processes, threads, and jobs in the windows operating system internals.pdf · system dlls that need...

Windows Internals: Processes, Threads, and Jobs in the Windows Operating System
By Mark E. Russinovich and David A. Solomon
https://www.microsoftpressstore.com/articles/article.aspx?p=2233328

Post on 22-Mar-2020


Page 2: Processes, Threads, and Jobs in the Windows Operating System internals.pdf · system DLLs that need to access it from user mode. TEB ... •Kernel-mode drivers and the Windows operating

Kernel Structures


EPROCESS, ETHREAD

• Each Windows process is represented by an executive process (EPROCESS) block

• Threads are represented by executive thread (ETHREAD) blocks


EPROCESS

26.2.20 vjj 4

• lkd> dt _eprocess


KPROCESS


• lkd> dt _kprocess


ETHREAD


KTHREAD


Environment blocks


PEB


• The PEB, which lives in the user process address space, contains information needed by the image loader, the heap manager, and other Windows system DLLs that need to access it from user mode


TEB


KPCR, KPRCB

• KPCR represents the Kernel Processor Control Region

• lkd> dt nt!_KPCR

• The Prcb field contains an embedded KPRCB structure that represents the Kernel Processor Control Block

• lkd> dt nt!_KPRCB

• The PCR and PRCB contain information about the state of each processor in the system, such as the current IRQL, a pointer to the hardware IDT, the currently running thread, and the next thread selected to run

• Fooling Windows about its internal CPU (2017) https://rayanfam.com/topics/fooling-windows-about-cpu/


Kernel Process Control Block


process memory vs Kernel memory (diagram)


create process

• creation of the data describing the process, its first thread, its files, ... EPROCESS + KPROCESS, ETHREAD + KTHREAD, ...

• creation of the process's virtual address space - the VAD tree and the page-table directory

• "mapping" the EXE and all DLLs into the process's virtual address space

• "mapping" the PEB, TEB, ... into the process's virtual address space, allocating them in RAM and initializing them


Virtual Memory mapping (diagram)

Regions shown on both sides of the mapping: pgm EXE, pgm DLLs, pgm data, SYS DLLs, SYS data, VAD tree

VAD tree + Page Tables = virtual memory

Page Table Entry: Valid = 1, ..., Page Frame Number = 0 (i.e. Present = 0)
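The slide's equation "VAD tree + Page Tables = virtual memory" and its PTE fields (Valid, Page Frame Number) can be made concrete with a few lines of arithmetic. The following C program is an added example; it is not from the slides or from Windows Internals. It splits an x64 virtual address into the four page-table indices plus the page offset, decodes the hardware PTE bits (Valid/Present, Write, User, NX, PFN), and performs the 4 KiB translation only when Valid = 1. It assumes the standard x86-64 4-level paging layout; every sample address and PTE value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: x86-64 4-level paging arithmetic.
 * Assumes the standard 4 KiB-page PTE layout:
 *   bit 0  Valid (Present), bit 1 Write, bit 2 User/Supervisor,
 *   bits 12..51 Page Frame Number (PFN), bit 63 NX (execute disable).
 * Windows' valid MMPTE uses these same hardware bits. */

typedef struct {
    unsigned pml4_index;  /* VA bits 47..39 */
    unsigned pdpt_index;  /* VA bits 38..30 */
    unsigned pd_index;    /* VA bits 29..21 */
    unsigned pt_index;    /* VA bits 20..12 */
    unsigned page_offset; /* VA bits 11..0  */
} va_parts;

typedef struct {
    bool valid;    /* 1 = the MMU may use this entry (Present) */
    bool writable;
    bool user;     /* 1 = accessible from user mode, 0 = kernel only */
    bool nx;
    uint64_t pfn;  /* physical page number; physical = (pfn << 12) | offset */
} pte_fields;

va_parts split_va(uint64_t va) {
    va_parts p;
    p.pml4_index  = (unsigned)((va >> 39) & 0x1FF);
    p.pdpt_index  = (unsigned)((va >> 30) & 0x1FF);
    p.pd_index    = (unsigned)((va >> 21) & 0x1FF);
    p.pt_index    = (unsigned)((va >> 12) & 0x1FF);
    p.page_offset = (unsigned)(va & 0xFFF);
    return p;
}

pte_fields decode_pte(uint64_t pte) {
    pte_fields f;
    f.valid    = (pte & 1ULL) != 0;
    f.writable = (pte & (1ULL << 1)) != 0;
    f.user     = (pte & (1ULL << 2)) != 0;
    f.nx       = (pte & (1ULL << 63)) != 0;
    f.pfn      = (pte >> 12) & 0xFFFFFFFFFFULL; /* 40 bits: PTE bits 51..12 */
    return f;
}

/* Kernel-mode addresses on x64 Windows live in the upper canonical half
 * (bit 47 set and sign-extended); user-mode addresses in the lower half. */
bool is_kernel_va(uint64_t va) {
    return (va >> 47) == 0x1FFFF;
}

/* Translate one 4 KiB page through its final PTE. Returns false when
 * Valid = 0: such an entry is not a hardware translation (Windows keeps
 * transition/pagefile/prototype state there), so no physical address exists. */
bool translate_4k(uint64_t va, uint64_t pte, uint64_t *pa) {
    pte_fields f = decode_pte(pte);
    if (!f.valid) return false;
    *pa = (f.pfn << 12) | (va & 0xFFF);
    return true;
}

/* Convenience wrapper: the physical address, or 0 when the PTE is not valid. */
uint64_t phys_or_zero(uint64_t va, uint64_t pte) {
    uint64_t pa;
    return translate_4k(va, pte, &pa) ? pa : 0;
}

int main(void) {
    /* Constructed sample: a user-mode VA and a valid, writable, user, NX PTE with PFN 0x1A2B3 */
    uint64_t va  = 0x00007FF6A1234567ULL;
    uint64_t pte = 0x800000001A2B3067ULL;
    va_parts p = split_va(va);
    pte_fields f = decode_pte(pte);
    printf("VA %#llx (%s) -> PML4 %u, PDPT %u, PD %u, PT %u, offset %#x\n",
           (unsigned long long)va, is_kernel_va(va) ? "kernel" : "user",
           p.pml4_index, p.pdpt_index, p.pd_index, p.pt_index, p.page_offset);
    printf("PTE %#llx: valid=%d write=%d user=%d nx=%d pfn=%#llx\n",
           (unsigned long long)pte, f.valid, f.writable, f.user, f.nx,
           (unsigned long long)f.pfn);
    printf("physical address %#llx\n", (unsigned long long)phys_or_zero(va, pte));
    /* Constructed sample: Valid = 0 (Present = 0) and PFN 0, as on the slide */
    printf("PTE 0x0 -> %s\n", phys_or_zero(va, 0) ? "mapped" : "not present, no translation");
    return 0;
}
```

A PTE with Valid = 0 never reaches the MMU, which is why a WinDbg !pte display can show a non-zero entry that is still "not present": the remaining bits are software state, not a frame number, and the decoder above refuses to fabricate a physical address from them.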


how to see it with your own eyes


Kernel Debugger

• install WinDbg from Windows SDK

• path to debug symbols srv*d:\Symbols*https://msdl.microsoft.com/download/symbols

• admin> bcdedit /dbgsettings local

• admin> bcdedit /debug on

• reboot

• admin> windbg -kl

• admin> kd -kl

• All memory input and output commands are available.

• You can freely read from user memory and kernel memory.

• You can also write to memory


DbgPrint

• Kernel-mode drivers and the Windows operating system frequently send messages to the kernel debugger by using DbgPrint and related functions.

• These messages are not automatically displayed during local kernel debugging.

• You can display them by using the !dbgprint extension


Sysinternals

• DebugView

  • Win32 OutputDebugString

  • .NET System.Diagnostics.Debug.WriteLine

  • Kernel-mode DbgPrint

• Copy LiveKD.exe to C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

• LiveKD -ml

  • The LiveKD tool simulates local kernel debugging.

  • This tool creates a "snapshot" dump file of the kernel memory, without actually stopping the kernel while this snapshot is made.

  • Therefore, the snapshot might not actually show a single instant state of the computer.


Protected Processes

a set of technologies creating a Protected Environment to enforce Digital Rights Management (DRM)


debug privilege

• any process running with a token containing the debug privilege (such as an administrator's account) can request any access right that it desires to any other process running on the machine

• for example, it can read and write arbitrary process memory, inject code, suspend and resume threads, and query information on other processes.

• Tools like Process Explorer and Task Manager need and request these access rights to provide their functionality to users


Digital Rights Management

• the debug privilege clashes with the system behavior for digital rights management requirements

• imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media

• To support reliable and protected playback of such content, Windows uses protected processes.

• These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request


Protected Media Path

• Protected processes can be created by any application

• however, the operating system will only allow a process to be protected if the image file has been digitally signed with a special Windows Media Certificate

• The Protected Media Path (PMP) makes use of protected processes to provide protection for high-value media

• Media Foundation API


protected processes

• protected processes have a special bit set in their EPROCESS structure that modifies the behavior of security-related routines in the process manager to deny certain access rights that would normally be granted to administrators

• Audio Device Graph process (Audiodg.exe)

  • protected music content may be decoded through it

• Windows Error Reporting client process (Werfault.exe)

  • it needs to have access to protected processes in case one of them crashes

• the System process itself

  • some of the decryption information is generated by the Ksecdd.sys driver and stored in its user-mode memory


information on process internals

• Because Process Explorer uses standard user-mode Windows APIs to query information on process internals, it is unable to perform certain operations on protected processes.

• WinDbg in kernel debugging mode, which uses kernel-mode infrastructure to obtain this information, will be able to display complete information


debugging mode

• to perform local kernel debugging you must boot in debugging mode

• This protects against debugger-based attacks on protected processes and the Protected Media Path (PMP)

• When booted in debugging mode, high-definition content playback will not work

• a protected process is indicated by a flag in the EPROCESS block

• an administrator can still load a kernel-mode driver that disables this bit
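The kernel-debugger setup steps earlier in the deck (bcdedit /debug on, bcdedit /dbgsettings local) and this slide's point that a debug-mode boot weakens the protected-process and PMP guarantees suggest a simple host check: is the current boot entry configured with kernel debugging enabled? The C program below is an added example and is not from the slides. It parses the two-column "element value" text that bcdedit /enum {current} and bcdedit /dbgsettings print and reports whether the debug element is set to Yes. The element names debug and debugtype are real bcdedit elements; the embedded sample outputs are constructed rather than captured, and their exact column spacing is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: parse bcdedit's "element   value"
 * text and report whether the boot entry has kernel debugging enabled.
 * "debug" and "debugtype" are real bcdedit element names; the samples
 * below are constructed, not captured from a machine. */

/* Constructed: `bcdedit /enum {current}` after `bcdedit /debug on` */
static const char SAMPLE_ENUM_DEBUG_ON[] =
    "Windows Boot Loader\n"
    "-------------------\n"
    "identifier              {current}\n"
    "device                  partition=C:\n"
    "path                    \\WINDOWS\\system32\\winload.efi\n"
    "description             Windows 10\n"
    "osdevice                partition=C:\n"
    "systemroot              \\WINDOWS\n"
    "nx                      OptIn\n"
    "debug                   Yes\n";

/* Constructed: the same entry on a host that never enabled debugging */
static const char SAMPLE_ENUM_DEBUG_OFF[] =
    "Windows Boot Loader\n"
    "-------------------\n"
    "identifier              {current}\n"
    "description             Windows 10\n"
    "nx                      OptIn\n";

/* Constructed: `bcdedit /dbgsettings` after `bcdedit /dbgsettings local` */
static const char SAMPLE_DBGSETTINGS_LOCAL[] =
    "debugtype               Local\n";

/* Copy the value of element `key` into out (NUL-terminated). Element names
 * are matched as whole words, so "debug" never matches the "debugtype" line.
 * Returns the value length, or 0 when the element is absent. */
size_t bcd_value(const char *text, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *line = text;
    if (outsz == 0) return 0;
    out[0] = '\0';
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0 &&
            isspace((unsigned char)line[klen])) {
            const char *v = line + klen;
            size_t vlen;
            while (v < line + len && isspace((unsigned char)*v)) v++;
            vlen = (size_t)(line + len - v);
            /* drop a trailing CR or spaces left by console output */
            while (vlen > 0 && isspace((unsigned char)v[vlen - 1])) vlen--;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return vlen;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* 1 if the element is listed with exactly this value, else 0 */
int bcd_value_is(const char *text, const char *key, const char *expected) {
    char val[64];
    bcd_value(text, key, val, sizeof val);
    return strcmp(val, expected) == 0;
}

/* 1 when the entry carries "debug  Yes": the boot entry is configured for
 * kernel debugging, the state in which PMP playback stops working and
 * protected processes lose their guarantees, as the slides describe. */
int bcd_debug_enabled(const char *text) {
    return bcd_value_is(text, "debug", "Yes");
}

int main(void) {
    printf("debug-on sample : %s\n",
           bcd_debug_enabled(SAMPLE_ENUM_DEBUG_ON) ? "kernel debugging ENABLED" : "not enabled");
    printf("debug-off sample: %s\n",
           bcd_debug_enabled(SAMPLE_ENUM_DEBUG_OFF) ? "kernel debugging ENABLED" : "not enabled");
    printf("dbgsettings     : %s\n",
           bcd_value_is(SAMPLE_DBGSETTINGS_LOCAL, "debugtype", "Local") ? "local kernel debugging" : "other");
    return 0;
}
```

On a real host the text would come from running bcdedit as an administrator and feeding its output to bcd_value; the whole-word match matters because bcdedit /dbgsettings prints a debugtype line whose prefix would otherwise be mistaken for the debug element.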