Sisimon Soman, profile picture
Uploaded bySisimon Soman
PPTX, PDF609 views

Introduction to windows kernel

The document provides an introduction to the Windows kernel and how system calls work. It discusses how system calls enter kernel mode using interrupts, the system service dispatch table, and how the kernel handles system calls. It also describes I/O request packets (IRPs) which are used to encapsulate I/O requests as they pass through different drivers in the kernel. Finally, it covers interrupt request levels (IRQLs) and deferred procedure calls (DPCs) which are used for interrupt handling in the kernel.

Embed presentation

Downloaded 31 times
Introduction to Windows Kernel Sisimon Soman
How system call works • Cannot directly enter kernel space using jmp or a call instruction. • When make a system call (like CreateFile, ReadFile) OS enter kernel mode (Ring 0) using instruction int 2E (it is called interrupt gate). • Code segment descriptor contain information about the ‘Ring’ at which the code can run. For kernel mode modules it will be always Ring 0. If a user mode program try to do ‘jmp <kernel mode address>’ it will cause access violation, because of the segment descriptor flag says processor should be in Ring 0. • The frequency of entering kernel mode is high (most of the Windows API call cause to enter kernel mode) sysenter is the new optimized instruction to enter kernel mode.
Rings continued..
System Call continued.. • Windows maintains a system service dispatch table which is similar to the IDT. Each entry in system service table point to kernel mode system call routine. • The int 2E probe and copy parameters from user mode stack to thread’s kernel mode stack and fetch and execute the correct system call procedure from the system service table. • There are multiple system service tables. One table for NT Native APIs, one table for IIS and GDI etc.
Lets try it in WinDBG.. • NtWriteFile: mov eax, 0x0E ; build 2195 system service number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C ; pop parameters off stack and return to caller
App issue ReadFile NtReadFile User Land Kernel Land IO Manager IO Mgr create IRP Packet, IRP send to driver stack File System Volume Manager Disk Class Driver Hardware Driver
What is IO Request Packet (IRP) • IO Operation passes thru, – Different stages. – Different threads. – Different drivers. • IRP Encapsulate the IO request. • IRP is thread independent.
IRP Continued.. • Compare IRP with Windows Messages -MSG structure. • Each driver in the stack do its own task, finally forward the IRP to the lower driver in the stack. • IRP can be processed synchronously or asynchronously.
IRP Continued.. • Usually lower level hardware driver takes more time. H/W driver can mark the IRP for pending and return. • When H/W finish IO, H/W driver complete the IRP by calling IoCompleteRequest(). • IoCompleteRequest() call IO completion routine set by drivers in stack and complete the IO.
Structure of IRP • Fixed IRP Header IRP Header • Variable Stack locations – – One sub stack per driver Stack Location 1 Stack Location 2 Stack Location 3 Stack Location N
Flow of IRP IRP for Storage Stack Storage Stack IRP Header File System Stack Location 1 Volume Manager Stack Location 2 Disk Class Driver Stack Location 3 Hardware Driver Stack Location 4 Forward IRP to lower driver in the stack
Flow of IRP Completion IRP for Storage Stack Storage Stack IRP Header File System – Stack Location 1 Completion Routine Volume Manager – Stack Location 2 Completion Routine Disk Class Driver – Stack Location 3 Completion Routine Hardware Driver – Stack Location 4 Complete the IRP Call the completion routine while completing the IRP
IRP Header • IO buffer Information. • Flags – Page IO Flag – No Caching IO flag • IO Status – On Completion set this to IO Completed. • IRP cancel routine
IRP Stack Location • IO Manager get the driver count in the stack from the top device in the stack. • While creating IRP, IO manager allocate the IO stack locations equal to the device count from the top device object.
Contents of IO Stack Location • IO Completion routine specific to the driver. • File object specific to the request.
Software Interrupt Request Levels (IRQLs) • Windows has its own interrupt priority schemes know as IRQL. • IRQL levels from 0 to 31, the higher the number means higher priority interrupt level. • HAL map hardware interrupts to IRQL 3 (Device 1) to IRQL 31 (High) • When higher priority interrupt occur, it mask the all lower interrupts and execute the ISR for the higher interrupt. • After executing the ISR, kernel lower the interrupt levels and execute the lower interrupt ISR. • ISR routine should do minimal work and it should defer the major chunk of work to Deferred Procedure Call (DPC) which run at lower IRQL 2.
Software Interrupt Request Levels (IRQLs)
IRQL and DPC • DPC concept is similar to other OS, in Linux it is called bottom half. • DPC is per processor, means a duel processor SMP box contains two DPC Qs. • The ISR routine generally fetch data from hardware and queue a DPC for further processing. • IRQL priority is different from thread scheduling priority.
IRQL and DPC • The scheduler (dispatcher) also runs at IRQL 2. • So a code that execute on or above IRQL 2(dispatch level) cannot preempt. • From the Diagram, see only hardware interrupts and some higher priority interrupts like clock, power fail are above IRQL 2. • Most of the time OS will be in IRQL 0(Passive level) • All user programs and most of the kernel code execute on Passive level only.
IRQL continued.. • Scheduler runs at IRQL 2, so what happen if my driver try to wait on or above dispatch level ?. • Simple system will crash with ‘Blue Screen’, usually with the bug check ID IRQL_NOT_LESSTHAN_EQUAL. • Because if wait above dispatch level, no one there to come and switch the thread. • What happen if try to access a PagedPool in above dispatch level ?. • If the pages are on disk, then a page fault exception will happen, the current thread need to wait and page fault handler will read the pages from page file to page frames in memory. • If page fault happen above the dispatch level, no one there to stop the current thread and schedule the page fault handler. Thus cannot access PagedPool on or above dispatch level.
IRQL 1 - APCs • Asynchronous Procedure Call (APC) run at IRQL 1. • The main duty of APC is to send the data to user thread context. • APC Q is thread specific, each thread has its own APC Q. • User space thread initiate the read operation from a device and either it wait to finish it or continue with another job. • The IO may finish sometime later, now the buffer need to send to the calling thread’s process context. It is the duty of APC.

