Chapter 2 Windows System Overview

Chapter 2 Windows System Overview, Team 1 (page 17 ~ page 56)

Upload: shira

Post on 23-Feb-2016


DESCRIPTION

Team 1 (page 17 ~ page 56): 100522084 劉書銘, 100522030 蔡昀昇, 100522011 楊善雯, 100522045 宋貫綸, 100522037 黃惠慈, 100522006 賀振坤, 100522017 賴佑東, 100582012 陳禹任, 100582013 張閎翰, 100522608 陳書瑜, 100522033 馬萬鐸, 100522072 萬惠雯. Chapter 2 Windows System Overview. PowerPoint PPT presentation.

TRANSCRIPT


Slide 1: Chapter 2 Windows System Overview, Team 1 (page 17 ~ page 56)
Presenters: 100522084 100522030 100522011 100522045 100522037 100522006 100522017 100582012 100582013 100522608 100522033 100522072
Chapter outline: 2.1, 2.2 Windows, 2.3 Windows, 2.4 Windows, 2.5 Windows, 2.6 Windows

Slide 2, outline of this presentation:
2.1
2.2 Windows
2.2.1 Windows
2.2.2 Windows
2.2.3 Windows
2.3 Windows
2.4 Windows
2.5 Windows

Presenter 100522006: sections 2.1, 2.2, 2.5 and 2.5.1 (textbook pages 17, 18, 53, 54, 55, 56; slides 3-8)
Slide 3 note: 2.1 !! 2.5 P.53 PPT 34

2.1 (slides 4-8)
Slide 4: Windows compared with Linux.
Slides 5-7: IPC (inter-process communication) in the two systems.

2.2.1 Windows (presenter 100522033, textbook pages 19-22; slides 9-12)
Slide 10: Windows is divided into user mode and kernel mode. User-mode code reaches the kernel through the system DLL, NTDLL.DLL. Kernel mode is layered, from the hardware upward: the Hardware Abstraction Layer (HAL), the (micro)kernel layer, and the Executive layer.
Slide 11: the Windows layer diagram.
Slide 12: the same diagram with its kernel-mode components: the Executive (exporting the API, with LPC, I/O and the other managers), the kernel, and the HAL; user-mode programs enter through the Windows API and NTDLL.DLL.

Slides 13-14: how a system service in the Windows kernel validates a pointer that arrived from user mode (code shown from the WRK source):

    PreviousMode = KeGetPreviousMode();
    if (PreviousMode != KernelMode) {
        try {
            ProbeForWrite(InputInformation, InputInformationLength, sizeof(ULONG));
            if (ARGUMENT_PRESENT(ReturnLength)) {
                ProbeForWriteUlong(ReturnLength);
            }
        } except (EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }
    }

KeGetPreviousMode() reports whether the caller was user mode or kernel mode. Only user-mode callers are probed: ProbeForWrite checks that the buffer is correctly aligned and lies entirely inside the user-mode address range, and raises an exception otherwise, which the except block converts into the NTSTATUS returned to the caller. ARGUMENT_PRESENT takes an argument pointer and returns FALSE if the pointer is NULL, so the optional ReturnLength pointer is probed only when the caller supplied one. Without this check a user-mode program could hand the kernel a kernel address and have the service write into kernel memory on its behalf.

Slide 15: the 32-bit virtual address space. Kernel mode can address the full 4 GB.
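The checks behind that pattern, as an added example (this is a user-mode model, not the WRK's ProbeForWrite): it applies the alignment and user-range rules to a caller-supplied pointer and length, using the 32-bit x86 layout from the slides (user space below 0x80000000, with the top 64 KB from 0x7fff0000 reserved). The constants and function names are assumptions chosen to mirror the kernel's identifiers.

```c
/* Added example (not WRK code): a user-mode model of the checks that
 * ProbeForWrite performs before a system service touches a pointer that
 * arrived from user mode.  Constants model the 32-bit x86 layout the slides
 * describe: user space 0x00000000-0x7fffffff, of which the top 64 KB from
 * 0x7fff0000 is a no-access region; kernel space 0x80000000-0xffffffff. */
#include <stdint.h>
#include <stdio.h>

#define MM_USER_PROBE_ADDRESS        0x7fff0000u   /* models MmUserProbeAddress */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

typedef enum { KernelMode = 0, UserMode = 1 } processor_mode_t;
typedef uint32_t ntstatus_t;

/* Model of ProbeForWrite(Address, Length, Alignment).  The real routine raises
 * an exception; this model returns the NTSTATUS the except block would produce.
 * Length 0 is a no-op.  The end address is computed in 32 bits on purpose: a
 * length that wraps past 0xffffffff must be caught, otherwise Address=0x1000,
 * Length=0xfffff000 would make the "end" look like a small user address. */
ntstatus_t probe_for_write(uint32_t address, uint32_t length, uint32_t alignment)
{
    if (length == 0)
        return STATUS_SUCCESS;
    if (address & (alignment - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    uint32_t end = address + length;                 /* may wrap */
    if (end < address || end > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Model of the service pattern on the slide: probe only when the request came
 * from user mode.  Kernel-mode callers pass kernel pointers, which would
 * (correctly) fail the user-range check, so they are trusted instead.
 * return_length == 0 stands for a NULL optional pointer (ARGUMENT_PRESENT). */
ntstatus_t query_service_model(processor_mode_t previous_mode,
                               uint32_t information, uint32_t information_length,
                               uint32_t return_length)
{
    if (previous_mode != KernelMode) {
        ntstatus_t st = probe_for_write(information, information_length, sizeof(uint32_t));
        if (st != STATUS_SUCCESS)
            return st;
        if (return_length != 0) {
            st = probe_for_write(return_length, sizeof(uint32_t), sizeof(uint32_t));
            if (st != STATUS_SUCCESS)
                return st;
        }
    }
    /* A real service now fills the buffer inside try/except: the probe proves
     * the range is user-mode, not that the pages stay mapped while it writes. */
    return STATUS_SUCCESS;
}

int main(void)
{
    printf("user buffer:   0x%08x\n", query_service_model(UserMode, 0x00401000u, 256, 0));
    printf("kernel target: 0x%08x\n", query_service_model(UserMode, 0x80001000u, 4, 0));
    printf("from kernel:   0x%08x\n", query_service_model(KernelMode, 0x80001000u, 4, 0));
    return 0;
}
```

Two points the model makes explicit: the wrap-around case (a huge length added to a small user address) is rejected because the 32-bit sum is compared against the start address, and the probe is only a range check, which is why the real service still performs the copy under structured exception handling.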

User mode sees only the lower 2 GB, 0x00000000 to 0x7fffffff; the top 64 KB of that range, 0x7fff0000 to 0x7fffffff, is a no-access region, and the kernel's probe routines reject any user buffer that reaches into it. Kernel space occupies 0x80000000 to 0xffffffff.

2.2.2 Windows (HAL) (presenter 100582013, textbook pages 22-25; slides 16-23)
Slide 16: the kernel-mode layers, top to bottom: C. the Executive (exporting the API, with LPC, I/O and the other managers), reached from user mode through NTDLL.DLL; B. the kernel; A. the HAL.
Slide 17: A. the Hardware Abstraction Layer (HAL) hides platform-specific hardware differences from the kernel and the Executive; the HAL is a separate loadable module.

Slide 18, Table 2.1: the HAL variants shipped with Windows Server 2003 (Intel x86)
    Hal.dll         standard PC
    Halacpi.dll     ACPI PC
    Halapic.dll     APIC PC
    Halaacpi.dll    APIC ACPI PC
    Halmps.dll      multiprocessor PC
    Halmacpi.dll    multiprocessor ACPI PC
Slide 19: B. the kernel layer defines two families of kernel objects: dispatcher objects, which carry a signal state and can be waited on (event, mutant, semaphore, process, thread, queue, gate, timer), and control objects, which cannot be waited on (APC, DPC). C. the Executive is built on top of the kernel layer.

Slide 20: C. the Executive is the upper part of kernel mode, implemented in ntoskrnl.exe; it exports the API that NTDLL.DLL system services and drivers call.
  1) Windows API functions reach the Executive through system services; drivers use the interfaces documented in the Windows DDK.
Slides 21-23: Executive components named on the slides: the Security Reference Monitor (SRM), the I/O manager, and LPC (local procedure call); beneath them sit the kernel and the HAL.

2.2.2 Windows (PE and WDM) (presenter 100522017, textbook pages 25-29; slides 24-34)
Slide 24: what sits between ntoskrnl.exe and the HAL? Device drivers.
Slide 25: drivers are ordinary PE images written in C, like the rest of Windows; they are loaded into kernel mode next to ntoskrnl.exe and the HAL and use the .sys extension.
Slide 26: WDM (Windows Driver Model) drivers plug into the Windows I/O and Plug and Play (PnP) subsystems: the I/O manager delivers requests to the driver, and the PnP manager handles device arrival and removal.
Slides 27-28: WDM, the Windows Driver Model: PnP and I/O.
Slide 29: PE (Portable Executable) is the executable format introduced with 32-bit Windows NT. It is "portable" because Windows NT was designed for several CPU architectures, e.g. x86, MIPS and Alpha. On Intel hardware both Windows 9x and Windows NT use PE.
Slide 30: PE derives from COFF (Common Object File Format), the object format used on Unix; the C compiler emits COFF objects and the linker produces the PE image.
Slide 31: files in PE format on Windows: .exe, .obj (the COFF object form), .dll, .sys.
Slides 32-34: structure of a PE file.
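The header layout the PE slides describe, as an added example (not code from the page or the WRK): a bounds-checked reader that walks the DOS header, the PE signature, the COFF file header, the PE32 optional header and the first section header, run over a constructed minimal image. The structure names, the sample image and the error codes are assumptions for illustration.

```c
/* Added example (not from the page or the WRK): a bounds-checked reader for the
 * PE headers the slides describe, exercised on a constructed minimal PE32 image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_FILE_MACHINE_I386        0x014c   /* x86 */
#define IMAGE_FILE_MACHINE_R4000       0x0166   /* MIPS */
#define IMAGE_FILE_MACHINE_ALPHA       0x0184   /* Alpha AXP */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x010b   /* PE32 */
#define IMAGE_FILE_DLL                 0x2000

typedef struct {
    uint16_t machine, num_sections, characteristics;
    uint32_t entry_rva, image_base;
    char     first_section[9];        /* 8-byte name field, NUL-terminated here */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

const char *machine_name(uint16_t machine)
{
    switch (machine) {
    case IMAGE_FILE_MACHINE_I386:  return "x86";
    case IMAGE_FILE_MACHINE_R4000: return "MIPS";
    case IMAGE_FILE_MACHINE_ALPHA: return "Alpha";
    default:                       return "unknown";
    }
}

/* DOS header -> "PE\0\0" -> COFF header -> optional header -> section table.
 * Every offset read from the file (e_lfanew, SizeOfOptionalHeader,
 * NumberOfSections) is checked against len before it is used: trusting them
 * is how loaders and scanners end up with out-of-bounds reads.
 * Returns 0 on success, a negative code naming the failing header otherwise. */
int parse_pe(const uint8_t *buf, size_t len, pe_info_t *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;                                   /* DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20)
        return -2;                                   /* signature + COFF header */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -3;
    const uint8_t *coff = nt + 4;
    out->machine         = rd16(coff + 0);
    out->num_sections    = rd16(coff + 2);
    uint16_t opt_size    = rd16(coff + 16);
    out->characteristics = rd16(coff + 18);
    size_t opt_off = e_lfanew + 24;
    if (opt_size < 32 || len - opt_off < opt_size)
        return -4;                                   /* optional header */
    const uint8_t *opt = buf + opt_off;
    if (rd16(opt) != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        return -5;                                   /* only PE32 in this model */
    out->entry_rva  = rd32(opt + 16);
    out->image_base = rd32(opt + 28);
    size_t sect_off = opt_off + opt_size;
    if ((len - sect_off) / 40 < out->num_sections)
        return -6;                                   /* section table (40 bytes each) */
    memset(out->first_section, 0, sizeof out->first_section);
    if (out->num_sections > 0)
        memcpy(out->first_section, buf + sect_off, 8);
    return 0;
}

/* Constructed sample: the smallest PE32 image carrying every header the parser
 * reads (64-byte DOS header, signature, COFF header, 32-byte optional header,
 * one section header).  It is not loadable; it only exercises the parser. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    static const uint8_t coff[20] = {
        0x4c, 0x01, 0x01, 0x00,              /* Machine = i386, NumberOfSections = 1 */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* timestamp, symbol table, symbol count */
        0x20, 0x00, 0x02, 0x01 };            /* SizeOfOptionalHeader = 32, EXECUTABLE|32BIT */
    static const uint8_t opt[32] = {
        0x0b, 0x01, 0, 0,                    /* Magic = PE32, linker version */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* code/data sizes */
        0x00, 0x10, 0x00, 0x00,              /* AddressOfEntryPoint = 0x1000 */
        0, 0, 0, 0, 0, 0, 0, 0,              /* BaseOfCode, BaseOfData */
        0x00, 0x00, 0x40, 0x00 };            /* ImageBase = 0x00400000 */
    if (cap < 160)
        return 0;
    memset(buf, 0, 160);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                        /* e_lfanew: PE signature at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    memcpy(buf + 0x44, coff, sizeof coff);
    memcpy(buf + 0x58, opt, sizeof opt);
    memcpy(buf + 0x78, ".text", 5);          /* section header 0: Name */
    return 160;
}
```

The parser deliberately refuses images whose e_lfanew or optional-header size points past the end of the buffer rather than clamping them; a loader that silently reads past the buffer is the same bug a malformed-PE fuzzing campaign finds first.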

Slides 71-103: building and debugging the WRK (Windows Research Kernel)
Slide 71: MS-DOS; HAL file names used by the WRK build: halaacpim.dll; halaacpi.dll -> halmacpi.dll; halapic.dll -> halmps.dll.
Slides 72-74: WRK setup.
Slide 75: kernel debugging runs over a serial port; in a virtual machine the serial port is mapped to a named pipe, \\.\pipe\com1.
Slide 76: downloads: Windows Debug Tools http://msdn.microsoft.com/en-us/windows/hardware/gg463009; Windows SDK http://www.microsoft.com/en-us/download/details.aspx?id=8279; Windows Symbol Package http://msdn.microsoft.com/en-us/windows/hardware/gg463028
Slides 77-79: Windows SDK: http://www.microsoft.com/en-us/download/details.aspx?id=8279 (web installer) or http://www.microsoft.com/en-us/download/details.aspx?id=8442 (ISO); the SDK installs Debugging Tools for Windows.
Slides 80-86: WRK installation steps.
Slide 87: Visual C++ 2010 Redistributable; Windows SDK (10.0.30319).
Slides 88-91: Windows Symbol Packages.
Slides 92-103: WinDbg.
Slides 93-94: symbol setup: WinDbg needs symbols to show function names; point it at the Microsoft symbol server, e.g. set _NT_SYMBOL_PATH=http://msdl.microsoft.com/download/symbols (slide 95).
Slides 96-97: for the WRK itself the symbols are not on the Microsoft server; WinDbg needs the WRK's own wrkx86.exe and wrkx86.pdb.
Slides 98-99: starting a Kernel Debug session.
Slides 100-103: debugging the WRK in WinDbg.

2.4 Windows, 2.4.1 and 2.4.2 (presenter 100522045, textbook pages 43-46; slides 104-126)
Slide 104, 2.4.1: Intel x86 provides four privilege levels, rings 0 to 3. Windows uses only two of them: ring 0 for kernel mode and ring 3 for user mode.
Slide 105: when the CPU runs ring 0 code it is in kernel mode; when it runs ring 3 code it is in user mode.
Slide 106, 2.4.1: I/O; privileged instructions such as port I/O are available only at ring 0.
Slide 107, 2.4.1.
Slide 108: switching between the modes: a software or hardware interrupt enters kernel mode and iret/iretd returns; on Intel x86, system calls enter through sysenter and return through sysexit.
Slides 109-110: the path of a Windows API call: the application calls the Windows API, which calls NTDLL.DLL, which traps into the kernel (the Executive with its API, LPC and I/O components, then the kernel and the HAL).

Slide 110, 2.4.2: Intel x86 offers both segmentation and paging; Windows relies on paging and gives each 32-bit process a flat virtual address space of 0 to 4 GB.
Slide 111: the 4 GB is split in two: 0 to 2 GB for the process (user mode) and 2 GB to 4 GB for the system (kernel mode).
Slide 112, Windows address translation (1/3): on Intel x86 a virtual address is translated through a two-level page table.
Slide 113, address translation (2/3): a 32-bit virtual address splits into a page-directory index (10 bits), a page-table index (10 bits) and a page offset (12 bits); the upper 20 bits form the page number, the offset selects the byte inside the 4 KB page.
Slide 114, address translation (3/3): if the page-table entry for the address is not valid, the CPU raises a page fault and the memory manager resolves it (bringing the page in, or terminating the access).
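The translation on slides 112-114 as an added example (not from the page): a small simulation of the two-level Intel x86 page walk, with the present and user/supervisor bits that produce page faults and enforce the ring-0/ring-3 split of 2.4.1. Physical memory is a constructed array of five 4 KB frames and the table contents are assumptions; the real MMU also walks the accessed/dirty bits and large pages, which this model leaves out.

```c
/* Added example (not from the page): a simulation of the two-level x86 page
 * walk (10-bit directory index, 10-bit table index, 12-bit offset).  Physical
 * memory is a constructed array of 4 KB frames; the tables are assumptions. */
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SHIFT   12
#define PAGE_MASK    0xfffu
#define NUM_FRAMES   5
#define FRAME_WORDS  1024          /* 4096 bytes / 4 bytes per entry */

#define PTE_PRESENT  0x1u          /* bit 0: valid mapping */
#define PTE_RW       0x2u          /* bit 1: writable */
#define PTE_USER     0x4u          /* bit 2: accessible from ring 3 */

enum { XLATE_OK = 0, XLATE_NOT_PRESENT = 1, XLATE_PROTECTION = 2, XLATE_BAD_FRAME = 3 };

typedef struct { uint32_t pde_index, pte_index, offset; } va_parts_t;

/* Split a 32-bit virtual address into its three fields (slide 113). */
va_parts_t split_va(uint32_t va)
{
    va_parts_t p = { va >> 22, (va >> PAGE_SHIFT) & 0x3ffu, va & PAGE_MASK };
    return p;
}

static uint32_t phys[NUM_FRAMES * FRAME_WORDS];   /* simulated RAM, frames 0..4 */
static uint32_t cr3;                               /* physical address of the page directory */

static uint32_t *frame(uint32_t pa)
{
    return &phys[(pa >> PAGE_SHIFT) * FRAME_WORDS];
}

/* Check one PDE or PTE the way the MMU does: not present -> page fault;
 * supervisor page touched from ring 3, or write to a read-only page -> protection fault. */
static int check_entry(uint32_t entry, bool user_mode, bool write)
{
    if (!(entry & PTE_PRESENT)) return XLATE_NOT_PRESENT;
    if (user_mode && !(entry & PTE_USER)) return XLATE_PROTECTION;
    if (write && !(entry & PTE_RW)) return XLATE_PROTECTION;
    if ((entry >> PAGE_SHIFT) >= NUM_FRAMES) return XLATE_BAD_FRAME;
    return XLATE_OK;
}

/* Translate va to a physical address for an access from ring 0 (user_mode=false)
 * or ring 3 (user_mode=true).  Returns an XLATE_ code; *pa is set on success. */
int translate(uint32_t va, bool user_mode, bool write, uint32_t *pa)
{
    va_parts_t p = split_va(va);
    uint32_t pde = frame(cr3)[p.pde_index];
    int rc = check_entry(pde, user_mode, write);
    if (rc != XLATE_OK) return rc;
    uint32_t pte = frame(pde & ~PAGE_MASK)[p.pte_index];
    rc = check_entry(pte, user_mode, write);
    if (rc != XLATE_OK) return rc;
    *pa = (pte & ~PAGE_MASK) | p.offset;
    return XLATE_OK;
}

/* Constructed tables: frame 0 = page directory, frame 1 = page table for the
 * user range at 4 MB, frame 2 = page table for the kernel range at 2 GB,
 * frame 3 = a user data page, frame 4 = a kernel data page. */
void build_sample_tables(void)
{
    for (uint32_t i = 0; i < NUM_FRAMES * FRAME_WORDS; i++) phys[i] = 0;
    cr3 = 0u << PAGE_SHIFT;
    frame(cr3)[1]     = (1u << PAGE_SHIFT) | PTE_PRESENT | PTE_RW | PTE_USER;  /* 0x00400000-0x007fffff */
    frame(cr3)[0x200] = (2u << PAGE_SHIFT) | PTE_PRESENT | PTE_RW;             /* 0x80000000-0x803fffff */
    frame(1u << PAGE_SHIFT)[1] = (3u << PAGE_SHIFT) | PTE_PRESENT | PTE_RW | PTE_USER; /* 0x00401000 rw */
    frame(1u << PAGE_SHIFT)[2] = (3u << PAGE_SHIFT) | PTE_PRESENT | PTE_USER;          /* 0x00402000 ro */
    frame(2u << PAGE_SHIFT)[1] = (4u << PAGE_SHIFT) | PTE_PRESENT | PTE_RW;            /* 0x80001000 kernel */
}
```

The kernel-range page directory entry deliberately lacks PTE_USER, which is the whole mechanism behind "user mode sees only the lower 2 GB": ring 3 code that touches 0x80001000 gets a protection fault before the page table is even consulted.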

Slide 115: translation diagram.
Slide 116 (1/4): every mapped page is described by a PTE.
Slide 117 (2/4): Windows page size.
Slide 118 (3/4): PTEs (page table entries) hold the physical page number and the protection and state bits of the page.
Slide 119 (4/4): kernel memory is allocated from the system pools through the API ExAllocatePoolWithTag / ExFreePoolWithTag; the tag identifies the allocating component for debugging and leak tracking.
Slides 120-121: each process has its own page directory (PDEs); the process's exe and DLLs are mapped into its address space, and the reserved and committed ranges are tracked by VADs (Virtual Address Descriptors).
Slide 122: the PFN database (Page Frame Number database) has one entry per physical page frame and records the state of each frame.
Windows keeps frames that were removed from a working set but not modified on the standby list, from where they can be reclaimed cheaply or returned to the process that owned them.

Slides 123-124: Page Frame Database, states of pages in physical memory
    Status             Description
    Active/valid       Page is part of a working set (system or process); a valid PTE points to it
    Transition         Page not owned by a working set and not on any paging list; I/O is in progress on this page
    Standby            Page belonged to a working set but was removed; not modified
    Modified           Removed from a working set, modified, not yet written to disk
    Modified no-write  Modified page that will not be touched by the modified page writer; used by NTFS for pages containing log entries (explicit flushing)
    Free               Page is free but still has dirty data in it; cannot be given to a user process (C2 security requirement)
    Zeroed             Page is free and has been initialized by the zero page thread
    Bad                Page has generated parity or other hardware errors
The Free/Zeroed distinction is the object-reuse rule: a frame that still holds another process's data is never mapped into a user process until the zero page thread has cleared it.
Slide 124 (1/2): the working set of a process is the set of its pages currently resident in physical memory.

Each process has its own working set, and pages are trimmed from it when physical memory runs short.
Slide 125 (2/2): the balance set manager is a system thread that trims working sets and, together with the stack swapper, swaps out the kernel stacks of processes whose threads have been idle for a long time.

2.4.3 and 2.2.4 (presenter 100522084, textbook pages 36, 37, 46, 47, 48; slides 127-151)
Slide 127: a process is an environment for program execution. It owns a private virtual address space, a kernel-side control block (PCB, Process Control Block) and an access token that defines its security context.
Slide 128: PCB (Process Control Block): process state (new, ready, running, waiting, halted), the saved CPU registers (program counter, index registers, ...), CPU scheduling information, and I/O status (from Wikipedia).
Slide 129: every process has a unique process ID (PID).
Slide 130: a thread is the entity within a process that can be scheduled for execution; it has its own call stack and a thread ID (TID).
Slide 131: threads and processes.
Slide 132: user mode and kernel mode as seen by a thread.
Slide 133: processes P1 (T1), P2 (T2, T3) and P3 (T4, T5, T6). The kernel can switch to another process's address space with KeAttachProcess / KeStackAttachProcess; processes and threads are created by PspCreateProcess and PspCreateThread.
Slide 134: PspCreateProcess builds the EPROCESS structure.
Slide 135: a new process P4 gets its EPROCESS; PspCreateThread builds the ETHREAD structure.
Slide 136: a new thread T7 gets its ETHREAD. Thread scheduling is preemptive and priority driven: each thread has a base priority and a current priority in the range 0-31, where 0 is reserved for the system's zero page thread, 1-15 are the dynamic priorities, and 16-31 are the real-time priorities.

Slides 137-138: thread scheduling (diagrams).
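The priority-driven preemptive dispatcher the scheduling slides describe, as an added example (not code from the page or the WRK): 32 ready queues, one per priority, a summary bitmask of the non-empty queues, selection of the highest priority with FIFO order inside a priority, and the preemption test applied when a thread becomes ready. The names and the thread set are assumptions; the real kernel keeps per-processor queues and adds quantum and priority-boost rules that this model leaves out.

```c
/* Added example (not from the page): a model of the Windows dispatcher's
 * ready queues and preemption rule.  Names and thread ids are assumptions. */
#include <stdint.h>
#include <stdbool.h>

#define NUM_PRIORITIES 32
#define QUEUE_CAP      8

typedef struct {
    int      queue[NUM_PRIORITIES][QUEUE_CAP];  /* thread ids, FIFO per priority */
    int      head[NUM_PRIORITIES], count[NUM_PRIORITIES];
    uint32_t ready_summary;                     /* bit p set when queue p is non-empty */
    int      running_tid, running_priority;     /* -1 / 0 when the idle thread runs */
} dispatcher_t;

void dispatcher_init(dispatcher_t *d)
{
    for (int p = 0; p < NUM_PRIORITIES; p++) d->head[p] = d->count[p] = 0;
    d->ready_summary = 0;
    d->running_tid = -1;
    d->running_priority = 0;    /* priority 0: idle / zero page thread */
}

/* The band a priority falls in, as on slide 136. */
const char *priority_band(int priority)
{
    if (priority == 0) return "idle";
    if (priority <= 15) return "dynamic";
    return "real-time";
}

/* Put a thread on the ready queue for its priority.  Returns true when the new
 * thread outranks the running one, i.e. the dispatcher must preempt now (the
 * caller would then re-queue the running thread and call select_next). */
bool ready_thread(dispatcher_t *d, int tid, int priority)
{
    if (priority < 0 || priority >= NUM_PRIORITIES || d->count[priority] == QUEUE_CAP)
        return false;
    int slot = (d->head[priority] + d->count[priority]) % QUEUE_CAP;
    d->queue[priority][slot] = tid;
    d->count[priority]++;
    d->ready_summary |= 1u << priority;
    return d->running_tid != -1 && priority > d->running_priority;
}

/* Pick the next thread to run: the highest set bit of the summary, then the
 * oldest entry in that queue.  Returns -1 when nothing is ready (idle). */
int select_next(dispatcher_t *d)
{
    if (d->ready_summary == 0) {
        d->running_tid = -1;
        d->running_priority = 0;
        return -1;
    }
    int p = NUM_PRIORITIES - 1;
    while (!(d->ready_summary & (1u << p))) p--;
    int tid = d->queue[p][d->head[p]];
    d->head[p] = (d->head[p] + 1) % QUEUE_CAP;
    if (--d->count[p] == 0) d->ready_summary &= ~(1u << p);
    d->running_tid = tid;
    d->running_priority = p;
    return tid;
}
```

The summary bitmask is what makes selection O(1) regardless of how many threads are ready, which matters because select_next runs at DISPATCH_LEVEL on every context switch; it is also why a thread with a real-time priority always wins over the dynamic band.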

Slide 139: the Executive and the I/O manager hand deferred work to system worker threads with ExQueueWorkItem and IoQueueWorkItem.
Slide 140: system worker threads run inside the System process on behalf of Windows components.
Slide 141: the Windows system processes: Idle, System, the session manager (smss.exe), the logon process (winlogon.exe), the Windows subsystem process (csrss.exe), the local security authority (lsass.exe), the shell (explorer.exe) and the service control manager (services.exe).
Slide 142: on Windows 7, Ctrl+Alt+Del opens Task Manager, where these processes are visible.
Slide 143, [1] Idle: PID 0; one idle thread per processor, which the kernel runs when no other thread is ready.
Slide 144, [2] System: PID 4; a process that runs only in kernel mode. Its threads are created with PsCreateSystemThread, and the system worker threads live here.
Slide 145, [3] smss.exe, the Session Manager: the first user-mode process. It starts csrss.exe and winlogon.exe and, for each terminal server session, a separate csrss.exe and winlogon.exe.
Slide 146, [4] winlogon.exe: handles Ctrl+Alt+Del, the Secure Attention Sequence (SAS). Only winlogon receives the SAS, which is what lets the user trust that the logon prompt is genuine rather than a program imitating it.
Slide 147, [5] csrss.exe, the Windows subsystem process: manages processes and threads on behalf of the Win32 subsystem.
Slide 148, [6] lsass.exe: the local security authority subsystem; it also records security events in the Event Log.
Slide 149, [7] explorer.exe: the Windows shell.
Slide 150, [8] services.exe: the service control manager, which starts and supervises Windows services.

2.4.4 (presenter 100522011, textbook pages 49-50; slides 152-163)
Slide 153: interrupts, three points,

and exceptions, three points.
Slide 154: Interrupt Descriptor Table (IDT). The IDT must be properly initialized before the kernel enables interrupts. Each entry corresponds to an interrupt or exception vector and is an 8-byte descriptor, so the 256 vectors need at most 2048 bytes.
Slide 155: Interrupt Service Routine (ISR). Windows registers an ISR for each vector in the IDT: 1. the device raises an interrupt; 2. the CPU looks the vector up in the IDT and calls the ISR; 3. the ISR services the device.
Slide 156: Interrupt Request Level (IRQL): IRQL=0 PASSIVE_LEVEL; IRQL=1 APC_LEVEL (Asynchronous Procedure Calls); IRQL=2 DISPATCH_LEVEL (the dispatcher and Deferred Procedure Calls); IRQL=3~26 device interrupt levels; IRQL=27~31 the highest levels (profile, clock, inter-processor, power failure, high). Code running at a given IRQL can be interrupted only by a higher IRQL.
Slide 157: APCs run at APC_LEVEL in the context of a particular thread; I/O completion is delivered to the requesting thread this way.
Slide 158: DPCs run at DISPATCH_LEVEL; an ISR does the minimum and queues a DPC for the rest of the work; timer expiration is processed through DPCs.
Slide 159: interrupts, three points; exceptions, three points.
Slide 160: exceptions. The exception handler: 1. saves the state on the kernel-mode stack; 2. handles the exception by means of a high-level C function; 3. exits from the handler by means of the ret_from_exception() function.
Slide 161: kernel-mode exceptions: frame-based exception handlers and the exception dispatch procedure.
Slide 162: a frame-based exception handler is attached to a stack frame; when an exception occurs, the dispatcher walks the stack frames looking for a handler willing to take it.
Slide 163: user-mode exceptions: the exception is taken in kernel mode and then dispatched back into the process in user mode, where the process's frame-based handlers run.

2.4.5 (presenter 100522037, textbook pages 51-53; slides 164-185)
Slide 164: concurrency.

Synchronization (slide 164): threads that run concurrently and share data need synchronization.
Slide 165: normal thread code runs at IRQL PASSIVE_LEVEL (IRQL 0).
Slide 166: Windows uses IRQL itself as a synchronization mechanism (slide 167): raising the IRQL masks, on the current processor, every interrupt at or below that level, so code at a given IRQL cannot be interrupted by anything that runs at that level or lower. IRQL alone protects only against the current processor.
Slide 168 (IRQL 0): interlocked operations; on Intel x86 they use the lock prefix, which makes a single read-modify-write instruction atomic across processors.
Slide 169: the Windows interlocked functions.
Slide 170 (IRQL 0): Windows also provides 64-bit interlocked operations.
Slide 171 (IRQL 0): the spin lock. A spin lock busy-waits (spins) on the lock word. Acquiring it raises the IRQL to DISPATCH_LEVEL so the holder cannot be preempted by the scheduler, which is why a spin lock must be held only briefly. Variants: the queued spin lock and the in-stack queued spin lock, which hand the lock over in FIFO order and spin on a per-processor location rather than one shared word.
Slide 172 (IRQL 0): further locks.
Slide 173: below DISPATCH_LEVEL, i.e. at PASSIVE_LEVEL or APC_LEVEL, a thread is allowed to block, so the waitable kernel objects become available.
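The IRQL rules of slide 156 and the interlocked/spin-lock discipline of slides 168-173, as an added example (not code from the page or the WRK): a single-processor model that tracks the current IRQL, refuses the misuses the real kernel bugchecks on, and uses a C11 atomic exchange for the test-and-set that the x86 lock prefix provides. The routine names mirror KeRaiseIrql, KeLowerIrql, KeAcquireSpinLock and KeReleaseSpinLock but the code is a model and the deadlock detection is an assumption made for one processor.

```c
/* Added example (not from the page): a one-CPU model of IRQL and spin-lock
 * rules.  Names mirror kernel routines; behaviour is a model, not the WRK. */
#include <stdatomic.h>
#include <stdbool.h>

enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2, HIGH_LEVEL = 31 };

typedef struct { int irql; } cpu_t;                         /* per-processor IRQL */
typedef struct { atomic_int word; int old_irql; } kspin_lock_t;

/* KeRaiseIrql model: IRQL may only go up.  Asking to "raise" to a lower level
 * is the IRQL_NOT_GREATER_OR_EQUAL bug; the model returns false instead. */
bool raise_irql(cpu_t *cpu, int new_irql, int *old_irql)
{
    if (new_irql < cpu->irql) return false;
    *old_irql = cpu->irql;
    cpu->irql = new_irql;
    return true;
}

/* KeLowerIrql model: the counterpart rule, IRQL may only go down. */
bool lower_irql(cpu_t *cpu, int new_irql)
{
    if (new_irql > cpu->irql) return false;
    cpu->irql = new_irql;
    return true;
}

/* Interlocked increment: one atomic read-modify-write (lock xadd on x86). */
int interlocked_increment(atomic_int *target)
{
    return atomic_fetch_add(target, 1) + 1;
}

/* KeAcquireSpinLock model: legal only at IRQL <= DISPATCH_LEVEL; raises to
 * DISPATCH_LEVEL, then takes the lock with an atomic exchange.  On a single
 * processor a lock that is already held can never be released by anyone else,
 * so spinning would be a deadlock; the model reports it rather than hanging. */
bool acquire_spin_lock(cpu_t *cpu, kspin_lock_t *lock)
{
    int old;
    if (cpu->irql > DISPATCH_LEVEL) return false;
    if (!raise_irql(cpu, DISPATCH_LEVEL, &old)) return false;
    if (atomic_exchange(&lock->word, 1) != 0) {     /* busy: would spin here */
        lower_irql(cpu, old);
        return false;
    }
    lock->old_irql = old;
    return true;
}

/* KeReleaseSpinLock model: clear the word, then restore the caller's IRQL.
 * Releasing a lock that is not held, or from the wrong IRQL, is refused. */
bool release_spin_lock(cpu_t *cpu, kspin_lock_t *lock)
{
    if (cpu->irql != DISPATCH_LEVEL || atomic_load(&lock->word) == 0) return false;
    atomic_store(&lock->word, 0);
    return lower_irql(cpu, lock->old_irql);
}

/* Blocking on a dispatcher object is legal only below DISPATCH_LEVEL: at
 * DISPATCH_LEVEL or above the scheduler itself cannot run, so there is no
 * thread switch to wait through (the IRQL_NOT_LESS_OR_EQUAL class of bug). */
bool can_wait_on_dispatcher_object(const cpu_t *cpu)
{
    return cpu->irql < DISPATCH_LEVEL;
}
```

The two checks worth noticing are that a failed acquisition restores the caller's IRQL before returning, and that release refuses to run unless the processor is still at DISPATCH_LEVEL; a driver that lowers IRQL itself while holding a spin lock, or releases a lock it never took, is the usual origin of a crash reported later and somewhere else.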

Slide 174: the kernel's waitable synchronization objects are the dispatcher objects; every one of them begins with a DISPATCH_HEADER.
Slide 175: DISPATCH_HEADER holds the object type, the signal state, and the list head of the threads waiting on the object.
Slide 176: a wait block links a waiting thread to each object it is waiting on; the structure is KWAIT_BLOCK (slide 177).
Slide 178: wait blocks record the wait type: WaitAny (the wait is satisfied as soon as any one of the objects is signaled) or WaitAll (satisfied only when all of them are).
Dispatcher objects in Windows Server 2003:
Slide 179: the event; a WaitAny on an event is satisfied when the event is signaled.
Slide 180: the mutant, the kernel object behind the mutex.
Slide 181: the semaphore, and the queue (KQUEUE), which underlies I/O completion ports.
Slide 182: the remaining dispatcher objects.
Slide 183: DPC and the gate object.
Slide 184: locks the Executive builds on top of these primitives: the fast mutex, the guarded mutex, the executive resource, and the push lock.
Slide 185: continued in Chapter 03.

2.5 and 2.5.1 (presenter 100522006, textbook pages 17, 18, 53, 54, 55, 56; slides 187-202)
Slide 187: Windows

Slide 188: the HAL, the kernel and the Executive expose their functionality as an API whose functions operate on objects.
Slide 193: SAL annotations used in the WRK source: __in: input parameter; __out: output parameter; __in_opt: optional input parameter.
Slide 197: example: Process.
Slide 198: example: Thread.
Slide 200: example 1: Process.
Slide 201: example 1: Thread.
Slide 202: end.