Day 4

Question 1

ntoskrnl.exe

Answer 1

the kernel process

Question 2

HAL.DLL (hardware abstraction layer)

Answer 2

a kernel-loadable module that operates between the hardware and the executive so that applications an device drivers don’t have to be aware of hardware-specific information.

Question 3

Kernel

Answer 3

lower layer of ntoskrnl.exe
has 4 main responsibilities:
Thread scheduling
Interrupt and exception handling
Low-level processor synchronization
power failure Recovery

Question 4

Windows executive

Answer 4

the upper layer of ntoskrnl.exe and is the Windows system call handler that verifies and provides kernel services.

Question 5

Windows executive components

Answer 5

Object manager, security reference monitor, process manager, virtual memory manager, I\O manager, asynchronous local inter-process communication, configuration

Question 6

object manager

Answer 6

provides standardized interface for every system object

Question 7

security reference monitor

Answer 7

enforces local computer security policy

Question 8

process manager

Answer 8

creates, manages, and terminates processes and threads

Question 9

virtual memory manager

Answer 9

provides private address space for each process

Question 10

I\O manager

Answer 10

processes all file and I\O requests; responsible for dispatching to device drivers as well as plug and play capabilities

Question 11

asynchronous local inter-process communication (ALPC)

Answer 11

passes messages between client and server processes on the same computer

Question 12

configuration manager

Answer 12

responsible for implementing and managing the registry

Question 13

object criteria

Answer 13

Each object belongs to a statically defined class
Objects are kernel services that multiple processes can share.
A process references objects via handles
Objects use pointers to reference and use other objects within kernel mode
Objects use hierarchical directories and naming structures
Objects are protected by object-based security and support synchronization.

Question 14

Object manager

Answer 14

key responsibilities: standardizing the interface with all objects, object retention, and object security.

each object has an object header and object body

Question 15

object header and object body

Answer 15

the object header stores data used by the object manager to manage objects regardless of their type or class.
Key object header fields:
Name
security descriptor
handle count
reference count

the executive manager responsible for creating the object controls the object body.

Question 16

object header attributes

Answer 16

object type: points to the type of object it is

Question 17

type object attributes

Answer 17

methods: one or more routines that the object manager calls at certain points in an objects lifetime.
(the actions or routines the objects can perform)

Question 18

object methods

Answer 18

open
close
delete

Question 19

object security

Answer 19

specifies who can perform what actions on the object.

the SECURITY DESCRIPTOR holds the ACL for that object

Question 20

Security Descriptor

Answer 20

built from information from the following sources
default security
inherited from parent object
explicit permissions set by user

Question 21

ACL’s

Answer 21

there are two types of ACL’s: DACL and SACL

Question 22

DACL

Answer 22

identifies permissions to a resource
Empty DACL -no access to anyone
null DACL-access to everyone

Question 23

SACL

Answer 23

controls how the system audits object access attempts

Question 24

Security Reference Monitor (SRM)

Answer 24

enforces security policies.
guards kernel mode resources by performing object access protection and auditing.
The OBJECT MANAGER calls the SRM.

Question 25

two functions of the SRM

Answer 25

compares the process’s access token to the object’s security descriptor to determine whether access is permitted.
Generates most of the audit records in the Security event log

Question 26

windows security audits

Answer 26

used to track both user and system activities

we focus on OBJECT ACCESS events

Question 27

process manager

Answer 27

creates, manages, and terminates processes and threads

Question 28

process resources

Answer 28

Handles
an Executable program (image file)
an Access token
a Private virtual address space
PID
Thread

Question 29

more on processes

Answer 29

although processes inherit handles and variables from their parents, each process is self contained. a parent can exit without effecting the child

Question 30

the seven stages of process completion

Answer 30

Step 1: Executable calls CreateProcess() function
Step2: System call opens the image
Step3: create executive process object
Step4: create the initial thread
Step5: subsystem notifications
Step6: start execution of initial thread
Step7 finalize new process initialization

Question 31

Virtual memory manager (VMM)

Answer 31

two primary tasks:
mapping
swapping

uses a swap file (pagefile.sys) for swapping memory

Question 32

VMM also performs:

Answer 32

provides a set of system services to virtual memory
shares memory between processes
maps files into memory
retrieves information about a range of virtual pages
changes virtual page protection
locks virtual pages into memory

Question 33

32 bit address space address space

Answer 33

x86 architecture uses 4GB of RAM

Question 34

64 bit address space

Answer 34

x64 architecture is aproximately 16 exabytes
current processors limit support to 256TB (only uses 48 of the 64 bit address space.

Windows 64 bit limits address space to 16TB.
8TB to the top space for the Kernel
8TB to the bottom space for the user.
the space in the middle is Free Space. if the top meets the bottom, an overflow occurs

Question 35

Paging

Answer 35

divides aprocess’s virtual address space and physical memory (RAM) into equally-sized chunks

Question 36

Page status

Answer 36

pages can be:
Free
reserved
committed

Question 37

VMM mapping virtual address to frame addess

Answer 37

Page Table Selector PTS
Page Table PT
Page Table Entry 48 bit PTE
Page Table Entry Selector PTES
12 bits Offset

Question 38

reasons for page faults

Answer 38

accessing a page that has been swapped out to disk
Accessing a page that isn’t committed
Attempting to write to a page that is read-only
Executing code in a page that is marked as “no execute”

Question 39

shared memory

Answer 39

memory that is visible or present in more than one process’s virtual address space

Question 40

memory protection :to keep processes from potentially corrupting unauthorized address space in the following ways

Answer 40

Each process has virtual address space
PTE control bits and ACL’s prevent unauthorized access
No execute page protection (DEP)
hardware controlled memory protection

Question 41

I\O manager

Answer 41

connects applications and system components to virtual, logical, and physical devices
Device, file, driver

Question 42

I\O requests

Answer 42

An I\O request packet (IRP) represents most I\O requests

Question 43

Asynchronous Local Inter-process communication (ALPC)

Answer 43

a message passing mechanism that passes requests.

actual method of communication

Question 44

Configuration manager

Answer 44

responsible for implementing and managing the system registry.
ensures the registry is always in a recoverable state