Windows kernel snooping

Source: Internet
Author: User

Windows is a very good OS, and starting today I would like to share the joy of Windows with you! I am only sharing my own study notes, partly to deepen my own understanding of Windows; where there are omissions, I hope you will correct me! Come on, let's start our Windows tour!

1. Windows 2000 architecture
(1) System model
In most multi-user operating systems, user programs and system programs are separated: system programs run at a higher privilege level (kernel mode), while user programs run at a lower one. System programs have the right to operate on system data and hardware; a user program that wants system data or hardware access can get it only through a system program. In Windows 2000, system programs are provided in the form of services. When a user program accesses system data, it does so by making a request to the appropriate service, at which point the CPU executes a trap to enter kernel mode. When the requested service finishes and returns, Windows 2000 is responsible for restoring the register state of the user thread (in Windows 2000 the CPU is scheduled per thread) and so on, allowing the user thread to continue running. In Windows 2000, the kernel and device drivers all run in kernel mode and share the same memory space, which means that data belonging to one component may be modified by another component, a potential risk! Each component can cooperate with the others, and completing a task often requires cooperation between these components. We will talk about the system model slowly in the days to come.
(2) Portability
Windows 2000 is designed to work on a variety of hardware platforms, and we may wonder how it can be ported. We know that the instruction set on each platform is different, so the code on different platforms is certainly not the same; the means of achieving portability is not very mysterious and comes down to the following two points:
1. Windows 2000 is layered: the bottom part is platform-dependent and the upper part is platform-independent. That is, each hardware platform has its own implementation of the bottom part, and the interface of the bottom layer is unified, so the upper layer is not concerned with how the bottom layer is implemented, only with the interface between them. In Windows 2000 the two important parts that implement portability are the kernel and the hardware abstraction layer (HAL), which we will discuss in more detail in two later sections.
2. Most of Windows 2000 is written in C, part of it in C++, and assembly language is used only in places that deal directly with hardware or where performance requirements are high.

The system structure diagram above appears in many books; it is the Windows 2000 structure diagram. Below we go through the function of each part in detail:

As we can see, in user mode Windows 2000 has three subsystems: Win32, POSIX and OS/2. The most important is Win32, which is responsible for input and output management; without it the system will not work, while the other two subsystems must be configured to start. Our main focus is Win32, because it is the most widely used. We should pay special attention to three key points: the subsystem process, the subsystem dynamic link libraries, and user processes.

(1) Subsystem process: the Win32 subsystem in Windows 2000 takes the form of a process (Csrss.exe). It is responsible for the creation and deletion of all Win32 user processes and threads, the creation and deletion of temporary files, and management of the console.

(2) Subsystem dynamic link libraries: the Win32 subsystem uses dynamic link libraries that contain most of the functions the subsystem provides.

(3) User processes: applications created by users that run on top of the Win32 subsystem.
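As an added example (not from the original article), the following PowerShell lists the Win32 subsystem process described above, one instance per session, and checks its image path, signer and owning account, which is the check a defender runs since csrss.exe is only expected as a signed binary in System32. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and an elevated prompt; without elevation the path and owner of this protected process may be unreadable.

```powershell
# Added example, not part of the original article: inspect the Win32 subsystem
# process (csrss.exe). Assumes Windows PowerShell 5.1+ on Windows, run elevated.

function Get-SubsystemProcessReport {
    $expectedDir = Join-Path $env:SystemRoot 'System32'
    # Win32_Process exposes the image path, session and parent of each csrss instance.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'" |
        ForEach-Object {
            $path  = $_.ExecutablePath
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $sig   = if ($path -and (Test-Path -LiteralPath $path)) {
                         # Catalog-signed system binaries verify as 'Valid' on current Windows.
                         Get-AuthenticodeSignature -FilePath $path
                     } else { $null }
            [pscustomobject]@{
                ProcessId  = $_.ProcessId
                SessionId  = $_.SessionId     # one csrss.exe per session is expected
                ParentId   = $_.ParentProcessId
                Path       = $path
                InSystem32 = [bool]$path -and $path.StartsWith($expectedDir, 'OrdinalIgnoreCase')
                Owner      = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'Unavailable' }
                Signature  = if ($sig) { $sig.Status.ToString() } else { 'ImageNotReadable' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Anything that is not a validly signed image in System32 owned by SYSTEM deserves a closer look.
Get-SubsystemProcessReport |
    Sort-Object SessionId |
    Format-Table ProcessId, SessionId, ParentId, InSystem32, Owner, Signature, Path -AutoSize
```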

User processes do not invoke system services directly; they call the subsystem dynamic link libraries, and when a program calls a function of a subsystem DLL one of the following three scenarios may occur:

(1) The required function is provided entirely by the subsystem DLL, which means the program runs completely in user mode.

(2) The function needs to invoke one or more services running in kernel mode.

(3) The function needs the assistance of the subsystem process; in that case the user process sends a client/server request to the subsystem process, which carries out the actual work.

In particular, when a user process invokes a system service, it actually traps into kernel mode and control is handed to the system service dispatcher; no new process or thread needs to be created to carry it out.

Ntdll.dll

Below the subsystems is Ntdll.dll, which provides some of the functions required by the subsystem DLLs. The main role of ntdll.dll is to provide an interface to the layer beneath it, the executive, so that each module above it can invoke the services the executive provides.

Executive:

This is an exciting layer, because from here we enter Windows kernel mode. Although what kernel mode means is not yet entirely clear to us, that does not matter; as we study in more depth you will slowly find that this is the most important layer, because all of the main functions of Windows are done here. Let's cut it open and look at it piece by piece:

This layer contains the following important kinds of functions (services):

(1) Functions that can be called directly from user mode; these are the ones exported by ntdll (mentioned earlier), and most of them can be reached through a Win32 API that starts the corresponding service.

(2) Functions that can only be called from kernel mode, some of which are documented in the DDK; people who write drivers on Windows must be familiar with them.

(3) Undocumented functions for internal use by the executive.

The executive as a whole can be divided into the following modules:

(1) Configuration manager: responsible for managing the registry; we will cover it in detail later.

(2) Process and thread manager: responsible for creating and terminating processes and threads.

(3) Security reference monitor: enforces security policy on the local computer to protect its resources.

(4) I/O manager: implements device-independent I/O and is responsible for dispatching I/O requests to the appropriate device drivers for further processing.

(5) Plug and Play (PnP) manager: determines which driver should support a device and is responsible for loading the appropriate driver. During enumeration at startup it collects the hardware resources required by each device and allocates suitable hardware resources such as I/O ports, IRQs and DMA channels according to the needs of each device, and it is responsible for sending notifications to the system and to applications when the devices in the system change.

(6) Power manager: coordinates power events so that, with a suitable configuration, the CPU can reduce its power consumption.

(7) Cache manager: increases the overall performance of the system by keeping recently used data in the cache.

(8) Virtual memory manager: this is the most exciting part; understanding it will affect our understanding of the entire system structure, and we will explain it in detail in the future.

(9) WDM WMI routines: enable device drivers to publish performance and configuration information and to accept commands from the user-mode WMI service.

Anyone who has programmed on the Windows platform is surely familiar with handles, but what exactly is a handle? This often confuses beginners. To really understand handles we have to start from the Windows design philosophy: Windows is object-based. It treats system resources, processes, files and so on as objects, and the object manager manages all of these objects uniformly. A user manipulates the corresponding object through a handle, which can be seen as a reference to the object.

Kernel:
The kernel is the layer below the executive. It provides the most basic functions and simple objects to the executive, and the executive builds more complicated functions by adding security attributes, control attributes and so on to these simple objects. Its most important job is to provide the following four kinds of functions:
(1) Thread scheduling
(2) Trap handling and exception dispatching
(3) Interrupt handling and dispatching
(4) Multiprocessor synchronization

The kernel provides low-level system primitives and mechanisms that the executive invokes to implement its functions. The kernel only provides the underlying mechanisms and makes no policy decisions. But thread scheduling and exception handling are implemented in the kernel, and the kernel always runs in kernel mode.
One class of kernel objects, called control objects, includes APC and DPC objects and the objects used by the I/O system, such as interrupt objects.
Another class, called dispatcher objects, is used for thread scheduling. These objects include threads, mutexes, events, kernel event pairs, semaphores, timers and waitable timers.

Hardware support:
Another key function of the kernel is to make the executive and device drivers independent of the hardware, and this work involves handling differences in several areas: interrupt handling, exception handling and multiprocessor synchronization methods.

Hardware abstraction layer (HAL):
This is the most important part of Windows 2000 for achieving portability. The HAL is a loadable kernel-mode module (HAL.DLL) that provides the low-level interface to the hardware platform Windows 2000 runs on, and it hides a variety of hardware-related details such as I/O interfaces, interrupt controllers and multiprocessor communication mechanisms, all of which are platform-dependent. When platform-dependent information is needed, the internal modules of Windows 2000 and user programs obtain it through the HAL.

Device drivers:

Device drivers are kernel-mode loadable modules (with the .sys extension) that form the interface between the I/O manager and the related hardware devices. They run in one of the following three contexts:
(1) In the context of the user thread that initiated the I/O function
(2) In a kernel-mode system thread
(3) After an interrupt occurs (not in the context of any particular process or thread, but whichever process or thread was running when the interrupt occurred)
As mentioned earlier, Windows 2000 device drivers do not manipulate the hardware directly; instead they call functions in the HAL as the interface to the hardware. Drivers are usually written in C (sometimes in C++). Therefore, by using the HAL, device drivers can achieve platform independence.
There are several kinds of device drivers:
(1) Hardware drivers: implement reads and writes to physical hardware (by using the HAL).
(2) File system drivers: drivers for file I/O that translate these requests into I/O requests bound to specific devices.
(3) File filter drivers
(4) Network redirector drivers
(5) Protocol drivers
(6) Kernel streaming filter drivers
Because installing a driver is the only way to add user-written code that runs in kernel mode, some programmers write device drivers to access internal functions or internal data structures of the OS.
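As an added example (not from the original article), here is a PowerShell report over the kernel-mode loadable modules this section describes: it enumerates the kernel drivers registered as services, resolves their image paths and checks each image's Authenticode signature, flagging running drivers whose image cannot be found or does not verify. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and an elevated prompt.

```powershell
# Added example, not part of the original article: report on loaded kernel-mode
# drivers (.sys) and their signatures. Assumes Windows PowerShell 5.1+ on Windows, run elevated.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName
    # Service entries may use NT-style prefixes; strip them so the path is usable from user mode.
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                    # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32', (Join-Path $env:SystemRoot 'System32') # System32\... -> C:\Windows\System32\...
    return $p
}

function Get-KernelDriverReport {
    # Win32_SystemDriver lists kernel and file-system drivers registered as services.
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            $image = Resolve-DriverImagePath $_.PathName
            $sig = if ($image -and (Test-Path -LiteralPath $image)) {
                       # Inbox drivers are usually catalog-signed; the cmdlet consults catalogs too.
                       Get-AuthenticodeSignature -FilePath $image
                   } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State        # Running / Stopped
                StartMode = $_.StartMode    # Boot / System / Auto / Manual / Disabled
                Image     = $image
                Signature = if ($sig) { $sig.Status.ToString() } else { 'ImageNotFound' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Running kernel code whose image is missing or whose signature does not verify is what to review first.
Get-KernelDriverReport |
    Where-Object { $_.State -eq 'Running' -and $_.Signature -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, StartMode, Signature, Image -AutoSize
```

Drop the Where-Object filter to see the full inventory, including stopped drivers and the signer of each image.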


Well, that's it. We now have a general understanding of the overall structure of Windows 2000, and in the following days we will study each part in more depth and give some example programs to assist the explanation, because we learn it in order to use it, and to change it!
