tema 5 - windows - transparencia 1

7/27/2019 Tema 5 - Windows - Transparencia 1

1/19

1

Sistemas Operativos

Kernel de Windows - I

Sistemas Operativos

Versin: Abril 2013

Palabras Claves: Windows, Kernel,Executive, Process, System, Threads


2/19

2

Copyright Notice 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the WindowsOperating System Internals CurriculumDevelopment Kit, developed by David A.Solomon and Mark E. Russinovich withAndreas Polze

Microsoft has licensed these materials fromDavid Solomon Expert Seminars, Inc. for

distribution to academic organizationssolely for use in academic environments(and not for commercial use)

Simplified OS Architecture

Systemsupport

processes

Serviceprocesses

Userapplications

Environmentsubsystems

Subsystem DLLs

Executive

Kernel Device drivers

Hardware Abstraction Layer (HAL)

Windowingand graphics

UserMode

KernelMode


3/19

3

OS Architecture

Multiple personality OS design

user applications don't call the native Windows operating systemservices directly

Subsystem DLLs is to translate a documented function into theappropriate internal (and undocumented) Windows system servicecalls.

Environment subsystem processes

Manage client processes in their world

Impose semantics such as process model, security

Originally three environment subsystems: Windows, POSIX, and

OS/2Windows 2000 only included Windows and POSIX

Windows XP only includes Windows

Enhanced POSIX subsystem available with Services for Unix

Included with Windows Server 2003 R2

Kernel-ModeComponents: Core OS

Executive

base operating system services,

memory management, process and thread management,

security, I/O, interprocess communication.

Kernel

low-level operating system functions,

thread scheduling, interrupt and exception dispatching,

multiprocessor synchronization.

provides a set of routines and basic objects that the rest of theexecutive uses to implement higher-level constructs.

Both contained in file Ntoskrnl.exe


4/19

4

Device drivers (*.sys)

hardware device drivers translate user I/O function calls intospecific hardware device I/O requests

virtual devices - system volumes and network protocols

Windowing and Graphics Driver(Win32k.sys)

graphical user interface (GUI) functions (USER and GDI)

windows, user interface controls, and drawing

Hardware Abstraction Layer(Hal.dll)

isolates the kernel, device drivers, and executive from hardware

Hides platform-specific hardware differences (motherboards)

Kernel-Mode

Components: Drivers

Background SystemProcesses

Core system processes,

logon process, the session manager, etc.

not started by the service control manager

Service processes

Host Windows services

i.e.; Task Scheduler and Spooler services

Many Windows server applications, such as Microsoft

SQL Server and Microsoft Exchange Server, alsoinclude components that run as services.


5/19

5

Portability

When Windows NT was designed, there was no dominant processorarchitecture

Therefore it was designed to be portable

How achieved?

Most Windows OS code and device drivers is written in C

HAL and kernel contain some assembly language

Some components are written in C++:

windowing/graphics subsystem driver

volume manager

Hardware-specific code is isolated in low level layers of the OS (such as

Kernel and the HAL)Provides portable interface

NT 4.0 had support for x86, MIPS, PowerPC, Digital Alpha AXP

PowerPC and MIPS dropped soon after NT 4 release

Alpha AXP dropped in 1999 (supported through SP6)

Key Windows System FilesCore OS components:

NTOSKRNL.EXE** Executive and kernel

HAL.DLL Hardware abstraction layer

NTDLL.DLL Internal support functions and system

service dispatch stubs to executive functions

Core system processes:

SMSS.EXE Session manager processWINLOGON.EXE Logon process

SERVICES.EXE Service controller process

LSASS.EXE Local Security Authority Subsystem

Windowing subsystem:

CSRSS.EXE* Windows subsystem process

WIN32K.SYS USER and GDI kernel-mode components

KERNEL32/USER32/GDI32.DLL Windows subsystem DLLs


6/19

6

Key System Components

OS/2 WindowsPOSIX

Environment Subsystems

UserApplication

Subsystem DLL

WindowsUser/GDIDeviceDriver

Executive

Device Drivers Kernel


UserMode

KernelMode

System& ServiceProcesses

Windows

Multiple OS PersonalitiesWindows was designed to support multiple personalities, calledenvironment subsystems

Programming interface

File system syntax

Process semantics

Environment subsystems provide exposed, documented interfacebetween application and Windows native API

Each subsystem defines a different set of APIs and semantics

Subsystems implement these by invoking native APIs

Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile

.exes and .dlls you write are associated witha subsystem

Specified by LINK /SUBSYSTEM option

Cannot mix calls between subsystems


7/19

7

App calls Subsystem

Function is entirely implemented in user mode

No message sent to environment subsystem process

No Windows executive system service called

Examples: PtInRect(), IsRectEmpty()

Function requires one/more calls to Windows executive

Examples: Windows ReadFile() / WriteFile() implemented usingI/O system services NtReadFile() / NtWriteFile()

Function requires some work in environment subsystemprocess (maintain state of client app)

Client/server request (message) to env. Subsystem (LPC facility)

Subsystem DLL waits for reply before returning to caller

Combinations of 2/3: CreateProcess() / CreateThread()

hardware interfaces (buses, I/O devices, interrupts,interval timers, DMA, memory cache control, etc., etc.)

