● IDA Pro ver. 6 or 7
● Windows System internals Suite
● Python 2.7
● Provided Workshop Tools
● Windows 7/8/10 (I’ll be using 32 bit).
● Windbg, OllyDbg, Immunituy, x64dbg
● IDA Pro ver. 6 or 7
● Windows System internals Suite
● Python 2.7
● Provided Workshop Tools

9. ProcessesProcesses

10. ● It’s a set of resources to execute a program.● It’s a set of resources to execute a program.
What’s a Process?What’s a Process?

11. ● A private Virtual Address space.
● An executable program
● A private table of handles to various kernel
objects
● A security context (access token)
● One or more threads that execute code.
● A private Virtual Address space.
● An executable program
● A private table of handles to various kernel
objects
● A security context (access token)
● One or more threads that execute code.
What constitute a process?What constitute a process?

12. ThreadsThreads

13. ● This is an entity that is scheduled by the
kernel to execute code.
● This is an entity that is scheduled by the
kernel to execute code.
What’s a Thread?What’s a Thread?

14. ● The state of CPU registers
● Current access mode
● Two stacks, (userspace and kernel space)
● Thread Local Storage (TLS)
● Optional Security Token
● Optional message queue
● The state of CPU registers
● Current access mode
● Two stacks, (userspace and kernel space)
● Thread Local Storage (TLS)
● Optional Security Token
● Optional message queue
What constitute a thread?What constitute a thread?

15. ● There are several states but the most
important ones are as follows:
– Running
– Ready
– Waiting
● There are several states but the most
important ones are as follows:
– Running
– Ready
– Waiting
Thread StateThread State

16. Demo

17. Virtual MemoryVirtual Memory

18. ● Each process "sees" a flat linear memory.
● Virtual memory may be mapped to physical
memory, but may also be stored on disk.
● Processes access memory regardless of
where it actually resides.
● The memory manager handles mapping of
virtual to physical page.
● Each process "sees" a flat linear memory.
● Virtual memory may be mapped to physical
memory, but may also be stored on disk.
● Processes access memory regardless of
where it actually resides.
● The memory manager handles mapping of
virtual to physical page.
OverviewOverview

20. ● Windows Internals, Sixth Edition, Part 1
(page 15)
– Virtual Memory Mapping
– Virtual Memory Layout
● Windows Internals, Sixth Edition, Part 1
(page 15)
– Virtual Memory Mapping
– Virtual Memory Layout
Further ReadingFurther Reading

21. Demo.

22. Object and HandlesObject and Handles

23. ● Windows is an object based system.
● Objects are run time instance of static
structures & reside in system memory space.
● Kernel code can obtain direct pointer to an
object. In user mode, code can only obtain a
handle to an object.
● Objects are reference counted.
● Windows is an object based system.
● Objects are run time instance of static
structures & reside in system memory space.
● Kernel code can obtain direct pointer to an
object. In user mode, code can only obtain a
handle to an object.
● Objects are reference counted.
DetailsDetails

24. Windows Design GoalWindows Design Goal

25. ● Separate address space per process.
● Protected Kernel.
● Pre-emptive multitasking & multithreading.
● Internationalization support using Unicode.
● Security throughout the System.
● Integrated Networking.
● Separate address space per process.
● Protected Kernel.
● Pre-emptive multitasking & multithreading.
● Internationalization support using Unicode.
● Security throughout the System.
● Integrated Networking.
OverviewOverview

26. ● Powerful File System (NTFS).
● Run most 16 bit Windows and DOS.
applications.
● Run POSIX 1003.1 and OS/2 applications.
● Portable across processors and platforms.
● Be great client as well as server platform.
● Powerful File System (NTFS).
● Run most 16 bit Windows and DOS.
applications.
● Run POSIX 1003.1 and OS/2 applications.
● Portable across processors and platforms.
● Be great client as well as server platform.
Cont.Cont.

