Reversing: The Hacker's Guide to Reverse Engineering

Mutexes  A mutex (from mutually exclusive) is an object that can only be acquired by one thread at any given moment. Any threads that attempt to acquire a mutex while it is already owned by another thread will enter a wait state until the original thread releases the mutex or until it terminates. If more than one thread is waiting, they will each receive ownership of the mutex in the original order in which they requested it.

Semaphores  A semaphore is like a mutex with a user-defined counter that defines how many simultaneous owners are allowed on it. Once that maximum number is exceeded, a thread that requests ownership of the semaphore will enter a wait state until one of the threads releases the semaphore.

Critical Sections  A critical section is essentially an optimized implementation of a mutex. It is logically identical to a mutex, but with the difference that it is process private and that most of it is implemented in user mode. All of the synchronization objects described above are managed by the kernel's object manager and implemented in kernel mode, which means that the system must switch into the kernel for any operation that needs to be performed on them. A critical section is implemented in user mode, and the system only switches to kernel mode if an actual wait is necessary.
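As an added illustration (not code from the book), the following Python model shows the critical-section design just described: the uncontended path is a single non-blocking operation that stays in user mode, and a thread pays for a kernel-style wait only when the section is already owned by someone else. The class, its counters and the two demo functions are the model's own; the field comments borrow the real RTL_CRITICAL_SECTION member names (LockCount, OwningThread, RecursionCount) only as labels.

```python
import threading

class CriticalSectionModel:
    """Model of a Win32-style critical section: process-private lock word, non-blocking
    fast path, and a 'kernel wait' only on contention. Owner re-entry is allowed."""

    def __init__(self):
        self._lock_word = threading.Lock()  # stands in for LockCount
        self._owner = None                  # stands in for OwningThread
        self._recursion = 0                 # stands in for RecursionCount
        self.user_mode_enters = 0           # entries that never left user mode
        self.kernel_waits = 0               # entries that had to block
        self.waiting = threading.Event()    # test hook: set right before blocking

    def enter(self):
        me = threading.get_ident()
        if self._owner == me:               # recursive entry: no lock operation at all
            self._recursion += 1
            return
        if self._lock_word.acquire(blocking=False):  # fast path, user mode only
            self.user_mode_enters += 1
        else:                               # contended: this is the kernel wait
            self.waiting.set()
            self._lock_word.acquire()       # blocks like WaitForSingleObject would
            self.kernel_waits += 1
        self._owner, self._recursion = me, 1

    def leave(self):
        assert self._owner == threading.get_ident(), "leave() by non-owner"
        self._recursion -= 1
        if self._recursion == 0:
            self._owner = None              # clear ownership before releasing
            self._lock_word.release()

def uncontended_demo(n=1000):
    # One thread entering (recursively) and leaving n times never needs the kernel.
    cs = CriticalSectionModel()
    for _ in range(n):
        cs.enter(); cs.enter(); cs.leave(); cs.leave()
    return cs.user_mode_enters, cs.kernel_waits

def contended_demo():
    # Two threads: the second finds the section owned and must take the slow path.
    cs, order = CriticalSectionModel(), []
    def worker():
        cs.enter(); order.append("worker"); cs.leave()
    cs.enter()
    t = threading.Thread(target=worker); t.start()
    cs.waiting.wait(timeout=5)              # worker has reached the blocking wait
    order.append("main"); cs.leave(); t.join(timeout=5)
    return order, cs.user_mode_enters, cs.kernel_waits
```

The counters make the cost model visible: a thousand uncontended entries record zero waits, while a single contended entry records exactly one.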

Process Initialization Sequence

In many reversing experiences, I've found that it's important to have an understanding of what happens when a process is started. The following provides a brief description of the steps taken by the system in an average process creation sequence.

  1. The creation of the process object and new address space is the first
     step: When a process calls the Win32 API CreateProcess, the API
     creates a process object and allocates a new memory address space for
     the process.

  2. CreateProcess maps NTDLL.DLL and the program executable
     (the .exe file) into the newly created address space.

  3. CreateProcess creates the process's first thread and allocates stack
     space for it.

  4. The process's first thread is resumed and starts running in the
     LdrpInitialize function inside NTDLL.DLL.

  5. LdrpInitialize recursively traverses the primary executable's
     import tables and maps into memory every executable that is required
     for running the primary executable.


Windows Fundamentals 87