The Windows Operating System
Goals
• Hardware-portable
– Used to support MIPS, PowerPC and Alpha
– Currently supports x86, ia64, and amd64
– Multiple vendors build hardware
• Software-portable
– POSIX, OS/2, and Win32 subsystems
• OS/2 is dead
• POSIX is still supported—separate product
• Lots of Win32 software out there in the world
Goals
• High performance
– Anticipated PC speeds approaching minicomputers and mainframes
– Async IO model is standard
– Support for large physical memories
– SMP was an early design goal
– Designed to support multi-threaded processes
– Kernel has to be reentrant
Process Model
• Threads and processes are distinct
• Process:
– Address space
– Handle table (Handles => file descriptors)
– Process default security token
• Thread:
– Execution Context
– Optional thread-specific security token
Tokens
• “Who you are”—list of identities
– Each identity is a SID
• Also contains Privileges
– Shutdown, Load drivers, Backup, Debug…
• Can be passed through LPC ports and named pipe requests
– Server side can use this to selectively impersonate the client.
Object Manager
• Uniform interface to kernel mode objects.
• Handles are 32bit opaque integers
• Per-process handle table maps handles to objects and permissions on the objects
• Implements refcount GC
– Pointer count—total number of references
– Handle count—number of open handles
Object Manager
• Implements an object namespace
– Win32 objects are under \BaseNamedObjects
– Devices under \Device
• This includes filesystems
– Drive letters are symbolic links
• \??\C: => the appropriate filesystem device
• Some things have other names
– Processes and threads are opened by specifying a CID: (Process.Thread)
Standard operations on handles
• CloseHandle()
• DuplicateHandle()
– Takes source and destination process
– Very useful for servers
• WaitForSingleObject(), WaitForMultipleObjects()
– Wait for something to happen
– Can wait on up to 64 handles at once
Security Descriptors
• Each object has a Security Descriptor
– Owner—special SID, CREATOR_OWNER
– Group—special SID, CREATOR_GROUP
– DACL
• Discretionary Access Control List
• List of SIDs and granted or denied access rights
– SACL
• System Access Control List
• List of SIDs and access rights to be audited
Access Rights
typedef struct _ACCESS_MASK {
USHORT SpecificRights;        // bits 0-15: object-type-specific rights (e.g. EVENT_MODIFY_STATE)
UCHAR StandardRights;         // bits 16-23: DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE
UCHAR AccessSystemAcl : 1;    // bit 24: ACCESS_SYSTEM_SECURITY, access to the SACL
UCHAR Reserved : 3;           // bits 25-27
UCHAR GenericAll : 1;         // bit 28
UCHAR GenericExecute : 1;     // bit 29
UCHAR GenericWrite : 1;       // bit 30
UCHAR GenericRead : 1;        // bit 31; generic rights are mapped to specific ones at open time
} ACCESS_MASK;
Security Use
• Objects are referred to via handles
• Security checks occur when an object is opened
– Open requests contain a mask of requested access rights
– If granted to the token by the DACL, the handle contains those access rights
• Access rights are checked on use
– Just a bit test—very fast
Object Open
evt = OpenEvent(EVENT_MODIFY_STATE, FALSE, "SomeName");
– Finds the event object by name
– Walks the DACL, looking for token SIDs
– Keeps looking until all permissions are granted
– If access is granted, inserts a handle to the object into the process’s handle table, with EVENT_MODIFY_STATE access
Object Use
SetEvent(evt);
– SetEvent() requires EVENT_MODIFY_STATE access, and an event object.
– The kernel looks up the handle in the process’s handle table.
– Checks to make sure that it maps to an event object, and that the granted access bits contain the EVENT_MODIFY_STATE bit.
– If all is good, the event is set.
Object Use
WaitForSingleObject(evt)
– WaitForSingleObject() requires a synchronization object (like an event) and SYNCHRONIZE access.
– evt maps to an event object
– SYNCHRONIZE access was not requested when the handle was inserted.
– Even if the DACL permits it, the wait fails.
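The open-time DACL walk and the use-time bit test from the Object Open and Object Use slides, modelled as an added example in portable C (constructed for this page, not Windows source): SIDs, the DACL, and the handle table are simplified stand-ins, while the EVENT_MODIFY_STATE and SYNCHRONIZE values are the real ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the access check on the Object Open / Object Use slides;
 * not Windows code. The two right values match their real definitions:
 * EVENT_MODIFY_STATE is a SpecificRights bit, SYNCHRONIZE a StandardRights bit. */
typedef uint32_t ACCESS_MASK;
#define EVENT_MODIFY_STATE 0x0002u
#define SYNCHRONIZE        0x00100000u

typedef uint32_t SID;              /* a real SID is a variable-length structure */
enum ace_type { ACCESS_ALLOWED, ACCESS_DENIED };
typedef struct { enum ace_type type; SID sid; ACCESS_MASK mask; } ACE;
typedef struct { size_t count; ACE aces[8]; } DACL;
typedef struct { size_t count; SID sids[8]; } TOKEN;
enum obj_type { OBJ_EVENT, OBJ_MUTEX };
typedef struct { enum obj_type type; const char *name; DACL dacl; bool signaled; } OBJECT;

/* A handle table entry records the object and the rights granted at open time. */
typedef struct { OBJECT *obj; ACCESS_MASK granted; } HANDLE_ENTRY;
typedef struct { size_t count; HANDLE_ENTRY entries[16]; } HANDLE_TABLE;

static bool token_has_sid(const TOKEN *tok, SID sid)
{
    for (size_t i = 0; i < tok->count; i++)
        if (tok->sids[i] == sid) return true;
    return false;
}

/* Walk the DACL in order: skip ACEs whose SID is not in the token, fail on a
 * matching deny ACE that overlaps still-wanted bits, let allow ACEs accumulate,
 * and stop as soon as everything requested is granted; leftover bits mean denied. */
bool access_check(const DACL *dacl, const TOKEN *tok, ACCESS_MASK desired)
{
    ACCESS_MASK remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ACE *ace = &dacl->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACCESS_DENIED && (ace->mask & remaining)) return false;
        if (ace->type == ACCESS_ALLOWED) remaining &= ~ace->mask;
    }
    return remaining == 0;
}

/* Like OpenEvent(): one DACL walk, then a handle that carries exactly the rights
 * requested. Returns the handle index, or -1 on access denied. */
int open_object(HANDLE_TABLE *ht, OBJECT *obj, const TOKEN *tok, ACCESS_MASK desired)
{
    if (ht->count >= 16 || !access_check(&obj->dacl, tok, desired)) return -1;
    ht->entries[ht->count].obj = obj;
    ht->entries[ht->count].granted = desired;
    return (int)ht->count++;
}

/* The check on use: look the handle up, confirm the object type, bit-test the
 * granted rights. No DACL walk happens here, which is why use is fast. */
static OBJECT *reference_object(const HANDLE_TABLE *ht, int h, enum obj_type want, ACCESS_MASK need)
{
    if (h < 0 || (size_t)h >= ht->count) return NULL;
    const HANDLE_ENTRY *e = &ht->entries[h];
    if (e->obj->type != want || (e->granted & need) != need) return NULL;
    return e->obj;
}

bool set_event(HANDLE_TABLE *ht, int h)          /* SetEvent(): needs EVENT_MODIFY_STATE */
{
    OBJECT *o = reference_object(ht, h, OBJ_EVENT, EVENT_MODIFY_STATE);
    if (o != NULL) o->signaled = true;
    return o != NULL;
}

bool wait_single_object(HANDLE_TABLE *ht, int h) /* WaitForSingleObject(): needs SYNCHRONIZE */
{
    return reference_object(ht, h, OBJ_EVENT, SYNCHRONIZE) != NULL;  /* only the access part */
}

/* The slides' scenario: the DACL grants both rights to the caller, but the handle
 * was opened for EVENT_MODIFY_STATE only. Returns 1 when SetEvent succeeds and
 * the wait is refused, which is the behaviour the slides describe. */
int demo_event_scenario(void)
{
    const SID user = 1001;                        /* constructed SID */
    TOKEN tok = { 1, { user } };
    OBJECT evt = { OBJ_EVENT, "SomeName",
                   { 1, { { ACCESS_ALLOWED, user, EVENT_MODIFY_STATE | SYNCHRONIZE } } }, false };
    HANDLE_TABLE ht;
    memset(&ht, 0, sizeof ht);
    int h = open_object(&ht, &evt, &tok, EVENT_MODIFY_STATE);
    if (h < 0) return 0;
    bool set_ok = set_event(&ht, h);
    bool wait_ok = wait_single_object(&ht, h);
    return (set_ok && evt.signaled && !wait_ok) ? 1 : 0;
}
```

The DACL walk also honours ACE order: a deny ACE for one of the token's SIDs that covers a requested bit refuses the open before any later allow ACE is reached.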
Types of Objects
• Events
– State is set or clear.
– Can clear when a wait completes (auto-reset)
• Mutexes
– Can be acquired by a single thread at a time.
– Automatically release when owner exits.
• Semaphores
– Maintain a count
– Waits decrement the count
More objects
• Threads, Processes, Timers—like events
• Registry Keys
– Manipulate data in the registry—centralized store of system configuration info.
• LPC Ports
– Fast local RPC
– Security tokens can transfer over LPC calls
• Files
Files & IO
• File objects maintain a current offset, and a pointer to the underlying stream.
• Default internal model is asynchronous
– Synchronous IO just waits for the IO to complete
– Async IO can set an event, or run a callback in the thread which queued the IO, or post a message to an IO completion port.
• Each request is an IRP
IRPs
• Maintain state of IO requests, independent of the thread working on the IO
• IRPs are handed off through the device stack to their destinations
– Threads process IRPs
– Initiating thread processes the IRP until a device returns STATUS_PENDING
– Subsequent processing can be done in kernel worker threads
Interrupts
IRQL—Interrupt Request Level:
0 => PASSIVE_LEVEL
Processor is running threads
All usermode code is at IRQL 0
1 => APC_LEVEL; threads, APCs disabled
2 => DISPATCH_LEVEL
• Running as the processor: can’t stop!
• Can’t take a page fault
• Only locks available are KSPIN_LOCKs
Interrupts
3-26 => Device Interrupt Service Routines
• Device interrupts are mapped to an IRQL and an interrupt service routine; ISR is called at that IRQL
27 => PROFILE_LEVEL—profiling
28 => CLOCK2_LEVEL—clock interrupt
29 => IPI_LEVEL—interprocessor interrupt
• Requests another processor to do something
30 => POWER_LEVEL—power failure
31 => HIGH_LEVEL—interrupts disabled
Interrupts
• Hardware signals an interrupt
• Interrupt’s ISR runs at device IRQL
– Has to be fast; get off the processor and allow other ISRs to run
– Typically queues a DPC, acknowledges the interrupt, and returns
• DPC—Delayed Procedure Call
– Further processing at DISPATCH_LEVEL
– Queues work to kernel worker threads
IO Completion
• Driver calls IO Manager to complete the IRP
• IO Manager queues a kernel mode APC to the initiating thread
• APC: Asynchronous Procedure Call
– Kernel mode APC preempts thread execution
– Writes data back to user mode in the context of the thread which initiated the IO
– Signals completion of the IO
IO Cache
• Classic: block cache
– Page mappings translate directly to blocks on the underlying partition.
• Windows: stream cache
– Page mappings are offsets within a stream.
– IO Cache Manager uses the same mappings.
– All cache management (trimming) is centralized in the memory manager
– All modifications show up in mapped views.
Virtual Memory
• Sections—another object type
– Can be created to map a file
– Can also be created off the pagefile
– Optionally named, for shared memory
• Reservation
– Range of VA which will not be handed out for some other purpose
• Committed
– VA which actually maps to something
Aside: CreateProcess
• Just a user mode Win32 API
{                                  // simplified; the real Nt* calls take many more arguments
NtCreateFile(&file, szImage);      // open the executable image
NtCreateSection(&sec, file);       // build an image section backed by that file
NtCreateProcess(&proc, sec);       // create the process object around the section
NtCreateThread(&thrd, proc);       // create its initial thread
}
WaitForSingleObject(proc);         // process objects are waitable: signaled when the process exits
Virtual Memory
• Memory Manager maintains processor-specific page table entry mappings.
– Some parts of the address space are shared between processes—for instance, the kernel’s address space and the per-session space.
• On a pagefault, mm reads in the data
• Pages can be mapped without the appropriate access… what to do?
Signals
• With threads, signals don’t work very well.
• Some software designs expect to touch inaccessible memory.
– Large structured files
– Concurrent garbage collection
– SLists
• Single global handler has to somehow know about all possible situations.
Structured Exception Handling
• Exceptions unwind the stack
– Almost like C++!
– C++ matches against a type hierarchy
– SEH calls exception filter code—filters are Turing-complete.
• Two ways to deal with exceptions:
– try/finally
– try/except
try/finally
res = AllocateSomeResource();
try {                              // MSVC C spells these __try / __finally;
SomeOperation(res);                // the DDK headers #define try and finally to them
} finally {
if (AbnormalTermination()) {       // TRUE only when the block was left by an unwind
FreeSomeResource(res);             // (an exception), so res must not leak
}
}
return res;                        // reached only on normal completion
try/except
try {                              // MSVC C spells these __try / __except
SomeOperationWhichMayAV();         // AV: access violation
} except (Filter(                  // the filter runs before any unwinding and returns
GetExceptionCode(),                // EXCEPTION_EXECUTE_HANDLER, EXCEPTION_CONTINUE_SEARCH
GetExceptionInformation())) {      // or EXCEPTION_CONTINUE_EXECUTION
DoSomethingElse();                 // runs only for EXCEPTION_EXECUTE_HANDLER
}
try/except
• GetExceptionCode()
– A code indicating the cause of the exception
• GetExceptionInformation()
– Additional code-specific info
– The full processor context
• Filter decides what to do
– EXCEPTION_EXECUTE_HANDLER
– EXCEPTION_CONTINUE_SEARCH
– EXCEPTION_CONTINUE_EXECUTION
Structured Exception Handling
• On x86, TEB points to stack of EXCEPTION_REGISTRATION_RECORD
– auto structs, pointing to handler code
– pushed by function prolog
– popped by function epilog
• On exception, RtlDispatchException() walks the list.
– Runs the filters to figure out what to do
– Calls handler functions
Structured Exception Handling
• On x86, there’s some overhead with pushing and popping the registration record
• On ia64, there is no overhead
– Stack traces are reliable
– It’s always possible to look up the handler
• Exception handling is very slow
– Especially on ia64
• Used only for truly exceptional conditions
Structured Exception Handling
• Used in kernel mode too!
– Most user mode access will just work
– Still need to validate address ranges & data
– Works great for SMP when another thread might be in the middle of modifying the address space
– Expected read exceptions are returned as status codes from system calls
– Expected writes are returned as SUCCESS
– Unexpected => buggy kernel => blue screen
Top-level Exception Filter
• Top frame on each thread defines a catchall exception filter
• Top-level exception filter:
– Notifies the debugger (if being debugged)
– Launches a just-in-time debugger (if set up)
– Loads faultrep.dll to report the failure
Faultrep.dll
• faultrep.dll offers to report the failure back to Microsoft
• We analyze the failures
– A significant number are recognized instantly; we can tell the user what happened and how to fix it.
– The others go through the standard triage process; developers analyze the dumps and figure out what happened.
OCA (Online Crash Analysis)
• 67 million machines running XP
• Tens of thousands of drivers
• Over 100 drivers on any given machine
• One bug in one driver => Crash
• A significant number of crashes come from third-party drivers (some of which ship on the CD)
• Lots of different problems, though
Driver Verifier
• Controlled by verifier.exe
• Allocates from special pool
– Detects allocation overruns & use after free
• Validates some behaviors
– IRQL—touching paged memory?
– DMA buffers
• Can inject failures—useful for testing behavior under sub-optimal conditions
Stress
• Every night, a couple hundred machines run stress on the latest build
• Stress exercises filesystems, memory, GUI, scheduler, &c, trying to uncover low-memory handling problems and race conditions
• Every morning, the stress test team triages failed machines
• Developers debug the failures
Questions?

Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 

The Windows Operating System

Security Descriptors
• Each object has a Security Descriptor
– Owner—special SID, CREATOR_OWNER
– Group—special SID, CREATOR_GROUP
– DACL
• Discretionary Access Control List
• List of SIDs and granted or denied access rights
– SACL
• System Access Control List
• List of SIDs and access rights to be audited
Access Rights
    typedef struct _ACCESS_MASK {
        USHORT SpecificRights;          /* low 16 bits: object-type-specific rights */
        UCHAR  StandardRights;          /* bits 16-23: DELETE, SYNCHRONIZE, ... */
        UCHAR  AccessSystemAcl : 1;     /* bit 24: right to read/write the SACL */
        UCHAR  Reserved : 3;
        UCHAR  GenericAll : 1;          /* bits 28-31: generic rights, mapped */
        UCHAR  GenericExecute : 1;      /* to specific rights per object type */
        UCHAR  GenericWrite : 1;
        UCHAR  GenericRead : 1;
    } ACCESS_MASK;
Security Use
• Objects are referred to via handles
• Security checks occur when an object is opened
– Open requests contain a mask of requested access rights
– If granted to the token by the DACL, the handle contains those access rights
• Access rights are checked on use
– Just a bit test—very fast
Object Open
    HANDLE evt = OpenEvent(EVENT_MODIFY_STATE, FALSE, "SomeName");
– Finds the event object by name
– Walks the DACL, looking for token SIDs
– Keeps looking until all permissions are granted
– If access is granted, inserts a handle to the object into the process’s handle table, with EVENT_MODIFY_STATE access
Object Use
    SetEvent(evt);
– SetEvent() requires EVENT_MODIFY_STATE access, and an event object.
– The kernel looks up the handle in the process’s handle table.
– Checks to make sure that it maps to an event object, and that the granted access bits contain the EVENT_MODIFY_STATE bit.
– If all is good, the event is set.
Object Use
    WaitForSingleObject(evt);
– WaitForSingleObject() requires a synchronization object (like an event) and SYNCHRONIZE access.
– evt maps to an event object
– SYNCHRONIZE access was not requested when the handle was inserted.
– Even if the DACL permits it, the wait fails.
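The open-time DACL walk and the use-time bit test described on the Security Use, Object Open and Object Use slides, as an added simulation in plain C (not code from the deck and not Windows' own implementation): SIDs are modelled as small integers, the per-process handle table as a flat array, and the token and the two DACLs are constructed; only the two ACCESS_MASK bit values are the real Win32 ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Real Win32 ACCESS_MASK values: a specific right (low 16 bits) and a standard
 * right (bits 16-23), following the ACCESS_MASK layout shown above. */
#define EVENT_MODIFY_STATE 0x00000002u
#define SYNCHRONIZE        0x00100000u
typedef struct { bool deny; int sid; uint32_t mask; } ACE; /* SID modelled as an int */
typedef struct { const ACE *aces; size_t n; } DACL;
typedef struct { const int *sids; size_t n; } TOKEN;
static bool token_has_sid(const TOKEN *t, int sid) {
    for (size_t i = 0; i < t->n; i++) if (t->sids[i] == sid) return true;
    return false;
}
/* Open-time check: walk the DACL in order. A deny ACE for a token SID that covers
 * a still-wanted right fails the open; allow ACEs accumulate rights until every
 * requested right is granted, so ACE order matters. */
bool access_check(const DACL *d, const TOKEN *t, uint32_t requested) {
    uint32_t remaining = requested;
    for (size_t i = 0; i < d->n && remaining != 0; i++) {
        const ACE *a = &d->aces[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->deny && (a->mask & remaining)) return false;
        if (!a->deny) remaining &= ~a->mask;
    }
    return remaining == 0;
}
/* Simplified per-process handle table: a slot holds the granted mask, which on a
 * successful open is exactly the requested mask. -1 means access denied. */
static uint32_t handle_table[16];
static int next_handle;
int open_object(const DACL *d, const TOKEN *t, uint32_t requested) {
    if (!access_check(d, t, requested) || next_handle >= 16) return -1;
    handle_table[next_handle] = requested;
    return next_handle++;
}
/* Use-time check (SetEvent, WaitForSingleObject): just a bit test on the handle. */
bool use_object(int h, uint32_t needed) {
    return h >= 0 && h < next_handle && (handle_table[h] & needed) == needed;
}
/* Constructed token (user SID 1001, group SID 513) and two DACLs holding the same
 * ACEs in different order; the deny-first one refuses SYNCHRONIZE to this token. */
static const int sids[] = { 1001, 513 };
static const TOKEN token = { sids, 2 };
#define ALLOW_USER { false, 1001, EVENT_MODIFY_STATE | SYNCHRONIZE }
#define DENY_GROUP { true, 513, SYNCHRONIZE }
static const ACE order_a[] = { ALLOW_USER, DENY_GROUP }, order_b[] = { DENY_GROUP, ALLOW_USER };
static const DACL dacl = { order_a, 2 }, dacl_deny_first = { order_b, 2 };
/* The slides' sequence: a handle opened with EVENT_MODIFY_STATE only can be set
 * but not waited on, even though this DACL would have granted SYNCHRONIZE. */
bool demo_modify_only_handle(void) {
    int evt = open_object(&dacl, &token, EVENT_MODIFY_STATE);
    return use_object(evt, EVENT_MODIFY_STATE) && !use_object(evt, SYNCHRONIZE);
}
```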
Types of Objects
• Events
– State is set or clear.
– Can clear when a wait completes (auto-reset)
• Mutexes
– Can be acquired by a single thread at a time.
– Automatically release when owner exits.
• Semaphores
– Maintain a count
– Waits decrement the count
More objects
• Threads, Processes, Timers—like events
• Registry Keys
– Manipulate data in the registry—centralized store of system configuration info.
• LPC Ports
– Fast local RPC
– Security tokens can transfer over LPC calls
• Files
Files & IO
• File objects maintain a current offset, and a pointer to the underlying stream.
• Default internal model is asynchronous
– Synchronous IO just waits for the IO to complete
– Async IO can set an event, or run a callback in the thread which queued the IO, or post a message to an IO completion port.
• Each request is an IRP
IRPs
• Maintain state of IO requests, independent of the thread working on the IO
• IRPs are handed off through the device stack to their destinations
– Threads process IRPs
– Initiating thread processes the IRP until a device returns STATUS_PENDING
– Subsequent processing can be done in kernel worker threads
Interrupts
IRQL—Interrupt Request Level:
0 => PASSIVE_LEVEL
• Processor is running threads
• All usermode code is at IRQL 0
1 => APC_LEVEL; threads, APCs disabled
2 => DISPATCH_LEVEL
• Running as the processor: can’t stop!
• Can’t take a page fault
• Only locks available are KSPIN_LOCKs
Interrupts
3-26 => Device Interrupt Service Routines
• Device interrupts are mapped to an IRQL and an interrupt service routine; ISR is called at that IRQL
27 => PROFILE_LEVEL—profiling
28 => CLOCK2_LEVEL—clock interrupt
29 => IPI_LEVEL—interprocessor interrupt
• Requests another processor to do something
30 => POWER_LEVEL—power failure
31 => HIGH_LEVEL—interrupts disabled
Interrupts
• Hardware signals an interrupt
• Interrupt’s ISR runs at device IRQL
– Has to be fast; get off the processor and allow other ISRs to run
– Typically queues a DPC, acknowledges the interrupt, and returns
• DPC—Delayed Procedure Call
– Further processing at DISPATCH_LEVEL
– Queues work to kernel worker threads
IO Completion
• Driver calls IO Manager to complete the IRP
• IO Manager queues a kernel mode APC to the initiating thread
• APC: Asynchronous Procedure Call
– Kernel mode APC preempts thread execution
– Writes data back to user mode in the context of the thread which initiated the IO
– Signals completion of the IO
IO Cache
• Classic: block cache
– Page mappings translate directly to blocks on the underlying partition.
• Windows: stream cache
– Page mappings are offsets within a stream.
– IO Cache Manager uses the same mappings.
– All cache management (trimming) is centralized in the memory manager
– All modifications show up in mapped views.
Virtual Memory
• Sections—another object type
– Can be created to map a file
– Can also be created off the pagefile
– Optionally named, for shared memory
• Reservation
– Range of VA which will not be handed out for some other purpose
• Committed
– VA which actually maps to something
Aside: CreateProcess
• Just a user mode Win32 API
    /* Simplified sketch: the real Nt* calls take many more parameters. */
    {
        NtCreateFile(&file, szImage);
        NtCreateSection(&sec, file);
        NtCreateProcess(&proc, sec);
        NtCreateThread(&thrd, proc);
    }
    WaitForSingleObject(proc);
Virtual Memory
• Memory Manager maintains processor-specific page table entry mappings.
– Some parts of the address space are shared between processes—for instance, the kernel’s address space and the per-session space.
• On a pagefault, mm reads in the data
• Pages can be mapped without the appropriate access… what to do?
Signals
• With threads, signals don’t work very well.
• Some software designs expect to touch inaccessible memory.
– Large structured files
– Concurrent garbage collection
– SLists
• Single global handler has to somehow know about all possible situations.
Structured Exception Handling
• Exceptions unwind the stack
– Almost like C++!
– C++ matches against a type hierarchy
– SEH calls exception filter code—filters are Turing-complete.
• Two ways to deal with exceptions:
– try/finally
– try/except
try/finally
    res = AllocateSomeResource();
    __try {                              /* MSVC spelling of the SEH keywords */
        SomeOperation(res);
    } __finally {
        if (AbnormalTermination()) {     /* true only if SomeOperation raised */
            FreeSomeResource(res);
        }
    }
    return res;
try/except
    __try {
        SomeOperationWhichMayAV();
    } __except (Filter(GetExceptionCode(), GetExceptionInformation())) {
        DoSomethingElse();               /* runs only if Filter() says EXECUTE_HANDLER */
    }
try/except
• GetExceptionCode()
– A code indicating the cause of the exception
• GetExceptionInformation()
– Additional code-specific info
– The full processor context
• Filter decides what to do
– EXCEPTION_EXECUTE_HANDLER
– EXCEPTION_CONTINUE_SEARCH
– EXCEPTION_CONTINUE_EXECUTION
Structured Exception Handling
• On x86, TEB points to stack of EXCEPTION_REGISTRATION_RECORD
– auto structs, pointing to handler code
– pushed by function prolog
– popped by function epilog
• On exception, RtlDispatchException() walks the list.
– Runs the filters to figure out what to do
– Calls handler functions
Structured Exception Handling
• On x86, there’s some overhead with pushing and popping the registration record
• On ia64, there is no overhead
– Stack traces are reliable
– It’s always possible to look up the handler
• Exception handling is very slow
– Especially on ia64
• Used only for truly exceptional conditions
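The registration-record chain walk and the three filter dispositions from the SEH slides, as an added simulation in plain C (not the deck's code and not Windows' RtlDispatchException): the chain is an explicit linked list and setjmp/longjmp stand in for the stack unwind, so it runs without MSVC's __try; the disposition values and the two STATUS codes are real, the frames and filters are constructed.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
/* Filter dispositions (real SEH values) and two real NTSTATUS codes used as samples. */
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH      0
#define EXCEPTION_EXECUTE_HANDLER      1
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INTEGER_DIVIDE_BY_ZERO 0xC0000094u
/* Modelled EXCEPTION_REGISTRATION_RECORD: one per protected frame, chained like
 * the x86 TEB exception list; the jmp_buf stands in for the unwind target. */
typedef struct frame {
    struct frame *prev;
    int (*filter)(uint32_t code);
    jmp_buf landing;
} FRAME;
static FRAME *teb_list;      /* head of the chain (lives in the TEB on x86) */
static int unhandled_count;  /* exceptions that reached the top-level filter */
#define PUSH_FRAME(f) ((f)->prev = teb_list, teb_list = (f))  /* function prolog */
#define POP_FRAME(f)  (teb_list = (f)->prev)                    /* function epilog */
/* RtlDispatchException analogue: walk the chain from the innermost frame running
 * each filter; unwind to the first frame whose filter takes the exception, resume
 * at the faulting point on CONTINUE_EXECUTION, or fall off the end if none does. */
void raise_exception(uint32_t code) {
    for (FRAME *f = teb_list; f != NULL; f = f->prev) {
        int disposition = f->filter(code);
        if (disposition == EXCEPTION_CONTINUE_EXECUTION) return;
        if (disposition == EXCEPTION_EXECUTE_HANDLER) {
            teb_list = f->prev;       /* frames inside f are unwound */
            longjmp(f->landing, 1);   /* transfer to f's handler */
        }                             /* CONTINUE_SEARCH: keep walking outward */
    }
    unhandled_count++;                /* top-level filter: would load faultrep.dll */
}
/* Constructed filters: the inner region takes only access violations. */
static int only_av(uint32_t c) { return c == STATUS_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH; }
static int catch_all(uint32_t c) { (void)c; return EXCEPTION_EXECUTE_HANDLER; }
/* Two nested protected regions raising `code`; returns 1 if the inner handler
 * ran, 2 if the search continued out to the outer one, 0 if no handler ran. */
int demo_nested(uint32_t code) {
    FRAME outer, inner;
    outer.filter = catch_all; PUSH_FRAME(&outer);
    if (setjmp(outer.landing)) { POP_FRAME(&outer); return 2; }
    inner.filter = only_av; PUSH_FRAME(&inner);
    if (setjmp(inner.landing)) { POP_FRAME(&inner); POP_FRAME(&outer); return 1; }
    raise_exception(code);
    POP_FRAME(&inner); POP_FRAME(&outer); return 0;
}
/* With no frames registered, the exception goes straight to the top level. */
int demo_unhandled(void) { raise_exception(STATUS_INTEGER_DIVIDE_BY_ZERO); return unhandled_count; }
```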
Structured Exception Handling
• Used in kernel mode too!
– Most user mode access will just work
– Still need to validate address ranges & data
– Works great for SMP when another thread might be in the middle of modifying the address space
– Expected read exceptions are returned as status codes from system calls
– Expected writes are returned as SUCCESS
– Unexpected => buggy kernel => blue screen
Top-level Exception Filter
• Top frame on each thread defines a catchall exception filter
• Top-level exception filter:
– Notifies the debugger (if being debugged)
– Launches a just-in-time debugger (if set up)
– Loads faultrep.dll to report the failure
Faultrep.dll
• faultrep.dll offers to report the failure back to Microsoft
• We analyze the failures
– A significant number are recognized instantly; we can tell the user what happened and how to fix it.
– The others go through the standard triage process; developers analyze the dumps and figure out what happened.
OCA
• 67 million machines running XP
• Tens of thousands of drivers
• Over 100 drivers on any given machine
• One bug in one driver => Crash
• A significant number of crashes come from third-party drivers (some of which ship on the CD)
• Lots of different problems, though
Driver Verifier
• Controlled by verifier.exe
• Special-pools allocations
– Detects allocation overruns & use after free
• Validates some behaviors
– IRQL—touching paged memory?
– DMA buffers
• Can inject failures—useful for testing behavior under sub-optimal conditions
Stress
• Every night, a couple hundred machines run stress on the latest build
• Stress exercises filesystems, memory, GUI, scheduler, &c, trying to uncover low-memory handling problems and race conditions
• Every morning, the stress test team triages failed machines
• Developers debug the failures