SlideShare une entreprise Scribd logo

Windows kernel

Télécharger en tant que PPT, PDF
Sisimon Soman
Sisimon Soman
1  sur  23
Windows Kernel Sisimon E S
Objective • Learn how system calls work. • Different privilege levels. • Memory Manager concepts. • Interrupt Request Levels. • Asynchronous Procedure Calls (APC) and Deferred Procedure Calls (DPC).
Lord of the Rings • x86 processor has 4 layers of protection called Ring 0 – 3. • Privilege code (Kernel ) runs in Ring 0. Processor ensure that privilege instructions (like enable/disable interrupt, ) execute in kernel mode only. • User application runs in Ring 3. • Ring 1 is where the Hyperviser lives..
Rings continued..
How system call works • Cannot directly enter kernel space using jmp or a call instruction. • When make a system call (like CreateFile, ReadFile) OS enter kernel mode (Ring 0) using instruction int 2E (it is called interrupt gate). • Code segment descriptor contain information about the ‘Ring’ at which the code can run. For kernel mode modules it will be always Ring 0. If a user mode program try to do ‘jmp <kernel mode address>’ it will cause access violation, because of the segment descriptor flag says processor should be in Ring 0. • The frequency of entering kernel mode is high (most of the Windows API call cause to enter kernel mode) sysenter is the new optimized instruction to enter kernel mode.
System Call continued.. • Windows maintains a system service dispatch table which is similar to the IDT. Each entry in system service table point to kernel mode system call routine. • The int 2E probe and copy parameters from user mode stack to thread’s kernel mode stack and fetch and execute the correct system call procedure from the system service table. • There are multiple system service tables. One table for NT Native APIs, one table for IIS and GDI etc.
System call mechanism..
Lets try it in WinDBG.. • NtWriteFile: mov eax, 0x0E ; build 2195 system service number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C ; pop parameters off stack and return to caller
IO Request Packet (IRP) • When a thread initiate an IO operation, IO Manager create a data structure call IO Request Packet (IRP). • The IRP contains all information about the request. • IO Manager send the IRP to the top device in the driver stack. • Demo : !irpfind to see all current IRPs. Demo : !irp <irp address> to see information about one IRP.
Memory Manager • x86 Windows box support total 4GB of virtual memory • Lower 2GB (from x00000000 to x7FFFFFFF) for process private storage. • Upper 2GB (x80000000 – xFFFFFFFF) for OS memory requirements. • Upper 2GB is common for all process, in other words half of PDE in is same for all process. • Windows usually map the system call parameters to kernel mode memory so that it can access from any process context. • Interrupts and DPC (will talk about it later) can occur in arbitrary thread context, but still it can access the buffer because it is mapped to kernel.
Memory Manager continued.. • Kernel mode there two types of memory. • Paged Pool and NonPagedPool • NonPagedPool pages will be always on memory. • PagedPool pages can swap to page file according to the memory requirements. • Driver writers should use NonPagedPool judiciously.
Memory Manager continued.. • ExAllocatePool(), ExAllocatePoolWithTag() are the DDK APIs in kernel mode to allocate memory. • We can put tag to the memory allocation so that it is easy to monitor the pool usage. • Memory manager keep the pool tag in the beginning of the allocation (Demo: use WinDBG to check it). • Demo : !poolused command to see the pool tags. • Demo: use poolmon.exe to see the pool tags.
Software Interrupt Request Levels (IRQLs) • Windows has its own interrupt priority schemes know as IRQL. • IRQL levels from 0 to 31, the higher the number means higher priority interrupt level. • HAL map hardware interrupts to IRQL 3 (Device 1) to IRQL 31 (High) • When higher priority interrupt occur, it mask the all lower interrupts and execute the ISR for the higher interrupt. • After executing the ISR, kernel lower the interrupt levels and execute the lower interrupt ISR. • ISR routine should do minimal work and it should defer the major chunk of work to Deferred Procedure Call (DPC) which run at lower IRQL 2.
Software Interrupt Request Levels (IRQLs)
IRQL and DPC • DPC concept is similar to other OS, in Linux it is called bottom half. • DPC is per processor, means a duel processor SMP box contains two DPC Qs. • The ISR routine generally fetch data from hardware and queue a DPC for further processing. • IRQL priority is different from thread scheduling priority.
IRQL and DPC • The scheduler (dispatcher) also runs at IRQL 2. • So a code that execute on or above IRQL 2(dispatch level) cannot preempt. • From the Diagram, see only hardware interrupts and some higher priority interrupts like clock, power fail are above IRQL 2. • Most of the time OS will be in IRQL 0(Passive level) • All user programs and most of the kernel code execute on Passive level only.
IRQL continued.. • Scheduler runs at IRQL 2, so what happen if my driver try to wait on or above dispatch level ?. • Simple system will crash with ‘Blue Screen’, usually with the bug check ID IRQL_NOT_LESSTHAN_EQUAL. • Because if wait above dispatch level, no one there to come and switch the thread. • What happen if try to access a PagedPool in above dispatch level ?. • If the pages are on disk, then a page fault exception will happen, the current thread need to wait and page fault handler will read the pages from page file to page frames in memory. • If page fault happen above the dispatch level, no one there to stop the current thread and schedule the page fault handler. Thus cannot access PagedPool on or above dispatch level.
IRQL 1 - APCs • Asynchronous Procedure Call (APC) run at IRQL 1. • The main duty of APC is to send the data to user thread context. • APC Q is thread specific, each thread has its own APC Q. • User space thread initiate the read operation from a device and either it wait to finish it or continue with another job. • The IO may finish sometime later, now the buffer need to send to the calling thread’s process context. It is the duty of APC.
Initiating an IO
IO Completion

