Kernel Structures

Several kernel structs are of particular interest to exploit developers as they can contain critical information and provide avenues for manipulation, allowing for privilege escalation.

In this section we will take a brief look at the following Windows kernel structures:

• _EPROCESS ; the executive representation of a process.

• _KPROCESS ; the kernel representation of a process.

• _ETHREAD ; the executive representation of a thread.

• _KTHREAD ; the kernel respresentation of a thread.

• _KPCR ; the kernel processor control region.

• _KPRCB ; the kernel processor region control block.

_EPROCESS

The _EPROCESS structure, also known as the EPROCESS block, is a crucial data structure in the Windows operating system kernel. It serves the purpose of representing a process (a running instance of a program) in the Windows kernel.

The _EPROCESS structure holds various information and control blocks related to a process, allowing the kernel to manage and track its execution. Some of the key purposes and components of the _EPROCESS structure include:

• Process Identification: The structure contains fields that store the unique process ID (PID) and the parent process ID (PPID), which help identify and establish relationships between processes.

• Memory Management: The _EPROCESS structure maintains information about the virtual memory space allocated to the process, including the process's address space layout, page directories, and page tables.

• Thread List: It includes a list of all threads associated with the process, allowing the kernel to manage and schedule thread execution within the process context.

• Security Context: The _EPROCESS structure holds the security context associated with the process, including the security token (TOKEN) that represents the process's security credentials, privileges, and user identity.

• Object Management: It maintains information related to the process's handle table and object table, facilitating the management and tracking of various kernel objects associated with the process, such as files, devices, and synchronisation primitives.

• Process State and Control: The _EPROCESS structure contains fields to represent the current state of the process, such as whether it is running, suspended, or terminated. It also includes control blocks for process termination, suspension, and resumption.

The _KPROCESS structure is nested inside the _EPROCESS structure and is the first member.

the _KPROCESS structure is not directly exposed to user mode processes or applications. It is primarily used internally by the Windows kernel for managing and controlling processes at the kernel level.

_ETHREAD

The _ETHREAD structure, also known as the ETHREAD block, is an important data structure in the Windows operating system kernel. It serves the purpose of representing a thread (a unit of execution within a process) in the Windows kernel.

The _ETHREAD structure contains various fields and control blocks that provide information and control over the execution of a thread. Some of the key purposes and components of the _ETHREAD structure include:

• Thread Identification: The structure includes fields for storing the unique thread ID (TID) and the process ID (PID) of the associated process, facilitating thread identification and establishing relationships with processes.

• Thread Context: It contains fields for storing the processor context of the thread, including register values, stack pointers, and other execution-related information.

• Thread State and Control: The _ETHREAD structure maintains fields representing the current state of the thread, such as whether it is running, waiting, or terminated. It includes control blocks and flags for thread scheduling, suspension, and termination.

• Kernel Stack: The structure holds information about the kernel stack allocated to the thread, such as the stack base address and stack size.

• Thread Synchronisation: Fields related to synchronisation primitives, such as thread-specific mutexes or semaphores, may be present in the _ETHREAD structure.

• Security Context: It may contain fields related to the security context of the thread, including the security token (TOKEN) representing the thread's security credentials and privileges.

• Thread Priority and Affinity: The _ETHREAD structure includes fields to store the thread's priority level and CPU affinity, allowing for thread scheduling and resource allocation.

The _KTHREAD is the first nested member in the _ETHREAD structure.

Together, these structures provide a comprehensive representation of a thread within the Windows kernel. The _KTHREAD structure handles the low-level kernel-specific aspects of thread management, while the _ETHREAD structure provides a higher-level view, integrating the thread into the context of the associated process and user mode components.

_KPCR

Each physical processor in a multi-processor system has its own _KPCR structure (Kernel Processor Control Region), which is located at a fixed memory address known as the "PCR address." The _KPCR structure contains various fields and control blocks that provide processor-specific information and context for the kernel's execution on that particular processor.

Some of the key purposes and components of the _KPCR structure include:

• Processor Control Information: The _KPCR structure holds information related to processor control, including fields for storing the processor number, processor flags, and other processor-specific details.

• Processor Context: It contains fields to store the processor context, including register values, control registers, segment selectors, and other processor-specific context information.

• System Service Dispatch Table: The _KPCR structure maintains a dispatch table of system service routines, allowing fast access to system services and kernel functions specific to that processor.

• Kernel Stack: The structure includes fields for storing the current kernel stack pointer and the base address of the kernel stack for the processor.

• Interrupt Management: Fields related to interrupt management and interrupt request (IRQ) handling may be present in the _KPCR structure, enabling the processor to handle and prioritize interrupts efficiently.

• Thread Local Storage (TLS): The _KPCR structure may contain fields for storing thread-specific data and thread local storage (TLS) information associated with the processor.

The _KPCR structure is an essential component of the Windows kernel's architecture and plays a vital role in managing and controlling the execution of kernel code on each processor in a multi-processor system. It provides per-processor context and data, allowing the kernel to manage system services, processor-specific operations, and maintain separation between different processors in the system.

The _KPRCB structure (Kernel Processor Control Block) is the last member inside the _KPCR structure. There is one _KPRCB structure per logical processor.

Exploring the Kernel

In the next section we will look at how we can navigate the kernel and examine these structures. These strructures can and do change between versions of windows. The Vergilius Project is a fantastic resource for exploring these structures (and others) in different versions of the Windows operating ssystem.

The importance of these structures will become aparent when we start writing kernel exploits, for example we can 'walk' these structures to manipulate the security context of an _EPROCESS for privilege escalation.