DOCSLIB.ORG

Windows Kernel Hijacking Is Not an Option: Memoryranger Comes to The

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

WINDOWS KERNEL HIJACKING IS NOT AN OPTION: MEMORYRANGER COMES TO THE RESCUE AGAIN Igor Korkin, PhD Independent Researcher Moscow, Russian Federation [email protected] ABSTRACT The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64. Keywords: hypervisor-based protection, Windows kernel, hijacking attacks on memory, memory isolation, Kernel Data Protection. 1. INTRODUCTION the same high privilege level as the OS kernel, and they also include a variety The security of users’ data and of vulnerabilities. Researchers applications depends on the security of consider that “kernel modules (drivers) the OS kernel code and data. Modern introduce additional attack surface, as operating systems include millions of they have full access to the kernel’s lines of code, which makes it address space” (Yitbarek and Austin, impossible to reveal and remediate all 2019). vulnerabilities. Attackers can exploit the OS vulnerabilities to perform At the recent DEF CON hacking malicious actions. Windows OS kernel conference researchers from remains one of the most desired targets Eclypsium released a list of more than for hackers. 40 drivers from Microsoft-certified hardware vendors, which are prone to Another big challenge of OS privilege escalation attacks (Jesse and kernel protection is the third-party Shkatov, 2019). kernel-mode drivers, which execute at Another vulnerability in a signed The Microsoft Security team do third-party driver was presented at the their best to maintain a high level of Blue Hat IL conference by security OS kernel protection by issuing experts from the Microsoft Defender various security features, for example, ATP Research Team. The vulnerable Microsoft Kernel Patch Protection driver uses a watchdog mechanism (KPP) aka PatchGuard etc. At the based on user APC injection, which same, time security researchers and can also be exploited by attackers to rootkit developers are discovering bypass driver signature enforcement different techniques to bypass and gain escalated privileges. PatchGuard. The most notable of them (Rapaport, 2019). was GhostHook, which abused the Recently revealed Banking trojan Intel Processor Trace (PT) feature to “Banload”, which targets bank overcome PatchGuard and patch the customers in Brazil and Thailand, kernel. Cimpanu (2019) underlines that applied a malicious kernel-mode two recently published bypassing component to fight with anti-malware techniques InfinityHook and ByePg and banking protection programs. This “establish a permanent foothold in the digitally signed malware driver is kernel itself and open the door for the designed “to remove software drivers return of rootkits on Windows 10”. and executables belonging to anti- We can see that on the one hand, malware and banking protection all drivers and the OS kernel share the programs”, such as AVG, Avast, IBM same memory space, and on the other Trusteer Rapport (Bisson, 2019; hand, there are no built-in mechanisms Kremez, 2019). to restrict access to the kernel memory. Kernel-mode drivers were also All drivers have full access to the used during the recent RobbinHood system and can be used by attackers. ransomware attack. Hackers installed a Windows security features provide legitimate driver and exploited its limited kernel memory protection. vulnerability to temporarily disable the Threat model Windows OS driver signature Let us assume that using various enforcement. Finally, they installed a approaches, intruders are able to malicious kernel driver (Cimpanu, execute malicious kernel code. This 2020). paper analyses two types of attacks on Notorious cryptocurrency mining kernel data, which result in the malware also applies kernel-mode following, see Figure 1: rootkits to prevent them from being • gaining access to the files open terminated. Windows-based crypto in an exclusive mode (Handle miner infected more than 50000 Hijacking and Hijacking NTFS servers from 90 countries (Harpaz and data structures); Goldberg, 2019; O'Donnell, 2019). • escalating process privileges internal data structures, related to the without using the token Object Manager and NTFS driver swapping technique (Token components. Hijacking). The third attack escalates process For the attacks on files, a legal privileges by patching the static and driver creates