Windows Kernel Internals: Win32k.sys (David B. Probert)

Slides: 24

Windows Kernel Internals: Win32k.sys
David B. Probert, Ph.D.
Windows Kernel Development
Microsoft Corporation
© Microsoft Corporation

Topics
• Background
• Entry Points
• Architecture
• GUI Threads
• Initialization & Shutdown
• Memory Manager & Win32k
• User Mode Callbacks & LPC

What is win32k?
• Kernel side of the Windows Subsystem
• Graphical User Interface (GUI) infrastructure of the operating system
• Includes the kernel side of:
  – Window Manager (USER)
  – Graphics Device Interface (GDI)
  – DX thunks to dxg.sys (DirectX)

Win32k & the OS (layer diagram)
• User mode: CSRSS.EXE, WinLogon.EXE, user-mode processes
  – USER32.DLL, Kernel32.DLL, NTDLL.DLL (the W32UMode.lib DLLs, e.g. USER32.DLL)
• Kernel mode: Win32k.sys, on top of the NT kernel

W32umode.lib DLLs
• User32.dll, Imm32.dll – Window Manager
• Gdi32.dll, MsImg32.dll – GDI
• d3d8thk.dll – DirectX thunks
• CSRSS's Winsrv.dll – Console, TS, HardError
• Twsrc_32.dll – print driver
• F3ahvoas – keyboard drivers

Win32k Entry Points: User Mode Stubs
• About 600 entry points
• nt\windows\core\kmode\services.tab
• Gensrv.exe generates usrstubs.c, used to build w32umode.lib
• Stubs
  – Index
  – Syscall (int 2e on x86)
  – Params on the stack

Win32k Entry Points: Kernel Service Table
• Gensrv.exe generates systable.asm
• Builds three tables in win32k.sys
  – W32pServiceTable (function & return value)
  – W32pArgumentTable
• Provided to the NT kernel via KeAddSystemServiceTable on initialization
• nt\base\ntos\ke\i386\trap.asm

Win32k Entry Points: User Mode Memory
• Must not blue screen!
• Probing – range/alignment check
• Capturing
• Try-excepts
  – Must have probed first
  – Small blocks
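The probe/capture discipline on this slide, as an added example that is not the deck's own code: the real entry points use ProbeForRead/ProbeForWrite and __try/__except, while this user-mode model uses a flat buffer as the user address space, a limit of 0x7FFF0000 (the x86 MmUserProbeAddress value) for the range check, and an out-of-range access in place of the page fault the __except handler would absorb. Every name suffixed _model, the status values and the sample buffer are assumptions of the example. The point it shows is the ordering the slide insists on: probe first (a try/except never fires on a kernel address or a wrapped range), capture into a kernel copy, and derive every later length only from that captured copy.

```c
/* Added example, not from the deck: a user-mode model of probing and
 * capturing user-mode memory at a win32k entry point. Names suffixed
 * _model and the status values are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USER_PROBE_ADDRESS_MODEL 0x7FFF0000u  /* x86 value of MmUserProbeAddress */
#define MAX_ITEMS_MODEL          16           /* "small blocks": cap what is captured */

typedef enum {
    CAP_OK = 0,
    CAP_ACCESS_VIOLATION,        /* above the user limit, wrapped, or not mapped */
    CAP_DATATYPE_MISALIGNMENT,
    CAP_INVALID_PARAMETER
} capture_status;

/* Simulated user address space: `bytes` backs [base, base + size). */
typedef struct {
    uint32_t base;
    const uint8_t *bytes;
    size_t size;
} user_space_model;

/* The ProbeForRead step: range and alignment check. It rejects kernel
 * addresses and wrap-around, which a __try/__except cannot catch because
 * reads of valid kernel memory never fault. */
capture_status probe_for_read_model(uint32_t addr, size_t len, size_t align)
{
    if (len == 0)
        return CAP_OK;
    if (align > 1 && (addr & (align - 1)) != 0)
        return CAP_DATATYPE_MISALIGNMENT;
    /* the end is computed in 64 bits so a wrap past 0xFFFFFFFF is visible */
    if ((uint64_t)addr + len > USER_PROBE_ADDRESS_MODEL)
        return CAP_ACCESS_VIOLATION;
    return CAP_OK;
}

/* The capture step: probe, then copy inside the "try". Touching memory
 * outside the mapped region models the access violation __except absorbs. */
capture_status capture_model(const user_space_model *us, uint32_t addr,
                             size_t len, size_t align, void *kernel_copy)
{
    capture_status st = probe_for_read_model(addr, len, align);
    if (st != CAP_OK)
        return st;
    if (addr < us->base || (uint64_t)addr + len > (uint64_t)us->base + us->size)
        return CAP_ACCESS_VIOLATION;            /* page fault, caught by __except */
    memcpy(kernel_copy, us->bytes + (addr - us->base), len);
    return CAP_OK;
}

/* A user-supplied request: a count followed by that many 32-bit items. */
typedef struct {
    uint32_t count;
    uint32_t items[MAX_ITEMS_MODEL];
} request_copy_model;

/* Capture the header, validate the count from the kernel copy (never from the
 * user buffer, which another thread may change), then capture the items with
 * a length derived only from that validated value. */
capture_status capture_request_model(const user_space_model *us, uint32_t addr,
                                     request_copy_model *out)
{
    capture_status st = capture_model(us, addr, sizeof out->count, 4, &out->count);
    if (st != CAP_OK)
        return st;
    if (out->count > MAX_ITEMS_MODEL)
        return CAP_INVALID_PARAMETER;
    return capture_model(us, addr + 4, (size_t)out->count * 4, 4, out->items);
}

/* Constructed user buffer: count = 3, items 10, 20, 30, mapped at 0x00400000. */
static const uint32_t sample_words[] = { 3, 10, 20, 30 };
static const user_space_model sample_user = {
    0x00400000u, (const uint8_t *)sample_words, sizeof sample_words
};

/* Sum the items of the request at `addr`; the status reports why a bad
 * pointer was refused instead of crashing the system. */
capture_status sum_request_model(uint32_t addr, uint32_t *sum)
{
    request_copy_model req;
    capture_status st = capture_request_model(&sample_user, addr, &req);
    if (st != CAP_OK)
        return st;
    *sum = 0;
    for (uint32_t i = 0; i < req.count; i++)
        *sum += req.items[i];
    return CAP_OK;
}
```

A session-space address such as A0000000 fails the probe before any copy is attempted, and a request whose count would run past the mapped region fails in the capture rather than reading past it.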

What is a GUI thread?
• Threads are non-GUI when created
• Converted on first call to win32k.sys
  – Bigger stack
  – Win32k.sys notified of creation and destruction
  – Converts process to GUI
• How to recognize a GUI thread:
  – KTHREAD->Win32Thread pointer
  – In user mode, TEB->Win32ThreadInfo
  – Programmatically: IsGuiThread(fConvert) – Whistler only

Conversion to GUI Thread
• nt\base\ntos\ke\i386\trap.asm
• PsConvertToGuiThread
  – MmCreateKernelStack & KeSwitchKernelStack
  – KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow
  – Call PspW32ProcessCallout
  – Call PspW32ThreadCallout
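The stub, service-table and GUI-thread-conversion slides above describe one path: a syscall number carries a table selector and an index, the trap handler looks the index up in the thread's service descriptor table, copies the argument bytes from the caller's stack, and a thread whose table has no win32k entry is converted on its first win32k call. The following is an added user-mode model of that path, not code from the deck or from the kernel: the table selector in bits 12-13 and the index in the low 12 bits follow the x86 NT convention, while the two placeholder services, the stack sizes taken from the Stacks slide (12 K and 64 K), the status values and every name suffixed _model are assumptions of the example.

```c
/* Added example (not the deck's own code): a user-mode model of how the i386
 * trap handler routes a system service number to one of two service
 * descriptor tables, and converts a thread to a GUI thread on its first win32k
 * call. Names suffixed _model, the placeholder services and the status values
 * are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS_MODEL          0L
#define STATUS_INVALID_SERVICE_MODEL  (-1L)

typedef long (*service_fn)(const uint32_t *args);

/* One descriptor: function table, argument-byte table and entry count, the
 * shape of W32pServiceTable / W32pArgumentTable for the win32k slot. */
typedef struct {
    const service_fn *table;
    const uint8_t *arg_bytes;
    size_t limit;
} service_descriptor;

/* Slot 0 is the ntoskrnl table, slot 1 is win32k's. KeServiceDescriptorTable
 * leaves slot 1 empty; only KeServiceDescriptorTableShadow fills it. */
typedef struct { service_descriptor slot[2]; } descriptor_table;

typedef struct { int is_gui; int process_callouts; } process_model;
typedef struct {
    process_model *process;
    const descriptor_table *service_table;   /* KTHREAD->ServiceTable */
    size_t kernel_stack_bytes;
    int is_gui;
    int thread_callouts;
} thread_model;

enum { NORMAL_STACK = 12 * 1024, GUI_STACK = 64 * 1024, MAX_ARG_BYTES = 64 };

/* Placeholder services standing in for the real NtUserXxx / NtGdiXxx routines. */
static long svc_base0(const uint32_t *a) { return (long)(a[0] + a[1]); }
static long svc_base1(const uint32_t *a) { return (long)a[0] * 2; }
static long svc_w32k0(const uint32_t *a) { return (long)(a[0] ^ a[1] ^ a[2]); }

static const service_fn base_fns[]  = { svc_base0, svc_base1 };
static const uint8_t    base_args[] = { 8, 4 };
static const service_fn w32k_fns[]  = { svc_w32k0 };
static const uint8_t    w32k_args[] = { 12 };

static const descriptor_table base_table = {{
    { base_fns, base_args, 2 },
    { NULL, NULL, 0 },                       /* no win32k table for non-GUI threads */
}};
static const descriptor_table shadow_table = {{
    { base_fns, base_args, 2 },
    { w32k_fns, w32k_args, 1 },
}};

/* A thread starts non-GUI: regular stack, base descriptor table. */
void init_thread_model(thread_model *t, process_model *p)
{
    memset(t, 0, sizeof *t);
    t->process = p;
    t->service_table = &base_table;
    t->kernel_stack_bytes = NORMAL_STACK;
}

/* PsConvertToGuiThread: bigger stack, swap to the shadow table, then run the
 * process callout (once per process) and the thread callout. */
static void ps_convert_to_gui_thread_model(thread_model *t)
{
    t->kernel_stack_bytes = GUI_STACK;       /* MmCreateKernelStack + KeSwitchKernelStack */
    t->service_table = &shadow_table;
    if (!t->process->is_gui) {               /* PspW32ProcessCallout */
        t->process->is_gui = 1;
        t->process->process_callouts++;
    }
    t->is_gui = 1;
    t->thread_callouts++;                    /* PspW32ThreadCallout */
}

/* KiSystemService: bits 12-13 select the slot, the low 12 bits the index, and
 * the argument bytes are copied from the caller's stack before the call. */
long ki_system_service_model(thread_model *t, uint32_t number,
                             const uint32_t *user_stack, long *result)
{
    unsigned slot = (number >> 12) & 3;
    unsigned index = number & 0xFFF;
    const service_descriptor *d;
    uint32_t args[MAX_ARG_BYTES / sizeof(uint32_t)] = {0};

    if (slot > 1)
        return STATUS_INVALID_SERVICE_MODEL;
    d = &t->service_table->slot[slot];
    if (d->table == NULL) {
        /* First win32k call from a non-GUI thread: convert, then look again. */
        if (slot != 1 || t->is_gui)
            return STATUS_INVALID_SERVICE_MODEL;
        ps_convert_to_gui_thread_model(t);
        d = &t->service_table->slot[slot];
    }
    if (index >= d->limit || d->arg_bytes[index] > MAX_ARG_BYTES)
        return STATUS_INVALID_SERVICE_MODEL;
    memcpy(args, user_stack, d->arg_bytes[index]);
    *result = d->table[index](args);
    return STATUS_SUCCESS_MODEL;
}
```

The limit check against the descriptor's entry count is the one that matters for robustness: an index past the end of W32pServiceTable must be refused, not dereferenced, and the argument-byte table bounds the copy from the user stack.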

GUI Initialization
• SMSS.EXE
  – Identifies session components
  – HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
    – kmode (win32k.sys)
    – Windows (CSRSS.EXE)
    – "Initial command" (hardcoded to Winlogon.exe)
• Csrss and Winlogon loaded via RtlCreateUserProcess
• Win32k loaded via MmLoadSystemImage (NtSetSystemInformation)

Initialization: Win32k!DriverEntry
• KeAddSystemServiceTable
• PsEstablishWin32Callouts
• MmPageEntireDriver
• InitializeGre
• Win32UserInitialize
• Returns Win32KDriverUnload

Initialization: PsEstablishWin32Callouts
• W32pProcessCallout
• W32pThreadCallout
• UserGlobalAtomTableCallout
• UserPowerEventCallout
• UserPowerStateCallout
• UserJobCallout
• NtGdiFlushUserBatch

Initialization: Winsrv!UserServerDllInitialization
• CSRSS is expected to create the first GUI thread
• Win32k!NtUserInitialize
  – InitVideo
  – Font initialization
• Notification thread
  – NLS (registry cache), Power, Media (CD), Net changes (TS)
• ApiPort thread (LPC)

Initialization: Winlogon
• Creates the IO windowstation (WinSta0)
  – Desktop thread
  – Raw Input Thread (RIT)
• RegisterLogonProcess
• Creates the logon desktop, which causes USER to create the disconnect desktop
• Creates the default desktop
• Launches Services.exe and svchost.exe -- more windowstations

Shutdown
• ExitWindows
  – Win32k notifies Winlogon, which makes the actual ExitWindows call
  – Csrss notifies and shuts down processes
• Non-TS
  – Winlogon calls NtShutdownSystem
• TS needs to unload win32k.sys and exit CSRSS and WINLOGON
  – InitiateWin32kCleanup
  – TerminateProcess CSRSS
  – Win32KDriverUnload

MM & Win32k: Paging
• Needed to support multiple sessions
• MmPageEntireDriver
  – Treated like a user mode process – code shared, data per instance
  – The whole thing is pageable
• Pool
  – Session pool – pageable
  – Non-paged – required for KEVENTs, KTIMERs, Ob objects, etc.

MM & Win32k: Address Spaces
• A0000000 -> A0800000: 8 MB of win32k.sys and other images
• A0800000 -> A0C00000: 4 MB of private Mm per-session data and working set list information
• A0C00000 -> A2000000: 20 MB of session views for win32k desktop heaps and any other mapped files
• A2000000 -> A3000000: 16 MB of session paged pool to support win32k pool allocations
• A3000000 -> A4000000: 16 MB of systemwide-global mapped views

MM & Win32k: Configurable Address Spaces
• HKLM\CurrentControlSet\Control\Session Manager\Memory Management\SessionViewSize = DWORD n, where n is the size of the session view space in MB (default is 20 MB if no key)
• HKLM\CurrentControlSet\Control\Session Manager\Memory Management\SessionPoolSize = DWORD n, where n is the size of the session pool space in MB (default is 16 MB if no key)

MM & Win32k: Views
• Mapping kernel mode memory into the user address space
  – Read only (usually)
• Used to avoid kernel transitions
• MmMapViewOfSection & MmUnmapViewOfSection

MM & Win32k: Stacks
• Bigger than regular threads
• Kernel stacks are fixed size – stack fault == blue screen
• Upon entering the kernel (or before calling back to user mode), MM guarantees 12 K of stack are resident
• Can grow up to 64 K (possibly will be changed to 32 K)
• In Win64: stack and backing store (for registers), 88 K and 56 K

User mode callbacks
• KeUserModeCallback:
  – API index
  – Pointer to params & size
  – Pointer to return data and pointer to size of return data (user mode memory)
• NtCurrentPeb()->KernelCallbackTable loaded at initialization time

LPCing
• CSRSS ApiPort
• LpcRequestPort (CSRSS context)
• LpcRequestWaitReplyPort (any other context)
• Must release critical sections!

Discussion