Introduction to Windows System Internals part II
by Tim Shelton
Black Security
redsand@blacksecurity.org
Outline
- Windows Subsystems
- API Breakdown
- The API Layers
- User-land and Kernel-land
- Processes, Threads, and Jobs
- Virtual Memory Manager
Windows Subsystem
Is the Windows NT structure considered a "microkernel"? No!
A microkernel is a type of kernel in which the principal operating system components (such as the memory manager, process manager, and I/O manager) run as separate processes in their own separated address space. Ex: Carnegie Mellon University's Mach (OS X) operating kernel.
Windows NT instead shares one address space with the rest of the kernel components.
Windows Subsystem
3 basic types of user-mode processes:
- Fixed processes, e.g. logon process, session manager
- Service processes: run independently of user logons, e.g. Task Scheduler, Spooler service
- Environment subsystems: Windows, POSIX, and OS/2
Windows NT Layer
[Diagram: the NT layer stack. User mode: User Apps, Subsystem DLL, System & Service Processes, Environment Subsystems (Win32 User/GDI, POSIX, OS/2). Kernel mode: Executive, Device Drivers, Kernel, Hardware Abstraction Layer (HAL).]
Windows Subsystem
Each subsystem contains:
- Subsystem service process (csrss)
- Subsystem API library, e.g. kernel32, advapi32, gdi32, ntdll
- Hooks in CreateProcess code
Pseudo subsystems, e.g. LSASS and CLR
Services & Kernel
3 different implementations:
- Application's container (libraries)
- Separate containers (services)
- Central, universally shared container (kernel)
Kernel
Disadvantages of the kernel:
- Less flexible
- Single sysentry mechanism
- Inter-operation requires shared abstractions
- Access controls limited (ACLs)
Services
Services have a natural advantage:
- Filtering and refinement of operations provides finer-grained access control
- Easy to provide alternative abstractions
- Separated in their own protected private address space
Execution Layers
- Executive Execution Layer
- Kernel Execution Layer
Executive Execution Layer
Upper layers of the operating system
Provides "generic operating system" functions:
- Creating/deleting processes and threads
- Memory management
- I/O
- Interprocess communication
- Security
Windows NT Layer
[Diagram: the NT layer stack from the earlier Windows NT Layer slide, shown again.]
Executive Execution Layer
- Almost completely portable C code (bits of object-oriented C++ and asm)
- Private internal O/S structure
- Runs in kernel ("privileged", ring 0) mode
- Many interfaces to executive O/S services are undocumented
Executive Execution Layer
Lower layers of the O/S:
- Processor-dependent functions (x86 vs. Alpha vs. embedded, etc.)
- Processor-independent functions closely associated with the processor-dependent functions
Kernel Execution Layer
- Private internal O/S structure
- Heart and soul of the O/S
- Executes in kernel mode
- API not documented!
- Accessed indirectly via subsystem APIs
Windows NT Subsystem
[Diagram: NT component map. Executive Services API: I/O System, Security Monitor, Win32 GDI, Object Services, Memory Mgmt, Processes/Threads, Exec. RTL. Further labeled components: Object Management, File Systems, I/O Devices, DMA/Bus Control, Cache Control, Clocks/Timers, Privileged Architecture, Interrupt Dispatch, Registry. Kernel-mode base: Device Drivers, Kernel, Hardware Abstraction Layer (HAL). User mode: System Processes (Session Mgr, WinLogon, Replicator, Alerter, Event Log), Services, User Apps, and Environment Subsystems (Win32, POSIX, OS/2) reached through the Subsystem DLL / Interface DLL.]
Kernel Execution Layer
Reasons for kernel code execution:
- Requests from user mode (system calls)
  - Via the system service dispatch mechanism (dispatcher)
  - Kernel-mode code runs in the context of the requesting thread
Windows NT Subsystem
[Diagram: the Windows NT Subsystem component map from the earlier slide, shown again.]
Kernel Execution Layer
Reasons for kernel code execution:
- Interrupts from external devices
  - Interrupts (like all traps) are handled in kernel mode
  - NT-supplied interrupt dispatcher invokes the interrupt service routine (ISR)
  - ISR runs in the context of the interrupted thread ("arbitrary thread context")
  - ISR requests execution of a "DPC routine", which also runs in kernel mode
Kernel Execution Layer
Reasons for kernel code execution:
- Dedicated kernel-mode threads
  - Some threads in the system stay in kernel mode at all times (mostly the "System" process)
  - Scheduled, preempted, etc., like any other threads
Hardware Abstraction Layer
- Subroutine library for the kernel and device drivers
- Separates the Kernel and Executive from platform-specific details
- Presents a uniform model of the I/O hardware interface to drivers
Windows NT Layer
[Diagram: the NT layer stack from the earlier Windows NT Layer slide, shown again.]
Hardware Abstraction Layer
HAL abstracts:
- System timers, cache coherency & flushing
- SMP support, hardware interrupt priorities
HAL implements functions in both the Executive and Kernel layers
Processes, Threads & Jobs
Process layout: each process has its own
- Virtual address space
- Program global storage
- Heap storage
- Threads' stacks
Processes
Process layout, continued
- Processes cannot corrupt each other's address space by mistake (sort of! see CreateRemoteThread injection)
- Working set: physical memory "owned" by the process
Processes
Process layout, continued
- Access token: includes security identifiers (objects)
- Handle table for Win32 kernel objects
- Resources available to all threads in the process
- Resources separate and protected between processes
Threads
Each thread has:
- Stack: local variable storage, call frames, etc.
- Instance of a top-level function
- Scheduling state: Wait, Ready, and Running
- Kernel thread priority
- Execution
Threads
Each thread has:
- Current access mode: user-land or kernel-land
- Saved CPU state when not Running
- Access token (optional; overrides the process token if present)
Processes
Processes, continued
- Container for address space and threads
- Associated user-mode Process Environment Block (PEB)
- Primary access token (objects)
- Quota, debug port, handle table (objects)
Processes
Processes, continued
- Unique process ID
- Process object queued on: job list, global process list, session list
- MM structures like working set, VAD tree, AWE, etc.
Threads
Threads, continued
- Fundamental schedulable entity on the system
- Represented by ETHREAD (includes KTHREAD)
- Queued to process (both E & K thread)
- IRP list
- Impersonation access token
- Unique thread ID
Threads
Threads, continued
- Associated user-mode Thread Environment Block (TEB)
- User-mode stack
- Kernel-mode stack
- Process Control Block (in KTHREAD): for CPU state when not running; holds Ready or Waiting status
Jobs
Each job contains:
- Container for multiple processes
- Queued on: global job list; processes and jobs in the job set
- Security token filters and job token
- Completion ports
- Counters, limits, etc.
Virtual Memory Manager
How do we allocate memory? The Virtual Memory Manager:
- User-land memory manager
- Kernel-land memory manager
Virtual Memory Manager
Allocating user memory space: the Virtual Memory Manager
- Handles the 4 GB flat VA space (IA32)
- Manages process address space
- Handles page faults
- Manages process working sets
Virtual Memory Manager
Allocating user memory space: the Virtual Memory Manager, continued
- Manages physical memory
- Provides memory-mapped files
- Allows pages to be shared between processes
- Structure for the I/O subsystem and device drivers
- Supports the file system cache manager
Virtual Memory Manager
Allocating user memory space: the Virtual Memory Manager
Internal API:
- NtCreatePagingFile()
- NtAllocateVirtualMemory()
- NtFreeVirtualMemory()
- NtQueryVirtualMemory()
- NtProtectVirtualMemory()
Virtual Memory Manager
Allocating user memory space: the Virtual Memory Manager
- Pagefault
- NtLockVirtualMemory
- NtUnlockVirtualMemory
- NtReadVirtualMemory
- NtWriteVirtualMemory (OMG!! Thread Injection Tangent)
- NtFlushVirtualMemory
Remote Thread Injection Tangent
One way to copy some code into another process's address space and then execute it in the context of that process involves the use of remote threads and the WriteProcessMemory API. Basically, you copy the code into the remote process directly via WriteProcessMemory and start its execution with CreateRemoteThread.
Remote Thread Injection Tangent
The CreateRemoteThread & WriteProcessMemory technique of code injection is, compared to the other methods, more flexible in that you don't need an additional DLL. Unfortunately, it is also more complicated and riskier than the other methods.
Remote Thread Injection Tangent
You can (and most probably will) easily crash the remote process as soon as something is wrong with your injected thread. Because debugging a remote thread can also be a nightmare, you should use this technique only when injecting at most a few instructions.
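From the defender's side, the distinction the tangent draws (code written into the target with WriteProcessMemory and started with CreateRemoteThread, versus DLL injection that starts a remote thread on a loader export) is visible in Sysmon's Event ID 8 (CreateRemoteThread) records, which carry the new thread's start module and function. The triage below is an added example, not code from the talk: the records are constructed in a simplified Field=value form, the field names are assumed to follow Sysmon's schema, and the allow-list is a hypothetical site policy.

```python
# Constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread), one per line as
# "Field=value" pairs joined by "|". Field names follow Sysmon's schema (assumed); every
# path, PID and address below is made up for illustration.
SAMPLE_LOG = """\
SourceImage=C:\\dev\\windbg.exe|SourceProcessId=1200|TargetImage=C:\\apps\\svc.exe|TargetProcessId=4412|StartAddress=0x7FFB1A2B3C40|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=DbgUiRemoteBreakin
SourceImage=C:\\temp\\dropper.exe|SourceProcessId=3388|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2044|StartAddress=0x7FFB1B9C1F10|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA
SourceImage=C:\\temp\\dropper.exe|SourceProcessId=3388|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2044|StartAddress=0x1D3A4F20000|StartModule=|StartFunction=
SourceImage=C:\\Program Files\\EDR\\agent.exe|SourceProcessId=880|TargetImage=C:\\apps\\svc.exe|TargetProcessId=4412|StartAddress=0x2B1C0000|StartModule=|StartFunction=
"""

# Assumed site policy: tools that are expected to create threads in other processes.
ALLOWED_SOURCES = {"c:\\program files\\edr\\agent.exe"}
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def parse_event(line):
    """Split one 'Field=value|Field=value' record into a dict (values may be empty)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(ev):
    """Return (severity, reason) for one CreateRemoteThread event."""
    if ev["SourceImage"].lower() in ALLOWED_SOURCES:
        return "info", "source is on the allow-list"
    module, func = ev["StartModule"], ev["StartFunction"]
    if not module:
        # The new thread starts at an address inside no loaded module: the code was written
        # into the target first, which is the WriteProcessMemory + CreateRemoteThread path.
        return "high", f"start address {ev['StartAddress']} is outside every loaded module"
    if func.lower() in LOADER_EXPORTS:
        # A remote thread whose entry is a LoadLibrary export is the DLL-injection variant.
        return "medium", f"remote thread entry is {func} (DLL injection pattern)"
    short = module.rsplit("\\", 1)[-1]
    return "low", f"remote thread entry is a known export {short}!{func}"


def triage(log):
    """Classify every record; returns [(severity, source, target, reason)] in log order."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        severity, reason = classify(ev)
        findings.append((severity, ev["SourceImage"], ev["TargetImage"], reason))
    return findings


if __name__ == "__main__":
    for severity, src, dst, reason in triage(SAMPLE_LOG):
        print(f"{severity.upper():6} {src} -> {dst}: {reason}")
```

The low-severity debugger case still deserves a look in an environment where no debugging is expected; the allow-list is what keeps the noise down, not the start-module check alone.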
Virtual Memory Manager
Allocating kernel memory: pool
- Tightest x86 system resource is KVA (Kernel Virtual Address space)
- Pool allocates in small chunks: < 4 KB at 8-byte granularity; >= 4 KB at page granularity
- Paged & non-paged pool; paged pool is backed by the pagefile
- Special pool used to find corruptors
- Lots of support for debugging/diagnosis
Virtual Memory Manager
Memory paging: writing unused memory to disk, and paging in: pulling it back into active memory
- Working sets: the list of valid pages for each process and for the kernel
- Pages 'trimmed' from a working set go on lists:
  - Standby list: pages backed by disk
  - Modified list: dirty pages to push to disk
  - Free list: pages not associated with disk
  - Zero list: supply of demand-zero pages
Virtual Memory Manager
Memory paging, continued
- Modified/standby pages can be faulted back into a working set without disk activity (soft fault)
- Background system threads trim working sets, write modified pages, and produce zero pages based on memory state and config parameters
Virtual Memory Manager
Managing working sets
- Aging pages: increment age counts for pages which haven't been accessed
- Estimate unused pages: count them in each working set and keep a global count of the estimate
- When memory starts to become scarce: replace rather than add pages when a fault occurs in a working set with significant unused pages
- When memory IS scarce: reduce (trim) working sets which are above their maximum
Virtual Memory Manager
Memory paging, continued: managing working sets
- The Balance Set Manager periodically runs the Working Set Trimmer; it also swaps out the kernel stacks of long-waiting threads
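The page lists, soft faults, aging and the two scarcity thresholds from the last four slides can be seen working together in a small model. This is an added simulation, not code from the talk: frame counts, the AGE_LIMIT and SIGNIFICANT thresholds and the access pattern in demo() are constructed, and the modified-page writer is modelled as a step inside frame allocation rather than as a background thread.

```python
AGE_LIMIT = 2    # assumed: not accessed for this many aging passes means "unused"
SIGNIFICANT = 2  # assumed: this many unused pages makes a set "significantly unused"

class Page:
    def __init__(self, pid, vpn):
        self.pid, self.vpn, self.accessed, self.age, self.dirty = pid, vpn, True, 0, False

class WorkingSet:                             # the list of valid pages for one process
    def __init__(self, maximum):
        self.maximum, self.pages = maximum, {}   # vpn -> Page

    def unused(self):
        return sum(p.age >= AGE_LIMIT for p in self.pages.values())

    def oldest(self):
        return max(self.pages.values(), key=lambda p: p.age)

class MemoryManager:
    def __init__(self, frames, low_at, scarce_at):
        self.free = frames                    # free list: frames backing no page
        self.low_at, self.scarce_at = low_at, scarce_at   # "getting scarce" / "IS scarce"
        self.standby, self.modified = {}, {}  # clean / dirty trimmed pages, keyed (pid, vpn)
        self.ws = {}                          # pid -> WorkingSet
        self.stats = {"hard": 0, "soft": 0, "replaced": 0, "trimmed": 0}

    def _evict(self, ws, page):               # page leaves the set but keeps its frame
        del ws.pages[page.vpn]
        (self.modified if page.dirty else self.standby)[(page.pid, page.vpn)] = page

    def _get_frame(self):                     # free list first, else repurpose a standby page
        if self.free:
            self.free -= 1
            return
        if not self.standby:                  # modified-page writer: flush dirty pages to standby
            for p in self.modified.values():
                p.dirty = False
            self.standby, self.modified = self.modified, {}
        if not self.standby:
            raise MemoryError("no frame available")
        self.standby.pop(next(iter(self.standby)))   # oldest standby page is on disk: drop it

    def touch(self, pid, vpn, write=False):
        ws = self.ws[pid]
        page = ws.pages.get(vpn)
        if page is None:                      # page fault
            page = self.standby.pop((pid, vpn), None) or self.modified.pop((pid, vpn), None)
            if page is not None:              # soft fault: the frame still holds it, no disk I/O
                self.stats["soft"] += 1
            else:                             # hard fault: a frame is needed
                self.stats["hard"] += 1
                if self.free <= self.low_at and ws.unused() >= SIGNIFICANT:
                    self._evict(ws, ws.oldest())  # getting scarce: replace rather than add
                    self.stats["replaced"] += 1
                self._get_frame()
                page = Page(pid, vpn)
            ws.pages[vpn] = page
        page.accessed, page.age, page.dirty = True, 0, page.dirty or write

    def age_pass(self):                       # aging: bump pages not accessed since the last pass
        for p in (p for ws in self.ws.values() for p in ws.pages.values()):
            p.age, p.accessed = (0 if p.accessed else p.age + 1), False
        return sum(ws.unused() for ws in self.ws.values())   # global unused estimate

    def trim(self):                           # Working Set Trimmer: only when memory IS scarce
        for ws in (self.ws.values() if self.free <= self.scarce_at else ()):
            while len(ws.pages) > ws.maximum:
                self._evict(ws, ws.oldest())
                self.stats["trimmed"] += 1
        return self.stats["trimmed"]

def demo():                                   # constructed scenario; returns the manager
    mm = MemoryManager(frames=8, low_at=4, scarce_at=2)
    mm.ws[1], mm.ws[2] = WorkingSet(maximum=4), WorkingSet(maximum=2)
    for vpn in range(4): mm.touch(1, vpn, write=(vpn == 0))   # four hard faults; vpn 0 dirty
    for _ in range(3): mm.age_pass()          # untouched for three passes: all four "unused"
    mm.touch(1, 4)                            # free == low_at: vpn 0 replaced, lands on modified
    mm.touch(1, 0)                            # soft fault back from the modified list
    mm.touch(2, 0); mm.touch(2, 1)            # process 2 grows; free frames drop to 1
    mm.age_pass(); mm.trim()                  # memory IS scarce: process 1 trimmed to maximum
    return mm
```

After demo() the frame count still adds up (1 free + 1 standby + 4 + 2 resident = 8), which is the invariant the standby and modified lists exist to preserve: a trimmed page costs no I/O until its frame is actually needed.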
Review
- Windows is segmented into many different layers in order to control the flow of execution.
- Windows does many things differently from any other publicly available operating system (obviously).
Questions?
\o/
 |
/\