a file via ZwCreateFile the variable portions of _TOKEN with zero flag ShareAccess, which structure, without using token gives the caller exclusive access to the swapping or token stealing techniques. open file. While the file remains This type of attack is mapped to opened all attempts to gain access to MITRE ATT&CK (2020) under this file via ZwCreateFile are in vain. Access Token Manipulation. The type Windows OS detects this illegal access of escalation privilege attack based on and returns a status sharing violation SeImpersonatePrivilege function is out code (0xC0000043), which indicates of the scope of this paper (Bisht, that “a file cannot be opened because 2020). the share access flags are All newly proposed attacks are incompatible” (Microsoft, 2019). working transparently on Windows 10 This research reveals two different 1903 64 bit as well as for its security attacks, which bypass Windows features, such as Patch Guard, Device security features and successfully gain Guard, and Security Reference unauthorized access to the files opened Monitor. without shared access by patching OS Researcher s Open file without Driver sharing access Secret Formula Attacker s Driver OS process OSstructures structures Figure 1. The following attacks will be considered: attacks on files and a privilege escalation attack. To prevent all these attacks on Section 5 and Section 6 focus on Windows OS kernel data the updated the main conclusions and further MemoryRanger hypervisor will be research directions respectively. presented. 2. TWO HIJACKING ATTACKS MemoryRanger prevents attacks ON THE FILES OPENED on files by running newly loaded WITHOUT SHARED ACCESS drivers in separated kernel spaces as well as restricting access to the This section describes the corresponding sensitive memory areas. internals of file operations in the Windows OS kernel: data structures The newest key feature of and correlations between them. Two MemoryRanger allows it to run a given hijacking attacks make it special data enclave for sensitive OS possible to illegally read and overwrite kernel data, such as _TOKEN the content of the file opened in an structures. This enclave includes these exclusive mode. These two hijacking sensitive OS structures, OS kernel attacks are based on modifying the OS core, and a limited number of OS internal data structures involved in file kernel built-in drivers. This new operations. scheme prevents illegal access from all drivers whether loaded before and after 2.1. Control Flow and Internal Data MemoryRanger. Structures Involved in Read and Write File Operations The remainder of the paper is as follows. Windows OS provides four main kernel API routines to create, Section 2 provides the details of read/write, and close files: the control flow and corresponding ZwCreateFile, ZwReadFile, internal data structures involved during ZwWriteFile, ZwClose. file operations in kernel mode. Two examples of hijacking attacks on files During file operations, several OS will be given. kernel components are involved (Russinovich, Solomon, and Ionescu, Section 3 presents the details of 2012; Tanenbaum and Bos, 2014). access control issues in the Windows Each time a driver calls ZwCreateFile OS kernel and shows how attackers the control goes to the following OS can hijack the corresponding structure kernel subsystems: I/O manager, in order to escalate the process Object Manager, Security Reference privileges. Monitor, NTFS driver, and finally, the Section 4 contains the details of control goes to the low-level drivers, adapting MemoryRanger to prevent such as Disk Filter Driver and Disk these attacks. Class Driver. These are in charge of access to the physical disk. The key features revealed by will be redirected by the OS to the Korkin (2019) are that Security secret file, see Figure 3. This is the key Reference Monitor checks access point of all hijacking attacks on files. rights to the file for ZwCreateFile Intruders can modify the routine, while routines ZwReadFile, following data to change the control ZwWriteFile are uncontrolled by the flow, the corresponding attacks are in Security Reference Monitor. brackets: Once a file is created via calling • handle table entries (Handle ZwCreateFile, the OS creates a file Table Hijacking); handle, adds an entry to the Handle • file object (Hijacking Table, allocates file object, NTFS data,
Recommended publications
  • Win32 API 1.Pdf

