计算机系信息处理实验室 leture1 concepts and tools 2005 spring 陈香兰

计算机系•信息处理实验室

Leture1 concepts and tools

2005 Spring

陈香兰

xlanchen@2005-2-25 Understanding the Inside of Windows2000

2计算机系信息处理实验室

Foundation Concepts and Terms

Win32 API

Services, Functions, and Routines

Processes, Threads, and Jobs

Virtual memory

Kernel Mode vs. User Mode

Objects & handles

…



Win32 API

REF2 and REF3

We will explain the internal behavior and implementation of key Win32 API functions

functions that cover areas such as processes, threads, memory management, security, I/O, windowing, and graphics

History: Win3.x



Services, Functions, and Routines [1,2,3 ]

Win32 API functions

CreatProcess, CreatFile, GetMessage, …

System services (or executive system services)

Native functions in the 2KOS that are callable from user mode

Similar to: system call (int 0x80, int 0x2e)

NtCreateProcess, NtWriteFile



Example:

NtWriteFile:

mov eax, 0x0E ; build 2195 system service

; number for NtWriteFile

mov ebx, esp ; point to parameters

int 0x2E ; execute system service trap

ret 0x2C ; pop parameter of stack and

; return to caller



Services, Functions, and Routines [1,2,3]

Kernel support functions (or routines)

Subroutines inside the kernel-mode

ExAllocatePool (for device driver to allocate memory from the 2K system heaps )

Win32 services

Processes started by the Windows 2000 service control manager



Services, Functions, and Routines [1,2,3]

DLL (dynamic-link library)

A set of callable subroutines linked together as a binary file that can be dynamically loaded by applications that use the subroutines

Example: Msvcrt.dll (C 运行时库 ), Kernel32.dll (Win32 API 子系统库之

一 )

Advantages: sharable



Processes, Threads, and Jobs [1,2,3,4]

Program VS. Process

A process include ???




A 2K Process

A private Virtual address space

An executable program

A list of open handles to various system resources, such as semaphores, communication ports, and files, that are accessible to all threads in the process

A security context

Process id

At least one thread of execution




A process and its resources




Thread: the entity within a process that Windows 2000 schedules for execution

Hardware Context

Two stacks

Thread-local-storage

Thread id

…

Threads of the same process share its resources

Shared memory section

Context of a thread



Virtual memory [1,2,3,4]

Linear 32bit address space = 4GB




Mapping to physical memory




What if physical memory > virtual memory

AWE for 32bit virtual address space

<=64GB

The long-term solution: 64bit



Kernel Mode vs. User Mode

2K uses two processor access modes

Kernel mode and user mode

I386 supports 4 modes

0Kernel mode

3User mode

User mode Kernel mode

Demo



Objects & handles

An object is a single, run-time instance of a statically defined object type

An object type comprises a system-defined data type, functions that operate on instances of the data type, and a set of object attributes.

Object attribute, Object methods

Example: process, thread, file, event

Handles: references to an instance of an object



Others

Security

supports C2-level security as defined by the U.S. Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD, December 1985)

Registry

A system database

the information required to boot and configure the system, systemwide software settings, the security database, and per-user configuration settings



Unicode (16bit)

Two versions of Win32 function: unicode(16bit) and ANSI(8bit)



Tools for Viewing Windows 2K Internals

Page 11-16



Thank you!

计算机系 信息处理实验室 leture1 concepts and tools 2005 spring 陈香兰

Documents

计算机系信息处理实验室 leture1 concepts and tools 2005 spring 陈香兰