Reading notes: "Windows Core Programming", chapter 3, kernel objects (1): handles and security

Source: Internet
Author: User


I have not updated the blog recently because I have been stuck on one problem: the kernel object chapter is very important, and I had not grasped it well enough to write it up. In the end I decided to write as much as I can, learning as I write, and to update the post as I learn more.

Several kernel objects are mentioned in "Windows Core Programming":

Access token object: related to Windows security; I don't understand it well yet, and will write about it once I do;

Event object: an event object that can be used for synchronization across processes; created by CreateEvent;

File object: a file object, very common; created by CreateFile;

File mapping object: file mappings make it convenient to manipulate a file (treating the file data as memory); created by CreateFileMapping; in WinObj you can see the ones the system creates under the session object;

I/O completion port object: IOCP for short, often used in socket programming;

Job object: I don't understand it well yet;

Mailslot object: can be used for inter-process synchronization, but rarely is; I haven't found any other special use for it;

Mutex object: commonly used for synchronization between processes;

Pipe object: commonly used for transferring data between processes, and the processes can be on different computers;

Process object: the operating system uses this object for process management;

Thread object: the operating system uses this object for thread management;

Semaphore object: a kernel object commonly used for thread synchronization, and a powerful one;

Waitable timer object: I don't understand it well yet; it should make a very high-precision timer possible;

Thread pool object: I haven't used it;

Almost all kernel objects have two members in common: a security descriptor (describing which principals may access the object and with what access rights) and a usage count (how many users of the object there are at the same time; when it is 0 nobody is using the object, the kernel object no longer has any meaning and is destroyed automatically);

Usage Count:

Why is there a usage count?

The kernel object is owned by the operating system, not by a single program, so several programs may be using the same kernel object at once. The count value records how many times the kernel object is referenced: each time the kernel object is opened again the count goes up by 1, each Close brings it down by 1, and when the count reaches 0 the operating system automatically destroys the kernel object;

(When a process terminates, the operating system closes every handle in that process's handle table one by one.)

Security Descriptor:

The security descriptor records who owns the object, who may access it and with what kind of access (the DACL), and which kinds of access are audited (the SACL). For example, user A creates an object ObjectA (a file, a pipe, etc.) but wants user B to be able only to read ObjectA and not write it; this is done through the security descriptor;

The structure of the security descriptor is as follows:

typedef struct _SECURITY_DESCRIPTOR {
    UCHAR Revision;                        // version control information
    UCHAR Sbz1;                            // version control information
    SECURITY_DESCRIPTOR_CONTROL Control;   // unsigned short; control bits
    PSID Owner;                            // SID of the object's owner, who can change the security descriptor even if the DACL locks everyone else out
    PSID Group;                            // Windows usually ignores this (kept for POSIX compatibility, now mostly vestigial)
    PACL Sacl;                             // specifies which kinds of access are audited; audit events are written to the audit log
    PACL Dacl;                             // holds the object's permissions (who is allowed and who is denied access)
} SECURITY_DESCRIPTOR;

The Dacl member points to an ACL with the following structure:

typedef struct _ACL {
    UCHAR  AclRevision;   // version control information
    UCHAR  Sbz1;          // version control information
    USHORT AclSize;       // size in bytes: ACL header + ACEs + free buffer; see the comment in winnt.h
    USHORT AceCount;      // number of ACEs; see the comment in winnt.h
    USHORT Sbz2;          // version control information
} ACL;
typedef ACL *PACL;

We can see that there is an AceCount here but no AceList field to hold the ACE information. My guess is that the ACEs are stored in the struct as well but left unnamed so that user programs cannot index them directly, implemented in the same spirit as a trailing char AceList[0]. This is only a guess; if you want to know for certain, you can trace the assembly code of GetAce or AddAce.

The three fields of an ACE (access control entry) to care about are AceType, Mask and Sid. AceType is one of allow, deny, audit or alarm; Mask is the combination of operations that is allowed or denied; Sid is the SID the entry applies to;

About tokens:

To be added after I have read "In-depth Analysis of the Windows Operating System" (Windows Internals);

When an object is opened, the thread's token (the impersonation token if it has one, otherwise the primary token) supplies the user and the list of groups the user belongs to, and these are compared against the DACL in the object's security descriptor. One of the following happens:

1. The object's DACL is NULL: the thread gets full access.

2. The object's DACL is not NULL but AceCount == 0 (ACE: access control entry): every thread is denied access.

3. Traversing the DACL finds an ACE matching the user or a group in the token, and that ACE says the requested access is not granted: the security check function returns immediately and the thread is denied access.

4. Traversing the DACL finds no ACE matching the user or any group in the token: the thread is denied access.

5. Traversing the DACL finds an ACE matching the user or a group in the token, and that ACE grants the requested access: the security check function returns immediately and the thread is allowed access.
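The following is an added example, not code from the book or from the original post. It illustrates two points from this post at once: the ACEs that the ACL struct does not name are stored directly after the ACL header, each starting with its own small header, which is how AddAce appends and GetAce locates them; and the DACL is evaluated entry by entry against the SIDs in the token. The struct and constant names mirror winnt.h but are re-declared here with fixed-width types so the file compiles anywhere (it must not be combined with windows.h); the SIDs are plain integers, and the SID values, access-mask bits, token contents and DACL are all constructed for the example. The check goes slightly beyond the five steps above: as in the real algorithm, rights granted by allow ACEs accumulate, so a request for several rights is allowed only once every one of them has been granted, and a deny ACE that matches any still-ungranted right denies the whole request. The scenario is the one from the security descriptor section, user A letting user B read but not write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts mirroring winnt.h, re-declared for this example (do not combine with
   windows.h). ACEs sit right after the ACL header, each starting with an ACE_HEADER. */
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } ACL;
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } ACE_HEADER;
enum { ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1 };

typedef uint32_t SID;                        /* constructed: an integer stands in for a real SID */
typedef struct { ACE_HEADER Header; uint32_t Mask; SID Sid; } ACE;
enum { FILE_READ = 0x1, FILE_WRITE = 0x2 };  /* constructed access-mask bits */

/* Append an ACE after the last one, the way AddAce does. */
static void add_ace(ACL *acl, uint8_t type, uint32_t mask, SID sid) {
    ACE *ace = (ACE *)((uint8_t *)acl + acl->AclSize);
    ace->Header.AceType = type;  ace->Header.AceFlags = 0;  ace->Header.AceSize = sizeof *ace;
    ace->Mask = mask;            ace->Sid = sid;
    acl->AclSize += sizeof *ace; acl->AceCount++;
}

/* Locate the n-th ACE by walking AceSize from the header, the way GetAce does. */
const ACE *get_ace(const ACL *acl, int n) {
    const uint8_t *p = (const uint8_t *)acl + sizeof *acl;
    for (int i = 0; i < n; i++) p += ((const ACE_HEADER *)p)->AceSize;
    return (const ACE *)p;
}

typedef struct { SID user; SID groups[4]; int ngroups; } TOKEN;

static int token_has_sid(const TOKEN *t, SID sid) {
    if (t->user == sid) return 1;
    for (int i = 0; i < t->ngroups; i++) if (t->groups[i] == sid) return 1;
    return 0;
}

/* DACL evaluation for one token and one desired access mask: 1 = allowed, 0 = denied. */
int access_check(const ACL *dacl, const TOKEN *token, uint32_t desired) {
    if (dacl == NULL) return 1;              /* NULL DACL: full access for everyone */
    if (dacl->AceCount == 0) return 0;       /* empty DACL: no access for anyone */
    uint32_t remaining = desired;            /* rights not yet granted by an allow ACE */
    for (int i = 0; i < dacl->AceCount; i++) {
        const ACE *ace = get_ace(dacl, i);
        if (!token_has_sid(token, ace->Sid)) continue;       /* ACE is for someone else */
        if (ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
            if (ace->Mask & remaining) return 0;             /* denies a right still wanted */
        } else if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
            remaining &= ~ace->Mask;
            if (remaining == 0) return 1;                    /* every desired right granted */
        }
    }
    return 0;                                /* no matching ACE granted the rest: denied */
}

/* Constructed scenario: user A owns ObjectA and wants user B to read but not write it. */
enum { SID_USER_A = 1001, SID_USER_B = 1002, SID_GROUP_USERS = 513 };
static uint32_t storage[64];                 /* 4-byte aligned backing store, 256 bytes */

static ACL *new_dacl(void) {
    ACL *dacl = (ACL *)storage;
    memset(storage, 0, sizeof storage);
    dacl->AclRevision = 2;
    dacl->AclSize = sizeof *dacl;            /* header only, AceCount 0 */
    return dacl;
}

const ACL *build_empty_dacl(void) { return new_dacl(); }

const ACL *build_sample_dacl(void) {
    ACL *dacl = new_dacl();
    /* Deny ACEs go first so they are seen before any allow ACE for the same SID. */
    add_ace(dacl, ACCESS_DENIED_ACE_TYPE,  FILE_WRITE,             SID_USER_B);
    add_ace(dacl, ACCESS_ALLOWED_ACE_TYPE, FILE_READ | FILE_WRITE, SID_USER_A);
    add_ace(dacl, ACCESS_ALLOWED_ACE_TYPE, FILE_READ | FILE_WRITE, SID_GROUP_USERS);
    return dacl;
}

int main(void) {
    const ACL *dacl = build_sample_dacl();
    TOKEN a = { SID_USER_A, { SID_GROUP_USERS }, 1 };
    TOKEN b = { SID_USER_B, { SID_GROUP_USERS }, 1 };
    printf("A write     : %d\n", access_check(dacl, &a, FILE_WRITE));              /* 1 */
    printf("B read      : %d\n", access_check(dacl, &b, FILE_READ));               /* 1 */
    printf("B write     : %d\n", access_check(dacl, &b, FILE_WRITE));              /* 0: deny ACE beats the group allow */
    printf("B read+write: %d\n", access_check(dacl, &b, FILE_READ | FILE_WRITE));  /* 0 */
    printf("B, NULL DACL: %d\n", access_check(NULL, &b, FILE_WRITE));              /* 1 */
    return 0;
}
```

The ordering of the ACEs is the important detail: B is a member of the Users group, which is allowed to write, but the deny ACE for B's own SID comes first, so B's write request is refused before the group allow is ever reached. Placing the allow ACE for Users ahead of the deny ACE would have granted the write.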

Articles on security descriptors and other security topics, for reference:

http://blog.csdn.net/hjxyshell/article/details/38502933

http://blog.csdn.net/hjxyshell/article/details/38503387

http://www.doc88.com/p-382740626684.html

"In-depth Analysis of the Windows Operating System" (Windows Internals), chapter 8

A kernel object is a block of memory that is created, accessed, modified and destroyed by the operating system and is accessible only to the kernel. A user program should not guess at the contents of that memory block in order to read or change it; if it wants to manipulate a kernel object, it should use the set of functions Windows provides. When a user program calls a function that creates a kernel object (the creation itself is carried out by the kernel) or opens one, the function returns a handle value (HANDLE) that identifies the kernel object, and the program passes that handle to the corresponding functions to manipulate the object. In a 32-bit program sizeof(HANDLE) = 4; in a 64-bit program sizeof(HANDLE) = 64;

Note:

1. A handle is process-relative, so a handle value is only meaningful inside the process that owns it; the value cannot be passed to another process for that process to use. If several processes need to access the same kernel object, several methods for that are described later.

2. The real meaning of a handle is HANDLE/4: the index of the kernel object's entry in the process's handle table, which also explains point 1. But the meaning of the handle value is not documented by Windows, so it may change in the future.
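An added example, not code from the book or from the original post, that models the two notes above together with the usage-count rule from earlier in the post: a toy per-process handle table in which a handle value is 4 times its slot index, the usage count lives on the kernel object rather than on any handle, and a handle value from one process means nothing in another. Every name here (KOBJECT, HANDLE_TABLE, create_object, open_object, close_handle, close_all_handles, run_demo) is invented for the model and is not a Windows API; the object and the two processes are constructed for the scenario.

```c
#include <stdio.h>

/* Hypothetical model for this example: invented names, not Windows APIs.
   The kernel object carries the usage count; each process has its own handle table. */
typedef struct { const char *name; int usage_count; int alive; } KOBJECT;

#define TABLE_SLOTS 16
typedef struct { KOBJECT *slot[TABLE_SLOTS]; } HANDLE_TABLE;  /* one per process */
typedef unsigned long HANDLE;        /* HANDLE / 4 is the index into the owning process's table */

static HANDLE insert_handle(HANDLE_TABLE *t, KOBJECT *obj) {
    for (int i = 1; i < TABLE_SLOTS; i++)          /* slot 0 is never used, so no valid handle is 0 */
        if (t->slot[i] == NULL) {
            t->slot[i] = obj;
            obj->usage_count++;                    /* one more reference to the object */
            return (HANDLE)i * 4;
        }
    return 0;                                      /* table full: the create/open call fails */
}

/* Create an object: it starts with usage count 1, held by the creator's new handle. */
HANDLE create_object(HANDLE_TABLE *t, KOBJECT *obj, const char *name) {
    obj->name = name; obj->usage_count = 0; obj->alive = 1;
    return insert_handle(t, obj);
}

/* Open an existing object from any process: a fresh handle in that process, count +1. */
HANDLE open_object(HANDLE_TABLE *t, KOBJECT *obj) {
    return obj->alive ? insert_handle(t, obj) : 0;
}

/* CloseHandle equivalent: free the slot, count -1, destroy the object when it reaches 0. */
int close_handle(HANDLE_TABLE *t, HANDLE h) {
    unsigned long idx = h / 4;
    if (h == 0 || h % 4 != 0 || idx >= TABLE_SLOTS || t->slot[idx] == NULL)
        return 0;                                  /* not a handle this process owns */
    KOBJECT *obj = t->slot[idx];
    t->slot[idx] = NULL;
    if (--obj->usage_count == 0) obj->alive = 0;   /* last reference gone: the kernel frees it */
    return 1;
}

/* Process termination: the OS closes every handle still in the table. */
void close_all_handles(HANDLE_TABLE *t) {
    for (int i = 1; i < TABLE_SLOTS; i++)
        if (t->slot[i] != NULL) close_handle(t, (HANDLE)i * 4);
}

typedef struct {
    HANDLE h1_in_p1, h3_in_p2;   /* handle values: p1's first handle, p2's second handle */
    int cross_process_close;     /* result of using p2's handle inside p1 */
    int count_after_p2_exit;     /* usage count once p2 has terminated */
    int alive_after_p1_close;    /* whether the object survives p1's final close */
} DEMO_RESULT;

/* Constructed scenario: processes p1 and p2 share one event object. */
DEMO_RESULT run_demo(void) {
    KOBJECT ev;
    HANDLE_TABLE p1 = {{0}}, p2 = {{0}};
    DEMO_RESULT r;
    r.h1_in_p1 = create_object(&p1, &ev, "MyEvent");       /* count 1, handle 4 in p1 */
    open_object(&p2, &ev);                                 /* count 2, handle 4 in p2 as well: values are per-process */
    r.h3_in_p2 = open_object(&p2, &ev);                    /* count 3, handle 8 in p2 */
    r.cross_process_close = close_handle(&p1, r.h3_in_p2); /* 0: slot 2 of p1's table is empty */
    close_all_handles(&p2);                                /* p2 exits: count back to 1, object still alive */
    r.count_after_p2_exit = ev.usage_count;
    close_handle(&p1, r.h1_in_p1);                         /* count 0: object destroyed */
    r.alive_after_p1_close = ev.alive;
    return r;
}

int main(void) {
    DEMO_RESULT r = run_demo();
    printf("p1 handle %lu -> index %lu; p2 handle %lu -> index %lu\n",
           r.h1_in_p1, r.h1_in_p1 / 4, r.h3_in_p2, r.h3_in_p2 / 4);
    printf("closing p2's handle from p1: %d; count after p2 exits: %d; alive at end: %d\n",
           r.cross_process_close, r.count_after_p2_exit, r.alive_after_p1_close);
    return 0;
}
```

Two things the scenario makes visible: both processes receive the value 4 for their first handle to the same object, which is exactly why a handle value cannot be handed to another process, and the object is only destroyed after the last handle in any process is closed, no matter which process created it.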
