Modern Operation System Kernels Microsoft Windows Internals 4th ed' Chapter 3 part2 Windows System M - PowerPoint PPT Presentation

Slides: 81
Provided by: jen117
Transcript and Presenter's Notes

1
Modern Operation System Kernels (Microsoft Windows Internals 4th ed.)
Chapter 3 part 2: Windows System Mechanisms
  • Group 3
  • ?? ??? ??? ??? ???

2
Outline
  • Windows Error Reporting
  • System Service Dispatching
  • 32-Bit System Service Dispatching
  • 64-Bit System Service Dispatching
  • Kernel-Mode System Service Dispatching
  • Service Descriptor Tables

3
Windows Error Reporting
  • Windows Error Reporting automates the submission
    of both user-mode process crashes and
    kernel-mode system crashes. (Chapter 14)
  • These settings are stored in the registry under
    the key HKLM\Software\Microsoft\PCHealth\ErrorReporting.

4
Windows Error Reporting
5
Windows Error Reporting
6
Windows Error Reporting
  • If the registry value
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto
    is set to zero or the Debugger string contains the
    text Drwtsn32, the unhandled exception filter loads
    \Windows\System\Faultrep.dll into the failing process
    and calls its ReportFault function.

7
Windows Error Reporting
8
Windows Error Reporting
  • The error report (a minidump and a text file with
    details on the DLL version numbers loaded in the
    process) is sent to Microsoft's online crash
    analysis server.
  • Microsoft provides qualified customers with a tool
    set called Corporate Error Reporting that gives the
    administrator the option to take selective
    error reports and submit them to Microsoft.

9
System Service Dispatching
  • A system service dispatch is triggered as a
    result of executing an instruction assigned to
    system service dispatching.
  • The instruction that Windows uses for system
    service dispatching depends on the processor on
    which it is executing.

10
32-Bit System Service Dispatching
  • A numeric argument passed in the EAX processor
    register indicates the system service number
    being requested.
  • The EBX register points to the list of parameters
    the caller passes to the system service.

11
32-Bit System Service Dispatching
  • On x86 Pentium II processors and higher, Windows
    uses the special sysenter instruction, which
    Intel defined specifically for fast system
    service dispatches.
  • The system service number is passed in the EAX
    processor register, and the EDX register points
    to the list of caller arguments.
  • To return to user-mode, the system service
    dispatcher usually executes the sysexit
    instruction.

12
32-Bit System Service Dispatching
  • On K6 and higher 32-bit AMD processors, Windows
    uses the special syscall instruction, which
    functions similarly to the x86 sysenter
    instruction.
  • The system call number is passed in the EAX
    register, and the stack stores the caller
    arguments.
  • After completing the dispatch, the kernel
    executes the sysret instruction.

13
32-Bit System Service Dispatching
  ntdll!NtReadFile:
    77f5bfa8 b8b7000000   mov  eax,0xb7
    77f5bfad ba0003fe7f   mov  edx,0x7ffe0300
    77f5bfb2 ffd2         call edx
    77f5bfb4 c22400       ret  0x24
  SharedUserData!SystemCallStub:
    7ffe0300 8bd4         mov  edx,esp
    7ffe0302 0f34         sysenter
    7ffe0304 c3           ret

14
64-Bit System Service Dispatching
  • On the x64 architecture, Windows uses the syscall
    instruction, which functions like the AMD K6's
    syscall instruction, for system service
    dispatching, passing the system call number in
    the EAX register, the first four parameters in
    registers, and any parameters beyond those four
    on the stack.

15
64-Bit System Service Dispatching
  • On the IA64 architecture, Windows uses the epc
    (Enter Privileged Mode) instruction. The first
    eight system call arguments are passed in
    registers, and the rest are passed on the stack.

16
64-Bit System Service Dispatching
  ntdll!NtReadFile:
    00000000'77f9fc60 4c8bd1       mov  r10,rcx
    00000000'77f9fc63 b8bf000000   mov  eax,0xbf
    00000000'77f9fc68 0f05         syscall
    00000000'77f9fc6a c3           ret

17
Kernel-Mode System Service Dispatching
  • The kernel uses the system service number to
    locate the system service information in the
    system service dispatch table.
  • It copies the caller's arguments from the thread's
    user-mode stack to its kernel-mode stack (so that
    user mode can't change them while the kernel is
    using them) and then executes the system service.

18
Kernel-Mode System Service Dispatching
19
Kernel-Mode System Service Dispatching
20
Kernel-Mode System Service Dispatching
  • Each thread has a pointer to its system service
    table.
  • Windows has two built-in system service tables,
    but up to four are supported.
  • The system service dispatcher determines which
    table contains the requested service by
    interpreting a 2-bit field in the 32-bit system
    service number as a table index.
  • The low 12 bits of the system service number
    serve as the index into the table specified by
    the table index.

21
Kernel-Mode System Service Dispatching
22
Service Descriptor Tables
  • KeServiceDescriptorTable defines the core
    executive system services implemented in
    Ntoskrnl.exe.
  • KeServiceDescriptorTableShadow, includes the
    Windows USER and GDI services implemented in the
    kernel-mode part of the Windows subsystem,
    Win32k.sys.
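An added example (not code from the presentation or from the book) that models how the dispatcher on slides 20 and 22 turns a 32-bit system service number into a table and a routine: a 2-bit table selector, the low 12 bits as the index, a bounds check against the table's service limit, and a copy of the declared argument bytes before the call. The table layout, the stand-in routines (fake_nt_read_file, fake_user_call) and the service numbers 0xb7 and 0x1003 are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the per-thread service tables (not the kernel's
   code); field names follow the KSERVICE_TABLE_DESCRIPTOR layout. */
typedef long (*SERVICE_FN)(const uint32_t *args);
typedef struct {
    const SERVICE_FN *ServiceTableBase;  /* routines, indexed by the low 12 bits */
    uint32_t          NumberOfServices;  /* limit checked before indexing */
    const uint8_t    *ParamTableBase;    /* bytes of stack arguments per service */
} SERVICE_TABLE;
#define TABLE_INDEX(n)   (((n) >> 12) & 0x3u)   /* 2-bit table selector */
#define SERVICE_INDEX(n) ((n) & 0xFFFu)         /* low 12 bits */
#define STATUS_INVALID_SYSTEM_SERVICE (-1L)

/* Constructed stand-ins: 0xb7 in the executive table (the NtReadFile number
   from the 32-bit listing) and 0x1003 in the Win32k table. */
static long fake_nt_read_file(const uint32_t *a) { return (long)(a[0] + a[1]); }
static long fake_user_call(const uint32_t *a)    { return (long)(a[0] * 2u); }
static const SERVICE_FN native_fns[0xb8]  = { [0xb7] = fake_nt_read_file };
static const uint8_t    native_args[0xb8] = { [0xb7] = 8 };  /* two 4-byte args */
static const SERVICE_FN win32k_fns[4]     = { [3] = fake_user_call };
static const uint8_t    win32k_args[4]    = { [3] = 4 };

/* KeServiceDescriptorTableShadow as a GUI thread sees it: slot 0 = executive,
   slot 1 = Win32k, slots 2 and 3 unused (up to four tables are supported). */
static const SERVICE_TABLE thread_tables[4] = {
    { native_fns, 0xb8, native_args },
    { win32k_fns, 4,    win32k_args },
    { NULL, 0, NULL }, { NULL, 0, NULL },
};

/* Emulates the dispatcher: select the table, bounds-check the index, copy
   the declared argument bytes to a kernel-side buffer, then call. */
long dispatch(uint32_t service_number, const uint32_t *user_stack) {
    const SERVICE_TABLE *t = &thread_tables[TABLE_INDEX(service_number)];
    uint32_t idx = SERVICE_INDEX(service_number);
    if (t->ServiceTableBase == NULL || idx >= t->NumberOfServices ||
        t->ServiceTableBase[idx] == NULL)   /* NULL marks unused slots here */
        return STATUS_INVALID_SYSTEM_SERVICE;
    uint32_t kernel_stack[16] = {0};
    /* The kernel works on its own copy, so user mode cannot alter the
       arguments after they have been validated. */
    memcpy(kernel_stack, user_stack, t->ParamTableBase[idx]);
    return t->ServiceTableBase[idx](kernel_stack);
}

/* Entry point with a constructed user stack holding the arguments (3, 4). */
long dispatch_demo(uint32_t service_number) {
    const uint32_t user_stack[2] = { 3, 4 };
    return dispatch(service_number, user_stack);
}
```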

23
Service Descriptor Tables
  • The KeAddSystemServiceTable function allows
    Win32k.sys and other device drivers to add system
    service tables.
  • With the exception of the Win32k.sys service
    table, a service table added with
    KeAddSystemServiceTable is copied into both the
    KeServiceDescriptorTable array and the
    KeServiceDescriptorTableShadow array.

24
Service Descriptor Tables
  • The system service dispatch instructions for
    Windows executive services exist in the system
    library Ntdll.dll.
  • Subsystem DLLs call functions in Ntdll to
    implement their documented functions.
  • The exception is Windows USER and GDI functions,
    in which the system service dispatch instructions
    are implemented directly in User32.dll and
    Gdi32.dll; there is no Ntdll.dll involved.

25
Service Descriptor Tables
26
Chapter 3 Windows System Mechanisms
  • Object Manager

27
  • Windows object manager
  • The object manager creates, manages, and deletes
    Windows executive objects, the abstract data types
    that are used to represent operating system
    resources such as processes, threads, and the
    various synchronization objects.

28
Object manager goals (1/2)
  • Provide a common, uniform mechanism for using
    system resources
  • Isolate object protection to one location in the
    operating system so that C2 security compliance
    can be achieved
  • Establish an object-naming scheme that can
    readily incorporate existing objects, such as the
    devices, files, and directories of a file system,
    or other independent collections of objects

29
Object manager goals (2/2)
  • Support the requirements of various operating
    system environments
      • e.g. allowing a process to inherit resources
        from a parent process
      • e.g. creating case-sensitive filenames
  • Establish uniform rules for object retention
    (for keeping an object available until all
    processes have finished using it)

30
Kinds of objects
  • Executive objects
      • implemented by various components of the
        executive (the process manager, memory
        manager, I/O subsystem)
  • Kernel objects
      • implemented by the Windows kernel
      • not visible to user mode
      • created and used only within the executive
      • provide fundamental capabilities (e.g.
        synchronization)

32
Executive object
  • The executive objects and object services are
    primitives that the environment subsystems use to
    construct their own versions of objects and other
    resources.
  • Executive objects are created
      • by an environment subsystem on behalf of a user
        application
      • by various components of the operating system as
        part of their normal operation
      • e.g. creating a file

33
Executive object
34
  • A thread can synchronize with these executive
    objects: job, process, thread, file, event,
    semaphore, mutex, and timer objects.
  • Other executive objects don't support
    synchronization.

35
Object structure
36
Object header attributes
37
  • All objects of the same type share the same
    object body format
  • The object manager provides a small set of
    generic services that operate on the attributes
    stored in an object's header and can be used on
    objects of any type
  • Although these generic object services are
    supported for all object types, each object has
    its own create, open, and query services

38
Object services
39
Type objects
  • Object headers contain data that is common to all
    objects but that can take on different values for
    each instance of an object
      • each object has a unique name and can have a
        unique security descriptor
  • You can select from a set of access rights
    specific to a type of object when you open a
    handle to objects of that type. The executive
    supplies
      • terminate and suspend access for thread objects
      • read, write, append, and delete access for file
        objects

40
  • To conserve memory, the object manager stores
    these static, object-type-specific attributes
    once when creating a new object type
  • A type object also links together all objects of
    the same type, allowing the object manager to
    find and enumerate them if necessary.

41
  • Type objects can't be manipulated from user mode
    because the object manager supplies no services
    for them.

42
Object Methods
43
Object Methods
44
Object Handles and the Process Handle Table
  • When a process creates or opens an object by
    name, it receives a handle that represents its
    access to the object.
  • All user-mode processes must own a handle to an
    object before their threads can use the object.
  • Executive components and device drivers can
    access objects directly because they are running
    in kernel mode.

45
Object Handles and the Process Handle Table
  • An object handle is an index into a
    process-specific handle table, pointed to by the
    executive process (EPROCESS) block
  • A process's handle table contains pointers to all
    the objects that the process has opened a handle
    to.

46
Object Handles and the Process Handle Table
  • The first handle index is 4, the second 8, and so
    on.
  • Handle tables are implemented as a 3-level
    scheme, similar to the way that the x86 memory
    management unit implements virtual-to-physical
    address translation.

47
Object Handles and the Process Handle Table
  • Windows 2000 process handle table architecture

48
Object Handles and the Process Handle Table
  • P indicates whether the caller is allowed to
    close this handle
  • I indicates whether processes created by this
    process will get a copy of this handle in their
    handle tables
  • A indicates whether closing the object should
    generate an audit message.
  • This flag isn't exposed to Windows; the object
    manager uses it internally.

49
Object Handles and the Process Handle Table
  • System components and device drivers often need
    to open handles to objects that user-mode
    applications shouldn't have access to.
  • This is done by creating handles in the kernel
    handle table
  • referenced internally with the name
    ObpKernelHandleTable
  • The handles in this table are accessible only
    from kernel mode and in any process context.

50
Object Security
  • In the executive, when a process creates an
    object or opens a handle to an existing object,
    the process must specify a set of desired access
    rights, that is, what it wants to do with the
    object.

51
Object Security
  • It can request either a set of standard access
    rights (such as read, write, and execute) that
    apply to all object types or specific access
    rights that vary depending on the object type.

52
Object Security
  • When a process opens a handle to an object, the
    object manager calls the security reference
    monitor, sending it the process's set of desired
    access rights.
  • The security reference monitor checks whether the
    object's security descriptor permits the type of
    access the process is requesting.
  • If it does, the reference monitor returns a set
    of granted access rights that the process is
    allowed, and the object manager stores them in
    the object handle it creates.
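An added example (not code from the presentation or from the book) that models the handle table of slides 45 to 48 together with the open-time access check of slides 50 to 52: handle values step by 4, each entry keeps the object pointer with its low bits reused as the P, I and A flags, the granted access is stored in the entry once at open time, close honours the protect-from-close bit, and only inheritable entries are copied into a child's table. The single flat table, the two access bits and the demo object are constructed for the demo; the real table is the 3-level scheme the slides describe.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of a process handle table (not kernel code). Each entry
   holds the object pointer with its low three bits reused as the A, I and P
   flags, plus the granted-access mask recorded when the handle was created. */
#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x1u   /* P */
#define HANDLE_FLAG_INHERIT            0x2u   /* I  (0x4 would be A, internal) */
#define HANDLE_FLAG_MASK               0x7u
#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u
#define TABLE_SIZE   8   /* one flat level stands in for the 3-level scheme */
typedef struct { uintptr_t object_and_flags; uint32_t granted_access; } HANDLE_ENTRY;
typedef struct { HANDLE_ENTRY entries[TABLE_SIZE]; } HANDLE_TABLE;
HANDLE_TABLE parent_table, child_table;   /* constructed tables for the demo */
_Alignas(8) uint64_t demo_object;         /* aligned so its low bits are free */

/* Handle values are 4, 8, 12, ...: index = handle / 4; entry 0 stays unused. */
static HANDLE_ENTRY *lookup(HANDLE_TABLE *t, uint32_t handle) {
    uint32_t idx = handle / 4;
    if (handle == 0 || (handle & 3u) || idx >= TABLE_SIZE) return NULL;
    return t->entries[idx].object_and_flags ? &t->entries[idx] : NULL;
}

/* Open: the reference monitor's decision (modeled as desired within allowed)
   is made once and the granted mask is stored in the new handle entry. */
uint32_t open_handle(HANDLE_TABLE *t, const void *obj, uint32_t allowed,
                     uint32_t desired, uint32_t flags) {
    if (desired & ~allowed) return 0;                /* access denied */
    for (uint32_t idx = 1; idx < TABLE_SIZE; idx++) {
        if (t->entries[idx].object_and_flags) continue;
        t->entries[idx].object_and_flags = (uintptr_t)obj | (flags & HANDLE_FLAG_MASK);
        t->entries[idx].granted_access = desired;
        return idx * 4;
    }
    return 0;                                        /* table full */
}

/* Later use is checked against the stored granted access, not the object's ACL. */
bool check_access(HANDLE_TABLE *t, uint32_t handle, uint32_t wanted) {
    HANDLE_ENTRY *e = lookup(t, handle); return e && (e->granted_access & wanted) == wanted;
}

/* Close honours the P bit; inheritance copies only entries carrying the I bit. */
bool close_handle(HANDLE_TABLE *t, uint32_t handle) {
    HANDLE_ENTRY *e = lookup(t, handle);
    if (!e || (e->object_and_flags & HANDLE_FLAG_PROTECT_FROM_CLOSE)) return false;
    e->object_and_flags = 0; e->granted_access = 0; return true;
}
int inherit_handles(const HANDLE_TABLE *parent, HANDLE_TABLE *child) {
    int copied = 0;
    for (uint32_t idx = 1; idx < TABLE_SIZE; idx++)
        if (parent->entries[idx].object_and_flags & HANDLE_FLAG_INHERIT) {
            child->entries[idx] = parent->entries[idx]; copied++;
        }
    return copied;
}
```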

53
I will present
  • Microsoft Windows Internals: Microsoft Windows
    Server 2003, Windows XP, and Windows 2000, 4th
    ed.
  • Chapter 3: System Mechanisms
  • Object Structure
  • Object Retention
  • Resource Accounting
  • Object Names
  • Session Namespace, and
  • Two Experiments
  • Pages 141 to 149

54
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

55
Object Retention
  • 2 types of objects
      • Temporary: remain while in use
      • Permanent: remain until explicitly freed
  • Object retention
      • retains temporary objects only when they're in
        use
      • 2 phases
          • Name retention
          • Object deletion
  • DDK Documentation OSR (MSDN ver.)

56
Object Retention
Figure 3-18. Structure of an object
57
Object Retention
[Figure: Process A and Process B each hold handles (handle table entries
indexed 0, 1, 2, ...) to the same Event object in system space; the object's
header carries a HandleCount and a ReferenceCount, and DuplicateHandle is
what gives Process B its handle to Process A's object.]
58
Object Retention
59
Object Retention
60
Object Retention
  • Programmers need not be concerned that one
    process might delete an object before the other
    process has finished using it.
  • How about permanent objects?

61
Object retention
  • An object is permanent if it was created with the
    OBJ_PERMANENT object attribute flag specified.
  • A permanent object is created with a reference
    count of one.
  • Use the following steps to delete a permanent
    object that you created:
      1. Call ObDereferenceObject.
      2. Call the appropriate ZwOpenXxx or ZwCreateXxx
         routine to get a handle for the object, if
         necessary.
      3. Call ZwMakeTemporaryObject with the handle
         obtained in step 2.
      4. Call ZwClose with the handle obtained in step 2.
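An added example (not code from the presentation, the book or the DDK) that models the two retention phases from the earlier slides and the four deletion steps above: a handle count that drops the name when the last handle closes, a pointer count that frees the object when the last reference goes, and the extra reference a permanent object holds until ZwMakeTemporaryObject removes it. The OBJECT structure, the lower-case stand-ins for the Ob/Zw routines and the object name are constructed for the demo; the scenario assumes the creating driver closed its own handle but kept a pointer reference, which is why step 1 is an ObDereferenceObject.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model of the retention counters in an object header (not
   kernel code). OBJ_PERMANENT is the real attribute flag value. */
#define OBJ_PERMANENT 0x10u
typedef struct {
    char     name[40];       /* emptied when name retention ends */
    uint32_t handle_count;   /* open handles */
    uint32_t pointer_count;  /* all references, one per handle included */
    bool     permanent;
    bool     deleted;
} OBJECT;

/* A permanent object starts with one reference that only ZwMakeTemporaryObject drops. */
OBJECT create_object(const char *name, uint32_t attributes) {
    OBJECT o = {0};
    strncpy(o.name, name, sizeof o.name - 1);
    o.permanent = (attributes & OBJ_PERMANENT) != 0;
    o.pointer_count = o.permanent ? 1 : 0;
    return o;
}

/* Phase 2, object deletion: the body goes when the last reference is released. */
void ob_dereference_object(OBJECT *o) {
    if (o->pointer_count > 0 && --o->pointer_count == 0) o->deleted = true;
}
void ob_reference_object(OBJECT *o) { o->pointer_count++; }
void zw_open(OBJECT *o) { o->handle_count++; o->pointer_count++; }

/* Phase 1, name retention: a temporary object loses its name with its last handle. */
void zw_close(OBJECT *o) {
    if (o->handle_count == 0) return;
    if (--o->handle_count == 0 && !o->permanent) o->name[0] = '\0';
    ob_dereference_object(o);
}
void zw_make_temporary_object(OBJECT *o) {
    if (!o->permanent) return;
    o->permanent = false;
    ob_dereference_object(o);
}
bool is_named(const OBJECT *o) { return o->name[0] != '\0'; }

/* The slide's four steps, run on a permanent object whose creating driver
   closed its handle but kept a pointer reference. */
bool delete_permanent_object_demo(void) {
    OBJECT o = create_object("\\Device\\ConstructedDemo", OBJ_PERMANENT);
    zw_open(&o); ob_reference_object(&o); zw_close(&o);  /* driver setup */
    if (!is_named(&o) || o.deleted) return false;   /* survived its last handle */
    ob_dereference_object(&o);     /* step 1 */
    zw_open(&o);                   /* step 2 */
    zw_make_temporary_object(&o);  /* step 3 */
    zw_close(&o);                  /* step 4 */
    return o.deleted && !is_named(&o);
}
```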

62
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

63
Resource Accounting
  • Like object retention, resource accounting is
    closely related to the use of object handles.
  • Quota system?
      • complicated
  • Resource accounting
      • Quota charges record how much memory will be
        subtracted from the pool quota when opening a
        handle to an object.

64
Resource Accounting
No limit
Different from the textbook
65
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

66
Object Names
  • The object manager requires the following
    information to help track objects:
      • A way to distinguish one object from another
      • A method for finding and retrieving a particular
        object
      • A way to allow processes to share objects
  • Lookup timing
      • When a process creates a named object
      • When a process opens a handle to a named object

67
Object Names
  • Case-sensitive or case-insensitive?
  • A unique name won't collide with others
  • Global, but cannot span a network
  • Parse method
  • Object directories (object directory object)
      • like file system directories
  • Symbolic links (symbolic link object)
      • A:, B:, C: -> floppy, hard disk

68
Object Names
Must have these 2 directories
69
Object Names
Directories and links are objects, too
70
Object Names
\GLOBAL?? has symbolic links that point to disk
partitions
71
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

72
Experiment Looking at the Base Named Objects
73
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

74
Session Namespace
  • How many users can log on to the system
    interactively? (Review Chapter 1.)
  • A user logged on to the console session
      • First instance of the namespace -> global namespace
  • Additional sessions
      • Session-private view -> local namespace
      • \DosDevices, \Windows, and \BaseNamedObjects

75
Outline
  • Object Retention
  • Resource Accounting
  • Object Names
  • Experiment Looking at the Base Named Objects
  • Session Namespace
  • Experiment Viewing Namespace Instancing

76
Experiment Viewing Namespace Instancing
There is a link to Global in the session namespace
77
Experiment Viewing Namespace Instancing
78
Experiment Viewing Namespace Instancing
79
Experiment Viewing Namespace Instancing
80
Related Resource
  • Windows NT Object Manager (download wmv, 160 MB,
    about 40 min)
  • Adrian Marinescu
  • DDK Documentation OSR (MSDN ver.)