More Related Content

PPT
Windows kernel and memory io subsystem
bySisimon Soman
 
PPTX
Pipelining of Processors
byGaditek
 
PPT
Pipelining
byAJAL A J
 
PPTX
pipelining
bySadaf Rasheed
 
PPTX
pipelining
bysudhir saurav
 
PPTX
Dealing with exceptions Computer Architecture part 2
byGaditek
 
PPT
The Microarchitecure Of FPGA Based Soft Processor
byDeepak Tomar
 
PDF
Xilinx vs Intel (Altera) FPGA performance comparison
byRoy Messinger
 
Windows kernel and memory io subsystem
bySisimon Soman
 
Pipelining of Processors
byGaditek
 
Pipelining
byAJAL A J
 
pipelining
bySadaf Rasheed
 
pipelining
bysudhir saurav
 
Dealing with exceptions Computer Architecture part 2
byGaditek
 
The Microarchitecure Of FPGA Based Soft Processor
byDeepak Tomar
 
Xilinx vs Intel (Altera) FPGA performance comparison
byRoy Messinger
 

What's hot

PPT
Pipelining in computer architecture
byRamakrishna Reddy Bijjam
 
PPTX
Os lectures
byAdnan Ghafoor
 
PPT
Computer architecture pipelining
byMazin Alwaaly
 
PPT
Performance Enhancement with Pipelining
byAneesh Raveendran
 
PPTX
Pipeline & Nonpipeline Processor
bySmit Shah
 
PDF
Pipelining
bysarith divakar
 
PPT
Pipelining In computer
byTalesun Solar USA Ltd.
 
