The IDT extension mechanism of analytic Windows2000

Objective

Today we talk about the expansion of the interrupt mechanism under Windows 2000, first of all, that the techniques mentioned in this article are not what I found, but that I learned a little bit in the process of learning the Windows kernel in order to provide some useful information to my friends who have just stepped into the bottom of Windows. At the same time, incidentally recorded their own learning process. If you are a master of Windows kernel, also hope to have time to give a lot of guidance to us these juniors; If you are also a beginner, also welcome to our FZ5FZ website to exchange discussion! Well, let's go straight to the point, and if you don't know enough about the interruption, it's going to be an exciting journey.

1. Introduction to Windows Trap mechanism

Traps are an indispensable system mechanism in Windows systems. When there is an interruption (hardware interruption or software interruption) in the system, the processor captures the action and transfers the control of the system to a fixed handler to handle the operation accordingly. Before the processor starts processing the interrupt or exception that occurred, you must save some of the processor environment parameters to the stack for use during System Restore. The system is implemented by means of a trap frame, which saves the environment data of all threads in the system to the kernel stack (Kernel stack) and restores the execution point in the system control flow through the stack mechanism after execution. The trap mechanism in the kernel is divided into interrupts and exceptions. Interrupts are asynchronous events that occur immediately in the system, regardless of the current system's processor state. At the same time, the interrupt in the system can be divided into the shielding interrupt and the non shielding interrupt. An exception is a synchronization event, where exceptions can recur and interrupts are not possible. Interrupts can also be divided into hardware interrupts and software outages. It is obvious that hardware interrupts are hardware-related, such as some operations performed by I/O devices, processor clocks, or processing on hardware ports. Software interrupts are introduced through interrupt instruction int XX, which is often the code that the application enters the operating system after the user mode is executed, and the system provides a variety of system services to the user. For example, the system service call, which we mentioned last time, was implemented under Windows nt/2000 via software interrupt int 0x2e (System service Interrupt), although in Windows xp/ 2003 Microsoft uses a "Fast system call Interface" to provide system services to users, but a large number of interrupt services still exist in the system.

2, interrupt processing and related processes

Here we discuss the data structures associated with a particular processor, so there are some porting problems, this article is only for Intel's x86 family processors, and the programs included with this article only support normal execution on Intel x86 processors. What is IDT? The IDT (Interrupt descriptor table) is called the Interrupt descriptor table. It is an array of 8,192 cells, and each member of the array is a 8-byte segment descriptor called a "door". The doors in IDT can be divided into three types: Interrupt doors (interrrupt gate), Trap gates (Trap Gate), and task gate, but mainly interrupt doors and trap doors. And there's only a slight difference between them, and we're here to focus only on the interrupt door in IDT, and if you are interested in this, check out the Intel processor related documentation, Intel architecture Software Developer ' s Manual, Volume 3 ". At the same time, there is an interrupt descriptor register (IDTR) in the system, which contains the base address of the system interrupt descriptor and IDT information, which is closely related to a compilation instruction Sidt. As we'll see below, it is the foundation and key to our implementation of various interrupt descriptor extensions! It is also important to note that in the Windows system introduced paging, segmentation and virtual storage mechanism, there is a scheduling mechanism, will need to execute the code and data into the memory, the unwanted data transferred to the external storage (secondary memory, such as hard disk, etc.). If we were to execute some code and found that the data we needed was not in memory, a "page break" would be issued, and then the system would search the IDT for the interrupted ISR (Interrupt service routine, interrupt the services routine) and perform the appropriate transfer work. Can you imagine what it would be like if our interrupt descriptor was paged out to the external memory? At that time the system will not be able to locate the "page break" service routines, so the system will crash!

