Michael Hale Ligh

kernel mode is implemented in ring 0 (most privileged) and user mode in ring 3 (least privileged). When the processor is executing in kernel mode, the code has unrestricted access to the underlying hardware, including privileged instructions, and to kernel and process memory regions (except on newer systems with SMEP, which prevents ring 0 execution of user pages).

most operating systems define a set of stable APIs that map to one or more system calls (for example, the APIs provided by ntdll.dll and kernel32.dll on Windows)

user application requests a service from the operating system’s kernel using a system call

When a program executes, a new process is created and associated with its own set of attributes, including a unique process ID and address space. The process address space becomes a container for the application’s code, shared libraries, dynamic data, and runtime stack. A process also possesses at least a single thread of execution. A process provides the execution environment, resources, and context for threads to run.

A thread is often characterized by a thread ID, CPU register set, and execution stack(s), which help define a thread’s execution context. Despite their unique execution contexts, a process’s threads share the same code, data, address space, and operating system resources. A process with multiple threads can appear to be simultaneously performing multiple tasks.

Switching execution of one thread to another is called a context switch

Examples of operating system resources that are typically tracked include processes, threads, files, network sockets, synchronization objects, and regions of shared memory.

By leveraging knowledge of how the program uses the data, the characteristics of how the data is stored in memory, and the conventions of the programming language, you can often recognize an abstract data-type pattern that will help give clues as to how the data can be processed.

An example of a Windows bitmap of in-use network ports

when analyzing the physical address space of a system that leverages paged virtual memory, you could encounter a string that crosses a page boundary to a page that is no longer memory resident, which would require special processing or heuristics to determine the actual size of the string