PPTX
Pipeline processing - Computer Architecture
byS. Hasnain Raza
 
PDF
Linux Instrumentation
byDarkStarSword
 
PPT
pipelining
bySiddique Ibrahim
 
PPT
Chapter6 pipelining
byGurpreet Singh
 
PPT
Rtos
byseenakumari
 
PDF
Advanced pipelining
bya_spac
 
PPTX
INSTRUCTION PIPELINING
byrubysistec
 
PPT
Pipelining
byAmin Omi
 
PPTX
Pipelining , structural hazards
byMunaam Munawar
 
PPT
Instruction pipelining
byShoaib Commando
 
PPTX
Assembly p1
byraja khizar
 
PPTX
The survey on real time operating systems (1)
bymanojkumarsmks
 
PDF
Instruction pipeline
byajay_a
 
Pipelining in computer architecture
byRamakrishna Reddy Bijjam
 
Os lectures
byAdnan Ghafoor
 
Computer architecture pipelining
byMazin Alwaaly
 
Performance Enhancement with Pipelining
byAneesh Raveendran
 
Pipeline & Nonpipeline Processor
bySmit Shah
 
Pipelining
bysarith divakar
 
Pipelining In computer
byTalesun Solar USA Ltd.
 
Pipeline processing - Computer Architecture
byS. Hasnain Raza
 
Linux Instrumentation
byDarkStarSword
 
pipelining
bySiddique Ibrahim
 
Chapter6 pipelining
byGurpreet Singh
 
Rtos
byseenakumari
 
Advanced pipelining
bya_spac
 
INSTRUCTION PIPELINING
byrubysistec
 
Pipelining
byAmin Omi
 
Pipelining , structural hazards
byMunaam Munawar
 
Instruction pipelining
byShoaib Commando
 
Assembly p1
byraja khizar
 
The survey on real time operating systems (1)
bymanojkumarsmks
 
Instruction pipeline
byajay_a
 

Viewers also liked

PPTX
Introduction to windows kernel
bySisimon Soman
 
PPT
Windows io manager
bySisimon Soman
 
PPT
Processes and Threads in Windows Vista
byTrinh Phuc Tho
 
PPT
Windows kernel debugging session 2
bySisimon Soman
 
PPTX
Windows OS Architecture in Summery
byAsanka Dilruk
 
PPT
Evolution of the Windows Kernel Architecture, by Dave Probert
byyang
 
PPTX
Windows kernel debugging workshop in florida
bySisimon Soman
 
PPT
COM and DCOM
bySisimon Soman
 
PPT
Windows kernel
bySisimon Soman
 
PPT
VDI storage and storage virtualization
bySisimon Soman
 
PPT
Storage virtualization citrix blr wide tech talk
bySisimon Soman
 
PPT
Windows debugging sisimon
bySisimon Soman
 
PPT
Design Patterns By Sisimon Soman
bySisimon Soman
 
Introduction to windows kernel
bySisimon Soman
 
Windows io manager
bySisimon Soman
 
Processes and Threads in Windows Vista
byTrinh Phuc Tho
 
Windows kernel debugging session 2
bySisimon Soman
 
Windows OS Architecture in Summery
byAsanka Dilruk
 
Evolution of the Windows Kernel Architecture, by Dave Probert
byyang
 
Windows kernel debugging workshop in florida
bySisimon Soman
 
COM and DCOM
bySisimon Soman
 
Windows kernel
bySisimon Soman
 
VDI storage and storage virtualization
bySisimon Soman
 
Storage virtualization citrix blr wide tech talk
bySisimon Soman
 
Windows debugging sisimon
bySisimon Soman
 
Design Patterns By Sisimon Soman
bySisimon Soman
 

Similar to Introduction to windows kernel

PPTX
Processor types
byAmr Aboelgood
 
PDF
2 programming.the.microsoft.windows.driver.model.2nd.edition
byMax Jeison Prass
 
PDF
Programming The Microsoft Windows Driver Model 2nd Edition Walter Oney
byughnyjgw009
 
PDF
Understanding Windows NT Internals - Part 3
byArun Seetharaman
 
PPT
Chapter01 (1).ppt
byAvadhRakholiya3
 
PDF
Revo Uninstaller Pro 5.2.6 Crack + License Key 2025 [Full Latest]
bytanveer2030kp
 
PDF
Lect17
byVin Voro
 
PDF
Understanding Windows NT Internals - Part 5
byArun Seetharaman
 
PDF
PDF Replacer Pro Crack 1.8.9 Free Download
byismailzabeh02kp
 
PDF
windowsntinterevo uninstaller pro crack rnals-chapter5-250311141151-a0411...
byfarooq014kp
 