System Service Dispatcher

Task Manager

Explorer

SvcHost.Exe

WinMgt.Exe

SpoolSv.Exe

ServiceControl Mgr.

LSASS

Object

Mgr.

WindowsUSER,

GDI

File

System

Cache

I/O Mgr

EnvironmentSubsystems

UserApplication

Subsystem DLLs

System Processes Services Applications

Original copyright by Microsoft Corporation.

Used by permission.

SystemThreads

User

Mode

KernelMode

NTDLL.DLL

Device &File Sys.Drivers

WinLogon

Session ManagerServices.Exe POSIX

Windows DLLs

Plugand

PlayMgr.

Power

Mgr.

Security

Reference

Monitor

Virtual

Memory

Processes

&

Threads

Local

Procedure

Call Graphics

Drivers

Kernel


(kernel mode callable interfaces)

Windows Architecture

Configura-

tionMgr

(registry)

OS/2

Windows


8/19

8

Microkernel OS?

Is Windows a microkernel-based OS?

No not using the academic definition (OS components anddrivers run in their own private address spaces, layered on a primitivemicrokernel)

All kernel components live in a common shared address space

Therefore no protection between OS and drivers

Why not pure microkernel?

Performance separate address spaces would mean context switching to callbasic OS services

Most other commercial OSs (Unix, Linux, VMS etc.) have thesame design

But it does have some attributes of a microkernel OSOS personalities running in user space as separate processes

Kernel-mode components don't reach into one anothersdata structures

Use formal interfaces to pass parameters and access and/or modify data structures

Therefore the term modified microkernel

ExecutiveUpper layer of the operating system

Provides generic operating system functions (services)

Process Manager

Object Manager

Cache Manager

LPC (local procedure call) Facility

Configuration Manager

Memory Manager

Security Reference Monitor

I/O Manager

Power Manager

Plug-and-Play Manager

Almost completely portable C code

Runs in kernel (privileged, ring 0) mode

Most interfaces to executive services not documented


9/19

9

KernelLower layers of the operating system

Implements processor-dependent functions (x86 vs. Itanium etc.)

Also implements many processor-independent functions that areclosely associated with processor-dependent functions

Main services

Thread waiting, scheduling & context switching

Exception and interrupt dispatching

Operating system synchronization primitives (different for MP vs. UP)

A few of these are exposed to user mode

Not a classic microkernel

shares address space with rest of kernel-mode components

HAL - Hardware Abstraction LayerResponsible for a small part of hardware abstraction

Components on the motherboard not handled by drivers

System timers, Cache coherency, and flushing

SMP support, Hardware interrupt priorities

Subroutine library for the kernel & device drivers

Isolates Kernel and Executive from platform-specific details

Presents uniform model of I/O hardware interface to drivers

Reduced role as of Windows 2000

Bus support moved to bus drivers

Majority of HALs are vendor-independent

HAL also implements some functionsthat appear to be in the Executiveand Kernel

Selected at installation time

See \windows\repair\setup.log to find out which one

Can select manually at boot time with /HAL= in boot.ini

HAL kit

Special kit only for vendors that must write custom HALs (requires approval from Microsoft)

see http://www.microsoft.com/whdc/ddk/HALkit/default.mspx

HalGetInterruptVector

HalGetAdapter

WRITE_PORT_UCHAR

Sample HAL routines:


10/19

10

Kernel-Mode Device Drivers

Separate loadable modules (drivername.SYS)

Linked like .EXEs

Typically linked against NTOSKRNL.EXE and HAL.DLL

Only one version of each driver binary for both uniprocessor (UP) and multiprocessor(MP) systems

but drivers call routines in the kernel that behave differently for UP vs. MP Versions

Defined in registry

Same area as Windows services (t.b.d.) - differentiated by Type value

Several types:

ordinary, file system, NDIS miniport, SCSI miniport (linked against port drivers), busdrivers

More information in I/O subsystem section

To view loaded drivers, run drivers.exe

Also see list at end of output from pstat.exe includes addresses of each driver

To update & control:

System properties->Hardware Tab->Device Manager

Computer Management->Software Environment->Drivers

System Threads

Functions in OS and some drivers that need to run as real threads

E.g., need to run concurrently with other system activity, wait on timers,perform background housekeeping work

Always run in kernel mode

Notnon-preemptible (unless they raise IRQL to 2 or above)

For details, see DDK documentation on PsCreateSystemThread

What process do they appear in?

