Published on

Published in: Technology
1 Comment
  • thank you!, it's very good information!
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Windows Kernel Technologies 潘爱民 2010-9-11
  2. 2. Outline • Windows Architecture Overview • System Trap • Windows I/O Model & Device Drivers • Windows Subsystem
  3. 3. NT Timeline: first 20 years 2/1989 Design and Coding Begins 7/1993 NT 3.1 9/1994 NT 3.5 5/1995 NT 3.51 7/1996 NT 4.0 12/1999 NT 5.0 Windows 2000 8/2001 NT 5.1 Windows XP 3/2003 NT 5.2 Windows Server 2003 8/2004 NT 5.2 Windows XP SP2 4/2005 NT 5.2 Windows XP 64 Bit Edition (WS03SP1) 10/2006 NT 6.0 Windows Vista (client) 2/2008 NT 6.0 Windows Server 2008 (Vista SP1) 10/2009 NT 6.1 Win7 & Server 2008 R2
  4. 4. Windows Architecture 系统和服 系统和服 应用程序 系统和服 系统和服 系统和服 务进程 Windows 子 务进程 务进程 .NET 务进程 务进程 系统进程 系统 DLL NTDLL.DLL 用户模式 内核模式 执行体(Executive) Windows 子系 内核(或微内核) 设备驱动 统内核模块 硬件抽象层(HAL) 程序
  5. 5. About Windows APIs • Provided by Windows Subsystem DLLs • Three types: ̵ ① No kernel-mode interactions are needed. (e.g. PtInRect, IsRectEmpty, GetCurrentProcess); ̵ ② Call into kernel once or more (e.g. CreateFile, PostMessage and BitBlt); ̵ ③ Communications with the Windows subsystem process (csrss) are needed. (e.g. CreateProcess) 应用程序 ① 系统DLL Csrss进程 ② 用户模式 ③ 内核模式 ntoskrnl win32k
  6. 6. Call into Kernel 应用程序 系统 DLL,如 Kernel32.dll、User32.dll 等 Ntdll.dll 系统服务存根函数 KiXxxSystemCall int 2e/sysenter 用户模式 iretd/sysexit 内核模式 KiServiceExit KiSystemService 服务分发 执行体系统服务
  7. 7. Example System Service: NtCreateFile • The Call stack of creating a file in a user thread f5484c94 808e3375 nt!IopCreateFile f5484cf0 808e50ec nt!IoCreateFile f5484d30 80882a2c nt!NtCreateFile 内核模式 007deed8 7c8211f4 ntdll!KiFastSystemCallRet 用户模式 007deedc 76cf2707 ntdll!ZwCreateFile+0xc 007def54 76cf276b iphlpapi!OpenTCPDriver+0xad 007def64 76cf278f iphlpapi!CheckTcpipState+0x62 007def98 76cf299a iphlpapi!GetIpStatsFromStack+0xd 007df00c 76cf32de iphlpapi!GetInterfaceInfo+0x38 007df028 76cf3230 iphlpapi!GetAdapterNameToIndexInfo+0x1e 007df060 76cf6a6b iphlpapi!GetAdapterInfo+0x18 007df0b4 4e7fdf36 iphlpapi!GetAdapterInfoEx+0x1c 007df504 4e7fe2f9 WINHTTP!CIpConfig::GetAdapterListOnNT5+0x6e 007dfac4 4e7fe938 WINHTTP!CIpConfig::GetAdapterList+0x58 007dfad0 4e7fd3ee WINHTTP!CIpConfig::CIpConfig+0x23 007dfaf0 4e7cd1cc WINHTTP!DetectAutoProxyUrl+0x26 007dfb28 4e7cd9b5 WINHTTP!CAutoProxy::DetectAutoProxyUrl+0xa4 007dfb58 4e7cdafb WINHTTP!CAutoProxy::GetProxyForURL+0x33 007dfb6c 4e7cdcd8 WINHTTP!InProcGetProxyForUrl+0x20
