ch. 2 windows 系統總述

Ch. 2 Windows Team 1995202072 995202076 995202091 995292098 985302024 965302018 995202068 995202093

IntroductionWindowsWRKWindows Research KernelWindowsWindowsWindows

*

Outline2.1 2.2 Windows2.3 Windows2.4 Windows2.5 2.6 *

Outline2.1 2.2 Windows2.2.1 Windows2.2.2 WindowsHAL

*/2.1 IPCIPC

Windows*

*WindowsNTDLL.DLL (Executive) () (HAL)Windows2.2 WindowsDLL

*DLLNTDLL.DLLAPI(LPC)I/O()Windows

() (HAL)2.3 Windows

Windows#1 API

*

Windows#2PreviousMode = KeGetPreviousMode ( );if ( PriviousMode != KernelMode ) {try {ProbeForWrite ( InputInformation,InputInformaitonLength,sizeof ( ULONG ));if ( ARGUMENT_PRESENT ( ReturnLength ) { ProbeForWriteUlong (ReturnLength ) ;}} except ( EXCEPTION_EXECUTE_HANDLER ) {return GetExceptionCode ( ) ;}}*

Windows#3*

Kernel mode4GB

User mode2GB0x7fff00000x7fffffff64KB0x000000000xffffffff

Windows#1HAL ()Windows

*

Windows#2 ()ntoskrnl.exemulti-processor => C*

Outline2.2 Windows2.2.2 Windows2.5 2.5.1 Windows

API (executive)ntoskrnl.exe5Windows API Windows DDK *

SRMI/O *

4#1 Windows , ,LPC Windows , ,RPC (Remote Procedure Call) *

4#2,(),()*

Windows Windows (ETW, Event Tracing for Windows)*

Windows API *

Outline2.2 Windows2.2.2 WindowsPE/

.sysPE*

HALC(C++)Windows

*

(WDM) ()

*

WindowsI/OPnPWindows*

PnP

*

Windows Driver ModelWDMWindows 2000: (Plug-and-Play) (Power Options)Windows NTWindows Driver Model (WDM)Windows 2000Windows NT 4

*

WDMWDM: Bus Driver Function Driver Filter Driver *

(bus controller)(adapter)(bridge)PCISCSIUSBFireWireVMEbus MultibusFuturebus

*

(I/OSCSI PassThru)*

()orI/O()andSystem Original Equipment Manufactures (OEMs)orIndependent Hardware Vendors (IHVs) *

PEPE(Portable Executable)Windows NT32Windows NT(x86MIPSAlpha )WindowsIntelWindows NTWindows 9xPEPE

*

PEPECOFF(Common Object File Format)UnixWindows(.exe)(.obj) (.dll)(.sys)PE64PEPE32+32PEPE3232PE*

PE*0PEPE\0\0COFFPEDOSPE(FileSize)-1

1/3I/OI/O:*I/OI/OI/O

2/3WindowsNTFS (New Technology File System) WindowsFAT (File Allocation Table)DOS*

3/3WindowsI/OWindows:I/OWindows(FltMgr)I/OFltMgr*

1/3(partition)(volume)()

*

2/3Windows

*

3/3WDMPnP

*PnP

Outline2.2 Windows 2.2.2 Windows 2.2.3 Windows

Windows Windows API *

API APIWindows WinsockWinInet APInamed pipemailslot(DLL)DLLI/O

*

WinsockWindows API DLL ws2_32.dll TCP/IPIPX/SPXAppleTalk ATM afd.sys

*

Transport Driver Interface API afd.sysTDITDI I/O API TDI TDI TDI *

NDIS NDISNetwork Driver Interface Specification NDIS NDIS Windows NDIS ndis.sys NDIS *

TDI * API TDITDITDINDISNDIS ndis.sys

Windows OS/2POSIXWindows Win32Windows Windows*

Windows -win32k.sys(GDI)*

Windows -Windows (csrss.exe)(DLL) kernel32.dlluser32.dllgdi32.dll advapi.dll Windows API

*

Windows *

window classWindows

*

Windows GDIWindows *

1/4Windows Windows win32k.sys DDIENG win32k.sys *

3/4

*

4/4 Windows *

Outline2.3 WindowsWRK Windows

WRK? Windows XP x64 Windows Server 2003 SP1

Microsoft20067 WRKWindows Research KernelWindows 2011/5/4*

WRK(1/2)WRKLPCI/O APC() /DPC()