    Win32 API 1.Pdf

    Win32 Programming for Microsoft Windows NT Windows NT is designed to address the changing requirements of the computing world. It is written mainly in C and is crafted in such a way as to make its functionality extensible, and to ease the porting of the code from one hardware platform to another. This enables the ability to take advantage of multiprocessor and RISC computers, and to distribute tasks to other computers on the network, transparently. Whilst providing applications and users with the ability to use the power of local and remote machines, Windows NT must offer compatibility to applications and users. Users must feel comfortable with the interface, and be able to run existing high-volume applications. Existing applications have to port simply to the new environment to take advantage of its power. So, the user interface is compatible with existing Microsoft systems and existing programming APIs are supported and have been extended. To be considered a major player in the server arena, Windows NT has to offer reliable, robust support for ‘mission critical’ software. This means the system should be fault tolerant, protecting itself from malfunction and from external tampering. It should behave predictably and applications should not be able to adversely affect the system or each other. It should also have a security policy to protect the use of system resources, and implement resource quotas and auditing. Networking is built in, with high level programming and user interfaces available. Remote access to other machines on various networks is almost transparent. Because applications have to perform to an expected level, the system should be fast and responsive on each hardware platform.
  • Installation and Configuration Guide

    Installation and Configuration Guide

    NetApp SANtricity® SMI-S Provider 11.53 Installation and Configuration Guide December 2019 | 215-13407_C0 [email protected] Table of Contents About This Guide ............................................................................................................................. 1 Overview of the NetApp SANtricity SMI-S Provider ...................................................................... 1 What’s New ................................................................................................................................1 Abbreviations, Acronyms, Terms, and Definitions ........................................................................ 1 Supported Profiles and Subprofiles ............................................................................................. 1 Supported Operating Systems for SMI-S .................................................................................... 2 Supported Firmware Versions ........................................................................................................ 3 System Requirements ..................................................................................................................... 3 Installing and Uninstalling SMI-S Provider ..................................................................................... 4 Windows operating system install and uninstall process ............................................................... 4 Installing SMI-S Provider (Windows operating system) .....................................................
  • Leveraging Forticlient with Microsoft Defender: 6 Use Cases

    Leveraging Forticlient with Microsoft Defender: 6 Use Cases

    SOLUTION BRIEF Leveraging FortiClient with Microsoft Defender: 6 Use Cases Executive Overview A compromised endpoint can quickly infect an entire enterprise network—which FortiClient Features Include: is why endpoint devices are now a favorite target for cyber criminals. More than an endpoint protection platform that provides automated, next-generation threat nnSecurity Fabric Connector. protection, FortiClient connects endpoints with the Security Fabric. It enables Enables endpoint visibility and endpoint visibility and compliance throughout the Security Fabric architecture. compliance throughout the Combining FortiClient with OS-embedded protection, such as Microsoft Security Fabric architecture. Defender or Microsoft Defender ATP, enhances these capabilities, providing nnVulnerability scanning. an integrated endpoint and network security solution that reinforces enterprise Detects and patches endpoint defenses, reduces complexity, and enhances the end-user experience. vulnerabilities. nn Improving Protection of Endpoint Devices Anti-malware protection. Employs machine learning (ML), FortiClient provides automated threat protection and endpoint vulnerability scanning to help artificial intelligence (AI), and maintain endpoint security hygiene and deliver risk-based visibility across the Fortinet Security cloud-based threat detection Fabric architecture. As a result, organizations can identify and remediate vulnerabilities or in addition to pattern-based compromised hosts across the entire attack surface. malware detection. In some cases, customers may wish to take advantage of certain FortiClient features while nnAnti-exploit engine. Uses leaving existing third-party protections in place. For example, in instances where there are signatureless, behavior-based policies in an organization that require two different antivirus (AV) vendors on an endpoint protection against memory and for governance or compliance reasons, the need for FortiClient alongside a third-party AV fileless attacks; detects exploit solution such as Microsoft Defender is necessitated.
  • Guide to Hardening Windows 10 Technical Guide

