2. Process
• Process: a program in execution.
• A process is a container for resources; it does not run
code by itself, its threads do.
• A process has a virtual address space, executable code,
open handles to system objects, a security context (its
access token), a unique process identifier, environment
variables, a priority class, minimum and maximum working
set sizes, and at least one thread of execution.
• Running multiple threads within the same process is
multithreading; the scheduler interleaving threads from
many processes is what produces multitasking.
3. Threads
• Light-weight process: the unit the scheduler actually runs.
• Each thread maintains its own stack and register context,
exception handlers, a scheduling priority, thread local
storage and a unique thread identifier.
• Microsoft Windows supports preemptive multitasking, which
creates the effect of simultaneous execution of multiple
threads from multiple processes.
• Virtual machine abstraction: each process is given the
illusion of having its own machine, i.e. CPU, memory, I/O etc.
• Switching to another thread within the same process is
cheaper than switching to another process, because the
address space does not change.
• Threads within a process
• share resources (the address space, handles, heaps)
• are not independent
• are not protected against each other: a bug or a
compromise in one thread can corrupt or take over the
whole process, so shared data needs explicit
synchronization.
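The last point above is easiest to see in code. The following is an added example, not part of the original slides: four threads increment one shared counter, first without and then with a mutex. POSIX threads stand in for the Windows CreateThread/CRITICAL_SECTION pair; the thread and iteration counts are arbitrary.

```c
/* Added example: threads in one process share memory and are not
 * protected from each other. The unlocked run can lose updates; the
 * locked run cannot. POSIX threads stand in for Windows threads. */
#include <pthread.h>
#include <stdio.h>

#define THREADS    4        /* arbitrary sizes for the demonstration */
#define ITERATIONS 100000

/* State shared by every thread: it lives in the one process address space,
 * so nothing stops a thread from reading a half-updated counter. */
struct shared {
    volatile long counter;
    pthread_mutex_t lock;
    int use_lock;
};

static void *worker(void *arg)
{
    struct shared *s = arg;
    for (int i = 0; i < ITERATIONS; i++) {
        if (s->use_lock) pthread_mutex_lock(&s->lock);
        s->counter++;               /* load, add, store: not atomic without the lock */
        if (s->use_lock) pthread_mutex_unlock(&s->lock);
    }
    return NULL;
}

/* Runs THREADS workers over one counter and returns its final value.
 * With use_lock == 1 the result is always THREADS * ITERATIONS; with 0
 * the interleaved read-modify-write sequences can lose updates.
 * Returns -1 if a thread could not be created. */
long run_counter(int use_lock)
{
    struct shared s;
    pthread_t t[THREADS];
    s.counter = 0;
    s.use_lock = use_lock;
    pthread_mutex_init(&s.lock, NULL);
    for (int i = 0; i < THREADS; i++)
        if (pthread_create(&t[i], NULL, worker, &s) != 0) return -1;
    for (int i = 0; i < THREADS; i++)
        pthread_join(t[i], NULL);
    pthread_mutex_destroy(&s.lock);
    return s.counter;
}

int main(void)
{
    printf("expected   : %ld\n", (long)THREADS * ITERATIONS);
    printf("unlocked   : %ld\n", run_counter(0));
    printf("with mutex : %ld\n", run_counter(1));
    return 0;
}
```

The unlocked total varies from run to run and is usually below the expected value; the locked total is exact every time. The same applies to any structure threads share, not just an integer.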
5. Enumeration APIs
• Process status API (PSAPI):
– EnumProcesses: list the identifiers of all processes
– EnumProcessModules: list the modules loaded in a process
– GetModuleFileNameEx / GetModuleFileName: full path of a module
• Tool Help API: CreateToolhelp32Snapshot takes a snapshot,
then Process32First/Process32Next walk its processes and
Heap32First/Heap32Next walk a process's heap blocks
(Module32Next and Thread32Next follow the same pattern).
• Inspecting another process's modules or memory needs a
handle from OpenProcess with sufficient access rights.
6. Important Data Types
• BOOL: a 32-bit integer; FALSE is 0 and any non-zero value
is true, so test with != FALSE rather than == TRUE.
• CHAR: an 8-bit character (WCHAR is the 16-bit Unicode one).
• DWORD: a 32-bit unsigned integer.
• HANDLE: an opaque reference to a kernel object.
• HINSTANCE, HMODULE: a handle to a module instance. This
is the base address of the module in memory.
• WINAPI: the calling convention for system functions
(__stdcall on 32-bit x86).
7. Windows Architecture:
• Windows was originally a 16-bit graphical layer on top of
MS-DOS.
• Windows NT and 2000 are 32-bit operating systems with
their own kernel.
• NT kernel:
– NTOSKRNL.EXE: the kernel and executive of the OS.
– HAL.DLL: hardware abstraction layer; hides platform
differences (interrupt controllers, buses, timers) from
the kernel. NTOSKRNL.EXE depends on HAL.DLL.
– NTDLL.DLL: the user-mode library that holds the native
API stubs (Nt*/Zw* functions) which trap into the kernel;
the Win32 DLLs call the kernel through it.
– Win32k.SYS: a kernel-mode driver that implements
windowing and graphics.
8. Windows Architecture:
– Win32 API:
1. kernel32.dll: most base system services (processes,
threads, memory, files).
2. advapi32.dll: registry, services and security handling.
3. gdi32.dll: functions for drawing and shapes.
4. user32.dll: UI for windows, i.e. message boxes,
windows, prompts. It performs its tasks by calling
system calls implemented by Win32k.SYS.
9. Kernel Mode
• A processor in a computer running Windows has two
different modes: user mode and kernel mode.
• The processor switches between the two modes
depending on what type of code is running on the
processor.
• In kernel mode, the executing code has complete and
unrestricted access to the underlying hardware. It can
execute any CPU instruction and reference any memory
address.
• Not all drivers run in kernel mode; user-mode driver
frameworks exist.
• Kernel mode is generally reserved for the lowest-level,
most trusted functions of the operating system. A crash
in kernel mode halts the entire machine, and code that
reaches kernel mode is outside every security control the
kernel enforces.
10. User Mode
• In user mode, the executing code cannot touch hardware
directly or reference memory outside its own address
space (including kernel memory). It must go through
system calls to the OS to access hardware or shared
resources.
• Most of the code running on the computer executes in
user mode.
• If code executing in user mode attempts a privileged CPU
instruction or modifies memory it has no access to, the
processor raises an exception and only that application
crashes, instead of the entire system. That isolation is
the value of user mode.
11. Virtual Address Space
• The virtual address space for a process is the set of
virtual memory addresses that it can use. The address
space for each process is private and cannot be
accessed by other processes unless it is shared (or
another process obtains a handle with PROCESS_VM_READ /
PROCESS_VM_WRITE access).
• The system maintains a page table for each process.
• The virtual address space for 32-bit Windows is 4
gigabytes (GB) in size and divided into two partitions:
by default the lower 2 GB for use by the process and the
upper 2 GB reserved for use by the system.
• APIs used are VirtualAlloc, VirtualQuery, VirtualProtect,
VirtualFree, etc.
12. Registry
• The registry is a system-defined database in which
applications and system components store and retrieve
configuration data.
• Applications use the registry APIs to retrieve, modify or
delete registry data.
• Registry APIs:
– RegOpenKeyEx, RegCreateKeyEx, RegCloseKey,
RegEnumValue, RegQueryValueEx, RegSetValueEx,
RegDeleteValue, RegDeleteKey
13. Registry
• Predefined keys
– HKEY_CURRENT_USER: root of the configuration for the
user currently logged on (a link to that user's subkey
under HKEY_USERS).
– HKEY_USERS: contains subkeys for all loaded user
profiles.
– HKEY_CLASSES_ROOT: contains file name extension
associations and COM class registration information
such as ProgIDs, CLSIDs, IIDs.
– HKEY_LOCAL_MACHINE: contains the system-wide hardware
and software configuration.
– HKEY_CURRENT_CONFIG: current hardware profile.
– HKEY_PERFORMANCE_DATA: performance counters.
14. Registry
• Data types:
– REG_BINARY: arbitrary-length binary data.
– REG_DWORD: 32-bit number (little-endian).
– REG_SZ: null-terminated Unicode string of any length.
RegQueryValueEx does not guarantee that the data it
returns carries the terminator, so the caller must check
for it and add one.
• etc.
• HIVE: On disk, the registry isn't simply one large file but
rather a set of discrete files called hives. Each hive
contains a registry tree, which has a key that serves as
the root or starting point of the tree.
• Hive files themselves carry no extension; companion files
use .log (transaction log), .sav (saved copy) and .alt
(backup of the System hive on older versions).
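Code that reads values back through RegQueryValueEx has to treat the returned bytes as untrusted input: the declared type says nothing about the byte length, and REG_SZ data may arrive without its terminator. The following is an added example (not from the original slides) of decoding such buffers defensively; the three sample buffers are constructed, laid out exactly as the API would return them.

```c
/* Added example: decoding raw registry value buffers the way code that
 * calls RegQueryValueEx must. Every function validates the byte length
 * against the type and never relies on a terminator being present. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffers, as RegQueryValueEx would hand them back. */
static const uint8_t SAMPLE_SZ_NO_NUL[] = {     /* REG_SZ "C:\Tools", no terminator */
    'C',0, ':',0, '\\',0, 'T',0, 'o',0, 'o',0, 'l',0, 's',0 };
static const uint8_t SAMPLE_SZ_NUL[] = { 'H',0, 'i',0, 0,0 };   /* REG_SZ "Hi", terminated */
static const uint8_t SAMPLE_DWORD[]  = { 0x78, 0x56, 0x34, 0x12 }; /* REG_DWORD 0x12345678 */

/* REG_DWORD: exactly 4 bytes, little-endian. Returns 0 on success, -1 if the
 * buffer is not a well-formed DWORD. */
int reg_get_dword(const uint8_t *data, size_t len, uint32_t *out)
{
    if (data == NULL || len != 4) return -1;
    *out = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
           (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
    return 0;
}

/* REG_SZ (UTF-16LE) to a NUL-terminated narrow string, mapping non-ASCII
 * code units to '?'. Works whether or not the registry data carried its
 * own terminator. Returns the number of characters stored, or -1 on an
 * odd byte length or an output buffer that is too small. */
int reg_get_sz(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    if (data == NULL || (len & 1) || outsz == 0) return -1;
    size_t units = len / 2, n = 0;
    for (size_t i = 0; i < units; i++) {
        uint16_t cu = (uint16_t)(data[2 * i] | (data[2 * i + 1] << 8));
        if (cu == 0) break;                 /* embedded or trailing terminator */
        if (n + 1 >= outsz) return -1;      /* keep room for our own NUL */
        out[n++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* REG_BINARY rendered as lowercase hex. Returns characters written or -1. */
int reg_get_binary_hex(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    if (data == NULL || outsz < 2 * len + 1) return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = hex[data[i] >> 4];
        out[2 * i + 1] = hex[data[i] & 0xf];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

int main(void)
{
    char buf[32];
    uint32_t v;
    if (reg_get_sz(SAMPLE_SZ_NO_NUL, sizeof SAMPLE_SZ_NO_NUL, buf, sizeof buf) >= 0)
        printf("REG_SZ    : %s\n", buf);
    if (reg_get_dword(SAMPLE_DWORD, sizeof SAMPLE_DWORD, &v) == 0)
        printf("REG_DWORD : 0x%08x\n", v);
    if (reg_get_dword(SAMPLE_DWORD, 3, &v) != 0)
        printf("REG_DWORD : rejected 3-byte value\n");
    if (reg_get_binary_hex(SAMPLE_DWORD, sizeof SAMPLE_DWORD, buf, sizeof buf) >= 0)
        printf("REG_BINARY: %s\n", buf);
    return 0;
}
```

The same checks apply to REG_EXPAND_SZ and REG_MULTI_SZ; the latter ends with a double NUL that, again, may be missing when it comes back from the API.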
15. Networking
• The Windows Internet (WinINet) application programming
interface (API) enables applications to interact with the
FTP and HTTP protocols to access Internet resources. The
usual call order, each step returning a handle the next
one consumes:
• InternetOpen: initialize WinINet (user agent, proxy)
• InternetConnect: open a session to a host
• InternetOpenUrl: shortcut that opens a URL directly
• InternetReadFile / InternetWriteFile: transfer data
• InternetCloseHandle: release each handle, innermost first
16. Networking
• HTTP and HTTPS (INTERNET_FLAG_SECURE on the request
selects TLS)
• Request methods:
– GET
– POST
• HTTP APIs
– HttpOpenRequest: create a request on a connection handle
– HttpAddRequestHeaders
– HttpSendRequest / HttpSendRequestEx (followed by
HttpEndRequest): send the headers and body
– HttpQueryInfo: read the status code and response headers
18. Socket programming
• A socket is a handle (abstract reference) that a local
program can pass to the networking application
programming interface (API) to use the connection.
• An Internet socket is characterized by at least the
following:
– Local socket address: local IP address and port number
– Protocol: a transport protocol (e.g., TCP, UDP, raw IP)
• In Windows, sockets are programmed with the Windows
Sockets (Winsock) API in ws2_32.dll.
19. Socket programming
• Servers and clients have different behaviors; therefore,
the process of creating them is different.
• Server
• Initialize Winsock: the WSAStartup function initiates use
of the Winsock DLL by a process.
• Create a socket: the socket (or WSASocket) function
creates a new socket and returns a SOCKET descriptor.
(WskSocket is the kernel-mode Winsock Kernel equivalent,
not the user-mode call.)
• Bind the socket to a local address and port (bind).
• Listen on the socket for a client (listen).
• Accept a connection from a client (accept).
• Receive and send data (recv, send).
• Disconnect (shutdown, closesocket) and call WSACleanup.
• Client
• Initialize Winsock (WSAStartup).
• Create a socket (socket).
• Connect to the server (connect).
• Send and receive data (send, recv).
• Disconnect (closesocket, WSACleanup).
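The two sequences above, run end to end over the loopback interface inside one process, as an added example that is not part of the original slides. It is written against the Winsock names used here; on non-Windows builds the three Winsock-only steps (WSAStartup, closesocket, WSACleanup) are mapped to their POSIX equivalents so the same code builds on both. The server binds port 0 so the OS picks a free port, and because the TCP handshake completes in the listen backlog a single thread can drive both ends.

```c
/* Added example: Winsock server and client steps in one process over
 * 127.0.0.1. Winsock-only calls are mapped to POSIX when not on Windows. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
   typedef int SOCKET;
#  define INVALID_SOCKET (-1)
#  define SOCKET_ERROR   (-1)
#  define closesocket(s) close(s)
#endif

static int winsock_init(void)
{
#ifdef _WIN32
    WSADATA wsa;                                   /* step 1: WSAStartup */
    return WSAStartup(MAKEWORD(2, 2), &wsa) == 0 ? 0 : -1;
#else
    return 0;                                      /* nothing to do on POSIX */
#endif
}

static void winsock_cleanup(void)
{
#ifdef _WIN32
    WSACleanup();
#endif
}

/* Runs a full server/client round trip and returns the number of bytes the
 * client got echoed back (copied into reply, NUL-terminated), or -1 on any
 * failure. */
int echo_roundtrip(const char *msg, char *reply, int replysz)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    SOCKET lst, cli, srv;
    char buf[256];
    int n, got = -1;

    memset(&addr, 0, sizeof addr);
    if (winsock_init() != 0) return -1;

    /* Server: socket -> bind (port 0 = OS picks) -> listen */
    lst = socket(AF_INET, SOCK_STREAM, 0);
    if (lst == INVALID_SOCKET) goto out;
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    if (bind(lst, (struct sockaddr *)&addr, sizeof addr) == SOCKET_ERROR) goto close_lst;
    if (getsockname(lst, (struct sockaddr *)&addr, &alen) == SOCKET_ERROR) goto close_lst;
    if (listen(lst, 1) == SOCKET_ERROR) goto close_lst;

    /* Client: socket -> connect -> send */
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli == INVALID_SOCKET) goto close_lst;
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) == SOCKET_ERROR) goto close_cli;
    if (send(cli, msg, (int)strlen(msg), 0) == SOCKET_ERROR) goto close_cli;

    /* Server: accept -> recv -> send back -> disconnect */
    srv = accept(lst, NULL, NULL);
    if (srv == INVALID_SOCKET) goto close_cli;
    n = (int)recv(srv, buf, sizeof buf, 0);
    if (n > 0) send(srv, buf, n, 0);
    closesocket(srv);                 /* client sees the echo, then end of stream */

    /* Client: recv the echo */
    got = (int)recv(cli, reply, replysz - 1, 0);
    if (got >= 0) reply[got] = '\0';

close_cli:
    closesocket(cli);
close_lst:
    closesocket(lst);
out:
    winsock_cleanup();                /* last step for both sides */
    return got;
}

int main(void)
{
    char reply[256];
    int n = echo_roundtrip("hello from client", reply, sizeof reply);
    printf("echoed %d bytes: %s\n", n, n >= 0 ? reply : "(failed)");
    return n < 0;
}
```

Note that the example accepts whatever client connects; a real server would check the peer address from accept and bound the bytes it is willing to read per message.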
20. Dynamic Link Library
• A DLL file, short for Dynamic Link Library, is a type of
file that contains code and data that other programs can
call upon to do certain things.
• Multiple programs can share the abilities programmed into
a single file, and even do so simultaneously.
• Most Dynamic Link Libraries end in the file extension
.DLL. Others may use .OCX, .CPL, or .DRV.
• The word "dynamic" is used because the library is linked
into the program at load time or at run time, when the
program actually needs it, instead of being copied into
the executable when it is built.
• Third-party programs can install them too.
• DLLs provide a way for parts of a program to be updated
without having to rebuild or reinstall the entire program.
• Because a DLL is located by name through a search order,
an attacker who can place a same-named file earlier in
that order gets code loaded into the program (DLL
search-order hijacking); load by full path where possible.
21. Dynamic Link Library
• Exporting functions
– A DLL file contains an exports table.
– The exports table contains the name (or ordinal) of every
function that the DLL exports to other executables.
– These functions are the entry points into the DLL; only
the functions in the exports table can be linked to by
other executables. Any other functions in the DLL are
private to the DLL.
• DllMain entry point: optional function the loader calls
when the DLL is attached to or detached from a process or
thread; it runs under the loader lock, so keep it minimal.
• Run-time dynamic linking:
– LoadLibrary function: map the DLL into the process
– GetProcAddress: resolve an exported function by name or
ordinal
– FreeLibrary function: unmap it when no longer needed
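What GetProcAddress does with the exports table is a short walk over three arrays, and analysis tools and loaders that map DLLs themselves repeat it. The following is an added example, not part of the original slides: a by-name lookup through an IMAGE_EXPORT_DIRECTORY over a hand-built module image. The buffer stands in for a mapped module whose export directory has already been located through the PE data directory, so every RVA is an offset into the buffer; the exports "Alpha", "Beta", "DEMO.dll" and the forwarder "NTDLL.RtlBeta" are made up. Every table read is bounds-checked, which matters when the "module" is an untrusted file under analysis rather than one the loader already validated.

```c
/* Added example: GetProcAddress-style lookup over a PE export table, with
 * bounds checks and forwarder detection, on a constructed image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A "mapped module": RVAs are offsets into img. exp_rva/exp_size are what
 * the PE data directory entry for exports would hold. */
struct module { const uint8_t *img; uint32_t size; uint32_t exp_rva, exp_size; };

static int rva_ok(const struct module *m, uint32_t rva, uint32_t len)
{
    return rva <= m->size && len <= m->size - rva;
}
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* True if the C string at rva is NUL-terminated inside the image. */
static int str_ok(const struct module *m, uint32_t rva)
{
    return rva_ok(m, rva, 1) && memchr(m->img + rva, 0, m->size - rva) != NULL;
}

/* Resolves `name` through the IMAGE_EXPORT_DIRECTORY at m->exp_rva. Returns
 * the function RVA, or 0 if absent or the tables are malformed. When the RVA
 * falls inside the export directory the export is a forwarder, and
 * *forwarder receives the "Dll.Function" string the loader would follow. */
uint32_t lookup_export(const struct module *m, const char *name, const char **forwarder)
{
    if (forwarder) *forwarder = NULL;
    if (!rva_ok(m, m->exp_rva, 40)) return 0;        /* sizeof IMAGE_EXPORT_DIRECTORY */
    const uint8_t *d = m->img + m->exp_rva;
    uint32_t nfuncs = rd32(d + 20), nnames = rd32(d + 24);   /* NumberOfFunctions/Names */
    uint32_t aof = rd32(d + 28), aon = rd32(d + 32), aono = rd32(d + 36);
    /* indexes are 16-bit; the cap also keeps the size arithmetic from wrapping */
    if (nfuncs > 0x10000 || nnames > 0x10000) return 0;
    if (!rva_ok(m, aof, 4u * nfuncs) || !rva_ok(m, aon, 4u * nnames) ||
        !rva_ok(m, aono, 2u * nnames)) return 0;

    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(m->img + aon + 4 * i);
        if (!str_ok(m, name_rva)) return 0;
        if (strcmp((const char *)m->img + name_rva, name) != 0) continue;
        uint16_t idx = rd16(m->img + aono + 2 * i);  /* unbiased index into AddressOfFunctions */
        if (idx >= nfuncs) return 0;
        uint32_t fn_rva = rd32(m->img + aof + 4 * idx);
        if (fn_rva >= m->exp_rva && fn_rva - m->exp_rva < m->exp_size) {
            if (!str_ok(m, fn_rva)) return 0;
            if (forwarder) *forwarder = (const char *)m->img + fn_rva;
        }
        return fn_rva;
    }
    return 0;
}

static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed test image (not a real DLL): export directory at RVA 0 with
 * two named exports, "Alpha" (code at RVA 0x1000, outside this buffer) and
 * "Beta", which forwards to NTDLL.RtlBeta. */
const struct module *demo_module(void)
{
    static uint8_t img[256];
    static struct module m = { img, sizeof img, 0, 0x70 };
    memset(img, 0, sizeof img);
    put32(img + 12, 0x50);  /* Name -> "DEMO.dll" */
    put32(img + 16, 1);     /* Base: first ordinal number */
    put32(img + 20, 2);     /* NumberOfFunctions */
    put32(img + 24, 2);     /* NumberOfNames */
    put32(img + 28, 0x28);  /* AddressOfFunctions */
    put32(img + 32, 0x30);  /* AddressOfNames */
    put32(img + 36, 0x38);  /* AddressOfNameOrdinals */
    put32(img + 0x28, 0x1000); put32(img + 0x2c, 0x60);  /* function RVAs; 0x60 is a forwarder */
    put32(img + 0x30, 0x40);   put32(img + 0x34, 0x48);  /* name RVAs */
    put16(img + 0x38, 0);      put16(img + 0x3a, 1);     /* name i -> function index */
    memcpy(img + 0x40, "Alpha", 6);
    memcpy(img + 0x48, "Beta", 5);
    memcpy(img + 0x50, "DEMO.dll", 9);
    memcpy(img + 0x60, "NTDLL.RtlBeta", 14);
    return &m;
}

int main(void)
{
    const struct module *m = demo_module();
    const char *names[] = { "Alpha", "Beta", "Gamma" };
    for (int i = 0; i < 3; i++) {
        const char *fwd;
        uint32_t rva = lookup_export(m, names[i], &fwd);
        if (!rva)     printf("%-6s not exported\n", names[i]);
        else if (fwd) printf("%-6s forwarded to %s\n", names[i], fwd);
        else          printf("%-6s at RVA 0x%x\n", names[i], rva);
    }
    return 0;
}
```

The forwarder case is the one most hand-written resolvers get wrong: the RVA in AddressOfFunctions is not code but a string naming another DLL's export, and the real loader chases it (possibly several hops) before returning an address.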
22. Windows Services
• What is a service?
Services are processes that run in the background and
perform tasks that don't require user interaction; they
usually start before any user logs on and often run as
LocalSystem or another service account.
• Service Control Manager (SCM)
• The service functions provide an interface for the
following tasks performed by the SCM:
– Maintaining the database of installed services, stored
under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
– Starting services and driver services either upon system
startup or upon demand.
– Enumerating installed services and driver services.
– Maintaining status information for running services and
driver services.
– Transmitting control requests to running services.
– Locking and unlocking the service database.