27. Core System FilesCore System Files

28. ● On 64 bit Systems, we have Ntoskrnl.exe
● On 32 bit Systems, we have NtKrnlPa.exe
– Physical Address Extensions (PAE) kernel
● PAE uses paging tables to map the memory
greater than 4 GB.
● On 64 bit Systems, we have Ntoskrnl.exe
● On 32 bit Systems, we have NtKrnlPa.exe
– Physical Address Extensions (PAE) kernel
● PAE uses paging tables to map the memory
greater than 4 GB.
Executive and KernelExecutive and Kernel

29. ● Stands for Hardware Abstraction Layer.
● In Windows there are several Hal and the
best is chosen during installation.
● It's a layer that insulate the kernel and the
drivers from the actual hardware.
● Stands for Hardware Abstraction Layer.
● In Windows there are several Hal and the
best is chosen during installation.
● It's a layer that insulate the kernel and the
drivers from the actual hardware.
Hal.dllHal.dll

30. ● It's a Kernel mode component of the
Windows subsystem.
● It handles Windowing and GDI (Graphics).
● It's a Kernel mode component of the
Windows subsystem.
● It handles Windowing and GDI (Graphics).
Win32k.sysWin32k.sys

31. ● It's the lower layer of the user mode.
● It has System support routines and Native
API dispatcher to execute services.
● It provides functions to jump into Kernel
mode.
● Provides other simple functions that are
similar to the C runtime library.
● It's the lower layer of the user mode.
● It has System support routines and Native
API dispatcher to execute services.
● It provides functions to jump into Kernel
mode.
● Provides other simple functions that are
similar to the C runtime library.
NtDll.dllNtDll.dll

32. ● Applications don't call the Kernel or Ntdll.dll
directly, NativeAPI is undocumented.
● The way to do it, is by using the official,
documented Subsystem DLLs.
● They transition into Ntdll.dll if needed or
bypass that for GDI/Windowing calls.
● Applications don't call the Kernel or Ntdll.dll
directly, NativeAPI is undocumented.
● The way to do it, is by using the official,
documented Subsystem DLLs.
● They transition into Ntdll.dll if needed or
bypass that for GDI/Windowing calls.
Kernel32.dll, user32.dll, gdi32.dll,
advapi32.dll etc...
Kernel32.dll, user32.dll, gdi32.dll,
advapi32.dll etc...

33. CSRSS.exeCSRSS.exe
● Client Server Runtime Subsystem
● This is the process that manages the
Windows Subsystem.
● It's very important and always running
● Killing this process will result into a blue
screen of death.
● Client Server Runtime Subsystem
● This is the process that manages the
Windows Subsystem.
● It's very important and always running
● Killing this process will result into a blue
screen of death.

34. Symmetric MultiprocessingSymmetric Multiprocessing

35. ● All CPUs are the same and share main
memory and have equal access to peripheral
devices.
● No Master or Slave CPUs.
● Basic architecture supports up to 32/64
CPUs.
● All CPUs are the same and share main
memory and have equal access to peripheral
devices.
● No Master or Slave CPUs.
● Basic architecture supports up to 32/64
CPUs.
SMPSMP

36. ● It used bitmask, which was the size of the
machine WORD.
● However starting on Windows 7 64 bit and
2008 R2 support up to 256 cores.
A Processor Group can contain up to 64
Processors, there are four possible processor
groups in a 256 core system.
● It used bitmask, which was the size of the
machine WORD.
● However starting on Windows 7 64 bit and
2008 R2 support up to 256 cores.
A Processor Group can contain up to 64
Processors, there are four possible processor
groups in a 256 core system.
SMP cont.SMP cont.

