Day 4 Flashcards
ntoskrnl.exe
the kernel process
HAL.DLL (hardware abstraction layer)
a kernel-loadable module that operates between the hardware and the executive so that applications and device drivers don’t have to be aware of hardware-specific information.
Kernel
lower layer of ntoskrnl.exe; has 4 main responsibilities: thread scheduling, interrupt and exception handling, low-level processor synchronization, and power-failure recovery
Windows executive
the upper layer of ntoskrnl.exe and is the Windows system call handler that verifies and provides kernel services.
Windows executive components
Object manager, security reference monitor, process manager, virtual memory manager, I/O manager, asynchronous local inter-process communication, configuration manager
object manager
provides standardized interface for every system object
security reference monitor
enforces local computer security policy
process manager
creates, manages, and terminates processes and threads
virtual memory manager
provides private address space for each process
I/O manager
processes all file and I/O requests; responsible for dispatching to device drivers as well as plug and play capabilities
asynchronous local inter-process communication (ALPC)
passes messages between client and server processes on the same computer
configuration manager
responsible for implementing and managing the registry
object criteria
Each object belongs to a statically defined class
Objects are kernel services that multiple processes can share.
A process references objects via handles
Objects use pointers to reference and use other objects within kernel mode
Objects use hierarchical directories and naming structures
Objects are protected by object-based security and support synchronization.
Object manager
key responsibilities: standardizing the interface with all objects, object retention, and object security.
each object has an object header and object body
object header and object body
the object header stores data used by the object manager to manage objects regardless of their type or class. Key object header fields: name, security descriptor, handle count, reference count
the executive manager responsible for creating the object controls the object body.
object header attributes
object type: points to the type of object it is
type object attributes
methods: one or more routines that the object manager calls at certain points in an object’s lifetime.
(the actions or routines the objects can perform)
object methods
open
close
delete
object security
specifies who can perform what actions on the object.
the SECURITY DESCRIPTOR holds the ACL for that object
Security Descriptor
built from information from the following sources
default security
inherited from parent object
explicit permissions set by user
ACLs
there are two types of ACLs: DACL and SACL
DACL
identifies permissions to a resource
Empty DACL: no access to anyone
Null DACL: access to everyone
SACL
controls how the system audits object access attempts
Security Reference Monitor (SRM)
enforces security policies.
guards kernel mode resources by performing object access protection and auditing.
The OBJECT MANAGER calls the SRM.
two functions of the SRM
compares the process’s access token to the object’s security descriptor to determine whether access is permitted.
Generates most of the audit records in the Security event log
windows security audits
used to track both user and system activities
we focus on OBJECT ACCESS events
process manager
creates, manages, and terminates processes and threads
process resources
handles, an executable program (image file), an access token, a private virtual address space, a PID, and threads
more on processes
although processes inherit handles and variables from their parents, each process is self-contained. A parent can exit without affecting the child.
the seven stages of process completion
Step 1: Executable calls the CreateProcess() function
Step 2: System call opens the image
Step 3: Create executive process object
Step 4: Create the initial thread
Step 5: Subsystem notifications
Step 6: Start execution of initial thread
Step 7: Finalize new process initialization
Virtual memory manager (VMM)
two primary tasks:
mapping
swapping
uses a swap file (pagefile.sys) for swapping memory
VMM also performs:
provides a set of system services to virtual memory
shares memory between processes
maps files into memory
retrieves information about a range of virtual pages
changes virtual page protection
locks virtual pages into memory
32-bit address space
x86 architecture uses 4 GB of RAM
64-bit address space
x64 architecture is approximately 16 exabytes
current processors limit support to 256 TB (only 48 of the 64 address bits are used)
Windows 64-bit limits address space to 16 TB.
8 TB at the top of the space for the kernel
8 TB at the bottom of the space for the user
the space in the middle is free space. If the top meets the bottom, an overflow occurs.
Paging
divides a process’s virtual address space and physical memory (RAM) into equally-sized chunks
Page status
pages can be:
Free
reserved
committed
VMM mapping virtual address to frame address
Page Table Selector PTS
Page Table PT
Page Table Entry 48 bit PTE
Page Table Entry Selector PTES
12 bits Offset
reasons for page faults
accessing a page that has been swapped out to disk
Accessing a page that isn’t committed
Attempting to write to a page that is read-only
Executing code in a page that is marked as “no execute”
shared memory
memory that is visible or present in more than one process’s virtual address space
memory protection: keeps processes from potentially corrupting unauthorized address space in the following ways
Each process has its own virtual address space
PTE control bits and ACLs prevent unauthorized access
No execute page protection (DEP)
hardware controlled memory protection
I/O manager
connects applications and system components to virtual, logical, and physical devices
Device, file, driver
I/O requests
An I/O request packet (IRP) represents most I/O requests
Asynchronous Local Inter-process communication (ALPC)
a message passing mechanism that passes requests.
actual method of communication
Configuration manager
responsible for implementing and managing the system registry.
ensures the registry is always in a recoverable state