Understanding Windows Kernel mode and user mode

Source: Internet
Author: User



1. Basics

The processor in a computer running Windows has two different modes: user mode and kernel mode. The processor switches between the two modes depending on the type of code it is running. Applications run in user mode, and the core operating system components run in kernel mode. Many drivers run in kernel mode, but some drivers run in user mode.

When you start a user-mode application, Windows creates a "process" for the application. The process provides the application with a private "virtual address space" and a private "handle table". Because the application's virtual address space is private, one application cannot change data that belongs to another application. Each application runs in isolation, so if one application is corrupted, the damage is limited to that application; other applications and the operating system are not affected.

In addition to being private, the virtual address space of a user-mode application is limited. A processor running in user mode cannot access the virtual addresses that are reserved for the operating system. Limiting the virtual address space of a user-mode application prevents the application from altering, and possibly damaging, critical operating system data.

All code that runs in kernel mode shares a single virtual address space. This means that a kernel-mode driver is not isolated from other drivers or from the operating system itself. If a kernel-mode driver accidentally writes to the wrong virtual address, data that belongs to the operating system or to another driver can be corrupted. If a kernel-mode driver is corrupted, the entire operating system is corrupted.

This figure illustrates the communication between a user-mode component and a kernel-mode component.


2. Kernel hierarchy


Here is the kernel hierarchy:

Hardware Abstraction Layer (HAL) (Hal.dll)
The lowest layer, which isolates the hardware; the underlying third-party drivers run on top of this layer.

Kernel
Implements some of the underlying services of the operating system, such as thread scheduling, multi-processor synchronization, interrupt/exception handling, and so on.

Executive (ntoskrnl.exe)
Implements the basic operating system services, such as basic thread and process management, memory management, I/O, and inter-process communication.

Windows Graphics Subsystem
Implemented at the kernel level by Win32k.sys. The user interface depends on this layer, and most of the functionality of User32.dll is implemented by it.

User-level critical processes

The Windows system has several key system processes at the user level:

Smss.exe (Session Manager Subsystem)
For the concept of a Session, refer to my article "Sessions, Window Stations and Desktops". When the operating system starts, it creates an Smss.exe instance that is not associated with any Session; then, each time a user logs on, a copy of Smss.exe associated with that Session is created, and that associated Smss.exe instance starts Winlogon.exe and Csrss.exe.

Winlogon.exe
This process manages user logon and logoff. The interface that appears when we press Ctrl+Alt+Del, and the desktop window that appears after logon, are both started by it.

Csrss.exe (Client/Server Runtime Subsystem)
The desktop window we can see (GetDesktopWindow) is created by this process. The process is mainly responsible for the user-mode part of the Win32 subsystem (the kernel-mode part is implemented by Win32k.sys).

Lsass.exe (Local Security Authority Subsystem)
Verifies the user's credentials when Winlogon.exe logs a user on. After a successful logon it generates a security access token object; Explorer.exe is created with this token, and the other user processes that are started from Explorer.exe inherit the token's permissions.

Services.exe
This process is known as the SCM (NT Service Control Manager). It is responsible for starting some special user-mode processes, which are what we usually call service programs.


3. How user mode calls kernel mode

4. How kernel mode calls user mode

This can be done by passing through the IOCTL context, or by calling directly via an APC (Asynchronous Procedure Call).
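The IOCTL context mentioned above is the control code a user-mode program hands to a driver with DeviceIoControl. As an added example (not code from the original article), the following decoder shows what that 32-bit code encodes, mirroring the CTL_CODE bit layout from winioctl.h; the two codes it decodes are constructed sample values, and the review helper flags the METHOD_NEITHER transfer type, where the driver receives raw user-mode pointers and must validate them itself.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not from the article: bit layout mirrors CTL_CODE in winioctl.h. */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22

#define CTL_CODE(dev, func, method, access) \
    ((uint32_t)(((dev) << 16) | ((access) << 14) | ((func) << 2) | (method)))

struct ioctl_info {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14: FILE_*_ACCESS required on the handle */
    uint32_t function;    /* bits 13..2: 0x800 and above is the vendor range */
    uint32_t method;      /* bits 1..0: METHOD_* buffering mode */
};

struct ioctl_info decode_ioctl(uint32_t code) {
    struct ioctl_info i;
    i.device_type = (code >> 16) & 0xFFFF;
    i.access      = (code >> 14) & 0x3;
    i.function    = (code >> 2) & 0xFFF;
    i.method      = code & 0x3;
    return i;
}

/* Review helper: with METHOD_NEITHER the I/O manager neither copies nor locks the
 * user buffers, so the driver gets raw user-mode pointers and must probe them
 * before use. Writing through a caller-controlled address without probing is the
 * "wrong virtual address" corruption described above. Returns 1 if scrutiny is due. */
int ioctl_needs_pointer_validation(uint32_t code) {
    return decode_ioctl(code).method == METHOD_NEITHER;
}

int main(void) {
    uint32_t codes[] = { /* constructed sample codes in the vendor range */
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS),
        CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS),
    };
    for (size_t n = 0; n < sizeof codes / sizeof codes[0]; n++) {
        struct ioctl_info i = decode_ioctl(codes[n]);
        printf("0x%06X: device=0x%X function=0x%X access=%u method=%u%s\n",
               codes[n], i.device_type, i.function, i.access, i.method,
               ioctl_needs_pointer_validation(codes[n]) ? " (probe user pointers)" : "");
    }
    return 0;
}
```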

5. Inter-process communication

Another very powerful method of user-mode/kernel-mode communication, which also supports inter-process communication, is ALPC (Advanced Local Procedure Call). This mechanism is used heavily by the operating system; the Broker process in WinRT also uses it.
It is built on four core functions: nt!NtAlpcSendWaitReceivePort, nt!NtAlpcCreatePort, nt!NtAlpcConnectPort and nt!NtAlpcAcceptConnectPort. The approximate principle is as follows:
