Windows Architecture
Windows architecture follows layered design with two main components:
User Mode
This mode is made of system processes, services, application and environments running on the system. All of these components have limited access to hardware and rely on kernel mode for hardware interaction.
Interface between user mode and kernel functions is called environment subsystem.
Each of these implement different API sets.
Three main environment subsystems exist:
1.Win32
2.OS/2
3.POSIX
Security subsystem
Deals with security tokens, manages access based on to resources based on permissions, handles authentication. Manages Active Directory
Kernel Mode
Has full access to system hardware and resources and runs code in Protected Memory. Kernel mode handles memory management, device drivers, process management, thread prioritization etc.
System Call
When user mode program needs access to any restricted resource or hardware, it makes system call. This call is processed by kernel mode.
Hardware Abstraction Layer
Acts as a bridge between kernel mode and hardware. Translates generic kernel instructions to specific instructions for given hardware.
Memory Management
Windows has sophisticated memory management system for physical(RAM) and virtual(RAM and Disk) memory utilization.
Virtual Address Space - is set of virtual memory that process can use. This memory is private and cannot be accessed by other processes unless shared.
Virtual address does not represent physical location in memory. System maintains internal data structure Page Table for each process. Every time thread references virtual address, system translates it to physical one.
Virtual address space is divided into two partitions - system and process.
Memory Types
- User mode/Kernel mode:
Memory allocations are segregated based on mode to ensure security - x86/x64:
Represent addressable memory space for different CPU architectures. Every 32-bit(x86) app has up to 4GB of virtual memory space, while 64-bit (x64) has up to 8TB. - Paged Pool:
Dynamically allocated memory that can be swapped between RAM and paging file on disk. This serves as memory usage optimization, or when RAM memory is full. - Non-paged pool:
Hold critical kernel mode data that must be always accessible in RAM as long as corresponding objects are allocated. This data is not paged to disk.
Page States
- Free: The page is available to be reserved, committed, or simultaneously reserved and committed
- Reserved: The page is reserved for future use, but it does not have any physical storage associated with it. Reserved memory cannot be used by other functions
- Committed: Memory have been allocated in RAM/paging file(s) on disk. Page is accessible and access is controlled by Memory Protection Constants
Memory Protection Constants
These constants specify permissions, which define operations that can be done on specified memory region. There is many of them, so I will list just a few that are probably most common, the rest can be found in Microsoft Documentation.
- PAGE_EXECUTE_READWRITE - Enables execute, read-only, or read/write access to the committed region of pages
- PAGE_READWRITE - Enables read-only or read/write access to the committed region of pages
- PAGE_READONLY - Enables read-only access to the committed region of pages
...
C++ Code Example
Let's apply previous information to allocate memory in a process.
LPVOID memBlock = VirtualAllocEx(hProcess, NULL, sizeof(payload), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
Here, we allocate variable 'memBlock' of 'LPVOID' type, assigning it result of 'VirtualAllocEx'(memoryapi.h) function. LPVOID represents address of any type.
Executing this function commits memory to which we can write data later.
Parameters:
- hProcess is handle to process in which virtual address space the memory will be allocated
- This parameter specifies starting address. NULL means function will determine where to allocate the region
- Size of memory region to allocate in bytes
- Set page state, multiple can be used with bitwise '|' operator
- Requires memory protection constant
Data Execution Prevention (DEP)
Is a security technology, that makes some pages in memory non-executable. This prevents potential attackers from executing malicious code in these regions of memory using exploits like buffer overflow.
Address Space Layout Randomization (ASLR)
Is a security technique that randomizes base addresses of processes, DLL's and critical data structures like stack and heap. This prevents the attacker from hardcoding memory locations, which are like to be changed on each application restart. It also makes mistakes expensive, since writing to wrong address leads to application crash.
Effectiveness of this technique can be significantly diminished by reducing entropy.
WinAPI
WinAPI is a collection of functions, divided between many DLL's, that allow applications to interact with underlying Windows functionalities through code.
Many of these functions are documented in Win32 API MSDN.
Important Windows DLL's
- kernel32.dll - Exposes functions for memory management, file system access and console I/O, thread creation...
- user32.dll - Provides functions for managing windows, menus, controls and handling user input
- ntdll.dll - Many user mode API's rely on ntdll, as it exposes Native API
- ws2_32.dll - Implements Windows Websocket API, it is crutial for network programming
- advapi32.dll - Provides security features like authentication, access control and registry manipulation