    Guide to Hardening Windows 10 Technical Guide

    NOVEMBER 2020 Guide to Hardening Windows 10 For Administrators, Developers and Office Workers TABLE OF CONTENTS Introduction .......................................................................................................................... 4 Prerequisites ............................................................................................................................ 4 User roles ................................................................................................................................. 4 EFI (BIOS) Configuration ...................................................................................................... 5 To be enabled: ......................................................................................................................... 5 To be disabled: ......................................................................................................................... 5 Windows Defender Firewall .................................................................................................. 6 Enable logging of dropped packets ............................................................................................. 6 Disable enforcement of local rules and disable notifications .......................................................... 7 Block outbound connections by default ....................................................................................... 8 Secure potentially vulnerable protocols ......................................................................................
  • Microsoft Expands Capabilities and Platforms for Microsoft Defender ATP

    Microsoft Expands Capabilities and Platforms for Microsoft Defender ATP

    REPORT REPRINT Microsoft expands capabilities and platforms for Microsoft Defender ATP JULY 31 2020 By Fernando Montenegro The company has been pouring significant resources into growing its capabilities as a provider of security functionality. It appears to be making significant inroads into the endpoint security space, given its role behind the Windows OS and on account of its Defender ATP offering, which was recently updated. THIS REPORT, LICENSED TO MICROSOFT, DEVELOPED AND AS PROVIDED BY 451 RESEARCH, LLC, WAS PUBLISHED AS PART OF OUR SYNDICATED MARKET INSIGHT SUBSCRIPTION SER- VICE. IT SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELY INTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR RE-POSTED, IN WHOLE OR IN PART, BY THE RECIPIENT WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH. ©2020 451 Research, LLC | WWW.451RESEARCH.COM REPORT REPRINT Introduction Endpoint security had been growing in importance as a key component of security architecture even before the COVID-19 health crisis. Back then, key trends such as user mobility, BYOD and increased use of encryption already meant that properly securing and capturing telemetry from endpoints was crucial for protection, detection and incident response. The COVID-19 crisis merely accelerated this as network connectivity patterns changed and corporate offices sat empty. In recent years the endpoint security market has seen significant change, including the rise in popularity of Microsoft’s offerings, particularly its Microsoft Defender Advanced Threat Protection (MDATP) component. The company has been expanding the capabilities of the product as it adds support for new environments and partners.
  • Microsoft Patches Were Evaluated up to and Including CVE-2020-1587

    Microsoft Patches Were Evaluated up to and Including CVE-2020-1587

    Honeywell Commercial Security 2700 Blankenbaker Pkwy, Suite 150 Louisville, KY 40299 Phone: 1-502-297-5700 Phone: 1-800-323-4576 Fax: 1-502-666-7021 https://www.security.honeywell.com The purpose of this document is to identify the patches that have been delivered by Microsoft® which have been tested against Pro-Watch. All the below listed patches have been tested against the current shipping version of Pro-Watch with no adverse effects being observed. Microsoft Patches were evaluated up to and including CVE-2020-1587. Patches not listed below are not applicable to a Pro-Watch system. 2020 – Microsoft® Patches Tested with Pro-Watch CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability CVE-2020-1577 DirectWrite Information Disclosure Vulnerability CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability CVE-2020-1565 Windows Elevation of Privilege Vulnerability CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
  • The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies Ray Spencer Secure Computing Corporation Stephen Smalley, Peter Loscocco National Security Agency Mike Hibler, David Andersen, Jay Lepreau University of Utah http://www.cs.utah.edu/flux/flask/ Abstract and even many types of policies [1, 43, 48]. To be gen- erally acceptable, any computer security solution must Operating systems must be flexible in their support be flexible enough to support this wide range of security for security policies, providing sufficient mechanisms for policies. Even in the distributed environments of today, supporting the wide variety of real-world security poli- this policy flexibility must be supported by the security cies. Such flexibility requires controlling the propaga- mechanisms of the operating system [32]. tion of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted ac- Supporting policy flexibility in the operating system is cess rights. Previous systems are lacking in at least one a hard problem that goes beyond just supporting multi- of these areas. In this paper we present an operating ple policies. The system must be capable of supporting system security architecture that solves these problems. fine-grained access controls on low-level objects used to Control over propagation is provided by ensuring that perform higher-level functions controlled by the secu- the security policy is consulted for every security deci- rity policy. Additionally, the system must ensure that sion. This control is achieved without significant perfor- the propagation of access rights is in accordance with mance degradation through the use of a security decision the security policy.
  • Microsoft Defender ATP.Pdf