Recommandé

Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchSherif Mousa
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Toursamrat das
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and PropertiesSaadi Rahman
 
An Insight into the Linux Booting Process
An Insight into the Linux Booting ProcessAn Insight into the Linux Booting Process
An Insight into the Linux Booting ProcessHardeep Bhurji
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 

Recommandé

Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchSherif Mousa
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Toursamrat das
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and PropertiesSaadi Rahman
 
An Insight into the Linux Booting Process
An Insight into the Linux Booting ProcessAn Insight into the Linux Booting Process
An Insight into the Linux Booting ProcessHardeep Bhurji
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Aananth C N
 
Linux boot process
Linux boot processLinux boot process
Linux boot processArchana Chandrasekharan
 
Linux memory-management-kamal
Linux memory-management-kamalLinux memory-management-kamal
Linux memory-management-kamalKamal Maiti
 
Kernel. Operating System
Kernel. Operating SystemKernel. Operating System
Kernel. Operating Systempratikkadam78
 
Linux kernel
Linux kernelLinux kernel
Linux kernelMahmoud Shiri Varamini
 
Linux booting process
Linux booting processLinux booting process
Linux booting processPrashant Hegde
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Ahmed El-Arabawy
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedAdrian Huang
 
Embedded linux system development (slides)
Embedded linux system development (slides)Embedded linux system development (slides)
Embedded linux system development (slides)Jaime Barragan
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Storage Management
Storage ManagementStorage Management
Storage ManagementSURBHI SAROHA
 
Operating System-Ch8 memory management
Operating System-Ch8 memory managementOperating System-Ch8 memory management
Operating System-Ch8 memory managementSyaiful Ahdan
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux BasicsMarc Leeman
 
Linux scheduler
Linux schedulerLinux scheduler
Linux schedulerLiran Ben Haim
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
 
Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory ManagementAnil Kumar Pugalia
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 

Contenu connexe

Tendances

Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Aananth C N
 
Linux memory-management-kamal
Linux memory-management-kamalLinux memory-management-kamal
Linux memory-management-kamalKamal Maiti
 
Kernel. Operating System
Kernel. Operating SystemKernel. Operating System
Kernel. Operating Systempratikkadam78
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Ahmed El-Arabawy
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedAdrian Huang
 
