Every day we use Windows to study, program, listen to music and play games. We are all fluent at operating Windows, but how much do you actually know about it? The purpose of this series is to give you a more intuitive, clear and thorough understanding of the Windows system. Most of us will never see the Windows source code, so we cannot glimpse its deepest technical details, such as its memory scheduling algorithms, but we can know far more than we do now. After working through this material you will find development on Windows much more approachable, and any Trojan on your machine will become nothing more than a specimen for you to study.
Since the Windows 9x kernel is obsolete and its technology outdated, we will not discuss it here. The focus is on versions from Windows 5.0 onwards, especially Windows 2000. Note that XP is Windows 5.1 and 2003 is version 5.2; the Windows technology described in this series is that of Windows 5.x.
1. Intuitive understanding of Windows
The easiest way to start analyzing a piece of software is to find out what every file is. So first let us get an intuitive picture of the Windows system we use. On Windows 2000 or Windows XP, look in the WINNT\system32 or Windows\system32 directory for the following files: hal.dll, ntoskrnl.exe, ntdll.dll, kernel32.dll, gdi32.dll and user32.dll. These files are the key to how Windows runs: as long as you are operating Windows through the GUI, every one of them is certainly in play. It is worth mentioning that the graphical interface subsystem of Windows is implemented in the kernel (now you know why the graphical interface of Linux is not as good-looking and easy to use as that of Windows).
The functions of these files are as follows:
hal.dll: the hardware abstraction layer.
Windows 2000 is, after all, a software system, and just like the projects we work on ourselves, its development goals had to be set at the start. One of the initial goals of Windows 2000 was portability across multiple hardware platforms (Windows 2000 supports single-processor and multi-processor systems as well as the Compaq SystemPro), and each hardware platform has its own hardware abstraction layer. On the standard PC we normally use this file is hal.dll (on the Compaq SystemPro it is halsp.dll). The HAL files for the different hardware platforms are all present on the Windows installation disc; during installation only the file matching the computer's platform type is copied.
The HAL is a loadable kernel-mode module (a DLL, dynamic link library) that provides a low-level interface to the hardware platform on which Windows runs. It hides hardware-specific details such as I/O interfaces, interrupt controllers and multi-processor communication mechanisms, and presents a uniform set of hardware interface functions to the operating system kernel.
ntoskrnl.exe: NT OS kernel. This is without doubt the Windows kernel; more precisely, the kernel is implemented here. It is only 1.6 MB, about the size of a compiled Linux 2.4 kernel.
This file actually provides two main functions:
The first is the system kernel proper, which sits above the hardware abstraction layer and provides the basic system mechanisms: thread scheduling and synchronization, memory allocation and so on. Everything you see in an operating systems textbook is in here, and it is the most complex part; if you found the operating systems course too abstract and a little hard, try disassembling ntoskrnl.exe and reading it through once (with that many lines of assembly you will have trouble even finding the exact entry point). At the same time the kernel also provides hardware support: calls from upper-layer programs such as drivers are ultimately realised in hardware, and in the other direction the hardware abstraction layer is abstracted once more and exposed to the layers above as a uniform interface. Anyone who has written a Windows driver or read the DDK will have a deep impression of the fixed pattern a Windows WDM driver must follow.
The second is the executive. The executive contains a great many things, and when I first worked with it I found it dizzying, but now I can sum it up in one sentence: the executive is the window through which the developer interacts with Windows. The executive exposes the Windows development functions, which are then wrapped several more times for developers to use. Classifying these functions by what they do is messy and easily confusing; from the developer's point of view there are instead a few kinds: the Win32 API functions, used for application development (MFC and ATL, which we often talk about, are object-oriented wrappers around them); and the DDK API functions and IFS Kit functions, used for driver development. If you have browsed the DDK carefully you will have noticed something odd: it does not provide for developing file system drivers, and that is what the IFS (Installable File System) Kit is for.
As mentioned earlier, Windows places graphical interface processing in kernel mode, so we must mention a special driver: win32k.sys. The beautiful Windows desktop you see is drawn by this file.
Everything above is the basic functionality Windows runs in kernel mode, that is, at CPU ring 0 (if you do not know what a ring is, download the Intel CPU system programming reference from Intel's website, or consult your computer architecture textbook). Many drivers also run at this level. At the kernel level, calls between components work differently from user mode; LPC is commonly used, and we will come back to it later.
Before going further, we must first state a fact: the capabilities of Windows are far greater than what we normally see. Strictly speaking, Win32 is really just one Windows subsystem; Windows also has two others, POSIX and OS/2. This makes it look as though programs written for Linux could run on Windows, but it is not that simple: the libraries must be ported and the program recompiled and relinked, and in the end everything still relies on the Win32 subsystem to do the actual work, so it is of little significance and was basically abandoned by users. We will only talk about the Win32 subsystem. Note that each subsystem has its own subsystem support process: for the POSIX subsystem it is posix.exe and for the Win32 subsystem it is csrss.exe (full name: Client/Server Run-time Subsystem). In short, there is a process called csrss.exe running on your machine; do not mistake it for a Trojan and kill it.
What follows is user-level content. For ease of understanding, the introduction to the kernel-level layering went from the bottom up (from hardware towards software); at the user level we will go from the top down, which is more intuitive.
Let us start with an example application (although user-level programs are not all applications): Internet Explorer. If you have installed Visual C++ and its Depends tool, you can use it to open IE (or any Windows executable, that is, any .exe file) and see that it calls kernel32.dll, while kernel32.dll calls ntdll.dll. At the same time, IE's main program also calls user32.dll, and user32.dll in turn calls gdi32.dll, kernel32.dll and ntdll.dll.
To simplify: Win32 applications call Win32 API functions, which are provided by kernel32.dll. But kernel32.dll does not actually implement the specific functionality; it merely performs a simple address conversion and jumps to the function entry point in ntdll.dll, that is, to the corresponding native API function. ntdll.dll does no specific processing either: it converts the user-level function call into a genuine system call into kernel mode and returns to the application process once the kernel has finished. Some may ask why Windows wraps the interface exposed by the executive twice, through kernel32.dll and ntdll.dll. This is exactly the difference between the Win32 API and the native API. The Win32 API, also called the documented API, is intended for users: it must maintain consistency and compatibility, function names cannot be changed at will, and new functions must remain compatible with old ones, otherwise programs built against an older Win32 API (with the Win32 SDK or MFC) might fail when run on a newer version of the system. The native API consists of functions that may need to change when the system is updated: function names, parameter types and parameter counts may all change from one release to the next, so it is reserved for Microsoft's own use and is of course not meant to be used directly by users. That does not mean, however, that we as developers cannot use the native API. If you locate a function in ntdll.dll yourself and call it, then as long as Microsoft has not modified that function, the call will succeed and your program will run without problems. Similar to kernel32.dll, advapi32.dll provides some advanced application programming functions.
gdi32.dll and user32.dll provide the documented Win32 graphics programming interfaces; they too reach the system drawing functions (implemented in win32k.sys) through ntdll.dll.
kernel32.dll, advapi32.dll, user32.dll and gdi32.dll are collectively called the Win32 subsystem DLLs. The Win32 subsystem DLLs translate the documented Win32 API functions into the corresponding native API calls, and ntdll.dll translates the native API into kernel-mode system service calls into ntoskrnl.exe and win32k.sys, which carry out what the user-level code requested.
Having covered applications, let us look at the other user-level programs. The environment subsystems (the Win32, POSIX and OS/2 subsystems and so on) will be discussed later. Then there are the system support processes, such as smss.exe (Session Manager), winlogon.exe (the logon program) and lsass.exe (the local machine's security authority subsystem); these are specialised and deserve dedicated study when the opportunity arises. All the processes mentioned here are necessary for the normal operation of Windows; that is, they are safe and you need not worry about them (unless, of course, one of them has a vulnerability). Most user-level applications call kernel32.dll and thereby indirectly ntdll.dll; some programs, such as the system support processes, call ntdll.dll directly.
That is roughly the basic architecture of Windows. The Windows 2000 system architecture diagram that follows can be used as a reference while reading the text above.
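The article's point that csrss.exe, smss.exe, winlogon.exe and lsass.exe are necessary system processes (and should not be killed as suspected Trojans) has a defender's corollary: trust the name only when the image runs from system32, and look twice at names one or two edits away from the genuine ones. The following Python is an added example, not code from the article; the process paths in it are constructed samples.

```python
"""Sanity-check a process listing against the system processes the article names.
Added example, not the article's code; the paths below are constructed samples."""
import ntpath  # Windows-style path splitting, works on any platform

# Processes the article says are necessary for Windows to run.
SYSTEM_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe"}
# Where the genuine copies live (WINNT\system32 or Windows\system32).
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'csrs.exe' is one edit away from 'csrss.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(image_path: str) -> str:
    """Return 'system', 'masquerade', 'lookalike' or 'other' for one image path.
    'masquerade': a genuine system-process name running outside system32.
    'lookalike':  a name within two edits of a system-process name."""
    directory, name = ntpath.split(image_path.lower())
    if name in SYSTEM_PROCESSES:
        return "system" if directory in SYSTEM32_DIRS else "masquerade"
    if any(edit_distance(name, real) <= 2 for real in SYSTEM_PROCESSES):
        return "lookalike"
    return "other"

def suspicious(image_paths):
    """Paths worth investigating, in listing order."""
    return [p for p in image_paths if check_process(p) in ("masquerade", "lookalike")]

# Constructed sample listing (hypothetical paths, not taken from a real host).
SAMPLE_LISTING = [
    r"C:\WINNT\system32\csrss.exe",
    r"C:\WINNT\system32\smss.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\csrss.exe",
    r"C:\WINNT\system32\csrs.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(f"{check_process(path):10s} {path}")
```

On a real host the listing would come from Task Manager or a process enumeration tool; the classification logic is unchanged.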