tema 5 - windows - transparencia 1
TRANSCRIPT
-
7/27/2019 Tema 5 - Windows - Transparencia 1
1/19
1
Sistemas Operativos
Kernel de Windows - I
Sistemas Operativos
Versin: Abril 2013
Palabras Claves: Windows, Kernel,Executive, Process, System, Threads
-
7/27/2019 Tema 5 - Windows - Transparencia 1
2/19
2
Copyright Notice 2000-2005 David A. Solomon and Mark Russinovich
These materials are part of the WindowsOperating System Internals CurriculumDevelopment Kit, developed by David A.Solomon and Mark E. Russinovich withAndreas Polze
Microsoft has licensed these materials fromDavid Solomon Expert Seminars, Inc. for
distribution to academic organizationssolely for use in academic environments(and not for commercial use)
Simplified OS Architecture
Systemsupport
processes
Serviceprocesses
Userapplications
Environmentsubsystems
Subsystem DLLs
Executive
Kernel Device drivers
Hardware Abstraction Layer (HAL)
Windowingand graphics
UserMode
KernelMode
-
7/27/2019 Tema 5 - Windows - Transparencia 1
3/19
3
OS Architecture
Multiple personality OS design
user applications don't call the native Windows operating systemservices directly
Subsystem DLLs is to translate a documented function into theappropriate internal (and undocumented) Windows system servicecalls.
Environment subsystem processes
Manage client processes in their world
Impose semantics such as process model, security
Originally three environment subsystems: Windows, POSIX, and
OS/2Windows 2000 only included Windows and POSIX
Windows XP only includes Windows
Enhanced POSIX subsystem available with Services for Unix
Included with Windows Server 2003 R2
Kernel-ModeComponents: Core OS
Executive
base operating system services,
memory management, process and thread management,
security, I/O, interprocess communication.
Kernel
low-level operating system functions,
thread scheduling, interrupt and exception dispatching,
multiprocessor synchronization.
provides a set of routines and basic objects that the rest of theexecutive uses to implement higher-level constructs.
Both contained in file Ntoskrnl.exe
-
7/27/2019 Tema 5 - Windows - Transparencia 1
4/19
4
Device drivers (*.sys)
hardware device drivers translate user I/O function calls intospecific hardware device I/O requests
virtual devices - system volumes and network protocols
Windowing and Graphics Driver(Win32k.sys)
graphical user interface (GUI) functions (USER and GDI)
windows, user interface controls, and drawing
Hardware Abstraction Layer(Hal.dll)
isolates the kernel, device drivers, and executive from hardware
Hides platform-specific hardware differences (motherboards)
Kernel-Mode
Components: Drivers
Background SystemProcesses
Core system processes,
logon process, the session manager, etc.
not started by the service control manager
Service processes
Host Windows services
i.e.; Task Scheduler and Spooler services
Many Windows server applications, such as Microsoft
SQL Server and Microsoft Exchange Server, alsoinclude components that run as services.
-
7/27/2019 Tema 5 - Windows - Transparencia 1
5/19
5
Portability
When Windows NT was designed, there was no dominant processorarchitecture
Therefore it was designed to be portable
How achieved?