Embedded linux system development (slides)
Embedded linux system development (slides)Embedded linux system development (slides)
Embedded linux system development (slides)Jaime Barragan
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Operating System-Ch8 memory management
Operating System-Ch8 memory managementOperating System-Ch8 memory management
Operating System-Ch8 memory managementSyaiful Ahdan
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux BasicsMarc Leeman
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
 

Tendances (20)

Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+
 
Linux boot process
Linux boot processLinux boot process
Linux boot process
 
Linux memory-management-kamal
Linux memory-management-kamalLinux memory-management-kamal
Linux memory-management-kamal
 
Kernel. Operating System
Kernel. Operating SystemKernel. Operating System
Kernel. Operating System
 
Linux kernel
Linux kernelLinux kernel
Linux kernel
 
Linux booting process
Linux booting processLinux booting process
Linux booting process
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
 
Embedded linux system development (slides)
Embedded linux system development (slides)Embedded linux system development (slides)
Embedded linux system development (slides)
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Storage Management
Storage ManagementStorage Management
Storage Management
 
Operating System-Ch8 memory management
Operating System-Ch8 memory managementOperating System-Ch8 memory management
Operating System-Ch8 memory management
 
Linux internal
Linux internalLinux internal
Linux internal
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival Guide
 
Embedded Linux Basics
Embedded Linux BasicsEmbedded Linux Basics
Embedded Linux Basics
 
Linux scheduler
Linux schedulerLinux scheduler
Linux scheduler
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
 
Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory Management
 

Similaire à Windows kernel

Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
Windows kernel and memory io subsystem
Windows kernel and memory io subsystemWindows kernel and memory io subsystem
Windows kernel and memory io subsystemSisimon Soman
 
Computer_Organization and architecture _unit 1.pptx
Computer_Organization and architecture _unit 1.pptxComputer_Organization and architecture _unit 1.pptx
Computer_Organization and architecture _unit 1.pptxManimegalaM3
 
Computer Organization: Introduction to Microprocessor and Microcontroller
Computer Organization: Introduction to Microprocessor and MicrocontrollerComputer Organization: Introduction to Microprocessor and Microcontroller
Computer Organization: Introduction to Microprocessor and MicrocontrollerAmrutaMehata
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginSam Bowne
 
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBhoomil Chavda
 
Part I:Introduction to assembly language
Part I:Introduction to assembly languagePart I:Introduction to assembly language
Part I:Introduction to assembly languageAhmed M. Abed
 
Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors pptSiddhartha Anand
 
Parallel Processors (SIMD)
Parallel Processors (SIMD) Parallel Processors (SIMD)
Parallel Processors (SIMD) Ali Raza
 
Parallel Processors (SIMD)
Parallel Processors (SIMD) Parallel Processors (SIMD)
Parallel Processors (SIMD) Ali Raza
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 

Similaire à Windows kernel (20)

Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernel
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernel
 
Windows kernel and memory io subsystem
Windows kernel and memory io subsystemWindows kernel and memory io subsystem
Windows kernel and memory io subsystem
 
Computer_Organization and architecture _unit 1.pptx
Computer_Organization and architecture _unit 1.pptxComputer_Organization and architecture _unit 1.pptx
Computer_Organization and architecture _unit 1.pptx
 
Computer Organization: Introduction to Microprocessor and Microcontroller
Computer Organization: Introduction to Microprocessor and MicrocontrollerComputer Organization: Introduction to Microprocessor and Microcontroller
Computer Organization: Introduction to Microprocessor and Microcontroller
 
Os lectures
Os lecturesOs lectures
Os lectures
 
Os introduction
Os introductionOs introduction
Os introduction
 
Os introduction
Os introductionOs introduction
Os introduction
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handling
 
Part I:Introduction to assembly language
Part I:Introduction to assembly languagePart I:Introduction to assembly language
Part I:Introduction to assembly language
 
Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors ppt
 
Parallel Processors (SIMD)
Parallel Processors (SIMD) Parallel Processors (SIMD)
Parallel Processors (SIMD)
 
Parallel Processors (SIMD)
Parallel Processors (SIMD) Parallel Processors (SIMD)
Parallel Processors (SIMD)
 
Window ce
Window ceWindow ce
Window ce
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 

Plus de Sisimon Soman

Windows kernel debugging workshop in florida
Windows kernel debugging workshop in floridaWindows kernel debugging workshop in florida
Windows kernel debugging workshop in floridaSisimon Soman
 
Windows memory manager internals
Windows memory manager internalsWindows memory manager internals
Windows memory manager internalsSisimon Soman
 
Windows kernel debugging session 2
Windows kernel debugging session 2Windows kernel debugging session 2
Windows kernel debugging session 2Sisimon Soman
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimonSisimon Soman
 
Storage virtualization citrix blr wide tech talk
Storage virtualization citrix blr wide tech talkStorage virtualization citrix blr wide tech talk
Storage virtualization citrix blr wide tech talkSisimon Soman
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualizationSisimon Soman
 
Design Patterns By Sisimon Soman
Design Patterns By Sisimon SomanDesign Patterns By Sisimon Soman
Design Patterns By Sisimon SomanSisimon Soman
 

Plus de Sisimon Soman (9)

Windows kernel debugging workshop in florida
Windows kernel debugging workshop in floridaWindows kernel debugging workshop in florida
Windows kernel debugging workshop in florida
 
Windows memory manager internals
Windows memory manager internalsWindows memory manager internals
Windows memory manager internals
 
Windows kernel debugging session 2
Windows kernel debugging session 2Windows kernel debugging session 2
Windows kernel debugging session 2
 
Windows io manager
Windows io managerWindows io manager
Windows io manager
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Storage virtualization citrix blr wide tech talk
Storage virtualization citrix blr wide tech talkStorage virtualization citrix blr wide tech talk
Storage virtualization citrix blr wide tech talk
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualization
 
COM and DCOM
COM and DCOMCOM and DCOM
COM and DCOM
 
Design Patterns By Sisimon Soman
Design Patterns By Sisimon SomanDesign Patterns By Sisimon Soman
Design Patterns By Sisimon Soman
 

