The Windows Process Journey — “ntoskrnl.exe” (NT Kernel & System)

Shlomi Boutnaru, Ph.D.


In general, “ntoskrnl.exe” is the kernel image of the Windows operating system. It contains both the executive and the kernel layers of Windows NT, which are responsible for memory management, process and thread handling, scheduling and (together with the HAL) hardware abstraction. In addition, “ntoskrnl.exe” hosts the Security Reference Monitor (SRM), the component that performs the access checks behind every handle open, as well as the cache manager, the object manager and more (https://en.wikipedia.org/wiki/Ntoskrnl.exe).

Overall, although the “Subsystem” field of the PE optional header of “ntoskrnl.exe” is set to “Native” (IMAGE_SUBSYSTEM_NATIVE), it is not linked against “ntdll.dll” the way user-mode native applications such as “smss.exe” or “csrss.exe” are, as shown in the import list in the screenshot below, which was taken using “PE Explorer” (https://github.com/zodiacon/PEExplorerV2). The kernel runs before, and independently of, any user-mode DLL, so “ntoskrnl.exe” needs a “static” copy of the C runtime (think about functions like “strcmp”, “strcpy”, “strcpy_s”, “strlen” and more), and it also exports those routines so that kernel drivers can import them from the kernel image, as shown in the screenshot below. For a reference implementation we can check out the ReactOS source code (https://github.com/reactos/reactos/tree/master/ntoskrnl).

Lastly, the functions exported by “ntoskrnl.exe” carry prefixes that indicate the component they belong to, which is very handy when reading a kernel stack trace or a crash dump. For example: “Io” (I/O manager), “Ke” (core kernel routines), “Kd” (kernel debugger support functions), “Ldr” (PE image loader support functions), “Mm” (memory manager), “Se” (security functions, i.e. the SRM), “Ob” (object manager), “Hal” (hardware abstraction layer), “Ps” (process management functions), “Nls” (native language support), “Rtl” (runtime library), “Ex” (executive support routines), “Nt”/“Zw” (system service entry points) and more (https://community.osr.com/t/meaning-of-the-function-prefices/21242). Note that the fastcall variants of some routines add an “f” to the prefix, for example “IofCallDriver” and “ObfDereferenceObject”.
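Both checks made above, the “Subsystem” field and the import list from the previous paragraph and the export prefixes from this one, can be reproduced without a GUI tool. The Python script below is an added example written for this writeup; it is not the author's code and not part of PE Explorer. It parses the PE headers with the standard library only, reports the subsystem, the imported DLLs and a per-prefix count of the exports, and, because a Windows kernel image is not available on every machine, builds a small constructed PE32+ sample whose contents are modelled on a real “ntoskrnl.exe” (no “ntdll.dll” among the imports, prefixed exports plus a couple of C runtime names) so that it runs offline. The sample import and export names, the script name pe_check.py and the “capital letter followed by lower-case letters” prefix heuristic are assumptions of the example.

```python
import re
import struct
import sys
from collections import Counter

# IMAGE_SUBSYSTEM_* values from the PE format specification (subset).
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 16: "WINDOWS_BOOT_APPLICATION"}
# Heuristic (assumption): a kernel export's component prefix is the leading capital letter plus
# the lower-case letters after it (IoCreateDevice -> "Io", RtlInitUnicodeString -> "Rtl").
PREFIX_RE = re.compile(r"^([A-Z][a-z]+)")

# Constructed sample content modelled on ntoskrnl.exe; not copied from a real binary.
SAMPLE_IMPORTS = ["hal.dll", "kdcom.dll", "pshed.dll"]
SAMPLE_EXPORTS = ["IoCreateDevice", "IoDeleteDevice", "KeBugCheckEx", "KdDebuggerEnabled",
                  "LdrFindResource_U", "MmMapIoSpace", "SeAccessCheck", "ObReferenceObjectByHandle",
                  "HalDispatchTable", "PsGetCurrentProcessId", "RtlInitUnicodeString",
                  "strlen", "_vsnprintf"]


def u16(d, o): return struct.unpack_from("<H", d, o)[0]
def u32(d, o): return struct.unpack_from("<I", d, o)[0]
def cstr(d, o): return d[o:d.index(b"\0", o)].decode("ascii", "replace")


def component_prefix(name):
    """'IoCreateDevice' -> 'Io'; C runtime names such as 'strlen' or '_vsnprintf' -> '(none)'."""
    m = PREFIX_RE.match(name)
    return m.group(1) if m else "(none)"


def parse_pe(data):
    """Return (subsystem value, imported DLL names, exported names) of a PE32/PE32+ image."""
    e_lfanew = u32(data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = u16(data, e_lfanew + 6), u16(data, e_lfanew + 20)
    opt = e_lfanew + 24                              # optional header follows the 20-byte file header
    subsystem = u16(data, opt + 68)                  # Subsystem sits at +68 in both PE32 and PE32+
    dirs = opt + (112 if u16(data, opt) == 0x20B else 96)   # data directories start (PE32+ vs PE32)
    sec_hdr = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_hdr + 40 * i + 8) for i in range(nsec)]

    def rva_to_off(rva):                             # translate an RVA through the section table
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x is outside every section" % rva)

    exports, imports = [], []
    exp_rva = u32(data, dirs)                        # directory 0: export table
    if exp_rva:
        ed = rva_to_off(exp_rva)
        n_names, names = u32(data, ed + 24), rva_to_off(u32(data, ed + 32))
        exports = [cstr(data, rva_to_off(u32(data, names + 4 * i))) for i in range(n_names)]
    imp_rva = u32(data, dirs + 8)                    # directory 1: import table
    if imp_rva:
        desc = rva_to_off(imp_rva)
        while u32(data, desc + 12):                  # IMAGE_IMPORT_DESCRIPTOR.Name; list ends with zeros
            imports.append(cstr(data, rva_to_off(u32(data, desc + 12))))
            desc += 20
    return subsystem, imports, exports


def summarize(data):
    """Subsystem name, imported DLLs and a per-prefix count of the exported names."""
    subsystem, imports, exports = parse_pe(data)
    return {"subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)), "imports": imports,
            "prefixes": dict(Counter(component_prefix(n) for n in exports))}


def build_sample_pe(subsystem, imports, exports):
    """Build a minimal PE32+ image for offline testing (constructed sample, not a real kernel).
    One section at RVA 0x1000 / file offset 0x200 holds the export and import tables."""
    sec_rva, raw_off, body = 0x1000, 0x200, bytearray()

    def put(blob, align=1):                          # append to the section data, return its RVA
        body.extend(b"\0" * (-len(body) % align))
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    n = len(exports)
    name_rvas = [put(e.encode() + b"\0") for e in exports]
    funcs = put(struct.pack("<%dI" % n, *([0x2000] * n)), 4)   # placeholder code RVAs
    names = put(struct.pack("<%dI" % n, *name_rvas), 4)
    ords = put(struct.pack("<%dH" % n, *range(n)), 4)
    img_name = put(b"sample.exe\0")
    export_dir = put(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, img_name, 1, n, n, funcs, names, ords), 4)
    dll_rvas = [put(d.encode() + b"\0") for d in imports]
    import_dir = put(b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in dll_rvas) + bytes(20), 4)

    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                # e_lfanew at 0x3C -> 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # AMD64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<QII", opt, 24, 0x140000000, 0x1000, 0x200)  # ImageBase, section/file alignment
    struct.pack_into("<IIIH", opt, 56, sec_rva + len(body), raw_off, 0, subsystem)  # ..., Subsystem
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<IIII", opt, 112, export_dir, 40, import_dir, 20 * (len(imports) + 1))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(body), sec_rva, len(body), raw_off,
                          0, 0, 0, 0, 0x40000040)                 # readable, initialized data
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(headers) + b"\0" * (raw_off - len(headers)) + bytes(body)


if __name__ == "__main__":
    # On Windows: python pe_check.py C:\Windows\System32\ntoskrnl.exe ; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(1, SAMPLE_IMPORTS, SAMPLE_EXPORTS)
    for key, value in summarize(data).items():
        print(key, value)
```

Pointed at a real kernel image on a Windows host, the script should report NATIVE, an import list without “ntdll.dll” and an export list dominated by the prefixes listed above. Two things to keep in mind when reading its output: under this simple heuristic the fastcall variants such as “IofCallDriver” land in an “Iof” bucket of their own, and the C runtime routines the kernel exports for drivers (“strlen”, “_vsnprintf” and friends) land in the “(none)” bucket, which is exactly the static CRT copy discussed above.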

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