PDF
PDF Replacer Pro 1.8.9 Crack Free Download
byalihamzakpa018
 
PDF
AnyDesk Pro 3.7.0 Crack License Key Free Download
byalihamzakpa09
 
PPTX
Processors topic in system on chip architecture
bySrinivasDon
 
PPTX
dma controller Direct Memory Access,The 8237 DMA Controller dma
byAgathiSiva
 
PPT
8251
byAisu
 
PPTX
WINDOWS-CE
byJOLLUSUDARSHANREDDY
 
PPT
Earhart
bysiam hossain
 
PPT
the windows opereting system
byЮсуф Сатторов
 
PPT
Unit2 p1 io organization-97-2003
bySwathi Veeradhi
 
PPT
Al2ed chapter14
byAbdullelah Al-Fahad
 
Processor types
byAmr Aboelgood
 
2 programming.the.microsoft.windows.driver.model.2nd.edition
byMax Jeison Prass
 
Programming The Microsoft Windows Driver Model 2nd Edition Walter Oney
byughnyjgw009
 
Understanding Windows NT Internals - Part 3
byArun Seetharaman
 
Chapter01 (1).ppt
byAvadhRakholiya3
 
Revo Uninstaller Pro 5.2.6 Crack + License Key 2025 [Full Latest]
bytanveer2030kp
 
Lect17
byVin Voro
 
Understanding Windows NT Internals - Part 5
byArun Seetharaman
 
PDF Replacer Pro Crack 1.8.9 Free Download
byismailzabeh02kp
 
windowsntinterevo uninstaller pro crack rnals-chapter5-250311141151-a0411...
byfarooq014kp
 