Most Windows OS code and device drivers is written in C
HAL and kernel contain some assembly language
Some components are written in C++:
windowing/graphics subsystem driver
volume manager
Hardware-specific code is isolated in low level layers of the OS (such as
Kernel and the HAL)Provides portable interface
NT 4.0 had support for x86, MIPS, PowerPC, Digital Alpha AXP
PowerPC and MIPS dropped soon after NT 4 release
Alpha AXP dropped in 1999 (supported through SP6)
Key Windows System FilesCore OS components:
NTOSKRNL.EXE** Executive and kernel
HAL.DLL Hardware abstraction layer
NTDLL.DLL Internal support functions and system
service dispatch stubs to executive functions
Core system processes:
SMSS.EXE Session manager processWINLOGON.EXE Logon process
SERVICES.EXE Service controller process
LSASS.EXE Local Security Authority Subsystem
Windowing subsystem:
CSRSS.EXE* Windows subsystem process
WIN32K.SYS USER and GDI kernel-mode components
KERNEL32/USER32/GDI32.DLL Windows subsystem DLLs
-
7/27/2019 Tema 5 - Windows - Transparencia 1
6/19
6
Key System Components
OS/2 WindowsPOSIX
Environment Subsystems
UserApplication
Subsystem DLL
WindowsUser/GDIDeviceDriver
Executive
Device Drivers Kernel
Hardware Abstraction Layer (HAL)
UserMode
KernelMode
System& ServiceProcesses
Windows
Multiple OS PersonalitiesWindows was designed to support multiple personalities, calledenvironment subsystems
Programming interface
File system syntax
Process semantics
Environment subsystems provide exposed, documented interfacebetween application and Windows native API
Each subsystem defines a different set of APIs and semantics
Subsystems implement these by invoking native APIs
Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile
.exes and .dlls you write are associated witha subsystem
Specified by LINK /SUBSYSTEM option
Cannot mix calls between subsystems
-
7/27/2019 Tema 5 - Windows - Transparencia 1
7/19
7
App calls Subsystem
Function is entirely implemented in user mode
No message sent to environment subsystem process
No Windows executive system service called
Examples: PtInRect(), IsRectEmpty()
Function requires one/more calls to Windows executive
Examples: Windows ReadFile() / WriteFile() implemented usingI/O system services NtReadFile() / NtWriteFile()
Function requires some work in environment subsystemprocess (maintain state of client app)
Client/server request (message) to env. Subsystem (LPC facility)
Subsystem DLL waits for reply before returning to caller
Combinations of 2/3: CreateProcess() / CreateThread()
hardware interfaces (buses, I/O devices, interrupts,interval timers, DMA, memory cache control, etc., etc.)
System Service Dispatcher
Task Manager
Explorer
SvcHost.Exe
WinMgt.Exe
SpoolSv.Exe
ServiceControl Mgr.
LSASS
Object
Mgr.
WindowsUSER,
GDI
File
System
Cache
I/O Mgr
EnvironmentSubsystems
UserApplication
Subsystem DLLs
System Processes Services Applications
Original copyright by Microsoft Corporation.
Used by permission.
SystemThreads
User
Mode
KernelMode
NTDLL.DLL
Device &File Sys.Drivers
WinLogon
Session ManagerServices.Exe POSIX
Windows DLLs
Plugand
PlayMgr.
Power
Mgr.
Security
Reference
Monitor
Virtual
Memory
Processes
&
Threads
Local
Procedure
Call Graphics
Drivers
Kernel
Hardware Abstraction Layer (HAL)
(kernel mode callable interfaces)
Windows Architecture
Configura-
tionMgr
(registry)
OS/2
Windows
-
7/27/2019 Tema 5 - Windows - Transparencia 1
8/19
8
Microkernel OS?
Is Windows a microkernel-based OS?
No not using the academic definition (OS components anddrivers run in their own private address spaces, layered on a primitivemicrokernel)
All kernel components live in a common shared address space
Therefore no protection between OS and drivers
Why not pure microkernel?
Performance separate address spaces would mean context switching to callbasic OS services
Most other commercial OSs (Unix, Linux, VMS etc.) have thesame design
But it does have some attributes of a microkernel OSOS personalities running in user space as separate processes
Kernel-mode components don't reach into one anothersdata structures
Use formal interfaces to pass parameters and access and/or modify data structures
Therefore the term modified microkernel
ExecutiveUpper layer of the operating system
Provides generic operating system functions (services)
Process Manager
Object Manager
Cache Manager
LPC (local procedure call) Facility
Configuration Manager
Memory Manager
Security Reference Monitor
I/O Manager
Power Manager
Plug-and-Play Manager
Almost completely portable C code
Runs in kernel (privileged, ring 0) mode
Most interfaces to executive services not documented
-
7/27/2019 Tema 5 - Windows - Transparencia 1
9/19
9
KernelLower layers of the operating system
Implements processor-dependent functions (x86 vs. Itanium etc.)
