Overview

The NT Kernel & System Services (NTOSKRNL) is the core component of the Windows operating system. It provides fundamental services to all other parts of the OS and applications, including process and thread management, memory management, security, I/O operations, and inter-process communication (IPC).

Understanding NTOSKRNL is crucial for low-level driver development, performance tuning, debugging complex system issues, and gaining a deep insight into how Windows functions.

Key Components and Concepts

• Executive: The highest level of the kernel-mode part of the operating system, responsible for managing system resources.
• Kernel Layer: Provides fundamental services such as thread scheduling, interrupt handling, and low-level synchronization.
• Memory Manager: Manages the virtual and physical memory of the system.
• Process Manager: Creates and terminates processes and threads.
• I/O Manager: Manages input and output operations, including device drivers.
• Security Reference Monitor: Enforces security policies.
• Object Manager: Manages kernel objects (e.g., processes, threads, files).
• Local Procedure Call (LPC) Facility: Enables communication between processes.

Core APIs and Structures

Key kernel-mode functions and structures you'll encounter include:

• ZwCreateFile, ZwReadFile, ZwWriteFile: Functions for file I/O operations.
• KeInitializeEvent, KeWaitForSingleObject: Synchronization primitives.
• ExAllocatePoolWithTag: Memory allocation function.
• KPROCESS, KTHREAD: Structures representing processes and threads.
• UNICODE_STRING: Structure for Unicode string manipulation.

Example of a common system call invocation:

Resources for Developers

• Developing Device Drivers
• Windows Memory Management
• Windows Security Internals
• Debugging Tools for Windows