Windows Kernel principle Series 01-Basic Concepts

Source: Internet
Author: User

1.Windows API

The Windows Application Programming Interface (API) is the user-mode system programming interface of the Windows operating system family; it is documented and shipped in the Windows SDK.

2. About .NET

.NET consists of a class library, the Framework Class Library (FCL), and the Common Language Runtime (CLR). The FCL is built on top of the CLR, and the CLR is implemented as a standard set of COM servers that provide garbage collection, just-in-time compilation, type checking and similar services. These CLR features are what raise developer productivity. The relationship between the .NET Framework and the layers beneath it is as follows:

    .NET application          \
    Class Library (FCL)       /   User mode (managed code)
    --------------------------------------------------------
    CLR (COM server)          \
    Windows API DLLs          /   User mode (unmanaged code)
    --------------------------------------------------------
    Windows kernel                Kernel mode

3. Services, functions, and routines

The word "service" has several meanings on Windows:

1. Windows API functions: the documented, callable functions of the Windows subsystem, exported from DLLs such as User32.dll, Gdi32.dll, Advapi32.dll and KernelBase.dll.

2. Native system services: the system calls provided by the operating system, usable under any subsystem. Their entry stubs live in Ntdll.dll and they are the only entry points into the kernel; the Windows API is implemented by calling these native services, so it is the Windows subsystem's encapsulation of them.

3. Kernel support functions: routines that can only be called from kernel mode.

4. Windows services: processes started and managed by the service control manager.

5. DLLs: sets of callable routines packaged as dynamically linked libraries.

4. Process

A process is a container for the resources that are in use while an instance of a program executes:

1. A private virtual address space

Shared memory sections or ReadProcessMemory can cross this boundary.

The process tracks its virtual address space with Virtual Address Descriptors (VADs), which are kept internally in an AVL tree.

2. Executable programs and associated DLLs

3. An open handle table, whose entries point to various system resources: files, semaphores, etc.

4. An access token identifying the user associated with the process, its security groups, privileges, UAC virtualization state, session and restricted-user state

5. A process ID (process IDs and thread IDs are drawn from the same ID space, so they never overlap)

6. At least one executable thread

7. A parent process (which may no longer exist; common tools then show the process as having no parent)

PS: To decide whether the recorded parent is still the real parent, compare the start time of the current process with the start time of the process that currently holds the parent's process ID.
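As an added example (not code from the original article), the following PowerShell function performs exactly that check over a live process table: a recorded parent that is younger than its child means the parent PID has been reused. It assumes a Windows host with the built-in CIM cmdlets; the function name Get-ParentProcessStatus and the status strings are mine.

```powershell
# Added example, not from the original article. Flags processes whose recorded
# parent PID no longer exists or has been reused by a newer process, by
# comparing creation times. Assumes a Windows host and the built-in CIM cmdlets.
function Get-ParentProcessStatus {
    param(
        # Defaults to every process; pass one or more PIDs to narrow the check.
        [int[]]$ProcessId
    )

    # Take one snapshot of the process table and index it by PID so every
    # parent lookup is O(1) and the whole check sees a consistent view.
    $table = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $table[[int]$p.ProcessId] = $p
    }

    $ids = if ($ProcessId) { $ProcessId } else { $table.Keys }

    foreach ($id in $ids) {
        $proc = $table[[int]$id]
        if (-not $proc) { continue }
        $parent = $table[[int]$proc.ParentProcessId]

        # CreationDate is already a [datetime] on CimInstance objects.
        $status = if (-not $parent) {
            'ParentExited'        # PID is no longer in the table
        } elseif ($parent.CreationDate -gt $proc.CreationDate) {
            'ParentPidReused'     # the "parent" started after the child did
        } else {
            'ParentValid'
        }

        [pscustomobject]@{
            ProcessId       = $proc.ProcessId
            Name            = $proc.Name
            ParentProcessId = $proc.ParentProcessId
            ParentName      = if ($parent) { $parent.Name } else { $null }
            Created         = $proc.CreationDate
            Status          = $status
        }
    }
}

# Usage: show only the entries whose parent link cannot be trusted.
Get-ParentProcessStatus | Where-Object Status -ne 'ParentValid' | Format-Table -AutoSize
```

A legitimate parent that has simply exited shows up as ParentExited, which is common and harmless; ParentPidReused is the case the note above is about, because the process currently holding that PID is not the one that created the child. Processes whose CreationDate the caller is not allowed to read compare as valid, so run the check from an elevated session for full coverage.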

5. Threads

A thread is an entity inside a process and the unit that Windows schedules to execute the process's code. A thread consists of the following components:

1. A set of processor state, namely the CPU registers (called the thread context, which must be saved and restored when switching threads); it can be read with GetThreadContext.

2. Two stacks, one for kernel-mode execution and one for user-mode execution. Kernel mode and user mode are separate; kernel mode can access user-mode memory, but to isolate the two fully they need separate stacks. Another reason for the separation is the system-call mechanism: originally a system call was an int 2e software interrupt rather than a direct call. The current implementation uses sysenter, which likewise jumps to a fixed address and passes the current user-mode stack pointer in the AX register.

3. Thread-local storage (TLS), which consists of a TLS index table maintained by the process and a TLS slot table maintained by each thread, each holding a pointer per table entry. A thread accesses a slot through an index: the process table records which indexes are allocated, and each thread holds its own value for a given index. The same index therefore yields a different value in each thread.

4. Thread ID

5. An optional token, used for example by a multithreaded server to impersonate a client's security context, or to impersonate system privileges ...

6. Fibers

A fiber is a user-mode thread that avoids the overhead of kernel-mode thread switching, much like user-mode scheduling (UMS). A fiber never gives up execution on its own: it runs until SwitchToFiber is called or it exits.

7. Virtual Memory

Windows uses a linear virtual memory system, so that each process has a large virtual address space. It is implemented with paging, and the page file or file mappings are used to write infrequently used data to disk and free up more physical memory.

Windows extends the address space of 32-bit programs with 3GB mode or Address Windowing Extensions (AWE). AWE lets an application map different regions of physical memory into its own 2 GB (or 3 GB) user space.

8. Kernel mode and user mode

To protect the operating system itself, Windows uses the processor's privilege-level mechanism to divide execution into user mode (ring 3) and kernel mode (ring 0). Ring 0 may execute privileged instructions; moving from ring 3 to ring 0 requires a specific, protected entry path. In kernel mode all code shares one virtual address space, and drivers run in kernel mode, so an unstable driver can destabilize the whole system. 64-bit Windows enforces driver signing.
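Because every running driver shares the kernel's address space, the signature of each driver image is the first thing to verify when triaging a host. As an added example (not code from the original article), the following PowerShell function lists the running kernel drivers and checks the Authenticode signature of each image. It assumes a Windows host and only built-in cmdlets; the path normalization rules and the function name Get-RunningDriverSignatureStatus are mine.

```powershell
# Added example, not from the original article. Enumerates the kernel drivers
# currently running and verifies the signature of each image file.
# Assumes a Windows host; uses only built-in cmdlets (CIM + Get-AuthenticodeSignature).
function Get-RunningDriverSignatureStatus {
    # Win32_SystemDriver lists kernel-mode drivers registered as services.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'"

    foreach ($d in $drivers) {
        $path = $d.PathName
        if (-not $path) { continue }

        # PathName may be NT-style ("\??\C:\..." or "\SystemRoot\...") or relative
        # to the Windows directory; normalise it to a plain Win32 path (assumption:
        # these are the forms seen in practice).
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot $path
        }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Driver = $d.Name; Path = $path; Status = 'FileNotFound'; SignatureType = $null; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Driver        = $d.Name
            Path          = $path
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage: on a 64-bit system anything other than Valid deserves a closer look.
Get-RunningDriverSignatureStatus | Where-Object Status -ne 'Valid' | Format-Table -AutoSize
```

Most inbox drivers are catalog-signed rather than carrying an embedded signature, which is why the output reports SignatureType: a Valid result with SignatureType Catalog is normal. A driver whose file cannot be found on disk while it is reported as running is worth investigating on its own.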

9. Terminal Services and multiple sessions

Terminal Services accepts multiple session requests and implements local or remote sessions. Remote sessions can be created with Remote Desktop.

10. Objects and handles

With the help of a kernel component called the object manager, Windows manages objects and references them through handles. The object manager provides several services:

1. Readable names for system resources

2. Sharing of resources and data between processes

3. Protection of resources against unauthorized access

4. Reference tracking, so that objects are freed automatically when they are no longer in use.

11. Security

Core security features of Windows include:

1. Self-contained, enforced integrity protection for shareable objects

2. Security auditing (recording the subject or user who initiated an action and the action itself)

3. Authentication at logon

4. Preventing users from accessing uninitialized resources and thereby reading data released by other users

Windows supports three forms of object access control:

1. Discretionary access control: the owner of an object grants or denies access to it. When a user logs on, they receive a set of security credentials (a token); when they try to access an object, the system compares that token with the object's access control list (ACL).

2. Privileged access control: lets protected objects be reached even when the owner cannot be contacted, for example by an administrator.

3. Mandatory integrity control: governs object access within the same account, as used by UAC.
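The discretionary check described above, and the access token listed under "Process" earlier, can be seen together in miniature: read the caller's token (its user SID plus group SIDs) and an object's DACL, and list the ACEs whose SID matches the token. The following PowerShell function is an added example, not code from the original article; it assumes a Windows host, and the function name Get-ApplicableAces and its Path parameter are mine.

```powershell
# Added example, not from the original article. Shows which entries of a file's
# DACL apply to the current token, i.e. the token-vs-ACL comparison in miniature.
# Assumes a Windows host; $Path may be any file the caller can read the ACL of.
function Get-ApplicableAces {
    param([Parameter(Mandatory)][string]$Path)

    # The caller's security context: the token's user SID and every group SID.
    # These are the SIDs the kernel matches against each ACE during an access check.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # ACEs are presented as account names; translate back to SIDs. A few
        # built-in or capability SIDs have no name and cannot be translated; skip them.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }

        if ($tokenSids -contains $sid.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Sid       = $sid.Value
                Type      = $ace.AccessControlType      # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: which DACL entries on the hosts file apply to my token?
Get-ApplicableAces -Path "$env:SystemRoot\System32\drivers\etc\hosts" | Format-Table -AutoSize
```

This is only the matching step of an access check. The real kernel check also walks the ACEs in canonical order (explicit Deny before Allow, then inherited entries), honours the requested access mask, and applies the mandatory integrity label before the DACL is even consulted; a Deny entry in this output therefore wins over any Allow for the same right.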
