Windows Architecture & WinAPI

Windows Architecture

Windows architecture follows layered design with two main components:

User Mode

This mode is made of system processes, services, application and environments running on the system. All of these components have limited access to hardware and rely on kernel mode for hardware interaction.
Interface between user mode and kernel functions is called environment subsystem.
Each of these implement different API sets.
Three main environment subsystems exist:

Security subsystem

Deals with security tokens, manages access based on to resources based on permissions, handles authentication. Manages Active Directory

Kernel Mode

Has full access to system hardware and resources and runs code in Protected Memory. Kernel mode handles memory management, device drivers, process management, thread prioritization etc.

System Call

When user mode program needs access to any restricted resource or hardware, it makes system call. This call is processed by kernel mode.

Hardware Abstraction Layer

Acts as a bridge between kernel mode and hardware. Translates generic kernel instructions to specific instructions for given hardware.

Memory Management

Windows has sophisticated memory management system for physical(RAM) and virtual(RAM and Disk) memory utilization.

Virtual Address Space - is set of virtual memory that process can use. This memory is private and cannot be accessed by other processes unless shared.
Virtual address does not represent physical location in memory. System maintains internal data structure Page Table for each process. Every time thread references virtual address, system translates it to physical one.
Virtual address space is divided into two partitions - system and process.

Memory Types

  • User mode/Kernel mode:
    Memory allocations are segregated based on mode to ensure security
  • x86/x64:
    Represent addressable memory space for different CPU architectures. Every 32-bit(x86) app has up to 4GB of virtual memory space, while 64-bit (x64) has up to 8TB.
  • Paged Pool:
    Dynamically allocated memory that can be swapped between RAM and paging file on disk. This serves as memory usage optimization, or when RAM memory is full.
  • Non-paged pool:
    Hold critical kernel mode data that must be always accessible in RAM as long as corresponding objects are allocated. This data is not paged to disk.

Page States

  • Free: The page is available to be reserved, committed, or simultaneously reserved and committed
  • Reserved: The page is reserved for future use, but it does not have any physical storage associated with it. Reserved memory cannot be used by other functions
  • Committed: Memory have been allocated in RAM/paging file(s) on disk. Page is accessible and access is controlled by Memory Protection Constants

Memory Protection Constants

These constants specify permissions, which define operations that can be done on specified memory region. There is many of them, so I will list just a few that are probably most common, the rest can be found in Microsoft Documentation.

  • PAGE_EXECUTE_READWRITE - Enables execute, read-only, or read/write access to the committed region of pages
  • PAGE_READWRITE - Enables read-only or read/write access to the committed region of pages
  • PAGE_READONLY - Enables read-only access to the committed region of pages

C++ Code Example

Let's apply previous information to allocate memory in a process.

LPVOID memBlock = VirtualAllocEx(hProcess, NULL, sizeof(payload), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

Here, we allocate variable 'memBlock' of 'LPVOID' type, assigning it result of 'VirtualAllocEx'(memoryapi.h) function. LPVOID represents address of any type.
Executing this function commits memory to which we can write data later.

  1. hProcess is handle to process in which virtual address space the memory will be allocated
  2. This parameter specifies starting address. NULL means function will determine where to allocate the region
  3. Size of memory region to allocate in bytes
  4. Set page state, multiple can be used with bitwise '|' operator
  5. Requires memory protection constant

Data Execution Prevention (DEP)

Is a security technology, that makes some pages in memory non-executable. This prevents potential attackers from executing malicious code in these regions of memory using exploits like buffer overflow.

Address Space Layout Randomization (ASLR)

Is a security technique that randomizes base addresses of processes, DLL's and critical data structures like stack and heap. This prevents the attacker from hardcoding memory locations, which are like to be changed on each application restart. It also makes mistakes expensive, since writing to wrong address leads to application crash.
Effectiveness of this technique can be significantly diminished by reducing entropy.


WinAPI is a collection of functions, divided between many DLL's, that allow applications to interact with underlying Windows functionalities through code.
Many of these functions are documented in Win32 API MSDN.

Important Windows DLL's

  • kernel32.dll - Exposes functions for memory management, file system access and console I/O, thread creation...
  • user32.dll - Provides functions for managing windows, menus, controls and handling user input
  • ntdll.dll - Many user mode API's rely on ntdll, as it exposes Native API
  • ws2_32.dll - Implements Windows Websocket API, it is crutial for network programming
  • advapi32.dll - Provides security features like authentication, access control and registry manipulation