    Microsoft Defender ATP.Pdf

    Traditional Approach THE SENSORS FABRIC WE DEPLOY Threat Intelligence (TIaaS) Data Loss Prevention Cloud (Office IP/DLP) Directory Services Malware Detection Cloud DC Management User/Entity Behavior Analytics (AAD) (Office ATP/Sonar) (ASC) (AADIP) Classification and Information Protection (AIP) Cloud Application Federation Services Security Broker (ADFS) (MCAS) User/Entity Behavior Analytics (ATA) On Premises On Premises Directory Mobile Device Management DC Management Services (Intune) (OMS) (AD) Endpoint Protection (Defender) LOCALIZED INTELLIGENCE Threat Intelligence (TIaaS) Cloud Data Loss Prevention Directory Services (Office IP/DLP) Malware Detection Cloud DC Management User/Entity Behavior Analytics (AAD) (Office ATP) (ASC) (AADIP) Classification and Information Protection (AIP) Cloud Application Federation Services Security Broker (ADFS) (MCAS) User/Entity Behavior Analytics (ATA) On Premises On Premises Directory Mobile Device Management DC Management Services (Intune) (OMS) (AD) Endpoint Protection (Defender) Microsoft Azure Windows Defender Advanced Threat Protection rules Require the device to be at or under the machine risk score: Set up a connection to Windows Defender Advanced Threat Protection Microsoft 365 ATP | Windows Machine Search for machine, user, file, IP and URL [email protected] Smith m Security operation dashboard Open incidents Statistics Attention required (41) Incidents severities Incident in-progress #1067 In progress Jon-Smith-Lap HIGH MEDIUM LOW INFORMATIONAL Golden ticket compromise: user permissions
  • Summary Report 2020 Awards, Winners, Comments

    Summary Report 2020 Awards, Winners, Comments

    Independent Tests of Anti-Virus Software Summary Report 2020 Awards, winners, comments TEST PERIOD : 2020 LANGUAGE : ENGLISH LAST REVISION : 15TH JANUARY 2021 WWW.AV-COMPARATIVES.ORG Summary Report 2020 www.av-comparatives.org Content INTRODUCTION 3 MANAGEMENT SUMMARY 5 ANNUAL AWARDS 9 PRICING 16 USER EXPERIENCE REVIEW 18 AVAST FREE ANTIVIRUS 21 AVG ANTIVIRUS FREE 24 AVIRA ANTIVIRUS PRO 27 BITDEFENDER INTERNET SECURITY 30 ESET INTERNET SECURITY 34 F-SECURE SAFE 38 G DATA INTERNET SECURITY 41 K7 TOTAL SECURITY 45 KASPERSKY INTERNET SECURITY 48 MCAFEE TOTAL PROTECTION 52 MICROSOFT DEFENDER ANTIVIRUS 55 NORTONLIFELOCK NORTON 360 DELUXE 58 PANDA FREE ANTIVIRUS 61 TOTAL AV ANTIVIRUS PRO 64 TOTAL DEFENSE ESSENTIAL ANTI-VIRUS 67 TREND MICRO INTERNET SECURITY 70 VIPRE ADVANCED SECURITY 73 FEATURELIST COMES HERE 76 COPYRIGHT AND DISCLAIMER 77 2 Summary Report 2020 www.av-comparatives.org Introduction About AV-Comparatives We are an independent test lab, providing rigorous testing of security software products. We were founded in 2004 and are based in Innsbruck, Austria. AV-Comparatives is an ISO 9001:2015 certified organisation. We received the TÜV Austria certificate for our management system for the scope: “Independent Tests of Anti-Virus Software”. http://www.av-comparatives.org/iso-certification/ AV-Comparatives is the first certified EICAR Trusted IT-Security Lab http://www.av-comparatives.org/eicar-trusted-lab/ At the end of every year, AV-Comparatives releases a Summary Report to comment on the various consumer anti-virus products tested over the course of the year, and to highlight the high-scoring products of the different tests that took place over the twelve months.
  • DAC Vs. MAC Bell-La Padula Model [BL]