  8. 8. Example Call Stack with .NET 0012f2f4 77d19418 ntdll!KiFastSystemCallRet 用户模式 0012f38c 7b1d8997 user32!NtUserWaitMessage+0xc 0012f3e4 7b1d87e1 System_Windows_Forms_ni+0x208997 0012f414 7b6eddc6 System_Windows_Forms_ni+0x2087e1 .NET Runtime 0012f460 79e71b4c System_Windows_Forms_ni+0x71ddc6 Common Langueage 0012f470 79e821f9 mscorwks!CallDescrWorker+0x33 Runtime 0012f4f0 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3 0012f634 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c 0012f650 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f 0012f668 79f0788d mscorwks!MethodDescCallSite::Call+0x1a 0012f7cc 79f077ad mscorwks!ClassLoader::RunMain+0x223 0012fa34 79f07cfd mscorwks!Assembly::ExecuteMainMethod+0xa6 0012ff04 79f07ee7 mscorwks!SystemDomain::ExecuteMainMethod+0x456 0012ff54 79f07e17 mscorwks!ExecuteEXE+0x59 0012ff9c 7900b77b mscorwks!_CorExeMain+0x15c 0012ffac 7900b73d mscoree!_CorExeMain+0x2e .NET Runtime 0012ffb8 79004de3 mscoree!ShellShim__CorExeMain+0x29 Execution Engine 0012ffc0 7c817077 mscoree!_CorExeMain_Exported+0x8 0012fff0 00000000 kernel32!BaseProcessStart+0x23
  9. 9. Windows I/O Model • Asychronous, Packet-based, Extensible • Device discovery supports plug-and-play (PnP) ̵ volumes automatically detected and mounted ̵ power management support (ACPI) • Drivers attach to per device driver stacks ̵ Drivers can filter actions of other drivers in each stack • Integrated kernel support ̵ memory manager provides DMA support ̵ HAL provides device access, PnP manages device resources ̵ Cache manager provides file-level caching via MM file-mapping • Multiple I/O completion mechanisms: ̵ synchronous ̵ update user-mode memory status ̵ signal events ̵ callbacks within initiating thread ̵ I/O Completion Port
  10. 10. I/O Architecture 用户模式 内核模式 注册表 I/O 管理器 PnP 管理器 电源管理器 WMI 支持 配置管理器 I/O 系统 驱动程序 驱动程序 …… 驱动程序 HAL 硬件控制器 …… 硬件控制器
  11. 11. I/O Manager Objects • Driver objects represent loaded drivers. ̵ NtLoadDriver/NtUnloadDriver ̵ IoCreateDriver • Drivers create device objects to represent devices. ̵ IoCreateDevice • All I/O requests are made to device objects. • File objects represent open instances of device objects.
  12. 12. Object Relationships 驱动程序 1 设备对象 1a 设备对象 1b 设备对象 1c 驱动程序 2 设备对象 2a 设备对象 2b 驱动程序 3 设备对象 3a 文件对象 #2 文件对象 #1
  13. 13. Structure of Windows Drivers I/O 系统 初始化例程 设备驱动程序 I/O 管理器 增加设备 分发例程 PnP 管理器 卸载例程 电源管理器 可选例程 …… WMI
  14. 14. Loading Device Drivers • Drivers can be loaded by, ̵ The boot loader at boot time. ̵ The I/O manager at system initialization. ̵ The service control manager or PnP manager. • Driver details are obtained from the registry. • Driver object is created and DriverEntry for the driver is invoked. • Drivers provide dispatch routines for various I/O operations. (Create, Read, Write, „). • Drivers can optionally provide fast path entry points.
  15. 15. Layering Drivers • Device objects can be attached one on top of another using IoAttachDevice* APIs to create device stacks. • I/O manager sends IRP to the top of the stack. • Drivers store next lower device object in their private data structure. • Stack tear down done using IoDetachDevice and IoDeleteDevice.
