shxdow's research notebook


Kernel notes

This is a collection of notes on various kernel related topics, featuring Windows NT. A good chunk of these snippets were gathered as a precocious high schooler somewhere between 2016 and 2017, therefore do not expect the quality to be on par with a peer-reviewed research paper, far from it. The notes don't lie in any particular order, as most of this material was gathered through books during self study.


What are PCR, PRCB and why do we have them?

PCR (Process Control Region) is a per-processor data structure used by the kernel that holds critical information about that processor. Inside it lives the PRCB (Process Region Control Block), which holds further per-processor state (both structures are undocumented). The PCR is reached through a segment register: FS on x86 and GS on x64.

How does an interrupt work?

The operating system uses a data structure, the IDT (Interrupt Descriptor Table), to know which interrupts are handled and by which handler.

What are SYSENTER / SYSEXIT and why do we need them?

These two instructions are used to implement syscalls. (The reason we have syscalls in the first place is because user space can't directly access hardware or physical memory addresses.)

How is syscall information stored/retrieved?

Windows distinguishes GUI syscalls from non-GUI ones and keeps them in two tables: W32pServiceTable and KiServiceTable. Each table is described by a base (the address of the table) and a limit (the number of entries it holds).
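The table-plus-limit layout is easiest to see in code. The following is an added, constructed model of an NT-style service dispatcher, not Windows code: the two descriptors, the stand-in routines and the names dispatch_syscall and syscall_result are all assumptions made here. The part that matters for safety is the limit check: the index taken from the syscall number is compared against the table's limit before the base is indexed, so a number beyond the end of either table is rejected instead of calling through whatever memory follows the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of how NT keeps system service tables (not Windows code).
   Each descriptor carries a base (the routine table) and a limit (entry count). */
typedef long (*service_fn)(long arg);

typedef struct {
    const service_fn *base;  /* address of the routine table */
    uint32_t limit;          /* number of entries in the table */
    const char *name;        /* table name, for tracing */
} service_descriptor;

/* Stand-in service routines (constructed; the real ones are NtXxx/NtUserXxx). */
static long svc_non_gui_a(long a) { return a * 2; }
static long svc_non_gui_b(long a) { return a + 1; }
static long svc_gui_a(long a)     { return a + 100; }

static const service_fn ki_service_table[]   = { svc_non_gui_a, svc_non_gui_b };
static const service_fn w32p_service_table[] = { svc_gui_a };

/* Table 0 = KiServiceTable (non-GUI), table 1 = W32pServiceTable (GUI). */
static const service_descriptor tables[] = {
    { ki_service_table,   2, "KiServiceTable" },
    { w32p_service_table, 1, "W32pServiceTable" },
};
#define TABLE_COUNT (sizeof tables / sizeof tables[0])

/* The low 12 bits of a system call number index the table; the bits above
   them select the table, with bit 12 set meaning the GUI table. */
#define SYSCALL_INDEX_MASK  0xFFFu
#define SYSCALL_TABLE_SHIFT 12
#define SYSCALL_TABLE_MASK  0x3u

/* Returns 0 and stores the routine's result, or -1 when the number names no
   service: both the table selector and the index are checked before the
   base pointer is indexed. */
int dispatch_syscall(uint32_t number, long arg, long *result) {
    uint32_t table_id = (number >> SYSCALL_TABLE_SHIFT) & SYSCALL_TABLE_MASK;
    uint32_t index    = number & SYSCALL_INDEX_MASK;
    if (table_id >= TABLE_COUNT) return -1;      /* no such table */
    const service_descriptor *d = &tables[table_id];
    if (index >= d->limit) return -1;            /* limit check: index past the table */
    *result = d->base[index](arg);
    return 0;
}

/* Convenience wrapper: the routine's result, or -1 if the number was rejected. */
long syscall_result(uint32_t number, long arg) {
    long r;
    return dispatch_syscall(number, arg, &r) == 0 ? r : -1;
}

int main(void) {
    /* Constructed probe numbers: valid entries in both tables plus three
       numbers that fall outside a limit or name an empty table. */
    uint32_t probes[] = { 0x0000, 0x0001, 0x1000, 0x0002, 0x1001, 0x2000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long r;
        if (dispatch_syscall(probes[i], 10, &r) == 0)
            printf("syscall 0x%04x -> %ld\n", probes[i], r);
        else
            printf("syscall 0x%04x -> rejected (beyond table limit)\n", probes[i]);
    }
    return 0;
}
```

Running it shows the two non-GUI numbers and the one GUI number reaching their routines, while 0x0002, 0x1001 and 0x2000 are refused by the limit or table check.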

Explain how a system call can be implemented (NT)

Syscalls can be implemented either by using a dedicated interrupt vector (int 0x2e) or by using trap instructions (SYSENTER/SYSEXIT).

Explain what IRQL is

Interrupt Request Levels are numbers associated with interrupts that describe the "priority" of the interrupt. The IRQL is an unsigned char and is per-processor: an interrupt is handled only if its number is equal to or higher than the current IRQL.
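What "per-processor" and "priority" mean in practice is clearer with a small simulation. The block below is an added, constructed model of IRQL masking on one processor, not Windows code: the cpu_state struct standing in for the IRQL field kept in the PCR, the raise_irql/lower_irql pair (shaped like KeRaiseIrql/KeLowerIrql, but not those functions) and the level constants are all assumptions made here. In the model an interrupt runs immediately only when its level is strictly above the processor's current IRQL; anything at or below it is masked and only runs, highest level first, once the IRQL is lowered again, which is why code that raises to DISPATCH_LEVEL and forgets to restore the old level silently starves the lower-level work behind it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of per-processor IRQL masking (not Windows code). */
typedef uint8_t KIRQL;                /* the IRQL is an unsigned char */

#define PASSIVE_LEVEL   0
#define APC_LEVEL       1
#define DISPATCH_LEVEL  2
#define HIGH_LEVEL      15            /* highest level in this model */

/* Per-processor state; in NT the current IRQL is kept in the PCR/PRCB. */
typedef struct {
    KIRQL    current_irql;
    uint16_t pending_mask;    /* bit i set: an interrupt at IRQL i is waiting */
    unsigned delivered;       /* interrupts that reached their handler */
} cpu_state;

/* An interrupt is delivered only when its IRQL is above the current one. */
static bool deliverable(KIRQL irql, KIRQL current) { return irql > current; }

/* Run every masked interrupt that the new, lower IRQL now admits, highest first. */
static void run_pending(cpu_state *cpu) {
    for (int lvl = HIGH_LEVEL; lvl > cpu->current_irql; lvl--) {
        if (cpu->pending_mask & (1u << lvl)) {
            cpu->pending_mask &= (uint16_t)~(1u << lvl);
            cpu->delivered++;
        }
    }
}

/* An interrupt at 'irql' arrives on this processor. */
void interrupt_arrives(cpu_state *cpu, KIRQL irql) {
    if (deliverable(irql, cpu->current_irql))
        cpu->delivered++;
    else
        cpu->pending_mask |= (uint16_t)(1u << irql);   /* masked until IRQL drops */
}

/* KeRaiseIrql-style: returns the previous level so the caller can restore it. */
KIRQL raise_irql(cpu_state *cpu, KIRQL new_irql) {
    KIRQL old = cpu->current_irql;
    if (new_irql > old) cpu->current_irql = new_irql;   /* never lowers */
    return old;
}

/* KeLowerIrql-style: restore the level, then drain what it unmasks. */
void lower_irql(cpu_state *cpu, KIRQL old_irql) {
    cpu->current_irql = old_irql;
    run_pending(cpu);
}

typedef struct {
    unsigned delivered_while_raised;  /* handlers run while at DISPATCH_LEVEL */
    unsigned delivered_after_lower;   /* handlers run once the level is restored */
    KIRQL    final_irql;
} scenario_result;

/* Constructed scenario: code raises to DISPATCH_LEVEL, an APC-level interrupt
   and a device-level (5) interrupt arrive, then the old level is restored. */
scenario_result run_scenario(void) {
    cpu_state cpu = { PASSIVE_LEVEL, 0, 0 };
    scenario_result r;
    KIRQL old = raise_irql(&cpu, DISPATCH_LEVEL);
    interrupt_arrives(&cpu, APC_LEVEL);   /* 1 <= 2: masked, stays pending */
    interrupt_arrives(&cpu, 5);           /* 5 > 2: delivered at once */
    r.delivered_while_raised = cpu.delivered;
    lower_irql(&cpu, old);                /* back to PASSIVE: the APC runs now */
    r.delivered_after_lower = cpu.delivered;
    r.final_irql = cpu.current_irql;
    return r;
}

int main(void) {
    scenario_result r = run_scenario();
    printf("delivered while at DISPATCH_LEVEL: %u\n", r.delivered_while_raised);
    printf("delivered after lowering:         %u\n", r.delivered_after_lower);
    printf("final IRQL:                       %u\n", r.final_irql);
    return 0;
}
```

The scenario delivers one interrupt while raised (the device-level one) and two in total once the IRQL is lowered, because the APC-level interrupt was held back until the processor dropped below its level.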

Explain execution contexts

Unlike Linux, Windows distinguishes threads from processes (every process has at least one thread). A context is the collection of all the information relevant to the process.

Explain what a work item is

Worker threads are kernel-mode threads that execute work items on behalf of the caller.

Kernel routines decompilation

See GitHub.