# Kernel Structures In this section we will take a brief look at the following Windows kernel structures: * `_EPROCESS` ; the executive representation of a process. * `_KPROCESS` ; the kernel representation of a process. * `_ETHREAD` ; the executive representation of a thread. * `_KTHREAD` ; the kernel respresentation of a thread. * `_KPCR` ; the kernel processor control region. * `_KPRCB` ; the kernel processor region control block. ## \_EPROCESS The `_EPROCESS` structure, also known as the EPROCESS block, is a crucial data structure in the Windows operating system kernel. It serves the purpose of representing a process (a running instance of a program) in the Windows kernel. The `_EPROCESS` structure holds various information and control blocks related to a process, allowing the kernel to manage and track its execution. Some of the key purposes and components of the `_EPROCESS` structure include: * **Process Identification**: The structure contains fields that store the unique process ID (PID) and the parent process ID (PPID), which help identify and establish relationships between processes. * **Memory Management**: The `_EPROCESS` structure maintains information about the virtual memory space allocated to the process, including the process's address space layout, page directories, and page tables. * **Thread List**: It includes a list of all threads associated with the process, allowing the kernel to manage and schedule thread execution within the process context. * **Security Context**: The `_EPROCESS` structure holds the security context associated with the process, including the security token (TOKEN) that represents the process's security credentials, privileges, and user identity. * **Object Management**: It maintains information related to the process's handle table and object table, facilitating the management and tracking of various kernel objects associated with the process, such as files, devices, and synchronisation primitives. * **Process State and Control**: The `_EPROCESS` structure contains fields to represent the current state of the process, such as whether it is running, suspended, or terminated. It also includes control blocks for process termination, suspension, and resumption. The `_KPROCESS` structure is nested inside the `_EPROCESS` structure and is the first member. the `_KPROCESS` structure is not directly exposed to user mode processes or applications. It is primarily used internally by the Windows kernel for managing and controlling processes at the kernel level. ## \_ETHREAD The `_ETHREAD` structure, also known as the ETHREAD block, is an important data structure in the Windows operating system kernel. It serves the purpose of representing a thread (a unit of execution within a process) in the Windows kernel. The `_ETHREAD` structure contains various fields and control blocks that provide information and control over the execution of a thread. Some of the key purposes and components of the `_ETHREAD` structure include: * **Thread Identification**: The structure includes fields for storing the unique thread ID (TID) and the process ID (PID) of the associated process, facilitating thread identification and establishing relationships with processes. * **Thread Context**: It contains fields for storing the processor context of the thread, including register values, stack pointers, and other execution-related information. * **Thread State and Control**: The `_ETHREAD` structure maintains fields representing the current state of the thread, such as whether it is running, waiting, or terminated. It includes control blocks and flags for thread scheduling, suspension, and termination. * **Kernel Stack**: The structure holds information about the kernel stack allocated to the thread, such as the stack base address and stack size. * **Thread Synchronisation**: Fields related to synchronisation primitives, such as thread-specific mutexes or semaphores, may be present in the `_ETHREAD` structure. * **Security Context**: It may contain fields related to the security context of the thread, including the security token (TOKEN) representing the thread's security credentials and privileges. * **Thread Priority and Affinity**: The `_ETHREAD` structure includes fields to store the thread's priority level and CPU affinity, allowing for thread scheduling and resource allocation. The `_KTHREAD` is the first nested member in the `_ETHREAD` structure. Together, these structures provide a comprehensive representation of a thread within the Windows kernel. The `_KTHREAD` structure handles the low-level kernel-specific aspects of thread management, while the `_ETHREAD` structure provides a higher-level view, integrating the thread into the context of the associated process and user mode components. ## \_KPCR Each physical processor in a multi-processor system has its own `_KPCR` structure (Kernel Processor Control Region), which is located at a fixed memory address known as the "PCR address." The `_KPCR` structure contains various fields and control blocks that provide processor-specific information and context for the kernel's execution on that particular processor. Some of the key purposes and components of the `_KPCR` structure include: * **Processor Control Information**: The `_KPCR` structure holds information related to processor control, including fields for storing the processor number, processor flags, and other processor-specific details. * **Processor Context**: It contains fields to store the processor context, including register values, control registers, segment selectors, and other processor-specific context information. * **System Service Dispatch Table**: The `_KPCR` structure maintains a dispatch table of system service routines, allowing fast access to system services and kernel functions specific to that processor. * **Kernel Stack**: The structure includes fields for storing the current kernel stack pointer and the base address of the kernel stack for the processor. * **Interrupt Management**: Fields related to interrupt management and interrupt request (IRQ) handling may be present in the `_KPCR` structure, enabling the processor to handle and prioritize interrupts efficiently. * **Thread Local Storage (TLS)**: The `_KPCR` structure may contain fields for storing thread-specific data and thread local storage (TLS) information associated with the processor. The `_KPCR` structure is an essential component of the Windows kernel's architecture and plays a vital role in managing and controlling the execution of kernel code on each processor in a multi-processor system. It provides per-processor context and data, allowing the kernel to manage system services, processor-specific operations, and maintain separation between different processors in the system. The `_KPRCB` structure (Kernel Processor Control Block) is the last member inside the `_KPCR` structure. There is one `_KPRCB` structure per logical processor. ## Exploring the Kernel In the next section we will look at how we can navigate the kernel and examine these structures. These strructures can and do change between versions of windows. The [Vergilius Project](https://www.vergiliusproject.com) is a fantastic resource for exploring these structures (and others) in different versions of the Windows operating ssystem. The importance of these structures will become aparent when we start writing kernel exploits, for example we can 'walk' these structures to manipulate the security context of an `_EPROCESS` for privilege escalation.