The document discusses various components inside the Windows kernel, including system threads, work items, asynchronous procedure calls (APCs), deferred procedure calls (DPCs), timers, process and thread callbacks, completion routines, I/O request packets (IRPs), and the structure of a kernel driver. It provides data structure definitions and examples of how these components work and interact inside the kernel.

1. Reverse Engineering
The Windows Kernel (2)
Kent Huang

2. Asynchronous and
Ad-Hoc Execution

3. Introduce the Component
inside Windows Kernel
1. Usage
2. Introduce the data structure
3. How it work inside Windows Kernel
4. What’s the usage in root-kit
5. Exercises

4. System Threads
• Driver may create multiple threads handling
different requests from kernel or user.
• Call API PsCreateSystemThread
NTSTATUS PsCreateSystemThread(
_Out_ PHANDLE ThreadHandle,
_In_ ULONG DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ HANDLE ProcessHandle,
_Out_opt_ PCLIENT_ID ClientId,
_In_ PKSTART_ROUTINE StartRoutine,
_In_opt_ PVOID StartContext
);

5. System Threads
• If process handle is not NULL, thread will be
created under that process.
• Someone say, if call PsCreateSystemThread in an
IOCTL handler, the new thread will be in the user-
mode application ???

6. Exercises
• Determine whether any of them pass a non-NULL
ProcessHandle parameter. Explain the purpose of
these routines. Repeat the exercise for as many
functions as possible.

7. Work Items
• Similar to system threads
• Except that no physical thread object
• Common driver programming pattern to queue
work items inside a DPC
PIO_WORKITEM IoAllocateWorkItem(
_In_ PDEVICE_OBJECT DeviceObject
);
VOID IoQueueWorkItem(
_In_ PIO_WORKITEM IoWorkItem,
_In_ PIO_WORKITEM_ROUTINE WorkerRoutine,
_In_ WORK_QUEUE_TYPE QueueType,
_In_opt_ PVOID Context
);

8. Structure
1: kd> dt _IO_WORKITEM
nt!_IO_WORKITEM
+0x000 WorkItem : _WORK_QUEUE_ITEM
+0x010 Routine : Ptr32 void
+0x014 IoObject : Ptr32 Void
+0x018 Context : Ptr32 Void
+0x01c Type : Uint4B
+0x020 ActivityId : _GUID
1: kd> dt _WORK_QUEUE_ITEM
nt!_WORK_QUEUE_ITEM
+0x000 List : _LIST_ENTRY
+0x008 WorkerRoutine : Ptr32 void
+0x00c Parameter : Ptr32 Void
1: kd> dt _WORK_QUEUE_TYPE
TmXPFlt!_WORK_QUEUE_TYPE
CriticalWorkQueue = 0n0
DelayedWorkQueue = 0n1
HyperCriticalWorkQueue = 0n2
MaximumWorkQueue = 0n3
1: kd> dt _KPRCB ParentNode
nt!_KPRCB
+0x338 ParentNode : Ptr32 _KNODE
1: kd> dt _KNODE
nt!_KNODE
+0x000 DeepIdleSet : Uint4B
+0x004 SharedReadyQueueLeaders : Uint4B
+0x040 ProximityId : Uint4B
+0x044 NodeNumber : Uint2B
…
1: kd> dt _ENODE
nt!_ENODE
+0x000 Ncb : _KNODE
+0x0c0 ExWorkQueue : [2] _EX_WORK_QUEUE
…
1: kd> dt _EX_WORK_QUEUE
nt!_EX_WORK_QUEUE
+0x000 WorkPriQueue : _KPRIQUEUE
+0x19c WorkItemsProcessed : Uint4B
+0x1a0 WorkItemsProcessedLastPass : Uint4B
+0x1a4 ThreadCount : Int4B
+0x1a8 TryFailed : UChar

9. kd> !thread
THREAD 865b2da8 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap e1004438
Owning Process 0 Image: <Unknown>
Attached Process 865b5490 Image: System
Wait Start TickCount 19549 Ticks: 0
Context Switch Count 901 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:01.062
Start Address nt!ExpWorkerThread (0x80534b02)
Stack Init f78eb000 Current f78ead1c Base f78eb000 Limit f78e8000 Call 0
Priority 13 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f78ead60 8056bcc5 86124338 00000000 8055b0fc NotYourFault!TesterWorkerItemRoutine+0x52 (FPO: [Non-Fpo])
(CONV: stdcall) [c:userskent_huangperforcepd_kent_huangcorevsapipdkent_huangvsapitools
notyourfaultnotyourfaultreverseengineeringworkeritem.c @ 19]
f78ead74 80534c02 86121548 00000000 865b2da8 nt!IopProcessWorkItem+0x13 (FPO: [Non-Fpo])
f78eadac 805c6160 86121548 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])
f78eaddc 80541dd2 80534b02 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

