Introduction to Windows kernel (wrk)

Source: Internet
Author: User

Introduction

WRK, the Windows Research Kernel, is the part of the Windows kernel source code that Microsoft opened to universities and academia in 2006; in other words, it is a research edition of the Windows kernel.

WRK ships not only the source code of the Windows kernel module but also the tools needed to compile it.

With those tools you can compile WRK into an EXE file, that is, a kernel executable module, and then use that EXE in place of the operating system's own kernel, so that at the next boot the kernel loaded by the operating system is the one you compiled.

Tools and software

Intel x86 CPU;

VMware 6.5;

Windows Server 2003 SP1 (guest; used to test the compiled WRK kernel);

Windows 7 (host; used to compile WRK);

WRK 1.2.

Overview of WRK

First, find the kernel module file of the currently installed Windows. The kernel module file is the Windows kernel itself, consisting of the executive and the (micro)kernel. It is the binary module Ntoskrnl.exe, located in C:\windows\system32.

The result of compiling WRK is also a kernel module file, so what we compile takes the place of Ntoskrnl.exe. The output name may differ from the original: by default the build produces Wrkx86.exe (the default output name when building for x86).

The following describes the directory structure of WRK.

First, the ws03sp1hals directory:

ws03sp1hals means Windows Server 2003 SP1 HALs, that is, the HAL (Hardware Abstraction Layer) of Windows Server 2003 SP1.

In Windows the HAL is actually a separate DLL (for our purposes you can simply regard the HAL as a DLL). The HAL isolates hardware differences: the upper-layer modules do not need to consider the differences between the real hardware underneath, because they do not access the hardware directly but go through the HAL, so hardware differences are resolved inside the HAL without involving the upper layers. The advantage is that the upper-layer modules stay the same; when the hardware changes, only a matching HAL has to be supplied and the same upper-layer modules run on the new hardware.

Because the hardware in different PCs is not the same, there has to be more than one HAL. For example, my PC may have a single-core processor while yours has a quad-core one. (The HAL variants differ along lines such as uniprocessor versus multiprocessor and ACPI versus non-ACPI firmware; whether the processor is from Intel or AMD does not by itself select a different HAL.) To cope with these differences, Windows packages several HALs, for example one HAL for single-processor machines and one for multiprocessor machines. During installation Windows detects what kind of machine it is running on, selects the appropriate HAL, and installs it under the name Hal.dll.

The ws03sp1hals directory contains exactly these HALs.

For example, my PC has an Intel x86 dual-core processor. When Windows is installed, the appropriate HAL is chosen automatically, say Halmps.dll, copied into the designated directory on drive C, and renamed Hal.dll (the rename is for uniformity). That is why the file you see is C:\windows\system32\Hal.dll, whatever the underlying hardware.

Next, the public directory:

It contains header files (.h files) that are shared by all components, i.e. the public headers, organized into subdirectories such as ddk and internal. The internal subdirectory holds the headers used only inside the kernel itself.

Next, the tools directory:

As mentioned above, WRK contains not only the source code of the Windows kernel but also the tools used to compile that source. They live in the tools directory, and compiling WRK uses the tools found there.

Finally, the base directory. The ntos directory under base is the main directory of the Windows kernel module. The subdirectories of base\ntos and their meaning are listed below:

build

Build output directory. WRK discloses only part of the kernel source; the parts that are not disclosed are provided here as pre-built binary object code, and the compiled kernel EXE is written here as well.

cache

Source files of the cache manager.

config

Source files of the registry implementation.

dbgk

Source files of the kernel-mode part of the debugging subsystem (user-mode debugger support).

ex

Executive functions (kernel heap, synchronization, timers, and so on).

fsrtl

File system run-time library.

fstub

File system stub routines, including disk partition-table support.

io

I/O manager, excluding the Plug and Play manager and the power manager.

ke

(Micro)kernel, including the thread scheduler, CPU management, and the low-level synchronization primitives.

lpc

Local procedure call (LPC) mechanism.

mm

Memory manager.

ob

Kernel object manager.

perf

Kernel performance logging.

ps

Process and thread support.

se

Security reference monitor.

wmi

Windows Management Instrumentation (WMI).

inc

Include files used only within ntos.

raw

Raw file system driver.

rtl

Kernel run-time library support.

init

Kernel startup code.

vdm

Virtual DOS machine (x86).

verifier

Driver Verifier.

Compiling WRK

First, add the x86 subdirectory of the tools directory under the WRK root (for example WRK-v1.2\tools\x86) to the PATH environment variable.

Then change into the ntos directory under base in the WRK root (WRK-v1.2\base\ntos) and run:

nmake -nologo x86=

(For a 64-bit AMD64 build the command is different, nmake -nologo amd64=, and PATH must point at tools\amd64 instead of tools\x86.)

This compiles the whole of WRK. When compilation finishes, the compiled EXE can be found under WRK-v1.2\base\ntos\build.

That completes compilation.

Loading the kernel module compiled from WRK

We have now compiled the kernel executable module from WRK. Next we make the operating system load it at startup.

The environment is Windows Server 2003 SP1 installed in VMware 6.5.

First, copy the Wrkx86.exe compiled from WRK into the virtual machine and place it in the directory that holds Ntoskrnl.exe (C:\windows\system32).

Then find the Boot.ini file in the root of the system drive (C:). The file is hidden by default and is marked read-only; clear the read-only attribute so the file can be written, then open Boot.ini with Notepad.

The boot.ini file before modification (screenshot not reproduced here).

Add the following line under [operating systems] in Boot.ini, keeping the existing entry so the original kernel can still be selected:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, wrk" /kernel=wrkx86.exe /hal=hal.dll

The ARC path (multi(0)disk(0)rdisk(0)partition(1)\WINDOWS) must be the same as in the existing entry for this installation; the /kernel and /hal switches name files in %SystemRoot%\system32, which is why the compiled kernel has to be copied there.

The boot.ini file after modification (screenshot not reproduced here).

Save the file and restart Windows Server 2003 SP1. The boot menu now shows a second entry; choose "Windows Server 2003, wrk" to start Windows, and the kernel executable module that gets loaded is the Wrkx86.exe compiled from WRK.
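As an added example (not part of the original post), the following batch script carries out the steps above inside the Windows Server 2003 guest: it copies the compiled kernel next to ntoskrnl.exe, backs up boot.ini, clears its attributes, appends the WRK entry only if it is not already present, and restores the attributes. The source path C:\wrkx86.exe and the ARC path multi(0)disk(0)rdisk(0)partition(1)\WINDOWS are assumptions; take the real ARC path from the existing line under [operating systems] in your own boot.ini.

```batch
@echo off
rem Added example, not part of the original post.
rem Installs the WRK-built kernel as a second boot entry on Windows Server 2003.
rem Assumptions: the compiled kernel was copied into the guest as C:\wrkx86.exe,
rem and the installation's ARC path is multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
rem (copy the real one from the existing entry under [operating systems]).
setlocal
set SRC=C:\wrkx86.exe
set SYS32=%SystemRoot%\system32
set BOOTINI=%SystemDrive%\boot.ini
set ARC=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

if not exist "%SRC%" (
    echo Compiled kernel %SRC% not found.
    exit /b 1
)
if not exist "%SYS32%\ntoskrnl.exe" (
    echo %SYS32%\ntoskrnl.exe not found; is this the system drive?
    exit /b 1
)
if not exist "%SYS32%\hal.dll" (
    echo %SYS32%\hal.dll not found; the /hal= switch would point at nothing.
    exit /b 1
)

rem The /kernel= switch only looks in system32, so the file must sit beside
rem ntoskrnl.exe. The stock ntoskrnl.exe is left untouched so that the
rem original boot entry still works if the WRK build does not boot.
copy /y "%SRC%" "%SYS32%\wrkx86.exe" >nul || exit /b 1

rem boot.ini is hidden, system and read-only; clear the attributes before
rem editing and keep a backup of the untouched file.
attrib -r -s -h "%BOOTINI%"
if not exist "%BOOTINI%.bak" copy "%BOOTINI%" "%BOOTINI%.bak" >nul

rem Append the WRK entry only once (findstr /c: is a literal match).
findstr /i /c:"/kernel=wrkx86.exe" "%BOOTINI%" >nul
if errorlevel 1 echo %ARC%="Windows Server 2003, wrk" /kernel=wrkx86.exe /hal=hal.dll>>"%BOOTINI%"

rem Restore the original attributes and show the result for inspection.
attrib +r +s +h "%BOOTINI%"
type "%BOOTINI%"
endlocal
```

Run it from an elevated command prompt in the guest and read the printed boot.ini before rebooting: the default= line still points at the stock entry, so if the WRK kernel fails to boot, the original kernel is one menu choice away, and boot.ini.bak holds the file as it was before the change.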

Summary

The above has described in some detail what WRK is and the process of compiling the kernel module from WRK.

What is WRK for? It is, of course, for learning: by studying WRK you can gain a deeper understanding of Windows. Later on you can modify the WRK source, compile it into a kernel module, and have the operating system load your own kernel module. Of course, that is not easy to achieve!

WRK also comes with a debugging environment through which you can debug this kernel with Windbg; since I will cover drivers later, I will not go into that here.

Copyright: reprinting is welcome, but please credit the source: reprinted from Zachary. Xiaozhen, the sky of dreams.
