Title: Modern Operating System Kernels (Microsoft Windows Internals 4th ed.) Chapter 3 part 2: Windows System Mechanisms
Modern Operating System Kernels (Microsoft Windows Internals 4th ed.)
Chapter 3, part 2: Windows System Mechanisms
- Group 3
Outline
- Windows Error Reporting
- System Service Dispatching
- 32-Bit System Service Dispatching
- 64-Bit System Service Dispatching
- Kernel-Mode System Service Dispatching
- Service Descriptor Tables
Windows Error Reporting
- Windows Error Reporting automates the submission of both user-mode process crashes and kernel-mode system crashes (Chapter 14).
- These settings are stored in the registry under the key HKLM\Software\Microsoft\PCHealth\ErrorReporting.
- If the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto is set to zero, or the Debugger string contains the text Drwtsn32, the unhandled exception filter loads \Windows\System\Faultrep.dll into the failing process and calls its ReportFault function.
- The error report (a minidump and a text file with details on the DLL version numbers loaded in the process) is sent to Microsoft's online crash analysis server.
- Microsoft provides qualified customers a tool set called Corporate Error Reporting that gives the administrator the option to take selective error reports and submit them to Microsoft.
System Service Dispatching
- A system service dispatch is triggered as a result of executing an instruction assigned to system service dispatching.
- The instruction that Windows uses for system service dispatching depends on the processor on which it is executing.
32-Bit System Service Dispatching
- A numeric argument passed in the EAX processor register indicates the system service number being requested.
- The EBX register points to the list of parameters the caller passes to the system service.
32-Bit System Service Dispatching
- On x86 Pentium II processors and higher, Windows uses the special sysenter instruction, which Intel defined specifically for fast system service dispatches.
- The system service number is passed in the EAX processor register, and the EDX register points to the list of caller arguments.
- To return to user mode, the system service dispatcher usually executes the sysexit instruction.
32-Bit System Service Dispatching
- On K6 and higher 32-bit AMD processors, Windows uses the special syscall instruction, which functions similarly to the x86 sysenter instruction.
- The system call number is passed in the EAX register, and the stack stores the caller arguments.
- After completing the dispatch, the kernel executes the sysret instruction.
32-Bit System Service Dispatching
  ntdll!NtReadFile
  77f5bfa8 b8b7000000   mov      eax,0xb7
  77f5bfad ba0003fe7f   mov      edx,0x7ffe0300
  77f5bfb2 ffd2         call     edx
  77f5bfb4 c22400       ret      0x24

  SharedUserData!SystemCallStub
  7ffe0300 8bd4         mov      edx,esp
  7ffe0302 0f34         sysenter
  7ffe0304 c3           ret
64-Bit System Service Dispatching
- On the x64 architecture, Windows uses the syscall instruction, which functions like the AMD K6's syscall instruction, for system service dispatching, passing the system call number in the EAX register, the first four parameters in registers, and any parameters beyond those four on the stack.
64-Bit System Service Dispatching
- On the IA64 architecture, Windows uses the epc (Enter Privileged Mode) instruction. The first eight system call arguments are passed in registers, and the rest are passed on the stack.
64-Bit System Service Dispatching
  ntdll!NtReadFile
  00000000'77f9fc60 4c8bd1       mov      r10,rcx
  00000000'77f9fc63 b8bf000000   mov      eax,0xbf
  00000000'77f9fc68 0f05         syscall
  00000000'77f9fc6a c3           ret
Kernel-Mode System Service Dispatching
- The kernel uses the system service number argument to locate the system service information in the system service dispatch table.
- It copies the caller's arguments from the thread's user-mode stack to its kernel-mode stack and then executes the system service.
- Each thread has a pointer to its system service table.
- Windows has two built-in system service tables, but up to four are supported.
- The system service dispatcher determines which table contains the requested service by interpreting a 2-bit field in the 32-bit system service number as a table index.
- The low 12 bits of the system service number serve as the index into the table specified by the table index.
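As an added example (not from the slides), the following Python pulls the service number out of the two ntdll!NtReadFile stubs listed earlier and splits it into table index and slot the way the dispatcher does; the exact bit positions of the 2-bit field (bits 12-13, directly above the 12-bit slot), the mapping of table index 0/1 to the two built-in tables in the order the slides list them, and the 0x1012 sample number are assumptions of this example.

```python
# Added example: decode the service number from the ntdll!NtReadFile stubs
# shown on the slides and split it into table index and slot. Assumptions:
# table index = bits 12-13, slot = bits 0-11, table 0 = Ntoskrnl, table 1 =
# Win32k (shadow); 0x1012 is a constructed number, not a real Win32k service.
from dataclasses import dataclass

# x86: mov eax,0xb7 ; mov edx,0x7ffe0300 ; call edx ; ret 0x24
X86_NTREADFILE_STUB = bytes.fromhex("b8b7000000" "ba0003fe7f" "ffd2" "c22400")
# x64: mov r10,rcx ; mov eax,0xbf ; syscall ; ret
X64_NTREADFILE_STUB = bytes.fromhex("4c8bd1" "b8bf000000" "0f05" "c3")

TABLE_NAMES = {
    0: "Ntoskrnl.exe services (KeServiceDescriptorTable)",
    1: "Win32k.sys USER/GDI services (KeServiceDescriptorTableShadow)",
}

@dataclass(frozen=True)
class ServiceNumber:
    raw: int
    table_index: int  # 2-bit field selecting one of up to four tables
    index: int        # low 12 bits: slot within the selected table

def service_number_from_stub(stub: bytes) -> int:
    """Return the imm32 of the first 'mov eax, imm32' (opcode 0xB8) in a stub.

    Both stubs load the service number into EAX this way; the x64 stub only has
    'mov r10,rcx' in front. Stubs with an earlier stray 0xB8 byte would need a
    real instruction decoder, which these two do not.
    """
    pos = stub.find(b"\xb8")
    if pos < 0 or pos + 5 > len(stub):
        raise ValueError("no 'mov eax, imm32' found in stub")
    return int.from_bytes(stub[pos + 1:pos + 5], "little")

def split_service_number(n: int) -> ServiceNumber:
    """Split a 32-bit service number into table index and slot index."""
    return ServiceNumber(raw=n, table_index=(n >> 12) & 0x3, index=n & 0xFFF)

def describe(n: int) -> str:
    s = split_service_number(n)
    table = TABLE_NAMES.get(s.table_index, f"driver-added table #{s.table_index}")
    return f"0x{n:x} -> {table}[{s.index}]"

if __name__ == "__main__":
    for arch, stub in (("x86", X86_NTREADFILE_STUB), ("x64", X64_NTREADFILE_STUB)):
        print(arch, "NtReadFile:", describe(service_number_from_stub(stub)))
    # constructed number with bit 12 set: dispatched through table 1
    print("constructed:", describe(0x1012))
```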
Service Descriptor Tables
- KeServiceDescriptorTable defines the core executive system services implemented in Ntoskrnl.exe.
- KeServiceDescriptorTableShadow includes the Windows USER and GDI services implemented in the kernel-mode part of the Windows subsystem, Win32k.sys.
Service Descriptor Tables
- The KeAddSystemServiceTable function allows Win32k.sys and other device drivers to add system service tables.
- With the exception of the Win32k.sys service table, a service table added with KeAddSystemServiceTable is copied into both the KeServiceDescriptorTable array and the KeServiceDescriptorTableShadow array.
Service Descriptor Tables
- The system service dispatch instructions for Windows executive services exist in the system library Ntdll.dll.
- Subsystem DLLs call functions in Ntdll to implement their documented functions.
- The exception is Windows USER and GDI functions, in which the system service dispatch instructions are implemented directly in User32.dll and Gdi32.dll; there is no Ntdll.dll involved.
Chapter 3: Windows System Mechanisms
- Windows object manager
- The object manager creates, manages, and deletes Windows executive objects and abstract data types that are used to represent operating system resources such as processes, threads, and the various synchronization objects.
Object manager goals (1/2)
- Provide a common, uniform mechanism for using system resources
- Isolate object protection to one location in the operating system so that C2 security compliance can be achieved
- Establish an object-naming scheme that can readily incorporate existing objects, such as the devices, files, and directories of a file system, or other independent collections of objects
Object manager goals (2/2)
- Support the requirements of various operating system environments
  - a process to inherit resources from a parent process
  - create case-sensitive filenames
- Establish uniform rules for object retention (for keeping an object available until all processes have finished using it)
Kinds of objects
- Executive objects
  - objects implemented by various components of the executive (the process manager, memory manager, I/O subsystem)
- Kernel objects
  - implemented by the Windows kernel
  - not visible to user mode
  - created and used only within the executive
  - provide fundamental capabilities (e.g. synchronization)
Executive objects
- The executive objects and object services are primitives that the environment subsystems use to construct their own versions of objects and other resources.
- Executive objects are created
  - by an environment subsystem on behalf of a user application
  - by various components of the operating system as part of their normal operation, e.g. creating a file
- A thread can synchronize with these executive objects: job, process, thread, file, event, semaphore, mutex, and timer objects.
- Other executive objects don't support synchronization.
Object structure
Object header attributes
- All objects of the same type share the same object body format.
- The object manager provides a small set of generic services that operate on the attributes stored in an object's header and can be used on objects of any type.
- Although these generic object services are supported for all object types, each object has its own create, open, and query services.
Object services
Type objects
- Object headers contain data that is common to all objects but that can take on different values for each instance of an object:
  - each object has a unique name and can have a unique security descriptor
  - you can select from a set of access rights specific to a type of object when you open a handle to objects of that type; the executive supplies
    - terminate and suspend access for thread objects
    - read, write, append, and delete access for file objects
- To conserve memory, the object manager stores these static, object-type-specific attributes once when creating a new object type.
- A type object also links together all objects of the same type, allowing the object manager to find and enumerate them if necessary.
- Type objects can't be manipulated from user mode because the object manager supplies no services for them.
Object Methods
Object Handles and the Process Handle Table
- When a process creates or opens an object by name, it receives a handle that represents its access to the object.
- All user-mode processes must own a handle to an object before their threads can use the object.
- Executive components and device drivers can access objects directly because they are running in kernel mode.
Object Handles and the Process Handle Table
- An object handle is an index into a process-specific handle table, pointed to by the executive process (EPROCESS) block.
- A process's handle table contains pointers to all the objects that the process has opened a handle to.
Object Handles and the Process Handle Table
- The first handle index is 4, the second 8, and so on.
- Handle tables are implemented as a 3-level scheme, similar to the way that the x86 memory management unit implements virtual-to-physical address translation.
Object Handles and the Process Handle Table
- Windows 2000 process handle table architecture
Object Handles and the Process Handle Table
- P indicates whether the caller is allowed to close this handle.
- I indicates whether processes created by this process will get a copy of this handle in their handle tables.
- A indicates whether closing the object should generate an audit message. This flag isn't exposed to Windows; the object manager uses it internally.
Object Handles and the Process Handle Table
- System components and device drivers often need to open handles to objects that user-mode applications shouldn't have access to.
  - This is done by creating handles in the kernel handle table, referenced internally with the name ObpKernelHandleTable.
  - The handles in this table are accessible only from kernel mode and in any process context.
Object Security
- In the executive, when a process creates an object or opens a handle to an existing object, the process must specify a set of desired access rights, that is, what it wants to do with the object.
Object Security
- It can request either a set of standard access rights (such as read, write, and execute) that apply to all object types or specific access rights that vary depending on the object type.
Object Security
- When a process opens a handle to an object, the object manager calls the security reference monitor, sending it the process's set of desired access rights.
- The security reference monitor checks whether the object's security descriptor permits the type of access the process is requesting.
- If it does, the reference monitor returns a set of granted access rights that the process is allowed, and the object manager stores them in the object handle it creates.
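An added example (not from the slides or the book) that models the process handle table and the object manager's call into the security reference monitor as just described, including the P, I and A handle flags; the access bits, the dictionary-style security descriptor and the class names are constructed, while the OBJ_* values are the documented object-attribute flags.

```python
# Added example: handle table with 4, 8, 12... indexes, the P/I/A flags and the
# access check done once at open time. Access bits, the dict security
# descriptor and class names are constructed; OBJ_* are documented values.
from dataclasses import dataclass

OBJ_PROTECT_CLOSE      = 0x1  # P: caller may not close this handle
OBJ_INHERIT            = 0x2  # I: child processes get a copy of the handle
OBJ_AUDIT_OBJECT_CLOSE = 0x4  # A: closing generates an audit message
READ, WRITE = 0x1, 0x2        # constructed access rights

@dataclass
class KernelObject:
    name: str
    security_descriptor: dict  # constructed: account -> permitted access mask

@dataclass
class HandleEntry:
    obj: KernelObject
    flags: int           # P, I, A bits
    granted_access: int  # rights granted at open time, stored in the handle

class ProcessHandleTable:
    def __init__(self):
        self.entries = {}
        self._next = 4  # the first handle index is 4, the second 8, ...

    def open_object(self, account, obj, desired, flags=0):
        # the object manager hands the desired access to the security reference
        # monitor; if the descriptor permits it, the granted rights are stored
        # in the new handle entry and are not re-checked on later use
        if desired & ~obj.security_descriptor.get(account, 0):
            raise PermissionError(f"{account}: 0x{desired:x} on {obj.name} denied")
        h, self._next = self._next, self._next + 4
        self.entries[h] = HandleEntry(obj, flags, desired)
        return h

    def use(self, h, access):
        # a later operation is checked only against the handle's granted mask
        return (self.entries[h].granted_access & access) == access

    def close(self, h):
        e = self.entries[h]
        if e.flags & OBJ_PROTECT_CLOSE:
            raise PermissionError("handle is protected from close")
        del self.entries[h]
        return [f"audit: close of {e.obj.name}"] if e.flags & OBJ_AUDIT_OBJECT_CLOSE else []

    def inherit_into(self, child):
        # a child process receives copies of the inheritable handles only,
        # under the same handle values
        for h, e in self.entries.items():
            if e.flags & OBJ_INHERIT:
                child.entries[h] = HandleEntry(e.obj, e.flags, e.granted_access)
                child._next = max(child._next, h + 4)
```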
I will present
- Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000, 4th ed.
- Chapter 3 System Mechanisms
  - Object Structure
  - Object Retention
  - Resource Accounting
  - Object Names
  - Session Namespace, and
  - Two Experiments
- Pages 141-149
Outline
- Object Retention
- Resource Accounting
- Object Names
- Experiment: Looking at the Base Named Objects
- Session Namespace
- Experiment: Viewing Namespace Instancing
Object Retention
- 2 types of objects
  - Temporary: remain while in use
  - Permanent: remain until explicitly freed
- Object retention
  - retains temporary objects only while they're in use
  - 2 phases
    - Name retention
    - Object deletion
- DDK Documentation: OSR (MSDN ver.)
Object Retention
Figure 3-18. Structure of an object
Object Retention
[Figure: Process A's handle table (indexes 0-3) and Process B's handle table (indexes 0-1) in system space; Process A's handle to an event object is duplicated into Process B with DuplicateHandle; the event object carries a HandleCount and a ReferenceCount, and another structure also references it]
- Programmers need not be concerned that one
process might delete an object before the other
process has finished using it. - How about permanent object?
Object Retention
- An object is permanent if it was created with the OBJ_PERMANENT object attribute flag specified.
- A permanent object is created with a reference count of one.
- Use the following steps to delete a permanent object that you created:
  1. Call ObDereferenceObject.
  2. Call the appropriate ZwOpenXxx or ZwCreateXxx routine to get a handle for the object, if necessary.
  3. Call ZwMakeTemporaryObject with the handle obtained in step 2.
  4. Call ZwClose with the handle obtained in step 2.
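An added example (not from the slides or the DDK) that models the two retention phases, name retention and object deletion, together with the four steps above for deleting a permanent object; the classes and counters are constructed, and treating the permanent flag by itself as what keeps the object alive is a modelling simplification that stands in for the reference its name holds.

```python
# Added example: model of temporary/permanent object retention. Class names
# and counters are constructed; OBJ_PERMANENT is the documented attribute flag.
# Modelling assumption: the permanent flag alone keeps the object alive.
OBJ_PERMANENT = 0x10

class ObjectNamespace:
    def __init__(self):
        self.names = {}    # name -> live object (lost in the name-retention phase)
        self.deleted = []  # names whose object storage was freed

class ManagedObject:
    def __init__(self, ns, name, attributes=0):
        self.ns, self.name = ns, name
        self.permanent = bool(attributes & OBJ_PERMANENT)
        self.handle_count = 0
        # a permanent object starts with a reference count of one
        self.reference_count = 1 if self.permanent else 0
        ns.names[name] = self

    def open_handle(self):
        self.handle_count += 1
        self.reference_count += 1  # every handle is also a reference

    def close_handle(self):
        self.handle_count -= 1
        if self.handle_count == 0 and not self.permanent:
            # phase 1, name retention: with no handles left, a temporary
            # object loses its name and can no longer be opened by name
            self.ns.names.pop(self.name, None)
        self.dereference()

    def reference(self):    # ObReferenceObject: kernel-mode pointer reference
        self.reference_count += 1

    def dereference(self):  # ObDereferenceObject
        self.reference_count -= 1
        if self.reference_count == 0 and not self.permanent:
            # phase 2, object deletion: no handles and no pointers remain
            self.ns.names.pop(self.name, None)
            self.ns.deleted.append(self.name)

    def make_temporary(self):  # ZwMakeTemporaryObject
        self.permanent = False

def delete_permanent_object(obj):
    """The four DDK steps from the slide, applied to a permanent object we created."""
    obj.dereference()     # 1. ObDereferenceObject
    obj.open_handle()     # 2. ZwOpenXxx / ZwCreateXxx: obtain a handle
    obj.make_temporary()  # 3. ZwMakeTemporaryObject on that handle
    obj.close_handle()    # 4. ZwClose: last handle gone -> name removed, object freed
```

Skipping step 3 leaves the object alive at reference count zero, and skipping step 1 leaves an unnamed object nobody can reach, which is why the DDK lists all four.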
Resource Accounting
- Like object retention, resource accounting is closely related to the use of object handles.
- Quota system?
  - complicated
- Resource accounting
  - Quota charges record how much memory will be subtracted from the pool quota when opening a handle to an object.
Resource Accounting
No limit
Different from the text book
Object Names
- The object manager requires the following information to help track objects:
  - a way to distinguish one object from another
  - a method for finding and retrieving a particular object
  - a way to allow processes to share objects
- Lookup timing
  - when a process creates a named object
  - when a process opens a handle to a named object
Object Names
- Case-sensitive or case-insensitive?
- A unique name won't collide with others
- Global, but cannot span a network
- Parse method
- Object directories (object directory object)
  - like file system directories
- Symbolic links (symbolic link object)
  - A:, B:, C: -> floppy, hard disk
Object Names
Must have these 2 directories
Object Names
Directories and links are objects, too
Object Names
GLOBAL?? has symbolic links that point to disk partitions
Experiment: Looking at the Base Named Objects
Session Namespace
- How many users can log on to the system interactively? (Review Chapter 1.)
- A user logged on to the console session
  - first instance of the namespace -> global namespace
- Additional sessions
  - session-private view -> local namespace
  - \DosDevices, \Windows, and \BaseNamedObjects
Experiment: Viewing Namespace Instancing
There is a link to Global in Session
Related Resources
- Windows NT Object Manager (download wmv, 160MB, about 40 min), Adrian Marinescu
- DDK Documentation: OSR (MSDN ver.)