  16. 16. Device Stack Example 81682870 DriverObject -> “DriverKbdclass” 设备名为“DeviceKeyboardClass0” AttachedDevice = null StackSize = 6 AttachedTo = 81682a58 81682a58 DriverObject -> “Driveri8042prt” AttachedDevice = 81682870 StackSize = 5 AttachedTo = 817ad030 817ad030 DriverObject -> “DriverACPI” 设备名为“Device0000003b” AttachedDevice = 81682a58 StackSize = 4 AttachedTo = null
  17. 17. Device Deletion and Driver Unload • Drivers delete devices using IoDeleteDevice. • Drivers are unloaded by calling NtUnloadDriver or by PnP. • No further opens/attaches allowed after a device is marked for deletion or unload. • Driver unload function is invoked when all its device objects have no handles/attaches. • Driver is unloaded when the last reference to driver object goes away.
  18. 18. File Objects • Also managed by Windows Object Manager, its type is IoFileObjectType ̵ Applications and drivers “open” devices by name ̵ The name is parsed by the Object Manager • Representation of an open instance of a device object ̵ files on a volume are virtual devices • Created by IoCreateFile function, which is invoked by NtCreateFile ̵ When an open succeeds a file handle is added to the process handle table
  19. 19. I/O Processing • IRP • Issues in I/O processing ̵ Fast I/O ̵ Buffer management ̵ I/O completion • I/O Completion port
  20. 20. I/O Request Packet (IRP) • I/O operations are encapsulated in IRPs. • I/O requests travel down a device stack in an IRP. • Each driver gets a stack location which contains parameters for that I/O request. • IRP has major and minor codes to describe I/O operations. • Major codes include create, read, write, PnP, devioctl, cleanup and close. • Irps are associated with a thread that made the I/O request.
  21. 21. I/O Requests from Applications 系统 DLL 用户模式 内核模式 系统服务 NtCreateFile, NtClose, NtReadFile, NtWriteFile, NtDeviceIoControlFile … I/O 管理器 IoCallDriver 驱动程序 驱动程序 驱动程序 ……
  22. 22. IRP Major Codes #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
  23. 23. IRP Major Codes (cont.) #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
  24. 24. IO Stack Locations in IRPs 原始文件对象 IRP 对象 设备对象 (OriginalFileObject) 文件对象 设备对象 驱动程序 栈单元[0] 一组分发例程 对象 栈单元[1] …… 文件对象 设备对象 驱动程序 一组分发例程 对象 栈单元[n-1] 文件对象 设备对象 驱动程序 一组分发例程 对象
  25. 25. Completing an I/O Request • Servicing an interrupt: ̵ ISR schedules Deferred Procedure Call (DPC); dismisses int. ̵ DPC routine starts next I/O request and completes interrupt servicing ̵ May call completion routine of higher-level driver • I/O completion: ̵ Record the outcome of the operation in an I/O status block ̵ Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (APC) ̵ APC executes in context of calling thread; copies data; frees IRP; sets calling thread to signaled state ̵ I/O is now considered complete; waiting threads are released
  26. 26. Flow of I/O Processing 调用者线程 IoCallDriver 驱动程序 DPC 分发例程 通知 I/O 插入 DPC 管理器, I/O 请求 是 同步 否 ISR 已完成 I/O 发送 I/O 执行其 命令,并 中断 等待 他任务 传输数据 硬件设备 IoCompleteRequest 在发起者线程中插入 APC 例程 IopCompleteRequest, 或者,直接返回发起者线程 IopCompleteRequest
  27. 27. I/O Processing in a Device Stack I/O 请求 I/O 管理器 IopCompleteRequest APC I/O 管理器 栈顶 驱动程序 1 IoCallDriver 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 1 中间 驱动程序 2 栈顶 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 2 栈底 驱动程序 3 中间 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation I/O 管理器 栈底 驱动程序 3 IoCompleteRequest 设备对象 (分发例程) I/O 完成 (a) I/O 请求在设备栈中的传递流程 (b) I/O 请求的完成流程
  28. 28. I/O Completion Port • A kind of executive objects called I/O Completion Port or IoCompletion, its type is IoCompletionObjectType • For balancing the I/O throughput and thread- trashing • The completion port is essential a queue object • A file can be associated with an IoCompletion object, so I/O manager will queue a completion packet to the completion port • The number of active threads which process I/O completion are controlled by the queue object.