    DAC Vs. MAC Bell-La Padula Model [BL]

    DAC vs. MAC Bell-La Padula model [BL] Most people familiar with discretionary access View the system as subjects accessing objects • • control (DAC) - The system input is requests, the output is decisions - Unix permission bits are an example - Objects can be organized in one or more hierarchies, H - Might set a file private so only group friends can read it (a tree enforcing the type of decendents) Discretionary means anyone with access can Four modes of access are possible: • • propagate information: - execute – no observation or alteration - Mail [email protected] < private - read – observation Mandatory access control - append – alteration • - Security administrator can restrict propagation - write – both observation and modification - Abbreviated MAC (NOT to be confused w. Message The current access set, b, is (subj, obj, attr) tripples Authentication Code or Medium Access Control) • An access matrix M encodes permissible access types • (as before, subjects are rows, objects columns) 1/39 2/39 Security levels Security properties A security level is a (c, s) pair: The simple security or ss-property: • • - c = classification – E.g., unclassified, secret, top secret - For any (S, O, A) b, if A includes observation, then level(S) ∈ - s = category-set – E.g., Nuclear, Crypto must dominate level(O) (c , s ) dominates (c , s ) iff c c and s s - E.g., an unclassified user cannot read a top-secret document • 1 1 2 2 1 ≥ 2 1 ⊇ 2 - L dominates L sometimes written L L or L L The star security or ⋆-property: 1 2 1 ⊒ 2 2 ⊑ 1 • - levels then form a lattice (partial order w.
  • What Is Active Directory

    What Is Active Directory

    What is Active Directory Originally created in the year 1996, Active Directory, also referred as an AD, was first used with Windows 2000 Server as a directory service for Windows domain networks. Active Directory is a special purpose database, which serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol used for accessing and maintaining directory information services distributed over an IP network. What is Active Directory? The basic internal structure of the Active Directory consists of a hierarchical arrangement of Objects which can be categorized broadly into resources and security principles. Some of the examples of Active Directory objects are users, computers, groups, sites, services, printers, etc. Every Object is considered as a single entity with some specific set of attributes. The attributes of Objects along with the kind of objects that can be stored in the AD are defined by a Schema. The intrinsic framework of Active Directory is divided into a number of levels on the basis of visibility of objects. An AD network can be organized in four types of container structure namely, Forest, Domains, Organizational Units and Sites. y Forests: It is a collection of AD objects, their attributes and set of attribute syntax. y Domain: Domain is a collection of computers objects in the AD which share a common set of policies, a name and a database of their members. y Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain to resemble the structure of the Active Directory's company in organizational terms.
  • The Windows Operating System, Such As the Logon Process and the Session Manager

    The Windows Operating System, Such As the Logon Process and the Session Manager

    TTHEHE WWINDOWSINDOWS OOPERATINGPERATING SSYSTEMYSTEM William Stallings This document is an extract from Operating Systems: Internals and Design Principles, Fifth Edition Prentice Hall, 2005, ISBN 0-13-147954-7 Copyright 2005 William Stallings TTABLEABLE OFOF CCONTENTSONTENTS 2.5 MICROSOFT WINDOWS OVERVIEW...........................................................................3 History............................................................................................................................3 Single-User Multitasking...............................................................................................5 Architecture....................................................................................................................7 Operating System Organization.........................................................................7 User-Mode Processes.......................................................................................10 Client/Server Model.....................................................................................................11 Threads and SMP.........................................................................................................13 Windows Objects.........................................................................................................13 4.4 WINDOWS THREAD AND SMP MANAGEMENT.....................................................17 Process and Thread Objects.........................................................................................18