System process (NT4: PID 2, W2K: PID 8, XP: PID 4)

In Windows 2000 & later, windowing system threads (from Win32k.sys)appear in csrss.exe (Windows subsystem process)


11/19

11

Memory Manager

Modified Page Writer for mapped files

Modified Page Writer for paging files

Balance Set Manager

Swapper (kernel stack, working sets)

Zero page thread (thread 0, priority 0)

Security Reference Monitor

Command Server Thread

Network

Redirector and Server Worker Threads

Threads created by drivers for their exclusive use

Examples: Floppy driver, parallel port driver

Pool of Executive Worker Threads

Used by drivers, file systems,

Work queued using ExQueueWorkItem

System thread (ExpWorkerThreadBalanceManager) manages pool

Examples of System Threads

Identifying System Threads:Process Explorer

With Process Explorer:

Double click on Systemprocess

Go to Threads tab sort byCPU time

As explained before, threads runbetween clock ticks (or at highIRQL) and thus dont appear torun

Sort by context switch deltacolumn


12/19

12

Process-Based CodeOS components that run in separate executables (.exes), in theirown processes

Started by system

Not tied to a user logon

Three types:

Environment Subsystems (already described)

System startup processes

note, system startup processes is not an official MS-defined name

Windows Services

Lets examine the system process tree

Use Tlist /T or Process Explorer

Process-Based Windows Code:

System Startup Processes

First two processes arent real processes

not running a user mode .EXE

no user-mode address space

different utilities report them with different names

data structures for these processes (and their initial threads) are pre-created in

NtosKrnl.Exe and loaded along with the code

(Idle) Process id 0Part of the loaded system imageHome for idle thread(s) (not a real process nor real threads)Called System Process in many displays

(System) Process id 2 (8 in Windows 2000; 4 in XP)Part of the loaded system imageHome for kernel-defined threads (not a real process)Thread 0 (routine name Phase1Initialization) launches the firstreal process, running smss.exe......and then becomes the zero page thread


13/19

13

Process-Based Windows Code:

System Startup Processes (cont.)smss.exe Session Manager

The first created processTakes parameters from\HKEY_LOCAL_MACHINE\System\CurrentControlSet

\Control\Session ManagerLaunches required subsystems (csrss) and then winlogon

csrss.exe Windows subsystem

winlogon.exe Logon process: Launches services.exe & lsass.exe; presents first loginpromptWhen someone logs in, launches apps in \Software\Microsoft\WindowsNT\WinLogon\Userinit

services.exe Service Controller; also, home for many Windows-supplied servicesStarts processes for services not part of services.exe (driven by

\Registry\Machine\System\CurrentControlSet\Services )lsass.exe Local Security Authentication Server

userinit.exe Started after logon; starts Explorer.exe (see \Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\Shell) and exits (hence Explorer appears tobe an orphan)

explorer.exe and its children are the creators of all interactive apps

Objects and Handles

Many Windows APIs take arguments that are handles to system-defined datastructures, or objects

App calls CreateXxx, which creates an object and returns a handle to it

App then uses the handle value in API calls that operate on that object

Three types of Windows objects (and therefore handles):

Windows kernel objects (events, mutexes, files, processes, threads, etc.)

Objects are managed by the Windows Object Manager, and represent datastructures in system address space

Handle values are private to each process

Windows GDI objects (pens, brushes, fonts, etc.)

Objects are managed by the Windows subsystem

Handle values are valid system-wide / session-wide

Windows User objects (windows, menus, etc.)

Objects are managed by the Windows subsystem

Handle values are valid system-wide / session-wide


14/19

14

Handles and SecurityProcess handle table

Is unique for each process

But is in system address space, hence cannot be modified from user mode

Hence, is trusted

Security checks are made when handle table entry is created

i.e. at CreateXxx time

Handle table entry indicates the validated access rights to the object

Read, Write, Delete, Terminate, etc.

