Understanding Windows Kernel Mode and user mode

Kernel hierarchy

Windows programs run in kernel mode and user mode. in kernel mode, you can access all memory address spaces and all CPU commands. Generally, the program runs in user mode and switches to kernel mode to run system functions. Windows ensures system security and stability through system calls.

The following is the kernel hierarchy:

Hardware Abstraction Layer (HAL) (hal. dll)
The bottom layer isolates the hardware, and the underlying Third-Party driver runs on this layer.

Kernel)
It implements some underlying services of the operating system, such as thread scheduling, multi-processor synchronization, and interrupt/exception handling.

Executive)
Implement basic operating system services, such as basic thread process management, memory management, IO, and inter-process communication.

Windows Graphics Subsystem)
Implemented by win32K. sys at the kernel layer. User Interface depends on this layer. Most of the functions of User32.dll are implemented by this layer.

User-layer Key Processes

Windows has several key system processes at the user layer:

Smss.exe (session manager Subsystem)
For more information about the Session concept, see my Sessions, Window Stations and sharetops. When the operating system is started, a smss.exe manager instance that is not associated with any sessionwill be created.

WinLogon.exe
This process manages user login and logout. We press Ctrl + Alt + Del to display the interface and the desktop window displayed after logon is started by it.

Csrss.exe (Client/Server Runtime Subsystem)
We can see that our desktop window (GetDesktopWindow) is created by this process, which is mainly responsible for the user mode of the Win32 subsystem (the kernel mode is implemented by win32k. sys ).

Lsass.exe (Local Security Authority Subsystem)
WinLogon.exe authenticates user logon through this process. After logon, a security access token object is generated. With this token, the system creates assumer.exe. Other users of this token are started by assumer.exe and inherit the token permission.

Services.exe
This process is short for SCM (NT Service Control Manager). It is responsible for starting some special user-State processes, which are also called Service programs.

User Mode: Kernel Mode

The kernel mode is called in user mode. Generally, there are two methods: system call and IOCTL (IO Control Commands)

Kernel Mode Call User Mode

It can be passed through the context of IOCTL or through APC (Asynchronous Procedure Call.

Inter-process communication

Another very powerful communication mode between user mode and kernel mode. It also supports inter-process communication. This mode is ALPC (Advanced Local Procedure Call), which is widely used by the operating system, the Broker process in WinRT also uses it.
This method actually involves four core functions: nt! Ntalpcsendwaitpoliceport, nt! NtAlpcCreatePort, nt! NtAlpcConnectPort, Nt! The principle of AplcAcceptConnectPort is as follows:

To sum up, we will deepen our understanding of the Windows system through the introduction of some key concepts in the above Windows system, so that we can grasp the overall situation of application development.