NT Windows WRK Windows NT Windows 2011/5/4*

WRK(2/2) CRKCurriculum Resource Kit Windows 15

WAPWindows Academic ProgramWindows Windows Internals 12 2011/5/4*

WRK(1/2)2011/5/4*

WRK(2/2)2011/5/4*

Windows(1/5)Intel x86(segment)(paging)Windows320~4GB

4GB2GB~4GB0~2GB2011/5/4*

Windows(2/5)*

Kernel mode4GB

User mode2GB0x7fff00000x7fffffff64KB0x000000000xffffffff

Windows(3/5)WindowsIntel x86 page fault2011/5/4*Two-Level Page-Table Scheme

Windows(4/5)2011/5/4*

Windows(5/5)2011/5/4*

(1/4)PTE2011/5/4*

(2/4) Windowssize

Windows2011/5/4*

(3/4)PTEPTE(page table entries)PTEPTEPTE2011/5/4*

(4/4)APIExAllocatePoolWithTagExFreePoolWthTag2011/5/4*

ProcessPDEexeDLLVADVirtual Address Descriptor2011/5/4*

PFN(Page Frame Number Database)PFNPFNPFNWindowsstandby

2011/5/4*

*Page Frame Database states of pages in physical memory

StatusDescriptionActive/validPage is part of working set (sys/proc), valid PTE points to itTransitionPage not owned by a working set, not on any paging list I/O is in progress on this pageStandbyPage belonged to a working set but was removed; not modifiedModifiedRemoved from working set, modified, not yet written to diskModified no writeModified page, will not be touched by modified page write, used by NTFS for pages containing log entries (explicit flushing)FreePage is free but has dirty data in it cannot be given to user process C2 security requirementZeroedPage is free and has been initialized by zero page threadBadPage has generated parity or other hardware errors

(1/2)(working set)Processprocessprocess 2011/5/4*

(2/2)balance set manager/process/stack swapper

/2011/5/4*

OutlineWRKWindows Research KernelWRKWRKWRK

WRK (1/5)WRK 1.2Win2K3 SP1(X86)WinXP x64 Professional(AMD64)Win2K3/WinXP()Visual Studio

*

WRK (2/5)()WRKVisual StudiopathWRK(WRKnmake-)pathtools\x86tools\amd64ntosnmake*

WRK (3/5)set path=C:\WRK-v1.2\tools\x86;%path%cd base\notsnmake -nologo x86=

set path=C:\WRK-v1.2\tools\amd64;%path%cd base\notsnmake -nologo amd64=*

WRK (4/5)(1)wrkx86.exewrkamd64.exeWRKbase\nots\BUILD\EXE*

WRK (5/5)*wrkx86.exe Kernelwrkx86.pdb Symbol File

WRK (1/5)WRKwrkx86.exewrkamd64.exewrkx86.exewrkamd64.exeC:\Windows\System32\*

WRK (2/5)(Hardware Abstraction Layer , HAL)()WRKlink -dump -all \WINDOWS\system32\hal.dll | findstr pdb

HALHALhalacpi.dll halacpim.dll ; ACPI PIC-based PC [used by VirtualPC] halaacpi.dll halmacpi.dll ; ACPI APIC-based PC [used by VMware]halapic.dll halmps.dll ; MPS*

WRK (3/5)(Hardware Abstraction Layer , HAL)HAL WRKWS03SP1HALS\x86HAL(halacpi.dll | halaacpi.dll | halapic.dll )C:\Windows\System32\*

WRK (4/5)boot.iniboot.iniboot.ini.bkboot.inimulti(0)disk(0)rdisk(0)partition(1)\WINDOWS=Windows WRK /kernel=wrkx86.exe /hal=halmacpi.dllmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS=Windows WRK /kernel=wrkx86.exe /hal=halmacpi.dll /debug /debugport=com1 /baudrate=115200

*

WRK (5/5)WRK*

WRK (1/5)(Debugging and Development)Virtual PCVM WareMicrosoft WinDGBWindows Symbol Packages ( wrkx86.pdb | wrkamd64.pdb)

*Virtual MachineLocalhostNamed Pipe

WRK (2/5)VM WareSettings Configuration Editor Add Hardware Wizard Serial Port Output to named pipe*

WRK (3/5)WinDGB"D:\Program Files\Debugging Tools for Windows\windbg.exe" -b -k com:pipe,port=\\.\pipe\com_1,baud=115200,reconnect -y C:\WRK-v1.2\ base\nots\BUILD\EXE;srv* C:\WRK-v1.2\ base\nots\BUILD\EXE*http://msdl.microsoft.com/download/symbols -srcpath " C:\WRK-v1.2\ base "WinDBGKernelSymbolC:\WRK-v1.2\ base\nots\BUILD\EXEwrkx86.pdbwrkamd64.pdb*

WRK (4/5)WRKWinDGB()

Virtual MachineWRK 1.2 [debugger enabled]*

WRK (5/5)WinDGB()*int 3 go(F5)

WinDBGCTRL+BREAK

WinDGB

Outline2.4 Windows2.4.3(Process and Thread)WindowsWindows

process(1/2) (An Environment for program execution) (private virtual address space) (PCBProcess Control Block (Access token)

*

process(2/2)ID(process ID)ID*

Thread (The entity within a process that can be scheduled for execution)(call stack)ID(thread ID)*

User modeKernel mode

*

KernelKeAttachProcess/KeStackAttachProcessPspCreateThread, PspCreateProcess*

PspCreateThread ETHREAD* T7ETHREAD

PspCreateProcess EPROCESS*. P1 P2 P3 T1T2T3T4T6T5 P4EPROCESS

Thread Scheduling (Preemptive) (base priority) (priority)0: 1~15: 16~31: *

*

Win32 process class prioritiesWin32 thread prioritiesReal timeHighAbove NormalNormalBelow normalIdleTime critical311515151515Highest2615121086Above normal251411975Normal241310864Below normal23129753Lowest22118642Idle1611111

System ExQueueWorkItemI/OIoQueueWorkItem (System worker thread)*

(System worker thread)Windows*

/ PsCreateSystemThread *

(Idle) 1ID 0(processor)kernelthread

*

System2 ID4kernel modesystem threadPsCreateSystemThreadthread*

(Session manager, smss.exe)3user mode processWindows csrss.exe winlogon.exe (terminal server session)csrss.exewinlogon.exe*

(winlogon.exe)4 Crtrl+Alt+Del (SAS, )winlogonSASwinlogon*

Windows(csrss.exe)5processthread*

Windows DLL PspCreateProcess

*

WindowsWindows(csrss.exe)Kernel modeUser mode*

(lsass.exe)6(Event Log)*

Shell(explore.exe)7 Windowsshell*

(services.exe)8 WindowsWindows*

Outline2.4 Windows (PDF)2.4.1 2.4.4 2.4.5

Thanks *

*WindowsLinux : IPC ( inter-process communication )

*()Plug-and-play=>/=>*()Plug-and-play=>/=>*Plug-and-play=>/=>*OS* => => 4GB => => 2GB -> ->

Windows:UnixOS/2 : : *Windows: => => : API => Ntoskrnl.exe : OS NTDLL.DLL : user modekernel mode

*user modekernel modeInputInformaiton ReturnLengthProbeforwrite ProbeforwriteulongTheARGUMENT_PRESENTmacro takes an argument pointer and returns FALSE if the pointer is NULL, TRUE otherwise.http://www.osronline.com/ddkx/kmarch/k106_4t6a.htm

** : : : :

***I/O

*WDMPnPPnP

* Windows Windows Windows API** Windows NDIS Network Driver Interface Specification NDIS NDIS Windows NDIS ndis.sys NDIS * Windows NT OS/2POSIX Windows Win32Windows Windows Windows XP Windows Windows *Windows win32k.sys I/O GDI

* Windows csrss.exeDLL Csrss.exe DLL kernel32.dlluser32.dllgdi32.dll advapi.dll Windows API

Process ProcessThread processThreadsCodeData SectionOS Resources Thread Process , Process -----Threads Resources, Threads Process (Dynamic Object)*windows Windows Windows

* / Windows

* Windows

*Windows Windows 1. GDI2.Windows

*Windows Windows win32k.sys DDIENG win32k.sys

*

* Windows

*VAD

*WindowsPFNPage Frame Number Database* ?Windows**

ch. 2 windows 系統總述

Documents