10. Reverse follow API (Win8)
• IoAllocateWorkItem
• IoInitializeWorkItem
• IoQueueWorkItem
• IopQueueWorkItemProlog
• ExQueueWorkItem

11. Asynchronous Procedure
Calls
• Asynchronous I/O completion, thread suspension, and
process shutdown
• Undocumented API
• Kernel Mode (PASSIVE_LEVEL , APC_LEVEL)
• User Mode (PASSIVE_LEVEL)
• Rootkits achieve this by queueing a user-mode APC to
a thread in the process in which they want to inject
code.

12. Structure
1: kd> dt _KAPC
nt!_KAPC
+0x000 Type : UChar
+0x001 SpareByte0 : UChar
+0x002 Size : UChar
+0x003 SpareByte1 : UChar
+0x004 SpareLong0 : Uint4B
+0x008 Thread : Ptr32 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY
+0x014 KernelRoutine : Ptr32 void
+0x018 RundownRoutine : Ptr32 void
+0x01c NormalRoutine : Ptr32 void
+0x014 Reserved : [3] Ptr32 Void
+0x020 NormalContext : Ptr32 Void
+0x024 SystemArgument1 : Ptr32 Void
+0x028 SystemArgument2 : Ptr32 Void
+0x02c ApcStateIndex : Char
+0x02d ApcMode : Char
+0x02e Inserted : UChar
1: kd> dt _KTHREAD ApcState
nt!_KTHREAD
+0x070 ApcState : _KAPC_STATE
1: kd> dt _KAPC_STATE
nt!_KAPC_STATE
+0x000 ApcListHead : [2] _LIST_ENTRY
+0x010 Process : Ptr32 _KPROCESS
+0x014 InProgressFlags : UChar
+0x014 KernelApcInProgress : Pos 0, 1 Bit
+0x014 SpecialApcInProgress : Pos 1, 1 Bit
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar

13. Deferred Procedure Calls
• Routines executed at DISPATCH_LEVEL
• Hardware drivers use them to process interrupts
coming from the device
• Some rootkits use DPCs to synchronize access to
global linked lists

14. IRQL

15. Structure
1: kd> dt _KDPC
nt!_KDPC
+0x000 TargetInfoAsUlong : Uint4B
+0x000 Type : UChar
+0x001 Importance : UChar
+0x002 Number : Uint2B
+0x004 DpcListEntry : _SINGLE_LIST_ENTRY
+0x008 ProcessorHistory : Uint4B
+0x00c DeferredRoutine : Ptr32 void
+0x010 DeferredContext : Ptr32 Void
+0x014 SystemArgument1 : Ptr32 Void
+0x018 SystemArgument2 : Ptr32 Void
+0x01c DpcData : Ptr32 Void
1: kd> dt _KPRCB DpcData
nt!_KPRCB
+0x21e0 DpcData : [2] _KDPC_DATA
1: kd> dt _KDPC_DATA
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x008 DpcLock : Uint4B
+0x00c DpcQueueDepth : Int4B
+0x010 DpcCount : Uint4B
+0x014 ActiveDpc : Ptr32 _KDPC
138 Chapter 3 ■ The Windows Kernel
KPRCB KDPC KDPC KDPC
Type Type Type
DpcData[0]
DpcData[1] DpcListEntry DpcListEntry DpcListEntry
DeferredRoutine DeferredRoutine DeferredRoutine
…
… … …
…… …
…