Also implements many processor-independent functions that areclosely associated with processor-dependent functions
Main services
Thread waiting, scheduling & context switching
Exception and interrupt dispatching
Operating system synchronization primitives (different for MP vs. UP)
A few of these are exposed to user mode
Not a classic microkernel
shares address space with rest of kernel-mode components
HAL - Hardware Abstraction LayerResponsible for a small part of hardware abstraction
Components on the motherboard not handled by drivers
System timers, Cache coherency, and flushing
SMP support, Hardware interrupt priorities
Subroutine library for the kernel & device drivers
Isolates Kernel and Executive from platform-specific details
Presents uniform model of I/O hardware interface to drivers
Reduced role as of Windows 2000
Bus support moved to bus drivers
Majority of HALs are vendor-independent
HAL also implements some functionsthat appear to be in the Executiveand Kernel
Selected at installation time
See \windows\repair\setup.log to find out which one
Can select manually at boot time with /HAL= in boot.ini
HAL kit
Special kit only for vendors that must write custom HALs (requires approval from Microsoft)
see http://www.microsoft.com/whdc/ddk/HALkit/default.mspx
HalGetInterruptVector
HalGetAdapter
WRITE_PORT_UCHAR
Sample HAL routines:
-
7/27/2019 Tema 5 - Windows - Transparencia 1
10/19
10
Kernel-Mode Device Drivers
Separate loadable modules (drivername.SYS)
Linked like .EXEs
Typically linked against NTOSKRNL.EXE and HAL.DLL
Only one version of each driver binary for both uniprocessor (UP) and multiprocessor(MP) systems
but drivers call routines in the kernel that behave differently for UP vs. MP Versions
Defined in registry
Same area as Windows services (t.b.d.) - differentiated by Type value
Several types:
ordinary, file system, NDIS miniport, SCSI miniport (linked against port drivers), busdrivers
More information in I/O subsystem section
To view loaded drivers, run drivers.exe
Also see list at end of output from pstat.exe includes addresses of each driver
To update & control:
System properties->Hardware Tab->Device Manager
Computer Management->Software Environment->Drivers
System Threads
Functions in OS and some drivers that need to run as real threads
E.g., need to run concurrently with other system activity, wait on timers,perform background housekeeping work
Always run in kernel mode
Notnon-preemptible (unless they raise IRQL to 2 or above)
For details, see DDK documentation on PsCreateSystemThread
What process do they appear in?
System process (NT4: PID 2, W2K: PID 8, XP: PID 4)
In Windows 2000 & later, windowing system threads (from Win32k.sys)appear in csrss.exe (Windows subsystem process)
-
7/27/2019 Tema 5 - Windows - Transparencia 1
11/19
11
Memory Manager
Modified Page Writer for mapped files
Modified Page Writer for paging files
Balance Set Manager
Swapper (kernel stack, working sets)
Zero page thread (thread 0, priority 0)
Security Reference Monitor
Command Server Thread
Network
Redirector and Server Worker Threads
Threads created by drivers for their exclusive use
Examples: Floppy driver, parallel port driver
Pool of Executive Worker Threads
Used by drivers, file systems,
Work queued using ExQueueWorkItem
System thread (ExpWorkerThreadBalanceManager) manages pool
Examples of System Threads
Identifying System Threads:Process Explorer
With Process Explorer:
Double click on Systemprocess
Go to Threads tab sort byCPU time
As explained before, threads runbetween clock ticks (or at highIRQL) and thus dont appear torun
Sort by context switch deltacolumn
-
7/27/2019 Tema 5 - Windows - Transparencia 1
12/19
12
Process-Based CodeOS components that run in separate executables (.exes), in theirown processes
Started by system
Not tied to a user logon
Three types:
Environment Subsystems (already described)
System startup processes
note, system startup processes is not an official MS-defined name
Windows Services
Lets examine the system process tree
Use Tlist /T or Process Explorer
Process-Based Windows Code:
System Startup Processes
First two processes arent real processes
not running a user mode .EXE
no user-mode address space
different utilities report them with different names
data structures for these processes (and their initial threads) are pre-created in
NtosKrnl.Exe and loaded along with the code
