Kernel Data Structures

Kernel data structures are the data structures the kernel keeps in its own address space (in Windows, mostly in the paged and non-paged pools) and that only the kernel and its subsystems touch directly; user-mode code reaches them only indirectly, through system calls. Like any other data structures, they hold data, pointers to other data structures and the addresses of routines. Here is one of the better-known ones in Windows:


typedef struct _ACL
{
      UCHAR AclRevision;   /* ACL_REVISION (2), or ACL_REVISION_DS (4) when object-specific ACEs are present */
      UCHAR Sbz1;          /* "should be zero": reserved padding */
      WORD  AclSize;       /* total size in bytes: this header plus every ACE that follows it */
      WORD  AceCount;      /* number of ACEs that follow the header */
      WORD  Sbz2;          /* "should be zero": reserved padding */
} ACL, *PACL;

This structure is the header of an access control list: the list of access control entries (ACEs) that says which users and groups may do what to a securable object such as a file, registry key or process. The ACEs are not fields of the structure; they follow it contiguously in memory, and AclSize covers the header plus every ACE. Code that walks an ACL therefore has to treat AceCount, AclSize and each ACE's own size field as untrusted input and check them against the buffer it was actually handed.
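As an added example (not code from the original page), here is how a consumer of this structure walks the ACEs that follow the header, in C. The structure definitions mirror the documented Windows layouts of ACL, ACE_HEADER, ACCESS_ALLOWED_ACE and the binary SID; the sample ACL, the Everyone SID bytes and the function names (build_sample_acl, acl_walk) are constructed for this example. The point is the validation: AclSize and every AceSize come from the buffer, so the walker checks each one against the bytes that really remain before using it, and reports a count mismatch or an overrun as a malformed ACL rather than reading past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the page. The layouts mirror the documented
 * Windows ACL, ACE_HEADER, ACCESS_ALLOWED_ACE and binary SID formats; the
 * Windows typedefs are spelled out so the file builds without windows.h. */
typedef uint8_t UCHAR; typedef uint16_t WORD; typedef uint32_t DWORD;

typedef struct _ACL {
    UCHAR AclRevision;  /* ACL_REVISION (2) for plain allow/deny ACEs */
    UCHAR Sbz1;         /* "should be zero" padding */
    WORD  AclSize;      /* total bytes: this header plus every ACE after it */
    WORD  AceCount;     /* number of ACEs that follow */
    WORD  Sbz2;         /* "should be zero" padding */
} ACL, *PACL;
typedef struct _ACE_HEADER {
    UCHAR AceType;      /* 0 = ACCESS_ALLOWED_ACE_TYPE, 1 = ACCESS_DENIED_ACE_TYPE, ... */
    UCHAR AceFlags;     /* inheritance / audit flags */
    WORD  AceSize;      /* bytes in this ACE including the header; varies with SID length */
} ACE_HEADER;
typedef struct _ACCESS_ALLOWED_ACE {  /* ACCESS_DENIED_ACE has the same layout */
    ACE_HEADER Header;
    DWORD      Mask;     /* ACCESS_MASK granted or denied */
    DWORD      SidStart; /* first DWORD of the inline, variable-length SID */
} ACCESS_ALLOWED_ACE;
enum { ACL_REVISION = 2, ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1 };

/* Constructed sample SID, S-1-1-0 (Everyone), in binary form: revision 1, one
 * sub-authority, 6-byte identifier authority 1, sub-authority 0; 12 bytes. */
static const uint8_t EVERYONE_SID[12] = { 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0 };

/* Append an allow/deny ACE to the ACL in buf (capacity cap): 0 on success, -1 if it does not fit. */
static int acl_add_ace(uint8_t *buf, size_t cap, UCHAR type, DWORD mask,
                       const uint8_t *sid, size_t sid_len)
{
    ACL *acl = (ACL *)buf;
    size_t off = acl->AclSize, ace_len = offsetof(ACCESS_ALLOWED_ACE, SidStart) + sid_len;
    if (off + ace_len > cap || off + ace_len > 0xFFFF) return -1;
    ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE *)(buf + off);
    ace->Header.AceType  = type;
    ace->Header.AceFlags = 0;
    ace->Header.AceSize  = (WORD)ace_len;
    ace->Mask = mask;
    memcpy(buf + off + offsetof(ACCESS_ALLOWED_ACE, SidStart), sid, sid_len); /* SID is inline */
    acl->AclSize = (WORD)(off + ace_len);
    acl->AceCount++;
    return 0;
}

/* Build the constructed sample ACL: deny DELETE (0x10000) to Everyone, then allow full
 * control (0x1F01FF). Returns the ACL size in bytes (48), or 0 if the 4-byte-aligned buf is too small. */
size_t build_sample_acl(uint8_t *buf, size_t cap)
{
    ACL *acl = (ACL *)buf;
    if (cap < sizeof *acl) return 0;
    memset(acl, 0, sizeof *acl);
    acl->AclRevision = ACL_REVISION;
    acl->AclSize     = sizeof *acl;
    if (acl_add_ace(buf, cap, ACCESS_DENIED_ACE_TYPE,  0x00010000u, EVERYONE_SID, 12) ||
        acl_add_ace(buf, cap, ACCESS_ALLOWED_ACE_TYPE, 0x001F01FFu, EVERYONE_SID, 12))
        return 0;
    return acl->AclSize;
}

/* Walk the ACEs in buf (len bytes). Returns the ACE count, or -1 if the ACL is malformed:
 * header beyond the buffer, an ACE overrunning AclSize, or AceCount disagreeing with the
 * ACEs present. Every size field is untrusted and checked against the bytes remaining
 * before use. Allow and deny masks are ORed into *granted and *denied when non-NULL. */
int acl_walk(const uint8_t *buf, size_t len, DWORD *granted, DWORD *denied)
{
    ACL acl;
    if (len < sizeof acl) return -1;
    memcpy(&acl, buf, sizeof acl);                  /* memcpy: buf may be unaligned */
    if (acl.AclRevision != ACL_REVISION || acl.AclSize < sizeof acl || acl.AclSize > len)
        return -1;
    size_t off = sizeof acl;
    int seen = 0;
    while (off < acl.AclSize) {
        ACE_HEADER hdr;
        if (acl.AclSize - off < sizeof hdr) return -1;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.AceSize < sizeof hdr || hdr.AceSize > acl.AclSize - off) return -1;
        if (hdr.AceType == ACCESS_ALLOWED_ACE_TYPE || hdr.AceType == ACCESS_DENIED_ACE_TYPE) {
            DWORD mask;
            if (hdr.AceSize < offsetof(ACCESS_ALLOWED_ACE, SidStart) + 8) return -1; /* no room for a SID */
            memcpy(&mask, buf + off + offsetof(ACCESS_ALLOWED_ACE, Mask), sizeof mask);
            if (hdr.AceType == ACCESS_ALLOWED_ACE_TYPE && granted) *granted |= mask;
            if (hdr.AceType == ACCESS_DENIED_ACE_TYPE  && denied)  *denied  |= mask;
        }
        off += hdr.AceSize;
        seen++;
    }
    return seen == acl.AceCount ? seen : -1;
}
```

Calling build_sample_acl on a 64-byte, 4-byte-aligned buffer yields a 48-byte ACL with two ACEs; acl_walk then returns 2 with the deny mask 0x10000 and the allow mask 0x1F01FF. Overwriting the first ACE's AceSize with 0xFFF0, handing the walker a shorter length than AclSize claims, or bumping AceCount without adding an ACE all make acl_walk return -1 instead of reading outside the buffer. The aggregated masks are only a summary of what the ACL says; real access checks match each ACE's SID against the caller's token and stop at the first deny that covers a requested right.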

This link describes a set of data structures in Windows Vista.

Every data structure has a purpose, and although some of them are shared by several kernel subsystems, they are not very hard to understand. There is a good deal of research in which a process signature is obtained by analysing these kernel data structures while the process is executing. Such kernel-based signatures are meant to detect attacks like rootkits, which hide a process from the system's process list by manipulating the kernel's own bookkeeping: the per-process structure is unlinked from the doubly linked list of active processes (direct kernel object manipulation, DKOM), so any enumeration that walks the list never reaches it, while the process itself keeps running. The kernel data structure that describes a process is called EPROCESS; the list links live in its ActiveProcessLinks field.
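The hiding technique and the detection idea described above, as an added example that is not part of the original post. It is a user-mode simulation in C: LIST_ENTRY, a two-field stand-in for EPROCESS, PsActiveProcessHead and the four sample processes are all constructed here, and the function names (dkom_hide, list_walk, pool_scan, find_hidden) are the example's own. It shows why a clean unlink survives a list-consistency check and how comparing two independent views (a walk of the list against a scan of the objects themselves) exposes the hidden process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the page: a user-mode simulation of DKOM process
 * hiding and of cross-view detection. LIST_ENTRY and EPROCESS below are minimal
 * stand-ins (a real EPROCESS is far larger and its offsets change between builds). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;
typedef struct _EPROCESS {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* links this object into PsActiveProcessHead */
} EPROCESS;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
#define NPROC 4

static LIST_ENTRY PsActiveProcessHead;   /* the kernel's list head */
static EPROCESS   pool[NPROC];           /* stands in for the non-paged pool */

/* Constructed sample: four processes linked in creation order (InsertTailList). */
void init_processes(void)
{
    static const uint32_t pids[NPROC] = { 4, 368, 1200, 4321 }; /* System, smss, explorer, evil */
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &pool[i].ActiveProcessLinks;
        pool[i].UniqueProcessId = pids[i];
        e->Flink = &PsActiveProcessHead; e->Blink = PsActiveProcessHead.Blink;
        PsActiveProcessHead.Blink->Flink = e; PsActiveProcessHead.Blink = e;
    }
}

/* What a DKOM rootkit does: unlink the EPROCESS from the active-process list. The
 * object stays allocated and its threads stay schedulable, so the process keeps
 * running while no list walk reaches it. Pointing the entry at itself keeps the
 * unlink done at process exit from corrupting the list later. */
void dkom_hide(EPROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* View 1: walk PsActiveProcessHead, which is what the process enumeration APIs
 * ultimately report. Returns the number of PIDs written to pids[]. */
int list_walk(uint32_t *pids, int max)
{
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* View 2: find process objects without following any list pointer, the way a pool
 * scanner in a memory-forensics tool does. Here the "pool" is the pool[] array. */
int pool_scan(uint32_t *pids, int max)
{
    int n = 0;
    for (int i = 0; i < NPROC && n < max; i++)
        if (pool[i].UniqueProcessId != 0) pids[n++] = pool[i].UniqueProcessId;
    return n;
}

/* Cross-view check: a PID the scan finds but the list walk does not is hidden. */
int find_hidden(uint32_t *hidden, int max)
{
    uint32_t walked[NPROC], scanned[NPROC];
    int nw = list_walk(walked, NPROC), ns = pool_scan(scanned, NPROC), nh = 0;
    for (int i = 0; i < ns && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < nw; j++) if (walked[j] == scanned[i]) seen = 1;
        if (!seen) hidden[nh++] = scanned[i];
    }
    return nh;
}

/* List integrity (every neighbour points back). A clean DKOM unlink passes this,
 * which is why consistency checks on the list alone do not catch it. */
int list_is_consistent(void)
{
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
        if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
    return 1;
}

int main(void)
{
    uint32_t hidden[NPROC];
    init_processes();
    dkom_hide(&pool[3]);                            /* hide evil.exe, PID 4321 */
    int nh = find_hidden(hidden, NPROC);
    printf("list consistent: %d, hidden: %d", list_is_consistent(), nh);
    for (int i = 0; i < nh; i++) printf(" %u", hidden[i]);
    printf("\n");
    return 0;
}
```

After dkom_hide, list_walk reports three processes and list_is_consistent still returns 1, yet pool_scan still finds four, so find_hidden returns PID 4321. In a real memory image the second view comes from scanning for the pool-tag and object-header patterns of process allocations, or from other structures that reference the process (its threads, its handle table, the PID table), rather than from a neat array; the comparison logic is the same.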

If you want to explore kernel data structures further, this could be a good place to begin.