16. kd> !thread
THREAD 8649d020 Cid 0134.032c Teb: 7ffdf000 Win32Thread: e1634008 RUNNING on processor 0
IRP List:
8692cf68: (0006,0094) Flags: 40000000 Mdl: 00000000
Not impersonating
DeviceMap e21e88b0
Owning Process 0 Image: <Unknown>
Attached Process 864a07f0 Image: ReverseEngineer
Wait Start TickCount 20134 Ticks: 0
Context Switch Count 23 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address ReverseEngineeringTester!ILT+1240(_wmainCRTStartup) (0x0042e4dd)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f7517000 Current f7516b8c Base f7517000 Limit f7513000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
f78b2fd0 80541b8d f7516bc8 00000000 00000000 NotYourFault!TestDpcRoutine+0x52 (FPO: [Non-Fpo]) (CONV:
stdcall) [c:userskent_huangperforcepd_kent_huangcorevsapipdkent_huangvsapitoolsnotyourfault
notyourfaultreverseengineeringworkeritem.c @ 57]
f78b2ff4 8054185a f7516b20 00000000 00000000 nt!KiRetireDpcList+0x46 (FPO: [0,0,0])
f78b2ff8 f7516b20 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a (FPO: [Uses EBP] [0,0,1])
WARNING: Frame IP not in any known module. Following frames may be wrong.
8054185a 00000000 00000009 bb835675 00000128 0xf7516b20

17. Timer
• Signal the expiration of a certain amount of time
• Periodically or at some time in the future
VOID KeInitializeTimer(
_Out_ PKTIMER Timer
);
BOOLEAN KeSetTimer(
_Inout_ PKTIMER Timer,
_In_ LARGE_INTEGER DueTime,
_In_opt_ PKDPC Dpc
);
BOOLEAN KeSetTimerEx(
_Inout_ PKTIMER Timer,
_In_ LARGE_INTEGER DueTime,
_In_ LONG Period,
_In_opt_ PKDPC Dpc
);

18. Structure
1: kd> dt _KPRCB TimerTable
nt!_KPRCB
+0x2260 TimerTable : _KTIMER_TABLE
1: kd> dt _KTIMER_TABLE
nt!_KTIMER_TABLE
+0x000 TimerExpiry : [16] Ptr32 _KTIMER
+0x040 TimerEntries : [256] _KTIMER_TABLE_ENTRY
1: kd> dt _KTIMER
nt!_KTIMER
+0x000 Header : _DISPATCHER_HEADER
+0x010 DueTime : _ULARGE_INTEGER
+0x018 TimerListEntry : _LIST_ENTRY
+0x020 Dpc : Ptr32 _KDPC
+0x024 Period : Uint4B
1: kd> dt _KTIMER_TABLE_ENTRY
nt!_KTIMER_TABLE_ENTRY
+0x000 Lock : Uint4B
+0x004 Entry : _LIST_ENTRY
+0x010 Time : _ULARGE_INTEGER

19. Process and Thread
Callbacks
• Callback function when create or terminate process
or thread
• PsSetCreateProcessNotifyRoutine
• PsSetCreateThreadNotifyRoutine
• PsSetLoadImageNotifyRoutine

20. • Many anti-virus software products register these
callbacks to monitor system behavior.
• Kernel-mode root-kits sometimes use them in
conjunction with APCs to inject code into new
processes

21. Completion Routines
• Completion routines are used to notify drivers that
their I/O request has been completed
• Use when low-level driver complete a IRP
• IoCompleteRequest, IoSetCompletionRoutine

22. Structure
1: kd> dt _IO_STACK_LOCATION
nt!_IO_STACK_LOCATION
+0x000 MajorFunction : UChar
+0x001 MinorFunction : UChar
+0x002 Flags : UChar
+0x003 Control : UChar
+0x004 Parameters : <unnamed-tag>
+0x014 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x018 FileObject : Ptr32 _FILE_OBJECT
+0x01c CompletionRoutine : Ptr32 long
+0x020 Context : Ptr32 Void

23. I/O Request Packets

24. • Windows uses I/O request packets (IRPs) to
describe I/O requests to kernel- mode components
(like drivers)
• IRP can be divided into two areas
• static, dynamic
• Ex. IRP_MJ_CREATE, IRP_MJ_READ, etc…

