OS Dev (@OSdev_)

408 posts

Senior Engineer @Qualcomm - Performance Engineering | Windows kernel | C/C++ | ARM64 | CPU & Memory Microarchitectures | SoC's

void* · Joined June 2024
752 Following · 3.2K Followers

Pinned Tweet
OS Dev (@OSdev_):
Read “Windows Internals: Thread Management — Part 1” by OS Dev on Medium: This article discusses the ETHREAD and KTHREAD kernel objects and the Windows scheduler: how it schedules a thread. medium.com/windows-os-int…
OS Dev (@OSdev_):
I’d like to sponsor this FPGA learning kit for a deserving student who genuinely wants to learn FPGA but can’t afford it. Just a small help from my side. @VazeKshitij @Vicharak_In, could you help me find someone who would benefit from this opportunity?
Quoting Vicharak (@Vicharak_In)

Aryamman Bhatia (@aryamman_bhatia):
In a few years you’ll be able to have a chip lab in your hostel room
OS Dev (@OSdev_):
Randell & Kuehner's Dynamic Storage Allocation Systems (1968) is one of the earliest papers that study how operating systems allocate and reclaim memory at runtime. Instead of proposing a new allocator, it surveys existing allocation techniques and classifies them based on their design and trade-offs. The paper discusses fixed-size and variable-size allocation schemes, relocation, protection, and different placement algorithms such as first fit and best fit. A major focus is memory fragmentation, especially external fragmentation, and how it affects long-running systems. It highlights the limitations of contiguous allocation and provides a framework for evaluating dynamic storage management techniques that later influenced modern memory management designs. *This motivated the innovation of Paging*
Quoting OS Dev (@OSdev_):

Randell & Kuehner (1968) – Dynamic Storage Allocation Systems One of the classic surveys explaining contiguous allocation techniques and fragmentation problems. researchgate.net/profile/Brian-…

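The post above names first fit and best fit and the external fragmentation that contiguous allocation suffers. The following is an added example, not code from the post, the paper, or the account: a toy contiguous arena with a sorted free list, both placement policies, coalescing on free, and a constructed workload on which the two policies diverge. The arena size, the workload and all identifiers are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy contiguous-allocation arena: a sorted list of free holes, as in the
 * survey's model. Addresses are arena offsets, sizes are in "words". */
#define MAX_SEG 32
#define NONE ((size_t)-1)

enum policy { FIRST_FIT, BEST_FIT };

typedef struct { size_t start, len; } seg_t;
typedef struct { seg_t s[MAX_SEG]; int n; } freelist_t;

static void fl_init(freelist_t *f, size_t arena_size) {
    f->n = 1;
    f->s[0].start = 0;
    f->s[0].len = arena_size;
}

static void fl_remove(freelist_t *f, int i) {
    for (; i + 1 < f->n; i++) f->s[i] = f->s[i + 1];
    f->n--;
}

/* Carve `size` words from the chosen hole; returns the offset or NONE. */
static size_t fl_alloc(freelist_t *f, enum policy p, size_t size) {
    int pick = -1;
    for (int i = 0; i < f->n; i++) {
        if (f->s[i].len < size) continue;
        if (p == FIRST_FIT) { pick = i; break; }                 /* lowest hole that fits */
        if (pick < 0 || f->s[i].len < f->s[pick].len) pick = i;  /* smallest hole that fits */
    }
    if (pick < 0) return NONE;
    size_t addr = f->s[pick].start;
    f->s[pick].start += size;
    f->s[pick].len -= size;
    if (f->s[pick].len == 0) fl_remove(f, pick);
    return addr;
}

/* Return a block and merge with adjacent holes, so only external fragmentation remains. */
static bool fl_free(freelist_t *f, size_t start, size_t len) {
    if (f->n >= MAX_SEG) return false;
    int i = 0;
    while (i < f->n && f->s[i].start < start) i++;
    for (int j = f->n; j > i; j--) f->s[j] = f->s[j - 1];
    f->s[i].start = start;
    f->s[i].len = len;
    f->n++;
    if (i + 1 < f->n && start + len == f->s[i + 1].start) {      /* merge right */
        f->s[i].len += f->s[i + 1].len;
        fl_remove(f, i + 1);
    }
    if (i > 0 && f->s[i - 1].start + f->s[i - 1].len == start) { /* merge left */
        f->s[i - 1].len += f->s[i].len;
        fl_remove(f, i);
    }
    return true;
}

static size_t fl_largest(const freelist_t *f) {
    size_t m = 0;
    for (int i = 0; i < f->n; i++) if (f->s[i].len > m) m = f->s[i].len;
    return m;
}

static size_t fl_total(const freelist_t *f) {
    size_t t = 0;
    for (int i = 0; i < f->n; i++) t += f->s[i].len;
    return t;
}

/* Constructed workload on a 100-word arena (an assumption for the demo). Returns how
 * many of the six requests were served; reports the largest hole and total free space. */
int run_workload(enum policy p, size_t *largest, size_t *total) {
    freelist_t f;
    fl_init(&f, 100);
    size_t a = fl_alloc(&f, p, 40), b = fl_alloc(&f, p, 20);
    size_t c = fl_alloc(&f, p, 10), d = fl_alloc(&f, p, 30);
    int ok = (a != NONE) + (b != NONE) + (c != NONE) + (d != NONE);
    fl_free(&f, a, 40);                  /* holes are now [0,40) and [60,70) */
    fl_free(&f, c, 10);
    ok += fl_alloc(&f, p, 10) != NONE;   /* first fit splits the 40-hole; best fit takes the 10-hole */
    ok += fl_alloc(&f, p, 35) != NONE;   /* only fits if the 40-hole was left intact */
    *largest = fl_largest(&f);
    *total = fl_total(&f);
    return ok;
}

int workload_ok(enum policy p)      { size_t l, t; return run_workload(p, &l, &t); }
size_t workload_largest(enum policy p) { size_t l, t; run_workload(p, &l, &t); return l; }
size_t workload_total(enum policy p)   { size_t l, t; run_workload(p, &l, &t); return t; }

int main(void) {
    const char *names[] = { "first fit", "best fit" };
    for (int p = FIRST_FIT; p <= BEST_FIT; p++) {
        size_t largest, total;
        int ok = run_workload((enum policy)p, &largest, &total);
        double frag = total ? 100.0 * (1.0 - (double)largest / (double)total) : 0.0;
        printf("%-9s: %d/6 served, %zu words free, largest hole %zu, external fragmentation %.0f%%\n",
               names[p], ok, total, largest, frag);
    }
    return 0;
}
```

On this workload first fit leaves 40 free words but cannot serve a 35-word request because they sit in two holes (30 and 10): that is external fragmentation in the survey's sense. Best fit serves it, at the cost of leaving a 5-word sliver that nothing will ever fit into; the survey's point is that neither policy escapes fragmentation under contiguous allocation, which is why relocation and, later, paging were pursued.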
OS Dev (@OSdev_):
@splinedrive That's incredible, man. Could you please share any articles or blogs that I can follow along?
logic destroyer (@splinedrive):
I think I need to finish my SoC and use it as my daily machine. The more I learn, the less I trust the existing stack — from vendor silicon to distribution packages. At some point, building everything yourself starts to look like the only way to know what's really running.
Quoting logic destroyer (@splinedrive):

We're fucked!

OS Dev (@OSdev_):
@abhi9u That's very unfortunate. Trusting only software, without any hardware backing it up, in safety-critical systems is very risky.
Abhinav Upadhyay (@abhi9u):
TIL about a race condition bug in a radiation therapy machine called Therac-25 that caused the deaths of 3 patients. Therac was a radiation therapy machine for treating cancer patients. It had two modes: electron beam for shallower treatment, and high-energy x-ray/photon for deeper treatments. The older models of the machine had hardware interlocks as safety mechanisms to prevent any bad configuration from ever happening. Then came Therac-25, which removed many of the hardware interlocks in favor of implementing them in software. There was a race condition in which, if an operator entered the wrong mode (e.g. x-ray) and then switched it quickly within 8 seconds, the mode would not be updated. As a result, the patient could end up receiving a massive overdose of radiation. Between 1985 and 1987, six such accidents were known to have occurred, leading to the death of at least 3 patients. Wikipedia notes this as a case study in software engineering and the danger of engineer overconfidence.
OS Dev (@OSdev_):
Randell & Kuehner (1968) – Dynamic Storage Allocation Systems One of the classic surveys explaining contiguous allocation techniques and fragmentation problems. researchgate.net/profile/Brian-…
OS Dev (@OSdev_):
Windows NT kernel bug CVE-2022-21882 - sentinelone.com/vulnerability-… The vulnerability abuses a use-after-free in "win32k.sys". By carefully manipulating window objects and their lifetime, an attacker can make the kernel operate on a freed object that is now under attacker control. This primitive is then used to achieve arbitrary kernel read/write and finally swap the current process token with the SYSTEM token.
OS Dev (@OSdev_):
One of the most fascinating Windows kernel bugs is CVE-2023-21768 - sentinelone.com/blog/cve-2023-… A simple integer overflow in the Common Log File System (CLFS) driver causes the kernel to allocate less memory than required but continue writing as if the buffer was large enough. The resulting out-of-bounds write corrupts adjacent kernel objects, giving attackers arbitrary kernel read/write and eventually SYSTEM privileges.
OS Dev (@OSdev_):
One of the most interesting Windows NT kernel bugs is CVE-2018-8611 - nccgroup.com/research/cve-2… It's a series of 5 articles. The exploit didn't need to overflow any buffer. Instead, it abuses a race condition in the Kernel Transaction Manager (KTM) to create a use-after-free. Once the attacker gets an arbitrary kernel read/write, it's game over, they simply replace their process token with the SYSTEM token and instantly become SYSTEM.
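The CVE-2022-21882 and CVE-2018-8611 posts above both come down to the same primitive: a kernel object is freed while a reference to it survives, the attacker reclaims the freed memory with controlled bytes, and the kernel then acts on the stale reference. The following is an added, deliberately generic model of that primitive and of one mitigation pattern. It is not the exploit from either write-up and not win32k or KTM code: the fixed-size slab with a LIFO free list, the `window_t` object, and the generation-checked handle are all assumptions made here so the sequence is deterministic and runs in one process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 32
#define NSLOTS 4

/* Toy fixed-size slab with a LIFO free list (assumed here, in the spirit of a
 * kernel lookaside list): the slot freed last is the first one handed out
 * again, which is what makes reclaiming a freed object predictable. */
typedef struct {
    _Alignas(16) uint8_t slots[NSLOTS][OBJ_SIZE];
    uint32_t gen[NSLOTS];          /* bumped on every free; used by the hardened path */
    int free_stack[NSLOTS];
    int nfree;
} slab_t;

typedef struct { int slot; uint32_t gen; } handle_t;   /* (slot, generation) reference */

static void slab_init(slab_t *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < NSLOTS; i++) s->free_stack[i] = NSLOTS - 1 - i;
    s->nfree = NSLOTS;
}
static int   slab_alloc(slab_t *s)          { return s->nfree ? s->free_stack[--s->nfree] : -1; }
static void  slab_free(slab_t *s, int idx)  { s->gen[idx]++; s->free_stack[s->nfree++] = idx; }
static void *slab_ptr(slab_t *s, int idx)   { return s->slots[idx]; }
static handle_t slab_handle(const slab_t *s, int idx) { handle_t h = { idx, s->gen[idx] }; return h; }

/* Hardened lookup: a reference whose generation no longer matches the slot's
 * current generation is stale (the object was freed) and is refused. */
static void *slab_lookup(slab_t *s, handle_t h) {
    if (h.slot < 0 || h.slot >= NSLOTS || s->gen[h.slot] != h.gen) return NULL;
    return s->slots[h.slot];
}

/* Stand-in for a kernel object that carries a callback (think a window's procedure). */
typedef struct { int (*on_event)(int); int id; } window_t;
static int legit_handler(int x)    { return x + 1; }
static int attacker_handler(int x) { return x ^ 0x1337; }   /* "attacker code" for the demo */

/* Vulnerable path: a raw pointer outlives the object. */
int uaf_vulnerable(void) {
    slab_t slab;
    slab_init(&slab);
    int idx = slab_alloc(&slab);
    window_t *w = slab_ptr(&slab, idx);
    w->on_event = legit_handler;
    w->id = 7;
    window_t *stale = w;                    /* a second reference the owner forgot about */
    slab_free(&slab, idx);                  /* the object's lifetime ends here */

    /* Attacker-triggered allocation of the same size: the LIFO free list returns
     * the same slot, and the attacker fills it with bytes of their choosing. */
    int reclaimed = slab_alloc(&slab);
    window_t controlled = { attacker_handler, 0x41414141 };
    memcpy(slab_ptr(&slab, reclaimed), &controlled, sizeof controlled);

    return stale->on_event(1);              /* kernel uses the stale object: attacker's callback runs */
}

/* Hardened path: same sequence, but every use goes through a generation-checked handle. */
int uaf_hardened(void) {
    slab_t slab;
    slab_init(&slab);
    int idx = slab_alloc(&slab);
    window_t *w = slab_ptr(&slab, idx);
    w->on_event = legit_handler;
    w->id = 7;
    handle_t ref = slab_handle(&slab, idx);  /* what the second owner keeps instead of a pointer */
    slab_free(&slab, idx);

    int reclaimed = slab_alloc(&slab);
    window_t controlled = { attacker_handler, 0x41414141 };
    memcpy(slab_ptr(&slab, reclaimed), &controlled, sizeof controlled);

    window_t *obj = slab_lookup(&slab, ref);
    if (!obj) return -1;                     /* stale reference detected, nothing is called */
    return obj->on_event(1);
}

int main(void) {
    printf("vulnerable: on_event(1) returned %#x (attacker handler ran)\n", uaf_vulnerable());
    printf("hardened:   lookup result %d (stale handle refused)\n", uaf_hardened());
    return 0;
}
```

The vulnerable path returns `1 ^ 0x1337` because the call goes through the function pointer the attacker planted; in a real kernel that pointer is what becomes the read/write primitive the posts describe. The generation check is one of several ways to close the window (reference counting and not keeping the second pointer at all are others); what matters is that the stale reference is validated against the object's current lifetime before it is used.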
OS Dev (@OSdev_):
One unchecked integer multiplication can own the entire Windows kernel. In CVE-2024-30088, an integer overflow caused the kernel to allocate a smaller buffer than required while continuing to process it as if it were large enough. The resulting out-of-bounds write let attackers corrupt kernel memory, build arbitrary read/write primitives, and ultimately replace their process token with the SYSTEM token. github.com/tykawaii98/CVE…
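The CVE-2023-21768 and CVE-2024-30088 posts above describe the same bug class: an unchecked multiplication wraps, the kernel allocates a buffer sized by the wrapped product, and then keeps processing as if the buffer matched the caller's count. The following is an added example, not code from either write-up or from the CLFS or NT kernel, modelling that pattern in one process: a vulnerable size computation next to an overflow-checked one, and a toy "pool" in which an adjacent object sits right after the buffer so the overrun shows up as corruption instead of a crash. The heap size, the token value and the `process_records` routine are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 64   /* toy pool: the buffer first, an adjacent object right after it */

/* Vulnerable size computation: the 32-bit product silently wraps. */
uint32_t vuln_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Hardened: refuse the request if the product does not fit in 32 bits. This is
 * the same intent as RtlSizeTMult or __builtin_mul_overflow, written portably. */
bool safe_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

/* Simulates a routine that sizes a buffer from caller-controlled (count, elem_size)
 * and then fills it for `count` elements. Returns 1 if the adjacent object was
 * corrupted, 0 if it is intact, -1 if the request was refused. */
int process_records(uint32_t count, uint32_t elem_size, bool hardened) {
    static const uint32_t TOKEN = 0xC0FFEE11u;   /* stands in for a neighbouring kernel object */
    uint8_t heap[HEAP_SIZE];
    uint32_t alloc_size;

    if (hardened) {
        if (!safe_alloc_size(count, elem_size, &alloc_size)) return -1;
    } else {
        alloc_size = vuln_alloc_size(count, elem_size);
    }
    /* Keep the toy pool small: any sane request in this demo is under half of it. */
    if (alloc_size > HEAP_SIZE / 2) return -1;

    memset(heap, 0, sizeof heap);
    memcpy(heap + alloc_size, &TOKEN, sizeof TOKEN);   /* adjacent object directly after the buffer */

    /* The fill loop trusts `count`, not `alloc_size`: this is the bug pattern.
     * The write is clamped to the toy pool so the demo stays in-process. */
    uint64_t bytes_wanted = (uint64_t)count * elem_size;
    size_t to_write = bytes_wanted > HEAP_SIZE ? HEAP_SIZE : (size_t)bytes_wanted;
    memset(heap, 0x41, to_write);

    uint32_t after;
    memcpy(&after, heap + alloc_size, sizeof after);
    return after != TOKEN;
}

int main(void) {
    uint32_t count = 0x40000001u, elem = 4;   /* 0x40000001 * 4 = 0x100000004, wraps to 4 */
    printf("benign  (3 x %u):          vulnerable=%d hardened=%d\n",
           elem, process_records(3, elem, false), process_records(3, elem, true));
    printf("wrapped (%#x x %u): alloc_size=%u vulnerable=%d hardened=%d\n",
           count, elem, vuln_alloc_size(count, elem),
           process_records(count, elem, false), process_records(count, elem, true));
    return 0;
}
```

With the wrapped input the vulnerable path allocates 4 bytes and then writes far past them, clobbering the adjacent object; the hardened path refuses the request before any allocation happens. The check has to sit on the size computation itself, because every later bounds check in the routine is already reasoning about the wrong number.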
OS Dev (@OSdev_):
CVE-2021-1732 is a great example of how a tiny logic bug can compromise the entire Windows kernel. During "NtUserCreateWindowEx()", an attacker abuses a user-mode callback to confuse "win32k.sys" about a window's "cbWndExtra" and "pExtraBytes" fields. This type confusion turns "SetWindowLongPtr()" into an arbitrary kernel read/write primitive, allowing the attacker to overwrite the current process token with the SYSTEM token and gain full privileges. safe.security/wp-content/upl…
IIT (BHU), Varanasi (@IITBHU_Varanasi):
IIT (BHU) students have completed the institute’s first-ever silicon tape-out! Primarily led by second-year B.Tech students from the Department of Electronics Engineering, the team designed a 64-point FFT Hardware Accelerator chip in just 5 months using the SKY130 process and submitted it for fabrication through the Tiny Tapeout MPW Shuttle Program. FFT technology is a key component in modern communication systems, AI applications, medical imaging, GPS, radar, and multimedia platforms, making this achievement a significant step in hands-on semiconductor innovation. A landmark accomplishment for undergraduate research, indigenous chip design, and India’s journey towards technological self-reliance. #IITBHU #Semiconductors #ChipDesign #VLSI #AtmanirbharBharat
OS Dev (@OSdev_):
@S2SmeX zipcpu blogs are incredible!
OS Dev (@OSdev_):
In the Windows kernel, when an interrupt, syscall or context switch happens, the state of the CPU registers is stored on the thread's (KTHREAD) kernel stack. Below are those data structures. KTRAP_FRAME = snapshot of the CPU at kernel entry (trap/interrupt/syscall). KSWITCH_FRAME = snapshot of the thread state needed specifically for KiSwapContext to suspend and later resume that thread. Read more about thread management in Windows - medium.com/windows-os-int…
vivi (@meridi6n):
@OSdev_ My point was you can acq/rel the mutex at DISPATCH (incl. inside DPCs.) To test with DPC just do `KeSetTimerEx` with a DPC callback. It will be called by `KiIdleLoop` at IRQL 2.
OS Dev (@OSdev_):
In the Windows kernel, at high IRQLs you can use spinlocks but not mutexes. The reason is that the mutex structure holds ownership details, meaning mutexes only work with threads. At higher IRQLs (>= DISPATCH_LEVEL) there's no concept of threads. When we use KeWaitForSingleObject() on a thread, the scheduler puts this thread to sleep and runs another thread. The scheduler only handles threads, not interrupts. That's why there should be no blocking at higher IRQLs (mutexes, accessing paged data, etc.). Btw, the scheduler itself runs at DISPATCH_LEVEL. That's why thread-level activity is restricted to PASSIVE_LEVEL/APC_LEVEL.
OS Dev (@OSdev_):
@VazeKshitij Yesterday someone pointed out that it's an Intel Xeon and only the NICs are Indian-made, but I'm not sure if this is true.