APIs that take an already-opened handle look in the handle tableentry before performing the function

For example: TerminateProcess checks to see if the handle was opened for

Terminate access

No need to check file ACL, process or thread access token, etc., on every writerequest---checking is done at file handle creation, i.e. file open, time

HandleCount = 1

ReferenceCount = 1

Event Object

Handles, Pointers, and Objects

Handle Table

Process A

Handle Table

Process B

System Space

handles

index

Handle to a kernel object is an indexinto the process handle table, andhence is invalid in any other process

Handle table entry contains thesystem-space address (8xxxxxxx orabove) of the data structure; thisaddress is the same regardless ofprocess context

Although handle table is per-process, it is actually in systemaddress space (hence protected)


15/19

15

Object ManagerExecutive component for managing system-definedobjects

Objects are data structures with optional names

Objects managed here include Windows Kernel objects, butnot Windows User or GDI objects

Object manager implements user-mode handles and theprocess handle table

Object manager is not used for all Windows data

structuresGenerally, only those types that need to be shared, named, orexported to user mode

Some data structures are called objects but are not managedby the object manager (e.g. DPC objects)

Object Manager

In part, a heap manager

Allocates memory for data structure from system-wide, kernel spaceheaps(pageable or nonpageable)

with a few extra functions:

Assigns name to data structure (optional)

Allows lookup by nameObjects can be protected by ACL-based security

Provides uniform naming, sharing, and protection scheme

Simplifies C2 security certification by centralizing all object protection inone place

Maintains counts of handles and references (stored pointers in kernelspace) to each object

Object cannot be freed back to the heap until all handles and referencesare gone


16/19

16

Executive Objects

Object type Represents

Object directory Container object for other objects: implementhierarchical namespace to store other object types

Symbolic link Mechanism for referring to an object name indirectly

Process Virtual address space and control informationnecessary for execution of thread objects

Thread Executable entity within a process

Section Region of shared memory (file mapping object inWindows API)

File Instance of an opened file or I/O device

Port Mechanism to pass messages between processes

Access token Security profile (security ID, user rights) of a processor thread

Executive Objects (contd.)Object type Represents

Event Object with persistent state (signaled or not) usablefor synchronization or notification

Semaphore Counter and resource gate for critical section

Mutant Synchronization construct to serialize resourceaccess

Timer Mechanism to notify a thread when a fixed period oftime elapses

Queue Method for threads to enqueue/dequeuenotifications of I/O completions (Windows I/Ocompletion port)

Key Reference to registry data visible in objectmanager namespace

Profile Mechanism for measuring execution time for aprocess within an address range


17/19

17

Object nameObject directorySecurity descriptorQuota chargesOpen handle countOpen handles listObject typeReference count

Object-specific data

Object Structure

Object header

Object body

Process 1

Process 2

Process 3

Type nameAccess types

Synchronizable? (Y/N)Pageable? (Y/N)Methods:

open, close, deleteparse, security,query name

Type object contains static, object-type specific data:- shared among all instances of an object type- link all instances together (enumeration)

Type object





Object Methods

Process opens handle to object \Device\Floppy0\docs\resume.doc

Object manager traverses name tree until it reaches Floppy0

Calls parse method for object Floppy0 with arg \docs\resume.doc

Method When method is called

Open When an object handle is opened

Close When an object handle is closed

Delete Before the object manager deletes an object

Query name When a thread requests the name of an object, such as a file, thatexists in a secondary object domain

Parse When the object manager is searching for an object name that exists ina secondary object domain

Security When a process reads/changes protection of an objects, such as a file,that exists in a secondary object domain

Example:


18/19

18

Object Manager Namespace

System and session-wide internal namespace for all objectsexported by the operating system

View with Winobj from www.sysinternals.com

Interesting Object Directories

in \ObjectTypes

objects that define types of objects

in \BaseNamedObjects

these will appear when Windows programs use

CreateEvent, etc.mutant (Windows mutex)

queue (Windows I/O completion port)

section (Windows file mapping object)

event

Semaphore

In \GLOBAL??

DOS device name mappings for console session


19/19

Object Manager NamespaceNamespace:

Hierarchical directory structure (based on file system model)

System-wide (not per-process)

With Terminal Services, Windows objects are per-session by default

Can override this with global\ prefix on object names

Volatile (not preserved across boots)

As of Server 2003, requires SeCreateGlobalPrivilege

Namespace can be extended by secondary object managers (e.g. file system)

Hook mechanism to call external parse routine (method)

Supports case sensitive or case blind

Supports symbolic links (used to implement drive letters, etc.)

Lookup done on object creation or access by name

Not on access by handle

Not all objects managed by the object manager are named

e.g. file objects are not named

un-named objects are not visible in WinObj

Otras Referencias

Windows Academic Program:http://www.microsoft.com/education/faculty

connection/articles/articledetails.aspx?cid=2416 (27/05/2010)

SO 2009 - Fac. de Informtica -

U.N.L.P.

tema 5 - windows - transparencia 1

Documents