37. SubsystemsSubsystems

38. ● It exposes service via subsystem DLLS.
● These subsystem DLLs expose the API of that
subsystem in a way that is fitting to that
subsystem.
● The Windows subsystem must always be
running.
● It’s loaded automatically during boots up
● It exposes service via subsystem DLLS.
● These subsystem DLLs expose the API of that
subsystem in a way that is fitting to that
subsystem.
● The Windows subsystem must always be
running.
● It’s loaded automatically during boots up
OverviewOverview

39. Subsytems cont..Subsytems cont..
● Information about Subsystems are stored in
the following registry key:
– HKLMSystemCCSControlSession
MangerSubsystems
● Subsystems DLLs are the ones exposing a
particular API.
● Information about Subsystems are stored in
the following registry key:
– HKLMSystemCCSControlSession
MangerSubsystems
● Subsystems DLLs are the ones exposing a
particular API.

40. Cont.Cont.
● An image of a certain subsystem calls API
functions exposed through the subsystem
DLLs.
● Some processes start up before the Windows
Subsystem is up.
● Most dispatcher to kernel services are using
Windows API "wrappers".
● An image of a certain subsystem calls API
functions exposed through the subsystem
DLLs.
● Some processes start up before the Windows
Subsystem is up.
● Most dispatcher to kernel services are using
Windows API "wrappers".

41. System ProcessesSystem Processes

42. Idle Process.Idle Process.
● it has an id a PID of 0 which is not a real
process.
● It's just one thread per CPU (core).
● It's a count for Idle time.
● it has an id a PID of 0 which is not a real
process.
● It's just one thread per CPU (core).
● It's a count for Idle time.

43. System ProcessSystem Process
● It's a real process and has a fixed PID of 4.
● It represent stuff going on in the Kernel
● It execute code in system space only.
● Created by PsCreateSystemThread kernel API
● The threads don't need a particular process
to maintain running (on as System is alive)
● It's a real process and has a fixed PID of 4.
● It represent stuff going on in the Kernel
● It execute code in system space only.
● Created by PsCreateSystemThread kernel API
● The threads don't need a particular process
to maintain running (on as System is alive)

44. Session manger (Smss.exe)Session manger (Smss.exe)
● It runs the windowssystem32smss.exe
● it’s the first user mode process created by
System (the kernel, part of the boot process)
● Because at this time the windows Subsystem
is not loaded yet, it uses the Native API
provided by the NtDll.dll.
● It runs the windowssystem32smss.exe
● it’s the first user mode process created by
System (the kernel, part of the boot process)
● Because at this time the windows Subsystem
is not loaded yet, it uses the Native API
provided by the NtDll.dll.

45. Session manger contd...Session manger contd...
– Creating system environment variables.
– launching the subsystem processes
– It also launches itself in other sessions
– Waits for csrss.exe instances to terminate.
– Waits for subsystem creation request.
– Waits for terminal services session creation
requests.
– Creating system environment variables.
– launching the subsystem processes
– It also launches itself in other sessions
– Waits for csrss.exe instances to terminate.
– Waits for subsystem creation request.
– Waits for terminal services session creation
requests.

46. Windows Subsystem (Csrss.exe)Windows Subsystem (Csrss.exe)
● It runs windowssystem32csrss.exe
● Provides the user mode side of the Win32
subsystem.
● CSRSS is mainly responsible for Win32
console handling and GUI shutdown.
● It is critical to system operation
● It runs windowssystem32csrss.exe
● Provides the user mode side of the Win32
subsystem.
● CSRSS is mainly responsible for Win32
console handling and GUI shutdown.
● It is critical to system operation

47. Logon Process (Winlogon.exe)Logon Process (Winlogon.exe)
● It runs windowssystem32winlogon.exe
– This handles interactive logons and logoffs. If
terminated, logs off the user session
– It's also responsible for capturing of Secure
Attention Sequence (SAS) - Ctrl + Alt + Del
– Presents username / password dialog (through
LogonUI.exe).
● It runs windowssystem32winlogon.exe
– This handles interactive logons and logoffs. If
terminated, logs off the user session
– It's also responsible for capturing of Secure
Attention Sequence (SAS) - Ctrl + Alt + Del
– Presents username / password dialog (through
LogonUI.exe).

