[Principles and implementation of Windows Kernel] Reading Notes (1)


Content: pages 18-42

 

An operating system is itself software, but it sits directly on the hardware and presents an abstraction of that hardware to the application software above it; it is responsible for managing and allocating hardware resources. Applications do not use the hardware directly; they carry out their tasks through the functions the operating system provides.

 

LPC (Local Procedure Call): the Windows mechanism for inter-process communication between system components.

 

The basic structure of modern operating systems:

    application environment  ->  system environment  ->  hardware devices
                                   |
                                   +-- system services
                                   +-- hardware abstraction

 

In modern computer systems, device plug-and-play (PnP) and power management have become increasingly important.

 

Windows System Structure

Dual mode: kernel mode and user mode. An application switches from user mode to kernel mode by executing a dedicated processor instruction.

 

The Windows subsystem together with the Windows kernel forms the application execution environment. The Windows subsystem has a kernel-mode part (window management and graphics) and a user-mode part; the user-mode part consists of a separate subsystem process and a set of system DLLs that are linked into every application.

 

Windows Kernel Structure

The kernel is divided into three layers: the hardware abstraction layer (HAL), the kernel layer, and the executive layer (which includes the object manager). The executive and kernel layers live in the same binary, ntoskrnl.exe.

The Windows kernel exposes a set of system calls (system services) to applications, but user programs do not invoke them directly. Instead they call a set of system DLLs whose calls ultimately end up in ntdll.dll; ntdll.dll switches the processor into kernel mode, where the corresponding executive API function carries out the system service. ntdll.dll is therefore the bridge between user-mode code and kernel-mode system services.

Function prefixes in ntdll.dll: Nt: system service stub functions; Ldr: image loader functions; Csr: functions for communicating with the Windows subsystem process; Dbg: debugging functions; Etw: event tracing functions; Rtl: runtime library functions (general-purpose support such as string handling).
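To see these prefix families on a real system, the following PowerShell script (an added example, not from the book) parses the export name table of ntdll.dll directly from the PE headers and counts exports per prefix; it assumes a standard `%SystemRoot%\System32\ntdll.dll` and needs no third-party tools.

```powershell
# Added example (not from the book): count ntdll.dll exports by the function
# prefixes described in the notes, by walking the PE export directory by hand.
$path   = Join-Path $env:SystemRoot 'System32\ntdll.dll'
$b      = [System.IO.File]::ReadAllBytes($path)
$pe     = [BitConverter]::ToInt32($b, 0x3C)             # e_lfanew -> "PE\0\0"
$nSec   = [BitConverter]::ToUInt16($b, $pe + 6)         # NumberOfSections
$optSz  = [BitConverter]::ToUInt16($b, $pe + 20)        # SizeOfOptionalHeader
$opt    = $pe + 24                                      # IMAGE_OPTIONAL_HEADER
$magic  = [BitConverter]::ToUInt16($b, $opt)            # 0x10B = PE32, 0x20B = PE32+
$dd     = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }  # DataDirectory[0] = export
$secTbl = $opt + $optSz                                 # first IMAGE_SECTION_HEADER

# Translate a relative virtual address to a file offset via the section table.
function RvaToOffset([uint32]$rva) {
    for ($i = 0; $i -lt $nSec; $i++) {
        $s   = $secTbl + 40 * $i
        $vsz = [BitConverter]::ToUInt32($b, $s + 8)     # VirtualSize
        $va  = [BitConverter]::ToUInt32($b, $s + 12)    # VirtualAddress
        $raw = [BitConverter]::ToUInt32($b, $s + 20)    # PointerToRawData
        if ($rva -ge $va -and $rva -lt $va + $vsz) { return $rva - $va + $raw }
    }
    throw "RVA 0x$($rva.ToString('X')) is not inside any section"
}

$expDir  = RvaToOffset ([BitConverter]::ToUInt32($b, $dd))           # IMAGE_EXPORT_DIRECTORY
$nNames  = [BitConverter]::ToUInt32($b, $expDir + 24)                # NumberOfNames
$nameTbl = RvaToOffset ([BitConverter]::ToUInt32($b, $expDir + 32))  # AddressOfNames

$counts = @{}
for ($i = 0; $i -lt $nNames; $i++) {
    $o   = RvaToOffset ([BitConverter]::ToUInt32($b, $nameTbl + 4 * $i))
    $end = $o
    while ($b[$end] -ne 0) { $end++ }                   # NUL-terminated ASCII name
    $name = [System.Text.Encoding]::ASCII.GetString($b, $o, $end - $o)
    $m    = [regex]::Match($name, '^(Nt|Ldr|Csr|Dbg|Etw|Rtl)')
    $key  = if ($m.Success) { $m.Value } else { 'other' }
    $counts[$key] = [int]$counts[$key] + 1
}
$counts.GetEnumerator() | Sort-Object Value -Descending | Format-Table Name, Value -AutoSize
```

The Nt bucket is the set of system service stubs the notes describe; comparing this table against a known-good copy of ntdll.dll is one cheap integrity check for a tampered system DLL.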

The Windows kernel uses preemptive, priority-based thread scheduling. Each thread has a base priority and a dynamic priority; the dynamic priority lets the system respond quickly to user actions and balances processor time between system services and other lower-priority processes.
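The difference between base and dynamic priority is visible from user mode. This PowerShell function (an added example, not from the book) reads the `BasePriority` and `CurrentPriority` properties of the .NET `ProcessThread` objects that `Get-Process` exposes; the default process name `explorer` is an assumed sample value.

```powershell
# Added example (not from the book): show the gap between each thread's base
# priority and its current (dynamic) priority as reported by the scheduler.
function Get-ThreadPriorityBoost {
    param([string]$ProcessName = 'explorer')   # assumed sample process
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $threads = $null
        try { $threads = $p.Threads } catch { continue }   # skip processes we cannot inspect
        foreach ($t in $threads) {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                TID     = $t.Id
                Base    = $t.BasePriority      # priority the thread was created with
                Current = $t.CurrentPriority   # dynamic priority after scheduler adjustments
                Boost   = $t.CurrentPriority - $t.BasePriority
                State   = $t.ThreadState
            }
        }
    }
}

# Boost > 0: the scheduler has raised the thread above its base priority
# (for example after a wait completed); Boost = 0: running at base priority.
Get-ThreadPriorityBoost | Sort-Object Boost -Descending |
    Format-Table Process, PID, TID, Base, Current, Boost, State -AutoSize
```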

The Windows kernel layer manages two kinds of objects: dispatcher objects and control objects. Dispatcher objects implement the synchronization facilities that affect thread scheduling: events, mutexes, semaphores, processes, threads, queues, gates and timers. Control objects control kernel operation without affecting thread scheduling; they include asynchronous procedure calls (APCs), deferred procedure calls (DPCs) and interrupt objects.

The executive includes the process and thread manager, memory manager, security reference monitor, I/O manager, cache manager, configuration manager, Plug and Play manager and power manager.

Windows drivers fall into three categories: plug-and-play drivers (WDM drivers), kernel extension drivers, and file system drivers.

In Windows file system management, each file system instance has its own device stack. Inserting a filter driver into that stack makes it possible to filter file I/O requests. Windows supports two kinds of filter drivers: one is inserted directly into the device stack and sees every file I/O request that passes through it; the other is built on the I/O filtering framework provided by the Windows-supplied fltmgr driver (the filter manager) and is called a file system minifilter driver. It responds to fltmgr events through callbacks.

A mass storage device manages its storage space with partitions and volumes. A partition is a contiguous storage area (a run of contiguous sectors) on the storage device. A volume is a logical collection of sectors; the sectors in a volume may come from one partition or from several. A file system is the logical structure imposed on a volume.

The file system is closest to the application, followed by volume management; partition management and the disk driver are closest to the storage device.

 

Network

Winsock is the most important network API on Windows. Its user-mode part is ws2_32.dll, which defines an extensible framework. In the kernel, the network API driver AFD.sys communicates with the protocol drivers through the Transport Driver Interface (TDI). TDI is actually a set of predefined I/O requests that describe the various network operations, including name resolution, connection establishment, and sending and receiving data. The network API driver is a TDI client; the transport protocol driver implements the TDI interface and is called a TDI transport.

Protocol drivers communicate with network adapter drivers through a uniform interface, the Network Driver Interface Specification (NDIS). A network adapter driver that conforms to NDIS is called an NDIS driver, or NDIS miniport driver.

An NDIS client uses the functions provided by the NDIS library to format the commands it sends to the NDIS driver and to deliver them; the NDIS driver in turn uses the NDIS library to receive requests and send responses.

 

The kernel-mode part of the Windows subsystem, win32k.sys, contains a large number of system calls and is mainly responsible for window management and the graphics device interface (GDI).

 

The Windows window programming model is message-driven: each window object responds to messages according to the window procedure specified by its window class.

 

Graphical Device Interface

The graphics engine provides two benefits in the Windows subsystem:

1. It provides a set of device-independent programming interfaces, GDI, which lets applications adapt to the differences among the underlying display devices;

2. Communication between applications and graphics device drivers is efficient enough that Windows can offer good visual effects even when graphical elements are output and refreshed frequently.

 

Threads and processes

Each thread represents a sequence of instruction execution and is also the unit of scheduling. A process defines an execution environment and has its own independent address space. Every thread must belong to a process; the threads of the system process are called system threads.
