Department of Computer Science • Information Processing Laboratory
Lecture 1: Concepts and Tools
2005 Spring
陈香兰
xlanchen@2005-2-25 Understanding the Inside of Windows2000
Foundation Concepts and Terms
Win32 API
Services, Functions, and Routines
Processes, Threads, and Jobs
Virtual memory
Kernel Mode vs. User Mode
Objects & handles
…
xlanchen@2005-2-25 Understanding the Inside of Windows2000
3计算机系信息处理实验室
Win32 API
REF2 and REF3
We will explain the internal behavior and implementation of key Win32 API functions: those covering processes, threads, memory management, security, I/O, windowing, and graphics.
History: Win32 is the 32-bit successor of the 16-bit Windows 3.x API (Win16).
Services, Functions, and Routines [1,2,3]
Win32 API functions
CreateProcess, CreateFile, GetMessage, …
System services (or executive system services)
Native functions in Windows 2000 that are callable from user mode
Analogous to a Unix system call (int 0x80 on Linux); on x86, Windows 2000 enters the kernel with int 0x2E
NtCreateProcess, NtWriteFile
Example: the user-mode stub for NtWriteFile in Ntdll.dll (x86):
NtWriteFile:
    mov eax, 0x0E    ; build 2195 (Windows 2000) system service number for NtWriteFile
    mov ebx, esp     ; point to parameters
    int 0x2E         ; execute system service trap
    ret 0x2C         ; pop parameters off the stack and return to caller
The number loaded into eax is an index into the kernel's system service table and is specific to build 2195; it changes between Windows versions, so any code (or hook) that hard-codes it breaks on another build. The immediate on ret is the number of argument bytes the caller pushed, which the stub removes on return.
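To make the stub layout concrete, here is an added example (not code from the lecture or from the Inside Windows 2000 book): a small C decoder that recovers the system service number and argument size from the raw bytes of an int 0x2E-style stub, and flags a stub whose first instruction has been replaced by a jmp, the usual signature of an inline hook on an Ntdll.dll export. Both defenders (harvesting syscall numbers, detecting hooks) and offensive tooling (calling services directly) walk stubs this way. The sample bytes are constructed by hand from the slide's NtWriteFile listing rather than captured from a real Ntdll.dll; the decoder accepts the slide's `mov ebx, esp` (8B DC) and the `lea edx, [esp+4]` form (8D 54 24 04) also seen in Windows 2000 stubs, and nothing else, since XP and later stubs use a different entry sequence.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a decoded int 0x2E stub tells us. */
typedef struct {
    uint32_t service_number;   /* immediate loaded into eax */
    uint16_t arg_bytes;        /* immediate of the trailing "ret imm16" */
} stub_info;

/* Decode a Windows 2000-style system service stub:
 *   B8 imm32                 mov eax, imm32       (system service number)
 *   8B DC | 8D 54 24 04      mov ebx, esp | lea edx, [esp+4]  (argument pointer)
 *   CD 2E                    int 0x2E
 *   C2 imm16                 ret imm16            (argument bytes to pop)
 * Returns 0 on success, -1 if the bytes do not match this layout. */
int decode_int2e_stub(const uint8_t *code, size_t len, stub_info *out)
{
    size_t i;
    if (len < 5 || code[0] != 0xB8)
        return -1;
    out->service_number = (uint32_t)code[1] | ((uint32_t)code[2] << 8)
                        | ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    i = 5;
    if (i + 2 <= len && code[i] == 0x8B && code[i + 1] == 0xDC)
        i += 2;                                   /* mov ebx, esp */
    else if (i + 4 <= len && code[i] == 0x8D && code[i + 1] == 0x54
             && code[i + 2] == 0x24 && code[i + 3] == 0x04)
        i += 4;                                   /* lea edx, [esp+4] */
    else
        return -1;
    if (i + 2 > len || code[i] != 0xCD || code[i + 1] != 0x2E)
        return -1;                                /* int 0x2E */
    i += 2;
    if (i + 3 > len || code[i] != 0xC2)
        return -1;                                /* ret imm16 */
    out->arg_bytes = (uint16_t)(code[i + 1] | (code[i + 2] << 8));
    return 0;
}

/* Number of 32-bit arguments implied by the ret immediate. */
unsigned stub_arg_count(const stub_info *s)
{
    return s->arg_bytes / 4u;
}

/* True if the stub starts with a near (E9) or short (EB) jmp: the first
 * instruction has been patched, as an inline hook does. */
int stub_is_hooked(const uint8_t *code, size_t len)
{
    return len > 0 && (code[0] == 0xE9 || code[0] == 0xEB);
}

/* Constructed sample (not captured from a real Ntdll.dll): the slide's
 * NtWriteFile stub as machine code. */
static const uint8_t NTWRITEFILE_STUB[] = {
    0xB8, 0x0E, 0x00, 0x00, 0x00,   /* mov eax, 0x0E */
    0x8B, 0xDC,                     /* mov ebx, esp  */
    0xCD, 0x2E,                     /* int 0x2E      */
    0xC2, 0x2C, 0x00                /* ret 0x2C      */
};

/* Constructed hooked variant: the first five bytes overwritten with
 * "jmp rel32" (target offset is arbitrary). */
static const uint8_t HOOKED_STUB[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp +0x1000   */
    0x8B, 0xDC, 0xCD, 0x2E, 0xC2, 0x2C, 0x00
};

int main(void)
{
    stub_info s;
    if (decode_int2e_stub(NTWRITEFILE_STUB, sizeof NTWRITEFILE_STUB, &s) == 0)
        printf("service 0x%02" PRIX32 ", %u DWORD arguments popped\n",
               s.service_number, stub_arg_count(&s));
    printf("hooked sample: %s\n",
           stub_is_hooked(HOOKED_STUB, sizeof HOOKED_STUB) ? "yes" : "no");
    return 0;
}
```

The decoder deliberately refuses anything that is not byte-for-byte one of the two known shapes: on a stub-walking pass over Ntdll.dll exports, a parse failure is itself the signal worth logging, because it means either a different Windows build or a patched stub. Note that the argument count it reports for the slide's listing (11 DWORDs from ret 0x2C) is whatever the ret immediate encodes; the decoder does not know the real prototype of NtWriteFile.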
Services, Functions, and Routines [1,2,3]
Kernel support functions (or routines)
Subroutines inside the kernel-mode executive and kernel, not callable from user mode
ExAllocatePool (used by device drivers to allocate memory from the Windows 2000 system heaps, the paged and nonpaged pools)
Win32 services
Processes started and controlled by the Windows 2000 service control manager (SCM)
Services, Functions, and Routines [1,2,3]
DLL (dynamic-link library)
A set of callable subroutines linked together as a binary file that can be dynamically loaded by the applications that use them
Examples: Msvcrt.dll (the C run-time library), Kernel32.dll (one of the Win32 subsystem DLLs)
Advantages: sharable; one copy of the code in memory is shared by every process that loads it
Processes, Threads, and Jobs [1,2,3,4]
Program vs. process
What does a process include?
Processes, Threads, and Jobs [1,2,3,4]
A Windows 2000 process comprises:
A private virtual address space
An executable program (the code and data mapped into that address space)
A list of open handles to various system resources, such as semaphores, communication ports, and files, that are accessible to all threads in the process
A security context (an access token identifying the user, the security groups, and the privileges associated with the process)
A process ID
At least one thread of execution
Processes, Threads, and Jobs [1,2,3,4]
A process and its resources
Processes, Threads, and Jobs [1,2,3,4]
Thread: the entity within a process that Windows 2000 schedules for execution. Each thread has:
A hardware context (the processor's register state)
Two stacks: one for executing in kernel mode and one for executing in user mode
Thread-local storage (TLS), a private storage area for the thread
A thread ID
…
Threads of the same process share its resources (address space, handles, security context)
Figure: two threads of one process sharing a memory section; the context of a thread
Virtual memory [1,2,3,4]
Linear 32-bit address space = 4 GB (by default the lower 2 GB is the process's private user-mode space and the upper 2 GB is system space shared by all processes)
Virtual memory [1,2,3,4]
Mapping to physical memory: the memory manager translates virtual pages to physical pages through page tables and pages the rest out to disk
Virtual memory [1,2,3,4]
What if physical memory > virtual memory?
AWE (Address Windowing Extensions) for the 32-bit virtual address space: a process allocates physical pages beyond what its address space can hold and maps them, a few at a time, through a window of its virtual address space
Up to 64 GB of physical memory (36-bit physical addressing with PAE)
The long-term solution: 64-bit
Kernel Mode vs. User Mode
Windows 2000 uses two processor access modes: kernel mode and user mode
The i386 supports four privilege levels (rings 0 to 3); Windows 2000 uses only two of them:
Ring 0: kernel mode
Ring 3: user mode
Figure: user mode vs. kernel mode
Demo
Objects & handles
An object is a single, run-time instance of a statically defined object type
An object type comprises a system-defined data type, functions that operate on instances of the data type (the object methods), and a set of object attributes
Examples: process, thread, file, event
Handles: references to an instance of an object; a process obtains a handle by creating or opening the object, and the granted access rights recorded with the handle are checked whenever it is used
Others
Security
Windows 2000 supports C2-level security as defined by the U.S. Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD, December 1985): discretionary access control, object reuse protection, identification and authentication, and auditing
Registry
A system database that holds the information required to boot and configure the system, systemwide software settings, the security database, and per-user configuration settings
Unicode (16-bit)
Win32 functions that take strings come in two versions: Unicode (16-bit characters, W suffix, e.g. CreateFileW) and ANSI (8-bit characters, A suffix, e.g. CreateFileA); the ANSI version converts its string arguments and calls the Unicode version, since the system works in Unicode internally
Tools for Viewing Windows 2000 Internals
See pages 11-16 of the textbook
Thank you!