  29. 29. How does IOCompletion work NtCreateIoCompletion NtSetInformationFile KeInitializeQueue 线程对象 … 线程对象 I/O 请求 关联 NtRemoveIoCompletion I/O 完成端口 文件对象 CompletionContext 队列 KQUEUE KeRemovetQueue I/O 完成 KeInsertQueue KeInsertQueue IopCompleteRequest NtSetIoCompletion
  30. 30. Windows Subsystem Windows 子系统进程 Windows 应用程序 (csrss.exe) 子系统 DLL NTDLL.DLL 用户模式 内核模式 Win32k.sys (窗口管理、图形接 Windows 内核 口等) 图形设备驱动程序
  31. 31. Windows Subsystem Initialization • DriverEntry in Win32k.sys ̵ KeAddSystemServiceTable ̵ PsEstablishWin32Callouts ̵ MmPageEntireDriver ̵ InitializeGre ̵ Win32UserInitialize ̵ Returns Win32KDriverUnload • Smss Smss 进程 创建“SmApiPort”LPC 端口对象,以接收“创建会话”请求 • Winlogon 加载 Windows 子系统内核模块 win32k.sys 启动 csrss 进程 • Csrss 启动 winlogon 进程 创建窗口站 创建登录桌面和默认桌面 启动 SCM 进程 加载自动-启动的服务和驱动程序 启动 lsass 进程 等待用户按下 Ctrl+Alt+Del
  32. 32. Convert to a GUI thread • What is a GUI thread? ̵ Thread are non-GUI when created ̵ Converted on first call to win32k.sys • Bigger Stack • Win32k.sys notified of creation and destruction • Converts process to GUI • PsConvertToGuiThread ̵ MmCreateKernelStack & KeSwitchKernelStack ̵ KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow ̵ Call PspW32ProcessCallout 普通线程 GUI线程 ̵ Call PspW32ThreadCallout 内核模式 ntoskrnl win32k
  33. 33. Terminal Services/Multiple Sessions • Multiple Sessions ̵ Console Session ̵ Session 0 in Vista/Win7 ̵ Terminal Sessions ̵ by FUS (Fast User Switching) • For each session ̵ Created by smss (session manager process) ̵ Session space in system space ̵ Its own copies of Win32k.sys, csrss.exe, Winlogon.exe, video driver, print driver, etc.
  34. 34. Session Spaces System Space 0x80000000 Session Space Session Pool (16MB) 0xBC000000 Session View Session Space (20MB) 0xC0000000 SESSION_WS(4MB) Session Image (8MB) 0xFFFFFFFF
  35. 35. Window Management: Window Stations and Desktops 剪贴板 交互式窗口站 键盘 (WinSta0) 鼠标 显示器 登录桌面 交互桌面 屏幕保护桌面 非交互式窗口站 剪贴板 …… …… 不可见桌面
  36. 36. Window Hierarchy 交互式窗口站 默认桌面 顶级窗口列表 子系统会话 (WinSta0) 子窗口 登录桌面 屏幕保护桌面 非交互式窗口站 不可见桌面
  37. 37. Desktop • An surface for output • In a WindowStation • Have a Desktop Heap (assigned from the session view)
  38. 38. Message Path in Win32 RIT 线程 桌面线程 输入(input) GUI 线程 消息队列 鼠标事件 其他 HID 其他线程 寄入(post) 消息队列
  39. 39. References • Mark E. Russinovich and David A. Solomon, Windows Internals (4th/5th Edition), Microsoft Press, 2004/2009. • 潘爱民,Windows内核原理与实现,电子工业出版社, 2010.4 • WRK, Windows Research Kernel(by Microsoft) • Microsoft WDK Documents & Samples
  40. 40. Thanks! Q&A