Windows kernel

  • 1. Windows Kernel Sisimon E S
  • 2. Objective • Learn how system calls work. • Different privilege levels. • Memory Manager concepts. • Interrupt Request Levels. • Asynchronous Procedure Calls (APC) and Deferred Procedure Calls (DPC).
  • 3.
  • 4. Lord of the Rings • x86 processor has 4 layers of protection called Ring 0 – 3. • Privilege code (Kernel ) runs in Ring 0. Processor ensure that privilege instructions (like enable/disable interrupt, ) execute in kernel mode only. • User application runs in Ring 3. • Ring 1 is where the Hyperviser lives..
  • 6. How system call works • Cannot directly enter kernel space using jmp or a call instruction. • When make a system call (like CreateFile, ReadFile) OS enter kernel mode (Ring 0) using instruction int 2E (it is called interrupt gate). • Code segment descriptor contain information about the ‘Ring’ at which the code can run. For kernel mode modules it will be always Ring 0. If a user mode program try to do ‘jmp <kernel mode address>’ it will cause access violation, because of the segment descriptor flag says processor should be in Ring 0. • The frequency of entering kernel mode is high (most of the Windows API call cause to enter kernel mode) sysenter is the new optimized instruction to enter kernel mode.
  • 7. System Call continued.. • Windows maintains a system service dispatch table which is similar to the IDT. Each entry in system service table point to kernel mode system call routine. • The int 2E probe and copy parameters from user mode stack to thread’s kernel mode stack and fetch and execute the correct system call procedure from the system service table. • There are multiple system service tables. One table for NT Native APIs, one table for IIS and GDI etc.
  • 9.
  • 10. Lets try it in WinDBG.. • NtWriteFile: mov eax, 0x0E ; build 2195 system service number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C ; pop parameters off stack and return to caller
  • 11. IO Request Packet (IRP) • When a thread initiate an IO operation, IO Manager create a data structure call IO Request Packet (IRP). • The IRP contains all information about the request. • IO Manager send the IRP to the top device in the driver stack. • Demo : !irpfind to see all current IRPs. Demo : !irp <irp address> to see information about one IRP.
  • 12. Memory Manager • x86 Windows box support total 4GB of virtual memory • Lower 2GB (from x00000000 to x7FFFFFFF) for process private storage. • Upper 2GB (x80000000 – xFFFFFFFF) for OS memory requirements. • Upper 2GB is common for all process, in other words half of PDE in is same for all process. • Windows usually map the system call parameters to kernel mode memory so that it can access from any process context. • Interrupts and DPC (will talk about it later) can occur in arbitrary thread context, but still it can access the buffer because it is mapped to kernel.
  • 13.
  • 14. Memory Manager continued.. • Kernel mode there two types of memory. • Paged Pool and NonPagedPool • NonPagedPool pages will be always on memory. • PagedPool pages can swap to page file according to the memory requirements. • Driver writers should use NonPagedPool judiciously.
  • 15. Memory Manager continued.. • ExAllocatePool(), ExAllocatePoolWithTag() are the DDK APIs in kernel mode to allocate memory. • We can put tag to the memory allocation so that it is easy to monitor the pool usage. • Memory manager keep the pool tag in the beginning of the allocation (Demo: use WinDBG to check it). • Demo : !poolused command to see the pool tags. • Demo: use poolmon.exe to see the pool tags.
  • 16. Software Interrupt Request Levels (IRQLs) • Windows has its own interrupt priority schemes know as IRQL. • IRQL levels from 0 to 31, the higher the number means higher priority interrupt level. • HAL map hardware interrupts to IRQL 3 (Device 1) to IRQL 31 (High) • When higher priority interrupt occur, it mask the all lower interrupts and execute the ISR for the higher interrupt. • After executing the ISR, kernel lower the interrupt levels and execute the lower interrupt ISR. • ISR routine should do minimal work and it should defer the major chunk of work to Deferred Procedure Call (DPC) which run at lower IRQL 2.
  • 17. Software Interrupt Request Levels (IRQLs)
  • 18. IRQL and DPC • DPC concept is similar to other OS, in Linux it is called bottom half. • DPC is per processor, means a duel processor SMP box contains two DPC Qs. • The ISR routine generally fetch data from hardware and queue a DPC for further processing. • IRQL priority is different from thread scheduling priority.
  • 19. IRQL and DPC • The scheduler (dispatcher) also runs at IRQL 2. • So a code that execute on or above IRQL 2(dispatch level) cannot preempt. • From the Diagram, see only hardware interrupts and some higher priority interrupts like clock, power fail are above IRQL 2. • Most of the time OS will be in IRQL 0(Passive level) • All user programs and most of the kernel code execute on Passive level only.
  • 20. IRQL continued.. • Scheduler runs at IRQL 2, so what happen if my driver try to wait on or above dispatch level ?. • Simple system will crash with ‘Blue Screen’, usually with the bug check ID IRQL_NOT_LESSTHAN_EQUAL. • Because if wait above dispatch level, no one there to come and switch the thread. • What happen if try to access a PagedPool in above dispatch level ?. • If the pages are on disk, then a page fault exception will happen, the current thread need to wait and page fault handler will read the pages from page file to page frames in memory. • If page fault happen above the dispatch level, no one there to stop the current thread and schedule the page fault handler. Thus cannot access PagedPool on or above dispatch level.
  • 21. IRQL 1 - APCs • Asynchronous Procedure Call (APC) run at IRQL 1. • The main duty of APC is to send the data to user thread context. • APC Q is thread specific, each thread has its own APC Q. • User space thread initiate the read operation from a device and either it wait to finish it or continue with another job. • The IO may finish sometime later, now the buffer need to send to the calling thread’s process context. It is the duty of APC.