48. Local Sec. Auth. Server (Lsass.exe)Local Sec. Auth. Server (Lsass.exe)
● Running the windowssystem32lsass.exe
● It calls the appropriate authentication
packages.
● Upon successful authentication, creates a
token representing the user's security
profile.
● Returns information to Winlogon.
● Running the windowssystem32lsass.exe
● It calls the appropriate authentication
packages.
● Upon successful authentication, creates a
token representing the user's security
profile.
● Returns information to Winlogon.

49. Service Control Manager (SCM)Service Control Manager (SCM)
● Running windowssystem32services.exe
– Responsible for starting, stopping and
interacting with service processes.
– SERVICE : Similar to 'Unix' daemon processes;
Not running in Kernel mode in any way; Normal
Windows executable that interact with SCM; Can
run under "special" accounts (LocalSystem,
NetworkService, LocalService).
● Running windowssystem32services.exe
– Responsible for starting, stopping and
interacting with service processes.
– SERVICE : Similar to 'Unix' daemon processes;
Not running in Kernel mode in any way; Normal
Windows executable that interact with SCM; Can
run under "special" accounts (LocalSystem,
NetworkService, LocalService).

50. Local Session Manager (Lsm.exe)Local Session Manager (Lsm.exe)
– A helper Introduced in Windows Vista that does
some managing of the local session and
provides information to smss.exe if needed.
– Running image windowssystem32lsm.exe
– In windows 8, turned into a service.
– Manages terminal sessions on the local machine
– A helper Introduced in Windows Vista that does
some managing of the local session and
provides information to smss.exe if needed.
– Running image windowssystem32lsm.exe
– In windows 8, turned into a service.
– Manages terminal sessions on the local machine

51. Wow64 (Windows in Windows 64)Wow64 (Windows in Windows 64)
Wow64 allows execution of Win32 (32 bit exes)
binaries on 64-bit Windows.
– The isWow64Process function can tell whether a
process is running under Wow64.
– Filesystem:
● windowssystem32 contains 64 bit images
● windowssyswow64 containd 32 bit images
Wow64 allows execution of Win32 (32 bit exes)
binaries on 64-bit Windows.
– The isWow64Process function can tell whether a
process is running under Wow64.
– Filesystem:
● windowssystem32 contains 64 bit images
● windowssyswow64 containd 32 bit images

52. Wow64-ArchWow64-Arch
● Wow64 Restrictions:
– A 64 bit process cannot load a 32 bit DLLs and
vice versa except resource-only DLLs.
● Filesystem Redirection:
– WindowsSystem32 maps to
WindowsSyswow64.
– Program Files (x86) & Program Files
● Wow64 Restrictions:
– A 64 bit process cannot load a 32 bit DLLs and
vice versa except resource-only DLLs.
● Filesystem Redirection:
– WindowsSystem32 maps to
WindowsSyswow64.
– Program Files (x86) & Program Files

53. ● Registry Redirection:
● COM components trying to register as 32 bit and 64
bit will crush.
● 32 bit components are redirected to the Wow64
registry node (Wow6432Node)
– HKYE_LOCAL_MACHINESSoftware
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USERSoftwareClasses
● New flags for Registry APIs allow access to the 64 bit
or 32 bit nodes
– KEY_WOW64_64KEY & KEY_WOW64_32KEY
● Registry Redirection:
● COM components trying to register as 32 bit and 64
bit will crush.
● 32 bit components are redirected to the Wow64
registry node (Wow6432Node)
– HKYE_LOCAL_MACHINESSoftware
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USERSoftwareClasses
● New flags for Registry APIs allow access to the 64 bit
or 32 bit nodes
– KEY_WOW64_64KEY & KEY_WOW64_32KEY

54. End of Part One.
John Ombagi
jayombagi@gmail.com
End of Part One.
John Ombagi
jayombagi@gmail.com