Windows Kernel Internals II System Extensions University of
- Slides: 17
Windows Kernel Internals II System Extensions University of Tokyo – July 2004 Dave Probert, Ph. D. Advanced Operating Systems Group Windows Core Operating Systems Division Microsoft Corporation © Microsoft Corporation 2004 1
Kernel Extension Mechanisms I/O Extensions – File System Filters – New File Systems – Device Filter Drivers – Device Drivers Object Manager – New object types Registry – Hook most operations Notifications – Image Loading – Process Create/Exit – Thread Create/Exit Export Drivers Random bit editing © Microsoft Corporation 2004 2
Kernel Communication • • IOCTLs Handles on new object types LPC Most usermode-to-usermode mechanisms – Shared memory – Kernel synchronization objects – Named. Pipes © Microsoft Corporation 2004 3
Kernel Extensions Two main toolkits for writing extensions: – IFSKit – for file system filters and file systems – DDK – for all others, including device drivers Generically called ‘drivers’ and use driver mechanisms to wire into the system – Driver. Entry routine creates a device object for the device – Device object can be named in NT namespace – Access via I/O ops (open/read/write/ioctl/close) Service Control Manager loads/unloads drivers as ‘services’ © Microsoft Corporation 2004 4
Published Kernel Interfaces I/O related – IO object mgmt, security checks – HW access, DMA, interrupts, DPCs, timers, worker threads – IRPs, physical memory (MDLs), cancel support (include CSQs) – Hardware configuration, plug-and-play, power, bus mgmt Multithreading support – Spinlocks, interlocked operations/queues Kernel facilities – Memory pool allocation, threads, synchronization, run-time, object/handle management Zw related (Kernel-mode version of native Nt APIs) – Files, sections, registry, set/query file/process/thread info © Microsoft Corporation 2004 5
Subsystems NT originally mistaken for a microkernel – Kernel was never micro, but … – But OS personalities were defined by servers Servers are called ‘subsystems’ – Primary subsystems OS/2, Windows, Posix, Wo. W – Each subsystem has three main components: – Subsystem service process (e. g. csrss) – Subsystem API library (e. g. kernel 32, et al) – Hooks in the Create. Process code There are some pseudo-subsystems, e. g. lsass, CLR © Microsoft Corporation 2004 6
Windows Subsystem Windows Applications Win 95 GUI Windows NT command Shell Windows NT sys admin, commands & networking Win 32 APIs winsock Win 32 Subsystem Windows NT Kernel Hardware Abstraction Layer © Microsoft Corporation 2004 7
Posix Subsystem UNIX Applications Workshop tools: gcc, g++ perl, Apache, Tcl/Tk, bash, etc. UNIX, XPG, POSIX. 2 commands & utilities Motif U N I X X 11 UNIX shells S D K telnetd BSD Sockets UNIX /POSIX APIs POSIX/UNIX Subsystem Windows NT Kernel Client NFS Server Gateway Hardware Abstraction Layer © Microsoft Corporation 2004 8
Subsystem Inter-operation UNIX Applications Workshop tools: gcc, g++ perl, Apache, Tcl/Tk, bash, etc. UNIX, XPG, POSIX. 2 commands & utilities Windows Applications Motif U N I X X 11 UNIX shells S D K telnetd BSD Sockets UNIX /POSIX APIs POSIX/UNIX Subsystem X 11 R 6. 3 server Windows Applications Win 95 GUI Windows NT command Shell Windows NT sys admin, commands & networking winsock Win 32 APIs Win 32 Subsystem Windows NT Kernel Client NFS Server Gateway Hardware Abstraction Layer © Microsoft Corporation 2004 9
Services vs Kernels Three sites of OS implementation – In app’s container (libraries) – In separate containers (services) – In central, universally shared container (kernel) Shared nature of kernels makes them less flexible – Single sysentry mechanism – Inter-op requires shared abstractions – Access controls limited Services have natural advantages – Filtering and refinement of operations provides finergrained access control – Easy to provide alternative abstractions © Microsoft Corporation 2004 10
Example: Refining kernel privilege Creating permanent objects in OB requires privilege Drive letters are permanent objects (symlinks) in the Dos. Devices directory Q: So how does the Define. Dos. Device API work? A: It uses a privileged services (csrss) to create the symlink csrss is only willing to create symlinks in Dos. Devices Subsystems can in general refine privileges for clients and safely share state between clients – just like kernels © Microsoft Corporation 2004 11
No kernels: Future of OS Design? Operating systems as a collection of libraries and services? + increased flexibility & extensibility + more robust, better failure isolation/recovery, better security - performance of current CPUs optimized for kernels SPACE, Pebble – Fundamental abstractions: Processors, MMUs, trapvectors vs. Processes, VM, IPC © Microsoft Corporation 2004 12
Back to the present… Windows is extended primarily by adding apps and libraries (e. g. COM components) Primary kernel extensions are for new devices and filtering existing operations Project I explores kernel extensions Project II explores services © Microsoft Corporation 2004 13
Project I – writing a kernel extension Have the Windows DDK installed for WS 03 (aka WNET) Open a new command window set DDK=C: WINDDK37901218 (for example) Run command: %DDK%binsetenv %DDK% chk wnet In the Trivial. Driver directory type: build Find trivial. sys and trivialapp. exe and copy to test machine Run trivialapp. exe on the test machine You’ll see a few messages (the driver loaded/unloaded) Do the same with Trivial. Driver 2 This time it waits, so start/stop taskmgr. exe You will see the names of registry values that were set Use regedit. exe to write some new values in HKCU © Microsoft Corporation 2004 14
Project I - 2 Read through Registry Callbacks. doc Compare Trivial. Driver and Trivial. Driver 2 Read in the DDK documentation about the API Ps. Set. Create. Process. Notify. Routine Have the SDK documentation handy Modify the Trivial. Driver 2 driver to list the process ids of processes as they are created and exit Then modify the app to use to print out the name of the exe for each process created (see the PSAPI functions) This is a hit-or-miss procedure, what would be required for it to be reliable? © Microsoft Corporation 2004 15
Anatomy of Trivial. sys Driver. Entry is called when driver is loaded Creates Device object and symlink Initializes a few dispatch entry points Trivial. Create. Close is called for create/close IRPs Since driver not stacked, only opened by name Routine does nothing but process IRP correctly Trivial. Cleanup is also an effective no-op Trivial. Unload deletes the symlink, IOMgr deletes devobj Trivial. Driver 2 adds read and ioctl functions, and then Arranges for registry callbacks Maintains a buffer which can be read out © Microsoft Corporation 2004 16
Discussion © Microsoft Corporation 2004 17
Windows kernel internals
Tebwin
Windows kernel internals
Windows kernel internals
Notifychangedirectory
Linux kernel internals
Advapi logon process
What does the program do windows ntos kernel system
Windows internals
University of kent extensions
Windows vista kernel
Microsoft-windows-kernel-process
Windows kernel architecture
Windows kernel api
Windows nt vs unix
Syscall fuzzer
Windows kernel architecture
Windows vista kernel extension
