Windows Native Mode And Native Shell
Intro
Native Shell is a program for experimenting with the Native API mode of Windows. Native mode is the early boot phase, before the Win32 subsystem and the login screen come up, in which the boot-time chkdsk (autochk.exe) runs to check and repair errors on the system partition. Visually, native mode is the blue text screen (blue in Windows XP, a different color in other versions of Windows) that appears before the Windows login screen.
Documentation
https://github.com/amdf/NativeShell - A shell for Windows Native Mode
https://searchcode.com/codesearch/view/78419172/ - Native NT Toolkit (contains the header files needed to access NTDLL), by Alex Ionescu
native-nt-toolkit - A set of headers, libraries and sample source code for writing Windows Native Applications
Three Steps Down the Stairs: From Win32 User-Land through Native API to Kernel, by Alex Ionescu
Native Thread Injection | Into the Session Manager Subsystem
Tips and Tidbits
So what's a native application?
Source: NativeRegMod
An excellent description can be found by Mark at Sysinternals: http://technet.micro...s/bb897447.aspx
In short, it is an application you can configure to run before the Win32 subsystem is loaded, similar to autochk.exe.
What this means is that we can halt the Windows boot while in native mode (NT) and do whatever we programmed our native app to do.
To give an idea of roughly when this occurs during boot: it is right after the system thread has finished phase 1 (executive and kernel initialization considered complete) and the session manager (smss.exe) has been started.
In fact, it is smss.exe that starts configured native applications. It does so by reading the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
However, at this stage no registry hives other than SYSTEM have been loaded.
Only two processes are running (System and smss).
Csrss comes into play later, when the subsystem is loaded.
For this reason, a native application cannot use the Windows API (kernel32.dll etc.), but must use the NT API (ntdll.dll).
So it has some similarity to kernel-mode coding, though native apps actually run in user mode, almost right after user mode has been created.
But since it is compiled with subsystem=native, it will not be possible to run it like other exe's (when the Win32 subsystem is loaded).
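The two facts above that matter for a defender are that smss.exe launches whatever BootExecute lists before any Win32 process exists, and that such an image must be linked with subsystem=native. As an added example (not code from NativeShell, from the NativeRegMod text quoted above, or from any of the linked projects), the following Python decodes a BootExecute value as it is stored in the SYSTEM hive (REG_MULTI_SZ), flags every entry beyond the stock "autocheck autochk *", and parses the PE optional header of each referenced image to check its Subsystem field against IMAGE_SUBSYSTEM_NATIVE. The hive bytes, the image names (nativeshell, persist.exe) and the PE headers it works on are constructed test data; on a live system you would read the value from the Session Manager key and the images from %SystemRoot%\System32, where native applications are normally installed.

```python
"""Audit a Session Manager BootExecute value offline.

Added example; not code from NativeShell or from the NativeRegMod text above.
The value lives at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute
(note the space in "Session Manager") and is REG_MULTI_SZ: UTF-16LE strings
separated by NUL and terminated by a double NUL. smss.exe runs each entry before
the Win32 subsystem exists, so each image must be linked with subsystem=native.
All hive bytes, image names and PE headers below are constructed test data.
"""
import struct

IMAGE_SUBSYSTEM_NATIVE = 1        # what a subsystem=native link produces
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
STOCK_ENTRIES = {"autocheck autochk *"}   # the default value on a clean install


def parse_multi_sz(raw: bytes) -> list[str]:
    """Decode REG_MULTI_SZ bytes into the list of non-empty strings."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def build_multi_sz(entries: list[str]) -> bytes:
    """Inverse of parse_multi_sz; used here only to construct sample data."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")


def pe_subsystem(image: bytes) -> int:
    """Return the Subsystem field of a PE image's optional header.

    Offset 68 holds Subsystem in both the PE32 (0x10B) and PE32+ (0x20B)
    optional header layouts: PE32+ widens ImageBase to 8 bytes and drops
    BaseOfData, which cancel out.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20           # skip signature and 20-byte COFF header
    if len(image) < opt + 70:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return struct.unpack_from("<H", image, opt + 68)[0]


def make_test_image(subsystem: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header, just enough for pe_subsystem(); not a runnable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\x00\x00" + bytes(20)
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)


def audit_boot_execute(raw_value: bytes, images: dict[str, bytes]) -> list[str]:
    """Return one finding per non-stock BootExecute entry.

    `images` maps an image name as written in the entry to its file bytes;
    on a live system it would be read from %SystemRoot%\\System32.
    """
    findings = []
    for entry in parse_multi_sz(raw_value):
        if entry in STOCK_ENTRIES:
            continue
        tokens = entry.split()         # first token is the image, the rest are its arguments
        if not tokens:
            continue
        name = tokens[0]
        image = images.get(name)
        if image is None:
            findings.append(f"{entry!r}: image {name} not found in System32")
            continue
        try:
            subsystem = pe_subsystem(image)
        except ValueError as err:
            findings.append(f"{entry!r}: image {name} is not a valid PE ({err})")
            continue
        if subsystem == IMAGE_SUBSYSTEM_NATIVE:
            findings.append(f"{entry!r}: non-stock native image {name} runs before Win32 starts; confirm it is expected")
        else:
            findings.append(f"{entry!r}: image {name} has subsystem {subsystem}, not native, which BootExecute entries must be")
    return findings


# Constructed sample: the stock entry, a legitimate native tool, and a Win32
# console binary someone has added for persistence.
SAMPLE_VALUE = build_multi_sz(["autocheck autochk *", "nativeshell", "persist.exe /q"])
SAMPLE_IMAGES = {
    "nativeshell": make_test_image(IMAGE_SUBSYSTEM_NATIVE),
    "persist.exe": make_test_image(IMAGE_SUBSYSTEM_WINDOWS_CUI, pe32plus=True),
}

if __name__ == "__main__":
    for finding in audit_boot_execute(SAMPLE_VALUE, SAMPLE_IMAGES):
        print(finding)
```

Both kinds of finding are worth a look: a genuine native image here runs before every security product's user-mode components, so it is a strong persistence position, while a Win32 image here is either a misconfiguration or an attacker who did not read the note above about subsystem=native.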
© Roger Cruz - All rights reserved