(Idle) Process id 0Part of the loaded system imageHome for idle thread(s) (not a real process nor real threads)Called System Process in many displays
(System) Process id 2 (8 in Windows 2000; 4 in XP)Part of the loaded system imageHome for kernel-defined threads (not a real process)Thread 0 (routine name Phase1Initialization) launches the firstreal process, running smss.exe......and then becomes the zero page thread
-
7/27/2019 Tema 5 - Windows - Transparencia 1
13/19
13
Process-Based Windows Code:
System Startup Processes (cont.)smss.exe Session Manager
The first created processTakes parameters from\HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control\Session ManagerLaunches required subsystems (csrss) and then winlogon
csrss.exe Windows subsystem
winlogon.exe Logon process: Launches services.exe & lsass.exe; presents first loginpromptWhen someone logs in, launches apps in \Software\Microsoft\WindowsNT\WinLogon\Userinit
services.exe Service Controller; also, home for many Windows-supplied servicesStarts processes for services not part of services.exe (driven by
\Registry\Machine\System\CurrentControlSet\Services )lsass.exe Local Security Authentication Server
userinit.exe Started after logon; starts Explorer.exe (see \Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\Shell) and exits (hence Explorer appears tobe an orphan)
explorer.exe and its children are the creators of all interactive apps
Objects and Handles
Many Windows APIs take arguments that are handles to system-defined datastructures, or objects
App calls CreateXxx, which creates an object and returns a handle to it
App then uses the handle value in API calls that operate on that object
Three types of Windows objects (and therefore handles):
Windows kernel objects (events, mutexes, files, processes, threads, etc.)
Objects are managed by the Windows Object Manager, and represent datastructures in system address space
Handle values are private to each process
Windows GDI objects (pens, brushes, fonts, etc.)
Objects are managed by the Windows subsystem
Handle values are valid system-wide / session-wide
Windows User objects (windows, menus, etc.)
Objects are managed by the Windows subsystem
Handle values are valid system-wide / session-wide
-
7/27/2019 Tema 5 - Windows - Transparencia 1
14/19
14
Handles and SecurityProcess handle table
Is unique for each process
But is in system address space, hence cannot be modified from user mode
Hence, is trusted
Security checks are made when handle table entry is created
i.e. at CreateXxx time
Handle table entry indicates the validated access rights to the object
Read, Write, Delete, Terminate, etc.
APIs that take an already-opened handle look in the handle tableentry before performing the function
For example: TerminateProcess checks to see if the handle was opened for
Terminate access
No need to check file ACL, process or thread access token, etc., on every writerequest---checking is done at file handle creation, i.e. file open, time
HandleCount = 1
ReferenceCount = 1
Event Object
Handles, Pointers, and Objects
Handle Table
Process A
Handle Table
Process B
System Space
handles
index
Handle to a kernel object is an indexinto the process handle table, andhence is invalid in any other process
Handle table entry contains thesystem-space address (8xxxxxxx orabove) of the data structure; thisaddress is the same regardless ofprocess context
Although handle table is per-process, it is actually in systemaddress space (hence protected)
-
7/27/2019 Tema 5 - Windows - Transparencia 1
15/19
15
Object ManagerExecutive component for managing system-definedobjects
Objects are data structures with optional names
Objects managed here include Windows Kernel objects, butnot Windows User or GDI objects
Object manager implements user-mode handles and theprocess handle table
Object manager is not used for all Windows data
structuresGenerally, only those types that need to be shared, named, orexported to user mode
Some data structures are called objects but are not managedby the object manager (e.g. DPC objects)
Object Manager
In part, a heap manager
Allocates memory for data structure from system-wide, kernel spaceheaps(pageable or nonpageable)
with a few extra functions:
Assigns name to data structure (optional)
Allows lookup by nameObjects can be protected by ACL-based security
Provides uniform naming, sharing, and protection scheme
Simplifies C2 security certification by centralizing all object protection inone place
