Windows Internals Crash Course Overview

This document provides an overview of Windows process internals and monitoring. It discusses how processes are created in the kernel by initializing the address space, mapping required modules, and allocating the PEB. It then describes how the initial thread is created by allocating a stack and TEB before calling LdrInitializeThunk. LdrInitializeThunk loads imported DLLs, handles the loader lock, and calls TLS callbacks and DllMain. Control is then passed to ZwContinue and RtlUserThreadStart to transition to user mode. Process monitoring is also briefly discussed.

Uploaded by

potaxi7409
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
108 views27 pages

Windows Internals Crash Course Overview

This document provides an overview of Windows process internals and monitoring. It discusses how processes are created in the kernel by initializing the address space, mapping required modules, and allocating the PEB. It then describes how the initial thread is created by allocating a stack and TEB before calling LdrInitializeThunk. LdrInitializeThunk loads imported DLLs, handles the loader lock, and calls TLS callbacks and DllMain. Control is then passed to ZwContinue and RtlUserThreadStart to transition to user mode. Process monitoring is also briefly discussed.

Uploaded by

potaxi7409
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Windows Internals

Crash Course
Duncan Ogilvie
About me
Creator and maintainer of x64dbg
Love doing open source ☭
Used to develop obfuscation
Currently a security researcher

Outline
Goal
Windows internals
Process monitor

Process
Container that separates applications from each other.

_EPROCESS: the kernel object that represents the process and ties together its
Threads
Handles
Memory
Modules
Process creation (kernel)
Initialize address space ⇦
Map KUSER_SHARED_DATA
Map the executable
Map [Link]

Portable Executable (PE)
Sections (code and data, each mapped with its own protection)
Imports (functions resolved from other DLLs when the image is loaded)
Exports (functions this image offers to others)
Relocations (fixups applied when the image cannot be mapped at its preferred ImageBase)
AddressOfEntryPoint (RVA of the first instruction executed in the image)
Subsystem (console, GUI, native, ...)
...

Demo
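Added example, not from the slides: a bounds-checked PE32+ header parser in C, run over a two-section image that the code constructs in memory (it is not a real binary). It shows where the fields listed on this slide live in the file, how an RVA such as AddressOfEntryPoint is translated back to a file offset through the section table, and the checks a loader has to make because every one of these fields is attacker-controlled. The names `pe_parse`, `pe_rva_to_offset` and `build_sample_image` are chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE fields are little-endian on disk whatever the host is. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

#define PE_MAX_SECTIONS 96 /* the Windows loader rejects images with more */

typedef struct { char name[9]; uint32_t va, vsize, raw_off, raw_size, chars; } pe_section_t;
typedef struct {
    uint16_t machine, subsystem, num_sections;
    uint32_t entry_rva, size_of_image;
    uint64_t image_base;
    pe_section_t sec[PE_MAX_SECTIONS];
} pe_info_t;

/* RVA -> file offset through the section table; -1 if no section's raw data covers it. */
long pe_rva_to_offset(const pe_info_t *pe, uint32_t rva) {
    for (unsigned i = 0; i < pe->num_sections; i++) {
        const pe_section_t *s = &pe->sec[i];
        if (rva >= s->va && rva - s->va < s->raw_size) return (long)s->raw_off + (rva - s->va);
    }
    return -1;
}

/* Parse the headers of a PE32+ image held in memory. Every offset is checked against
 * len before it is used. Returns 0 on success or a negative code naming the failed check. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;      /* DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24) return -2;              /* "PE\0\0" + COFF header */
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return -3;
    const uint8_t *coff = buf + e_lfanew + 4;
    out->machine = rd16(coff);
    out->num_sections = rd16(coff + 2);
    uint16_t opt_size = rd16(coff + 16);
    if (out->num_sections == 0 || out->num_sections > PE_MAX_SECTIONS) return -4;
    if (len - e_lfanew - 24 < opt_size || opt_size < 112) return -5;   /* optional header */
    const uint8_t *opt = coff + 20;
    if (rd16(opt) != 0x20b) return -6;                                 /* PE32+ only in this example */
    out->entry_rva = rd32(opt + 16);
    out->image_base = ((uint64_t)rd32(opt + 28) << 32) | rd32(opt + 24);
    out->size_of_image = rd32(opt + 56);
    out->subsystem = rd16(opt + 68);
    size_t sec_off = e_lfanew + 24 + opt_size;
    if (len - sec_off < (size_t)out->num_sections * 40) return -7;     /* section table */
    for (unsigned i = 0; i < out->num_sections; i++) {
        const uint8_t *s = buf + sec_off + i * 40;
        pe_section_t *d = &out->sec[i];
        memcpy(d->name, s, 8); d->name[8] = 0;
        d->vsize = rd32(s + 8); d->va = rd32(s + 12);
        d->raw_size = rd32(s + 16); d->raw_off = rd32(s + 20); d->chars = rd32(s + 36);
        /* Raw data must lie inside the file; phrased so raw_off + raw_size cannot wrap. */
        if (d->raw_size && (d->raw_off > len || len - d->raw_off < d->raw_size)) return -8;
    }
    /* The entry point must land in mapped section bytes, otherwise the first
     * instruction would be fetched from the headers or from unmapped memory. */
    if (pe_rva_to_offset(out, out->entry_rva) < 0) return -9;
    return 0;
}

/* Constructed sample: a two-section PE32+ console image assembled in memory. */
size_t build_sample_image(uint8_t *img, size_t cap) {
    if (cap < 0x800) return 0;
    memset(img, 0, 0x800);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);                                  /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    uint8_t *coff = img + 0x44, *opt = coff + 20, *sec = opt + 240;
    wr16(coff, 0x8664); wr16(coff + 2, 2);                   /* AMD64, two sections */
    wr16(coff + 16, 240); wr16(coff + 18, 0x0022);           /* opt hdr size; EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE */
    wr16(opt, 0x20b);                                        /* PE32+ magic */
    wr32(opt + 16, 0x1000);                                  /* AddressOfEntryPoint = first byte of .text */
    wr32(opt + 24, 0x40000000); wr32(opt + 28, 1);           /* ImageBase 0x140000000 */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);           /* SectionAlignment, FileAlignment */
    wr32(opt + 56, 0x3000); wr32(opt + 60, 0x400);           /* SizeOfImage, SizeOfHeaders */
    wr16(opt + 68, 3);                                       /* IMAGE_SUBSYSTEM_WINDOWS_CUI */
    wr16(opt + 70, 0x8160);                                  /* HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE */
    wr32(opt + 108, 16);                                     /* NumberOfRvaAndSizes */
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x400);
    wr32(sec + 36, 0x60000020);                              /* CODE|EXECUTE|READ */
    memcpy(sec + 40, ".data\0\0\0", 8);
    wr32(sec + 48, 0x10); wr32(sec + 52, 0x2000); wr32(sec + 56, 0x200); wr32(sec + 60, 0x600);
    wr32(sec + 76, 0xC0000040);                              /* INITIALIZED_DATA|READ|WRITE */
    return 0x800;                                            /* headers plus both sections' raw bytes */
}

int main(void) {
    uint8_t img[0x800]; pe_info_t pe = {0};
    size_t n = build_sample_image(img, sizeof img);
    int rc = pe_parse(img, n, &pe);
    printf("parse=%d machine=%#x entry rva=%#x (file offset %ld) subsystem=%u\n",
           rc, pe.machine, pe.entry_rva, pe_rva_to_offset(&pe, pe.entry_rva), pe.subsystem);
    for (unsigned i = 0; i < pe.num_sections; i++)
        printf("  %-8s va=%#x raw=%#x+%#x chars=%#x\n", pe.sec[i].name, pe.sec[i].va,
               pe.sec[i].raw_off, pe.sec[i].raw_size, pe.sec[i].chars);
    return rc;
}
```

The negative return codes make it easy to feed the parser deliberately damaged input (a truncated file, an e_lfanew pointing past the end, an entry point outside every section) and see which check catches it; a real loader performs the same validation before any byte of the image is mapped.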
Process creation (kernel)
Initialize address space
Map KUSER_SHARED_DATA
Map the executable
Map [Link]
Allocate PEB ⇦

Process Environment Block
Small memory range in user mode, allocated by the kernel during process creation
Storage for process-specific information, e.g.
Environment variables and command line (ProcessParameters)
Working directory (also in ProcessParameters)
Module list (Ldr)
Process heap pointer (ProcessHeap)
Image base (ImageBaseAddress) and the BeingDebugged flag that IsDebuggerPresent reads
Process creation (kernel)
Initialize address space
Map KUSER_SHARED_DATA
Map the executable
Map [Link]
Allocate PEB
Create initial thread ⇦
Allocate stack
Allocate TEB
[Link]
Thread Environment Block
Small memory range in user mode, one per thread
Storage for thread-specific information
Thread ID (ClientId)
Stack range (StackBase/StackLimit)
GetLastError (LastErrorValue)
TLS: Thread Local Storage (TlsSlots)
Pointer to the PEB
On x64, user-mode code reaches it through GS: gs:[X] = [IA32_GS_BASE + X], the kernel having set the GS base to the TEB address; gs:[0x30] is the TEB's self pointer and gs:[0x60] the PEB pointer. IA32_KERNEL_GS_BASE holds the other base and the two are exchanged by swapgs on every kernel/user transition.
Thread Environment Block

Calling conventions

Microsoft x64 convention (the only one on 64-bit Windows):
Integer/pointer parameters: RCX, RDX, R8, R9; floating point in XMM0-XMM3; further parameters on the stack
Caller reserves 32 bytes of shadow space above the return address; RSP is 16-byte aligned at the call
Return value in RAX (XMM0 for floating point)
Volatile (caller-saved): RAX, RCX, RDX, R8-R11, XMM0-XMM5
Non-volatile (callee-saved): RBX, RBP, RDI, RSI, RSP, R12-R15, XMM6-XMM15
Documentation: Microsoft's x64 calling convention reference lists the register usage
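Added example, not from the slides: it uses the GCC/Clang attribute `ms_abi` on x86-64 Linux to make the compiler emit a Microsoft x64 call sequence, and a hand-written assembly callee that records which register (or stack slot) each argument actually arrived in. `ms_probe`, `ms_captured` and `check_ms_x64_convention` are names chosen for this example; it needs an x86-64 GNU toolchain and refuses to build elsewhere.

```c
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__)
#error "Demonstrates the Microsoft x64 convention; needs x86-64 GCC or Clang"
#endif

/* Filled in by the assembly callee below. Non-static and volatile so the compiler
 * neither discards it nor assumes it still holds the zeros it started with. */
volatile uint64_t ms_captured[5];

/* Hand-written callee that stores exactly what the ABI says must be in RCX, RDX,
 * R8, R9 and in the fifth stack slot. On entry [rsp] is the return address and the
 * 32 bytes above it are the caller's shadow space, so argument five is at [rsp+40]. */
__asm__(
    ".text\n"
    ".globl ms_probe\n"
    "ms_probe:\n"
    "    movq %rcx, ms_captured+0(%rip)\n"
    "    movq %rdx, ms_captured+8(%rip)\n"
    "    movq %r8,  ms_captured+16(%rip)\n"
    "    movq %r9,  ms_captured+24(%rip)\n"
    "    movq 40(%rsp), %rax\n"
    "    movq %rax, ms_captured+32(%rip)\n"
    "    movq %rcx, %rax\n"        /* the return value travels in RAX */
    "    ret\n");

/* Declaring the routine ms_abi makes GCC/Clang emit a Windows-style call even on
 * Linux: RCX, RDX, R8, R9, fifth argument at [rsp+32], 32 bytes of shadow space,
 * RSP 16-byte aligned before the CALL. */
extern __attribute__((ms_abi)) uint64_t ms_probe(uint64_t a, uint64_t b, uint64_t c,
                                                 uint64_t d, uint64_t e);

/* Returns 1 when every argument arrived where the convention prescribes. */
int check_ms_x64_convention(void) {
    uint64_t ret = ms_probe(0x11, 0x22, 0x33, 0x44, 0x55);
    return ms_captured[0] == 0x11 && ms_captured[1] == 0x22 && ms_captured[2] == 0x33 &&
           ms_captured[3] == 0x44 && ms_captured[4] == 0x55 && ret == 0x11;
}

int main(void) {
    int ok = check_ms_x64_convention();
    printf("RCX=%#llx RDX=%#llx R8=%#llx R9=%#llx [rsp+40]=%#llx -> %s\n",
           (unsigned long long)ms_captured[0], (unsigned long long)ms_captured[1],
           (unsigned long long)ms_captured[2], (unsigned long long)ms_captured[3],
           (unsigned long long)ms_captured[4],
           ok ? "matches the Microsoft x64 convention" : "MISMATCH");
    return ok ? 0 : 1;
}
```

The same layout is what you see at a breakpoint on a function's first instruction in x64dbg: the first four integer arguments in RCX, RDX, R8, R9, the return address at [rsp], the caller's shadow space at [rsp+8], and the fifth argument at [rsp+40].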
DllMain/TLS Callbacks
Notification of process and thread start/end (DLL_PROCESS_ATTACH/DETACH, DLL_THREAD_ATTACH/DETACH)
Used for initialization; TLS callbacks run before the entry point, which is why anti-debugging checks are often hidden there
DLLs vs Executables: an executable has no DllMain but can still carry TLS callbacks
Loader lock (DllMain): DllMain runs with the loader lock held, so it must not load libraries or wait for other threads, or it deadlocks

Demo!

Summary
Process creation
PE format
TEB/PEB
Calling conventions
TLS callbacks

Questions?
Debuggers

Process creation (kernel)
Initialize address space
Map KUSER_SHARED_DATA
Map the executable
Map [Link]
Allocate PEB
Create initial thread
Allocate stack
Allocate TEB
[Link] ⇦
LdrInitializeThunk
First user-mode code executed by a new thread; the kernel passes it the CONTEXT for the thread's real start address
Load imported DLLs (walk the import table recursively; done by the first thread of the process, later threads only deliver thread-attach notifications)
Loader lock (held while the module list is modified)
TLS callbacks/DllMain
ZwContinue -> RtlUserThreadStart
ZwContinue

Continues execution of the current thread with a different context: the NtContinue system call loads a CONTEXT structure, here the one the kernel prepared with RIP pointing at RtlUserThreadStart.
Demo!
RtlUserThreadStart

[Link]
[Link]
[Link]
mainCRTStartup(PEB) -> main(argc, argv)
Demo!
Summary
Process creation
Executable loading
Kernelmode → Usermode

Questions?

Syscalls

Callbacks
User-mode routines in ntdll that the kernel enters directly when it needs work done in user mode:
LdrInitializeThunk
KiUserExceptionDispatcher
KiUserCallbackDispatcher
...

Initialization: PspInitializeSystemDlls resolves these ntdll entry points so the kernel knows their addresses

KiUserExceptionDispatcher

Entered from the kernel when an exception is raised in user mode (access violation, breakpoint, divide by zero, ...)
Handles the exception in user-mode: runs the vectored and structured exception handlers, then resumes with ZwContinue, or reports an unhandled exception back to the kernel with ZwRaiseException

Demo!
Summary
Process initialization
Syscalls
Callbacks

Questions?

Process Monitor
Simple GUI
Shows process events
Filter driver that receives the events in the kernel and forwards them to the GUI
Notification callbacks (e.g. PsSetCreateProcessNotifyRoutineEx, PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine)

Demo!

Thanks
JustMagic
Brit
xenocidewiki
herrcore
Fiske
Karl
Can
Questions?