25. 146 Chapter 3 ■ The Windows Kernel
IRPStatic Port
Dynamic Port
StackCount
Tail.Overlay.CurrentStackLocation
IO_STACK_LOCATION IO_STACK_LOCATION
“next” IRP stack location
“current” IRP stack location
IO_STACK_LOCATION
IO_STACK_LOCATION
IO_STACK_LOCATION
IO_STACK_LOCATION
an IO request packet relationship between IRP and IO_STACK_LOCATION
in an IO request packet
…
…
…
…
…
kd> dt _IRP
ntdll!_IRP
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 MdlAddress : Ptr32 _MDL
+0x008 Flags : Uint4B
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : Char
+0x021 PendingReturned : UChar
+0x022 StackCount : Char
+0x023 CurrentLocation : Char
+0x024 Cancel : UChar
+0x025 CancelIrql : UChar
+0x026 ApcEnvironment : Char
+0x027 AllocationFlags : UChar
+0x028 UserIosb : Ptr32 _IO_STATUS_BLOCK
+0x02c UserEvent : Ptr32 _KEVENT
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : Ptr32 void
+0x03c UserBuffer : Ptr32 Void
+0x040 Tail : __unnamed
kd> dt _IO_STACK_LOCATION
ntdll!_IO_STACK_LOCATION
+0x000 MajorFunction : UChar
+0x001 MinorFunction : UChar
+0x002 Flags : UChar
+0x003 Control : UChar
+0x004 Parameters : __unnamed
+0x014 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x018 FileObject : Ptr32 _FILE_OBJECT
+0x01c CompletionRoutine : Ptr32 long
+0x020 Context : Ptr32 Void

26. Structure of a Driver

27. Kernel Driver
• Type of Kernel Driver
• Legacy software driver
• Legacy filter driver
• File system minifilter driver

28. How to Write Kernel Driver
• WDM ( Windows Driver Model )
• Defined since Windows 2000 and all drivers you
analyze are based on it
• KMDF ( kernel-mode driver framework )
• WDF is basically a set of libraries built on top of
WDM that simplifies driver development

29. Entry Points
• The primary responsibility of DriverEntry
• Initialize driver-specific settings
• Register IRP dispatch routines
DriverEntry:
DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCloseHandler;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateCloseHandler;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlHandler;

30. • If you do not initialize the MajorFunction table,
default handler is “IopInvalidDeviceRequest”
• If a driver supports dynamic unloading, it must also
fill out the DriverUnload field

31. STATUS_INVALID_DEVICE_REQUEST

32. Driver and Device Objects
typedef struct _DEVICE_OBJECT {
CSHORT Type;
USHORT Size;
LONG ReferenceCount;
struct _DRIVER_OBJECT *DriverObject;
struct _DEVICE_OBJECT *NextDevice;
struct _DEVICE_OBJECT *AttachedDevice;
struct _IRP *CurrentIrp;
...
PVOID DeviceExtension;
DEVICE_TYPE DeviceType;
CCHAR StackSize;
...
ULONG ActiveThreadCount;
PSECURITY_DESCRIPTOR SecurityDescriptor;
...
PVOID Reserved;
} DEVICE_OBJECT, *PDEVICE_OBJECT;

33. IRP Handling
• The prototype for these dispatch routines
• If the dispatch routine successfully completes:
• Calls IoCompleteRequest and returns
• If it cannot complete:
• Return an error, pass the IRP to another driver, or
pend the IRP
NTSTATUS XXX_Dispatch ( PDEVICE_OBJECT *DeviceObject, PIRP *Irp );

34. A Common Mechanism for
User-Kernel Communication
• Shared memory region double-mapped in user and
kernel space
• Create an event that a user-mode thread can wait on;
the event state can be used as a trigger for further
action
• Interrupt handling
• IRP_MJ_DEVICE_CONTROL operation and commonly
referred to as device I/O control or simply IOCTL

35. I/O Control Code
• User-mode code can request these IOCTL
operations through the DeviceIoControl API.
User Mode:
bResult = DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize,
lpOutBuffer, nOutBufferSize, lpBytesReturned, &Overlapped);
Kernel Mode:
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObj, PUNICODE_STRING RegistryPath) {
…
DriverObj->MajorFunction[IRP_MJ_CLEANUP] = DispatchFilter;
DriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchFilter;
…
}
NTSTATUS DispatchFilter(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);
switch(IrpStack->MajorFunction) {
…
case IRP_MJ_DEVICE_CONTROL:
// Handle IOCTL
break;
…
}
}

36. • Buffering Methods
• Buffered I/O
• Direct I/O
• Neither
• I/O Control Code

37. Miscellaneous System
Mechanisms
• System Control Registers
• Root-kit developers resort to hooking func- tions
in the kernel. But Kernel code is mapped as
Read-Only.
• Protect by hardware level special control register:
CR0
• CPU can write to read-only pages (WP bit)

38. System Control Registers

39. KeServiceDescriptorTable
• Many root-kits resort to hooking system calls
• But the system call table (KiServiceTable) is not
exported
• How to access KiServiceTable?
• Ex. Sample G

41. Sections