Maintains counts of handles and references (stored pointers in kernelspace) to each object
Object cannot be freed back to the heap until all handles and referencesare gone
-
7/27/2019 Tema 5 - Windows - Transparencia 1
16/19
16
Executive Objects
Object type Represents
Object directory Container object for other objects: implementhierarchical namespace to store other object types
Symbolic link Mechanism for referring to an object name indirectly
Process Virtual address space and control informationnecessary for execution of thread objects
Thread Executable entity within a process
Section Region of shared memory (file mapping object inWindows API)
File Instance of an opened file or I/O device
Port Mechanism to pass messages between processes
Access token Security profile (security ID, user rights) of a processor thread
Executive Objects (contd.)Object type Represents
Event Object with persistent state (signaled or not) usablefor synchronization or notification
Semaphore Counter and resource gate for critical section
Mutant Synchronization construct to serialize resourceaccess
Timer Mechanism to notify a thread when a fixed period oftime elapses
Queue Method for threads to enqueue/dequeuenotifications of I/O completions (Windows I/Ocompletion port)
Key Reference to registry data visible in objectmanager namespace
Profile Mechanism for measuring execution time for aprocess within an address range
-
7/27/2019 Tema 5 - Windows - Transparencia 1
17/19
17
Object nameObject directorySecurity descriptorQuota chargesOpen handle countOpen handles listObject typeReference count
Object-specific data
Object Structure
Object header
Object body
Process 1
Process 2
Process 3
Type nameAccess types
Synchronizable? (Y/N)Pageable? (Y/N)Methods:
open, close, deleteparse, security,query name
Type object contains static, object-type specific data:- shared among all instances of an object type- link all instances together (enumeration)
Type object
Object nameObject directorySecurity descriptorQuota chargesOpen handle countOpen handles listObject typeReference count
Object-specific data
Object nameObject directorySecurity descriptorQuota chargesOpen handle countOpen handles listObject typeReference count
Object-specific data
Object Methods
Process opens handle to object \Device\Floppy0\docs\resume.doc
Object manager traverses name tree until it reaches Floppy0
Calls parse method for object Floppy0 with arg \docs\resume.doc
Method When method is called
Open When an object handle is opened
Close When an object handle is closed
Delete Before the object manager deletes an object
Query name When a thread requests the name of an object, such as a file, thatexists in a secondary object domain
Parse When the object manager is searching for an object name that exists ina secondary object domain
Security When a process reads/changes protection of an objects, such as a file,that exists in a secondary object domain
Example:
-
7/27/2019 Tema 5 - Windows - Transparencia 1
18/19
18
Object Manager Namespace
System and session-wide internal namespace for all objectsexported by the operating system
View with Winobj from www.sysinternals.com
Interesting Object Directories
in \ObjectTypes
objects that define types of objects
in \BaseNamedObjects
these will appear when Windows programs use
CreateEvent, etc.mutant (Windows mutex)
queue (Windows I/O completion port)
section (Windows file mapping object)
event
Semaphore
In \GLOBAL??
DOS device name mappings for console session
-
7/27/2019 Tema 5 - Windows - Transparencia 1
19/19
Object Manager NamespaceNamespace:
Hierarchical directory structure (based on file system model)
System-wide (not per-process)
With Terminal Services, Windows objects are per-session by default
Can override this with global\ prefix on object names
Volatile (not preserved across boots)
As of Server 2003, requires SeCreateGlobalPrivilege
Namespace can be extended by secondary object managers (e.g. file system)
Hook mechanism to call external parse routine (method)
Supports case sensitive or case blind
Supports symbolic links (used to implement drive letters, etc.)
Lookup done on object creation or access by name
Not on access by handle
Not all objects managed by the object manager are named
e.g. file objects are not named
un-named objects are not visible in WinObj
Otras Referencias
Windows Academic Program:http://www.microsoft.com/education/faculty
connection/articles/articledetails.aspx?cid=2416 (27/05/2010)
SO 2009 - Fac. de Informtica -
U.N.L.P.