PDF Replacer Pro 1.8.9 Crack Free Download
byalihamzakpa018
 
AnyDesk Pro 3.7.0 Crack License Key Free Download
byalihamzakpa09
 
Processors topic in system on chip architecture
bySrinivasDon
 
dma controller Direct Memory Access,The 8237 DMA Controller dma
byAgathiSiva
 
8251
byAisu
 
WINDOWS-CE
byJOLLUSUDARSHANREDDY
 
Earhart
bysiam hossain
 
the windows opereting system
byЮсуф Сатторов
 
Unit2 p1 io organization-97-2003
bySwathi Veeradhi
 
Al2ed chapter14
byAbdullelah Al-Fahad
 

Introduction to windows kernel

  • 1.
    Introduction to WindowsKernel Sisimon Soman
  • 2.
    How system callworks • Cannot directly enter kernel space using jmp or a call instruction. • When make a system call (like CreateFile, ReadFile) OS enter kernel mode (Ring 0) using instruction int 2E (it is called interrupt gate). • Code segment descriptor contain information about the ‘Ring’ at which the code can run. For kernel mode modules it will be always Ring 0. If a user mode program try to do ‘jmp <kernel mode address>’ it will cause access violation, because of the segment descriptor flag says processor should be in Ring 0. • The frequency of entering kernel mode is high (most of the Windows API call cause to enter kernel mode) sysenter is the new optimized instruction to enter kernel mode.
  • 3.
  • 4.
    System Call continued.. •Windows maintains a system service dispatch table which is similar to the IDT. Each entry in system service table point to kernel mode system call routine. • The int 2E probe and copy parameters from user mode stack to thread’s kernel mode stack and fetch and execute the correct system call procedure from the system service table. • There are multiple system service tables. One table for NT Native APIs, one table for IIS and GDI etc.
  • 5.
    Lets try itin WinDBG.. • NtWriteFile: mov eax, 0x0E ; build 2195 system service number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C ; pop parameters off stack and return to caller
  • 6.
    App issue ReadFile NtReadFile User Land Kernel Land IO Manager IO Mgr create IRP Packet, IRP send to driver stack File System Volume Manager Disk Class Driver Hardware Driver
  • 7.
    What is IORequest Packet (IRP) • IO Operation passes thru, – Different stages. – Different threads. – Different drivers. • IRP Encapsulate the IO request. • IRP is thread independent.
  • 8.
    IRP Continued.. • CompareIRP with Windows Messages -MSG structure. • Each driver in the stack do its own task, finally forward the IRP to the lower driver in the stack. • IRP can be processed synchronously or asynchronously.
  • 9.
    IRP Continued.. • Usuallylower level hardware driver takes more time. H/W driver can mark the IRP for pending and return. • When H/W finish IO, H/W driver complete the IRP by calling IoCompleteRequest(). • IoCompleteRequest() call IO completion routine set by drivers in stack and complete the IO.
  • 10.
    Structure of IRP •Fixed IRP Header IRP Header • Variable Stack locations – – One sub stack per driver Stack Location 1 Stack Location 2 Stack Location 3 Stack Location N
  • 11.
    Flow of IRP IRP for Storage Stack Storage Stack IRP Header File System Stack Location 1 Volume Manager Stack Location 2 Disk Class Driver Stack Location 3 Hardware Driver Stack Location 4 Forward IRP to lower driver in the stack
  • 12.
    Flow of IRPCompletion IRP for Storage Stack Storage Stack IRP Header File System – Stack Location 1 Completion Routine Volume Manager – Stack Location 2 Completion Routine Disk Class Driver – Stack Location 3 Completion Routine Hardware Driver – Stack Location 4 Complete the IRP Call the completion routine while completing the IRP
  • 13.
    IRP Header • IObuffer Information. • Flags – Page IO Flag – No Caching IO flag • IO Status – On Completion set this to IO Completed. • IRP cancel routine
  • 14.
    IRP Stack Location •IO Manager get the driver count in the stack from the top device in the stack. • While creating IRP, IO manager allocate the IO stack locations equal to the device count from the top device object.
  • 15.
    Contents of IOStack Location • IO Completion routine specific to the driver. • File object specific to the request.
  • 16.
    Software Interrupt RequestLevels (IRQLs) • Windows has its own interrupt priority schemes know as IRQL. • IRQL levels from 0 to 31, the higher the number means higher priority interrupt level. • HAL map hardware interrupts to IRQL 3 (Device 1) to IRQL 31 (High) • When higher priority interrupt occur, it mask the all lower interrupts and execute the ISR for the higher interrupt. • After executing the ISR, kernel lower the interrupt levels and execute the lower interrupt ISR. • ISR routine should do minimal work and it should defer the major chunk of work to Deferred Procedure Call (DPC) which run at lower IRQL 2.
  • 17.
  • 18.
    IRQL and DPC •DPC concept is similar to other OS, in Linux it is called bottom half. • DPC is per processor, means a duel processor SMP box contains two DPC Qs. • The ISR routine generally fetch data from hardware and queue a DPC for further processing. • IRQL priority is different from thread scheduling priority.
  • 19.
    IRQL and DPC •The scheduler (dispatcher) also runs at IRQL 2. • So a code that execute on or above IRQL 2(dispatch level) cannot preempt. • From the Diagram, see only hardware interrupts and some higher priority interrupts like clock, power fail are above IRQL 2. • Most of the time OS will be in IRQL 0(Passive level) • All user programs and most of the kernel code execute on Passive level only.
  • 20.
    IRQL continued.. • Schedulerruns at IRQL 2, so what happen if my driver try to wait on or above dispatch level ?. • Simple system will crash with ‘Blue Screen’, usually with the bug check ID IRQL_NOT_LESSTHAN_EQUAL. • Because if wait above dispatch level, no one there to come and switch the thread. • What happen if try to access a PagedPool in above dispatch level ?. • If the pages are on disk, then a page fault exception will happen, the current thread need to wait and page fault handler will read the pages from page file to page frames in memory. • If page fault happen above the dispatch level, no one there to stop the current thread and schedule the page fault handler. Thus cannot access PagedPool on or above dispatch level.
  • 21.
    IRQL 1 -APCs • Asynchronous Procedure Call (APC) run at IRQL 1. • The main duty of APC is to send the data to user thread context. • APC Q is thread specific, each thread has its own APC Q. • User space thread initiate the read operation from a device and either it wait to finish it or continue with another job. • The IO may finish sometime later, now the buffer need to send to the calling thread’s process context. It is the duty of APC.