In the Interrupt Descriptor table, we've just mentioned an interesting register IDTR, and of course we're more concerned with the data that is more direct to us: The code snippet selector in the IDT (Codes Segment Selector), the offset of the interrupt execution code and interrupt descriptor permission levels (descriptor privilege level) parameters. Let's look at the execution flow of the interrupt instruction, we should know that the application executes under User mode (Ring 3), and the interrupt descriptor is in the system address space that the kernel mode (ring 0) can access. After a software outage occurs, that is, after the application invokes a software interrupt instruction, the processor first retrieves the incoming interrupt number in the IDT, finds the response's entry unit, and checks the interrupt gate's permission level parameters to see if the application calls under Ring 3 are allowed. This allows the operating system to retain the power to control the software interrupt invocation, while hardware interrupts and exceptions are not concerned with information about permissions. If the current permission level (Privilge level,cpl) value is greater than the permissions required for the interrupt Gate descriptor (descriptor Privilege level), a generic protection failure can be caused by insufficient permissions (general Protection Fault), whereas switching the processor from the user stack to the kernel stack. Now is the time to save the thread environment, and the processor will push the stack pointer (SS:ESP) and standard interrupt frames (EFlags and CS:EIP) into the stack in user mode. The processor then enters our interrupt service routine, executes the associated code, and returns to the invoked application via assembly instruction Iretd. When the instruction IRETD executes, the system will store the thread environment data stack restore on the stack, and then execute the application's subsequent code after the system resumes the environment before the interrupt instruction is executed.

3, interrupt the relevant data structure

First we introduce the relevant data structure of a key assembler instruction Sidt that we mentioned earlier. After executing the instruction Sidt, the system will save the base address and limit of the interrupt descriptor (a total length of six bytes) in the variable pointer pointed to in the instruction, which is the entry gate for the IDT operation. 　　 typedef struct _IDTR
{
//define the limit of the interrupt descriptor, length two bytes;
Short idtlimit;
Define the base address for the interrupt description service, length four bytes;
unsigned int idtbase;
} IDTR,*PIDTR; When we get the IDT's entry, we retrieve the IDT unit for the Interrupt descriptor table that we need to handle. The unit contains a lot of data structures that we need to pay attention to, where we are most concerned about the code snippet selector, interrupt code execution offset and privilege level, and so on, so let's give it a definition first. , we will discuss their specific applications in detail below. 　　 typedef struct _IDTENTRY
{
//interrupt the bottom 16 bits of the execution code offset;
unsigned short offsetlow;
　　Selector, which is the register;
unsigned short Selector;
　　Reserved bit, always zero;
unsigned char Reserved;
　　Type of door in IDT: Includes interrupt door, trap door and task door;
unsigned char type:4;
　　The segment identity bit;
unsigned char segmentflag:1;
　　Interrupt door permission level, 0 for kernel level, 3 for user level;
unsigned char dpl:2;
　　Renders a bit of flag;
unsigned char present:1;
A high 16-bit interrupt execution code offset;
unsigned short offsethigh;
} Idtentry,*pidtentry; 4. Create the function of software interrupt hook

As an ordinary Windows programmer, you may need to be familiar with the basic functions of the system, as well as the mastery of common program development. But for an idea of a Windows kernel-level analysis developer, a deep understanding of the bottom of the system is essential and important. The hook creates a great opportunity for us to understand the idea of the system's internal operating mechanism as a possibility. At the same time, writing a system-related monitoring program can automatically record and analyze the internal operation of the system. Of course, we can not be limited to the understanding of the system, we are more eager to implement the system modification and expansion, change the original operating characteristics of the system, inject the functional components we need, so that the system to do more for ourselves, but also we would like to see the operation. Previously we talked about creating hooks to system service calls to intercept system service calls, and also under Windows2000, System services are implemented through system service interrupts (the system services Interrupt,int 0x2e). The ability to monitor and modify system service calls can also be achieved by intercepting software interrupts. Our main discussion here is to create hooks for software interrupts, but for hardware interrupts and exceptions, we can also apply the methods mentioned in this article to hardware interrupts and exceptions. For example, we can also use a keyboard-driven interrupt to write a kernel-level keyboard recorder, which can operate directly on each keystroke and release, but it also needs to be used in some of the functions that Microsoft has to offer us in connection with the hardware interrupt hooks.