Windows 10 Kernel Changes

October 14, 2014

As you probably know, you can download and play with the first bits of Windows 10. While there are many things to discover in the user interface of the Windows Shell and in WinRT applications, I like to dig in and find kernel changes. To do that I use several tools from Sysinternals and from Debugging Tools for Windows (which are now part of the Windows SDK).

I installed Windows 10 x64 on Hyper-V.


I have also created a Windows 10 Server virtual machine on Windows Azure.


Using Sysinternals WinObj, I found that there are two new kernel object types.


After installing Visual Studio and the Windows 10 symbols, I could disassemble the kernel:

dumpbin /disasm c:\Windows\System32\ntoskrnl.exe > c:\temp\ntoskrnl.txt

I also installed Debugging Tools for Windows and ran LiveKD -w, so I could use WinDbg's x command to find symbols easily. The uf WinDbg command shows the disassembly of the specific function I wanted to investigate.


Searching for this new object type, I've found:

ExpWin32OpenProcedure:
  0000000140496384: 40 55              push        rbp
  0000000140496386: 48 8B EC           mov         rbp,rsp
  0000000140496389: 48 83 EC 40        sub         rsp,40h
  000000014049638D: 41 8B 01           mov         eax,dword ptr [r9]
  0000000140496390: 4C 8D 15 39 DD EE  lea         r10,[ObTypeIndexTable]
                    FF
  0000000140496397: 89 4D E0           mov         dword ptr [rbp-20h],ecx
  000000014049639A: 89 45 10           mov         dword ptr [rbp+10h],eax
  000000014049639D: 41 0F B6 41 E8     movzx       eax,byte ptr [r9-18h]
  00000001404963A2: BA 01 00 00 C0     mov         edx,0C0000001h
  00000001404963A7: 4D 8B 14 C2        mov         r10,qword ptr [r10+rax*8]
  00000001404963AB: 48 8B 45 30        mov         rax,qword ptr [rbp+30h]
  00000001404963AF: 4C 89 45 E8        mov         qword ptr [rbp-18h],r8
  00000001404963B3: 4C 3B 15 EE CD EE  cmp         r10,qword ptr [ExRawInputManagerObjectType]
                    FF
  00000001404963BA: 8B 08              mov         ecx,dword ptr [rax]
  00000001404963BC: 8B 45 38           mov         eax,dword ptr [rbp+38h]
  00000001404963BF: 89 45 FC           mov         dword ptr [rbp-4],eax
  00000001404963C2: 4C 89 4D F0        mov         qword ptr [rbp-10h],r9
  00000001404963C6: 89 4D F8           mov         dword ptr [rbp-8],ecx
  00000001404963C9: 74 4B              je          0000000140496416
  00000001404963CB: 4C 3B 15 CE CD EE  cmp         r10,qword ptr [ExCompositionObjectType]
                    FF
  00000001404963D2: 75 22              jne         00000001404963F6
  00000001404963D4: B9 12 00 00 00     mov         ecx,12h
  00000001404963D9: 4C 8D 4D 10        lea         r9,[rbp+10h]
  00000001404963DD: 48 8D 55 E0        lea         rdx,[rbp-20h]
  00000001404963E1: 41 B8 01 00 00 00  mov         r8d,1
  00000001404963E7: E8 34 22 F6 FF     call        PsInvokeWin32Callout
  00000001404963EC: 8B D0              mov         edx,eax
  00000001404963EE: 8B C2              mov         eax,edx
  00000001404963F0: 48 83 C4 40        add         rsp,40h
  00000001404963F4: 5D                 pop         rbp
  00000001404963F5: C3                 ret


On Windows 8, I found the same function, but without the compare against the new object type:

nt!ExpWin32OpenProcedure:
fffff802`0de9ccc0 4055            push    rbp
fffff802`0de9ccc2 488bec          mov     rbp,rsp
fffff802`0de9ccc5 4883ec40        sub     rsp,40h
fffff802`0de9ccc9 418b01          mov     eax,dword ptr [r9]
fffff802`0de9cccc 4c8d154deae1ff  lea     r10,[nt!ObTypeIndexTable (fffff802`0dcbb720)]
fffff802`0de9ccd3 894de0          mov     dword ptr [rbp-20h],ecx
fffff802`0de9ccd6 894510          mov     dword ptr [rbp+10h],eax
fffff802`0de9ccd9 410fb641e8      movzx   eax,byte ptr [r9-18h]
fffff802`0de9ccde ba010000c0      mov     edx,0C0000001h
fffff802`0de9cce3 4d8b14c2        mov     r10,qword ptr [r10+rax*8]
fffff802`0de9cce7 488b4530        mov     rax,qword ptr [rbp+30h]
fffff802`0de9cceb 4c8945e8        mov     qword ptr [rbp-18h],r8
fffff802`0de9ccef 4c3b15d244e1ff  cmp     r10,qword ptr [nt!ExCompositionObjectType (fffff802`0dcb11c8)]
fffff802`0de9ccf6 8b08            mov     ecx,dword ptr [rax]
fffff802`0de9ccf8 8b4538          mov     eax,dword ptr [rbp+38h]
fffff802`0de9ccfb 8945fc          mov     dword ptr [rbp-4],eax
fffff802`0de9ccfe 4c894df0        mov     qword ptr [rbp-10h],r9
fffff802`0de9cd02 894df8          mov     dword ptr [rbp-8],ecx
fffff802`0de9cd05 7522            jne     nt!ExpWin32OpenProcedure+0x69 (fffff802`0de9cd29)


The same object also appears in:


ExpWin32OkayToCloseProcedure:
  0000000140496878: 48 89 5C 24 08     mov         qword ptr [rsp+8],rbx
  000000014049687D: 55                 push        rbp
  000000014049687E: 48 8B EC           mov         rbp,rsp
  0000000140496881: 48 83 EC 40        sub         rsp,40h
  0000000140496885: 8B 02              mov         eax,dword ptr [rdx]
  0000000140496887: 4C 8D 15 42 D8 EE  lea         r10,[ObTypeIndexTable]
                    FF
  000000014049688E: 48 89 4D E0        mov         qword ptr [rbp-20h],rcx
  0000000140496892: 89 45 28           mov         dword ptr [rbp+28h],eax
  0000000140496895: 0F B6 42 E8        movzx       eax,byte ptr [rdx-18h]
  0000000140496899: 48 89 55 E8        mov         qword ptr [rbp-18h],rdx
  000000014049689D: 4D 8B 14 C2        mov         r10,qword ptr [r10+rax*8]
  00000001404968A1: 4C 89 45 F0        mov         qword ptr [rbp-10h],r8
  00000001404968A5: 44 88 4D F8        mov         byte ptr [rbp-8],r9b
  00000001404968A9: 4C 3B 15 F8 C8 EE  cmp         r10,qword ptr [ExRawInputManagerObjectType]
                    FF


So I guess that this object is related to a change on the Win32 kernel side (win32k.sys), perhaps some new functionality in Raw Input.


I wanted to find additional changes, so I dumped all the symbols of the kernel:

>.logopen c:\temp\kernel_symbols.txt

>x nt!*

>.logclose


Opened log file 'c:\temp\symbols.txt'
kd> x nt!*
fffff801`2a790780 nt!ZwCreateTimer2 (<no parameter info>)
fffff801`2adaae6c nt!MxPageAlwaysHot (<no parameter info>)
fffff801`2a7022a4 nt!MiSyncSystemPdes (<no parameter info>)


I did it on Windows 8.1 as well.


To keep only the bare symbol names, I wrote a short program:

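As an added example (not the author's program, which the post only shows as a screenshot), here is a Python version of that step: it strips the addresses and the parameter-info suffix from x nt!* output, diffs the Windows 8.1 and Windows 10 symbol lists the way WinDiff would, and emulates wildcard searches such as x nt!*hetero*. The sample dump lines are constructed; apart from the three symbols quoted above, the symbol names are placeholders.

```python
import re
from fnmatch import fnmatchcase

# Added example, not the author's program. Turns raw output of the
# WinDbg/LiveKD command "x nt!*" into bare symbol names and diffs two dumps.

# A line of "x nt!*" output looks like:
#   fffff801`2a790780 nt!ZwCreateTimer2 (<no parameter info>)
# i.e. a 64-bit address with a backtick in the middle, then module!symbol,
# then an optional parameter-info suffix that we drop.
SYMBOL_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]{8}`[0-9a-fA-F]{8})\s+(?P<name>\S+)")

def symbol_names(dump_text):
    """Return the sorted, de-duplicated module!symbol names found in a dump."""
    names = set()
    for line in dump_text.splitlines():
        m = SYMBOL_LINE.match(line.strip())   # header/prompt lines do not match
        if m:
            names.add(m.group("name"))
    return sorted(names)

def diff_symbols(old_names, new_names):
    """Return (added, removed) when going from old to new, like a WinDiff view."""
    old, new = set(old_names), set(new_names)
    return sorted(new - old), sorted(old - new)

def match_symbols(names, pattern):
    """Emulate 'x nt!*hetero*': WinDbg-style wildcard search, case-insensitive."""
    return [n for n in names if fnmatchcase(n.lower(), pattern.lower())]

# Constructed sample input. The first three Windows 10 symbols are the ones
# quoted in the post; every other symbol name and address is a placeholder.
WIN10_DUMP = """Opened log file 'c:\\temp\\symbols.txt'
kd> x nt!*
fffff801`2a790780 nt!ZwCreateTimer2 (<no parameter info>)
fffff801`2adaae6c nt!MxPageAlwaysHot (<no parameter info>)
fffff801`2a7022a4 nt!MiSyncSystemPdes (<no parameter info>)
fffff801`2a7a0000 nt!PlaceholderHeteroRoutine (<no parameter info>)
"""
WIN81_DUMP = """kd> x nt!*
fffff802`0de00000 nt!MiSyncSystemPdes (<no parameter info>)
fffff802`0de00010 nt!PlaceholderRemovedRoutine (<no parameter info>)
"""

if __name__ == "__main__":
    added, removed = diff_symbols(symbol_names(WIN81_DUMP), symbol_names(WIN10_DUMP))
    print("new in Windows 10:", added)
    print("gone since 8.1:", removed)
    print("hetero:", match_symbols(symbol_names(WIN10_DUMP), "nt!*hetero*"))
```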

Now I can compare the two lists with WinDiff.


This is just the first page of the list of changes. The list is very long: there are many new functions, and some functions were removed.

Scanning the symbols, I have found some interesting areas that need further investigation:


>x nt!*hetero*


Probably Hetero AMD processor support.

>x nt!*Asl*


>x nt!*SystemImage* (Many changes in the Memory Manager)


>x nt!*SecureThread*


As you can see, there are many changes under the hood…
