Windows Kernel Analysis

(C) Gloomy aka Peter Kosyh, Melancholy Coding, 2001

INTRO (for NT researchers)
==================================

When there are too many threads, there are too many threads, too many threads.
When there are too many threads,
When there are too many threads,

(C) by Anathema

00. System Components
01. Memory layout of the Windows NT operating system
02. Windows NT and the FLAT model
03. Thread Information Block
04. Processor Control Region


00. System Components
==================================

In fact, all Windows NT components are PE-format DLL and EXE files that import and export functions. The main components of Windows NT are:

* Ntoskrnl.exe
The system core. System functions execute here and call into the other components. The core components include the Object Manager, Memory Manager, thread creation, thread control, LPC, security management, exception handling, file system, input and output, VDM, and timers. It is generally located at an address above 80100000h.

* Hal.dll
Hardware Abstraction Layer: the hardware-dependent module. This layer isolates the hardware-dependent parts of the operating system to improve portability. It implements very low-level functions: interrupt control, hardware input and output, and so on. It is generally located at an address above 80100000h.


* Ntdll.dll
Implements some Win32 API functions and provides the interface between kernel mode and user mode. It is located in user space; in other words, the system calls are mainly exported from here.

* Kernel32.dll
Implements some functions, similar to the Win9x kernel. Many of its functions are wrappers around ntdll.dll.

* Csrss.exe
The subsystem server process. It is a separate process, so it is protected from other processes (it does not live in their address space). Requests for its services must go through LPC.

* Win32k.sys
A driver introduced to reduce the cost of calling Csrss services. It implements the GDI and USER functions, which are reached through system calls rather than LPC; this significantly improved graphics performance in Windows NT 4.0 and 2000.


01. Memory layout of the Windows NT operating system
==================================

The system occupies the upper 2 GB of the 32-bit linear address space in Windows NT. In this layout, the address range 80000000-FFFFFFFF holds the system components: drivers, system tables, system data structures, and so on. An exact map of system memory cannot be given, but the different regions can be distinguished by their function and approximate location.

* 80000000-9FFFFFFF
System code. The code and data of Hal and ntoskrnl reside here, as do the drivers (boot drivers and drivers loaded by ntldr). The GDT, IDT, and TSS structures also reside in this region.

* C0000000-C0FFFFFF
System tables. This linear address range holds the page tables, page directories, and other per-process structures. Unlike the other system-space regions, it is not global: it maps to different physical memory in each process and holds the data structures of the current process.

* E1000000-E57FFFFF
Paged pool. Memory in this region can be paged out to disk. Most operating-system objects are allocated here; in fact, several memory pools are located in this region.

* FB000000-FFDFEFFF
Non-paged pool. Data in this region cannot be paged out to disk because the system needs it at all times. For example, the process and thread information blocks (Thread Environment Block, Process Environment Block) are kept here.

* FFDFF000-FFFFFFFF
PCR, the Processor Control Region, maintained for each processor. The PCR structure stored here holds system state information such as the IRQL, the current thread, and the IDT.

The low 2 GB of linear address space (00000000-7FFFFFFF) is the user-mode address space of each process. The Win32 address space looks like this:

* 00000000-0000FFFF
Protected area. Accessing this region raises an exception; it is used to catch NULL pointers.

* 00xx0000
The address at which an application is normally loaded.

* 70000000-78000000
The Win32 subsystem libraries are usually mapped here.

* 7FFB316-7FFD3FFF
Code pages.

* 7FFDE000-7FFDEFFF
Thread Environment Block in user mode.

* 7FFDF000-7FFDFFFF
Process Environment Block in user mode.

* 7FFE0000-7FFE0FFF
Shared data area.

* 7FFFF000-7FFFFFFF
Protected Area.


02. Windows NT and the FLAT model
======================================

Since the i286, Intel processors have implemented a protection mechanism with four privilege levels. Code and data are each assigned a privilege level, so that applications, system programs, the kernel, and so on run at their own level and cannot freely access code and data of a higher privilege level. In practice, no operating system for Intel processors uses all four privilege levels (unknown ones not counted), and Windows NT is no exception: it uses only two rings. The kernel runs at ring 0 (the highest privilege level) and user code at ring 3 (the lowest). The Intel processor also provides a powerful memory segmentation mechanism that, together with the privilege levels, gives segment-level protection (for example, each logical segment of a program can be described in a descriptor table). Windows NT, however, implements the FLAT model, which keeps the use of segmentation to a minimum. The processor's Global Descriptor Table is managed by the Windows NT operating system and contains the following descriptors (obtained with SoftICE):

Sel.  Type      Base      Limit     DPL  Attributes
GDTbase = 80036000  Limit = 03FF
0008  Code32    00000000  FFFFFFFF  0    P  RE
0010  Data32    00000000  FFFFFFFF  0    P  RW
001B  Code32    00000000  FFFFFFFF  3    P  RE
0023  Data32    00000000  FFFFFFFF  3    P  RW
0028  TSS32     8024D000  000020AB  0    P  B
0030  Data32    FFDFF000  00001FFF  0    P  RW
003B  Data32    7FFD9000  00000FFF  3    P  RW
0043  Data16    00000400  0000FFFF  3    P  RW
0048  LDT       E1190000  000001FF  0    P
0050  TSS32     80149F60  00000068  0    P
0058  TSS32     80149FC8  00000068  0    P
0060  Data16    00022940  0000FFFF  0    P  RW
0068  Data16    000B8000  00003FFF  0    P  RW
0070  Data16    FFFF7000  000003FF  0    P  RW
0078  Code16    80400000  0000FFFF  0    P  RE
0080  Data16    80400000  0000FFFF  0    P  RW
0088  Data16    00000000  00000000  0    P  RW
0090  Reserved  00000000  00000000  0    NP
...
00E0  Reserved  00008003  00006100  0    NP
00E8  Data16    00000000  0000FFFF  0    P  RW
00F0  Code16    80117DB0  0000028D  0    P  EO
00F8  Data16    00000000  0000FFFF  0    P  RW
0100  Reserved  00008003  00006108  0    NP
...
03F8  Reserved  00000000  00000000  0    NP

The first four selectors all span the entire linear address space. The DPL (Descriptor Privilege Level) of the first two is 0, that of the last two is 3. Selectors 8 and 10 are used for addressing when the kernel (drivers, system code) is running; selectors 1B and 23 are used by user applications. In the FLAT model the application itself does not care about the contents of the segment registers: in ring 3, CS, DS and SS always hold 1B, 23 and 23 respectively, so the system code can monitor the values of the segment registers.

Selectors 30 and 3B point to the Processor Control Region and the Thread Information Block respectively. When code runs in ring 0, FS holds 30; when it runs in ring 3, FS holds 3B. Selector 30 always refers to a descriptor whose base address is FFDFF000, whereas the base address of selector 3B depends on the current user thread.

Selector 48 defines the Local Descriptor Table (LDT). The LDT is used only by Virtual DOS Machine (VDM) applications: while such a process runs, the corresponding selector is loaded into the processor's LDTR register; otherwise LDTR is 0. The LDT is mainly used by Windows 3.x applications, which run under WOW (Windows On Windows), itself implemented inside a VDM process; the VDM process uses the LDT in the same way Win3.x does.

There are always two TSS descriptors in the GDT. This is because the Windows NT operating system does not use the Intel processor's task-gate based task switching mechanism. The IDT contains the following descriptors (obtained with SoftICE):

Int   Type    Sel:Offset     Attributes  Symbol/Owner
IDTbase = F8500FC8  Limit = 07FF
0000  IntG32  0008:8013EC54  DPL=0 P     _KiTrap00
...
0007  IntG32  0008:8013F968  DPL=0 P     _KiTrap07
0008  TaskG   0050:00001338  DPL=0 P
0009  IntG32  0008:8013FCA8  DPL=0 P     _KiTrap09
...
0012  IntG32  0008:80141148  DPL=0 P     _KiTrap0F
...
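To make the GDT dump in this section concrete, here is an added example (not code from the original article) that decodes raw 8-byte x86 segment descriptors and 16-bit selectors into the Base, Limit and DPL columns shown above. The three raw entries are constructed to match the rows for selectors 0008, 001B and 0030 (the PCR segment).

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 segment descriptor. */
typedef struct {
    uint32_t base;
    uint32_t limit;     /* effective byte limit after applying granularity */
    unsigned dpl;       /* descriptor privilege level, 0..3 */
    int present;
    int is_code;        /* S=1 and type bit 3 set */
    int is_32bit;       /* D/B flag */
} seg_desc;

/* Selector fields: index = bits 15:3, TI = bit 2 (0 = GDT), RPL = bits 1:0. */
typedef struct { unsigned index, ti, rpl; } selector;

seg_desc decode_descriptor(const uint8_t d[8]) {
    seg_desc s;
    uint32_t limit = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s.base = d[2] | (d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.present  = (d[5] >> 7) & 1;
    s.dpl      = (d[5] >> 5) & 3;
    s.is_code  = ((d[5] >> 4) & 1) && ((d[5] >> 3) & 1);
    s.is_32bit = (d[6] >> 6) & 1;
    /* G=1: the limit counts 4 KB pages, so the low 12 bits are all ones. */
    s.limit = (d[6] & 0x80) ? ((limit << 12) | 0xFFF) : limit;
    return s;
}

selector decode_selector(uint16_t sel) {
    selector r = { sel >> 3, (sel >> 2) & 1, sel & 3 };
    return r;
}

/* Constructed raw GDT entries matching three rows of the SoftICE dump:
   0008 Code32 base 0 limit FFFFFFFF DPL 0, 001B its ring-3 twin,
   0030 Data32 base FFDFF000 limit 1FFF DPL 0 (the PCR segment). */
const uint8_t GDT_0008[8] = {0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00};
const uint8_t GDT_001B[8] = {0xFF,0xFF,0x00,0x00,0x00,0xFA,0xCF,0x00};
const uint8_t GDT_0030[8] = {0xFF,0x1F,0x00,0xF0,0xDF,0x92,0x40,0xFF};

int main(void) {
    const uint8_t *rows[] = { GDT_0008, GDT_001B, GDT_0030 };
    uint16_t sels[] = { 0x0008, 0x001B, 0x0030 };
    for (int i = 0; i < 3; i++) {
        seg_desc s = decode_descriptor(rows[i]);
        selector v = decode_selector(sels[i]);
        printf("%04X idx=%u rpl=%u %s base=%08X limit=%08X dpl=%u\n",
               sels[i], v.index, v.rpl, s.is_code ? "Code" : "Data",
               s.base, s.limit, s.dpl);
    }
    return 0;
}
```

Note how the RPL of selectors 1B and 3B (3) matches the DPL of their descriptors, while 8, 10 and 30 carry RPL 0; a selector with the wrong RPL would fault when loaded in ring 3.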
