SlideShare ist ein Scribd-Unternehmen logo

Windows内核技术介绍

J
jeffz
Technologie
1 von 40
Downloaden Sie, um offline zu lesen
Windows Kernel Technologies 潘爱民 2010-9-11
Outline • Windows Architecture Overview • System Trap • Windows I/O Model & Device Drivers • Windows Subsystem
NT Timeline: first 20 years 2/1989 Design and Coding Begins 7/1993 NT 3.1 9/1994 NT 3.5 5/1995 NT 3.51 7/1996 NT 4.0 12/1999 NT 5.0 Windows 2000 8/2001 NT 5.1 Windows XP 3/2003 NT 5.2 Windows Server 2003 8/2004 NT 5.2 Windows XP SP2 4/2005 NT 5.2 Windows XP 64 Bit Edition (WS03SP1) 10/2006 NT 6.0 Windows Vista (client) 2/2008 NT 6.0 Windows Server 2008 (Vista SP1) 10/2009 NT 6.1 Win7 & Server 2008 R2
Windows Architecture 系统和服 系统和服 应用程序 系统和服 系统和服 系统和服 务进程 Windows 子 务进程 务进程 .NET 务进程 务进程 系统进程 系统 DLL NTDLL.DLL 用户模式 内核模式 执行体(Executive) Windows 子系 内核(或微内核) 设备驱动 统内核模块 硬件抽象层(HAL) 程序
About Windows APIs • Provided by Windows Subsystem DLLs • Three types: ̵ ① No kernel-mode interactions are needed. (e.g. PtInRect, IsRectEmpty, GetCurrentProcess); ̵ ② Call into kernel once or more (e.g. CreateFile, PostMessage and BitBlt); ̵ ③ Communications with the Windows subsystem process (csrss) are needed. (e.g. CreateProcess) 应用程序 ① 系统DLL Csrss进程 ② 用户模式 ③ 内核模式 ntoskrnl win32k
Call into Kernel 应用程序 系统 DLL,如 Kernel32.dll、User32.dll 等 Ntdll.dll 系统服务存根函数 KiXxxSystemCall int 2e/sysenter 用户模式 iretd/sysexit 内核模式 KiServiceExit KiSystemService 服务分发 执行体系统服务
Example System Service: NtCreateFile • The Call stack of creating a file in a user thread f5484c94 808e3375 nt!IopCreateFile f5484cf0 808e50ec nt!IoCreateFile f5484d30 80882a2c nt!NtCreateFile 内核模式 007deed8 7c8211f4 ntdll!KiFastSystemCallRet 用户模式 007deedc 76cf2707 ntdll!ZwCreateFile+0xc 007def54 76cf276b iphlpapi!OpenTCPDriver+0xad 007def64 76cf278f iphlpapi!CheckTcpipState+0x62 007def98 76cf299a iphlpapi!GetIpStatsFromStack+0xd 007df00c 76cf32de iphlpapi!GetInterfaceInfo+0x38 007df028 76cf3230 iphlpapi!GetAdapterNameToIndexInfo+0x1e 007df060 76cf6a6b iphlpapi!GetAdapterInfo+0x18 007df0b4 4e7fdf36 iphlpapi!GetAdapterInfoEx+0x1c 007df504 4e7fe2f9 WINHTTP!CIpConfig::GetAdapterListOnNT5+0x6e 007dfac4 4e7fe938 WINHTTP!CIpConfig::GetAdapterList+0x58 007dfad0 4e7fd3ee WINHTTP!CIpConfig::CIpConfig+0x23 007dfaf0 4e7cd1cc WINHTTP!DetectAutoProxyUrl+0x26 007dfb28 4e7cd9b5 WINHTTP!CAutoProxy::DetectAutoProxyUrl+0xa4 007dfb58 4e7cdafb WINHTTP!CAutoProxy::GetProxyForURL+0x33 007dfb6c 4e7cdcd8 WINHTTP!InProcGetProxyForUrl+0x20
Example Call Stack with .NET 0012f2f4 77d19418 ntdll!KiFastSystemCallRet 用户模式 0012f38c 7b1d8997 user32!NtUserWaitMessage+0xc 0012f3e4 7b1d87e1 System_Windows_Forms_ni+0x208997 0012f414 7b6eddc6 System_Windows_Forms_ni+0x2087e1 .NET Runtime 0012f460 79e71b4c System_Windows_Forms_ni+0x71ddc6 Common Langueage 0012f470 79e821f9 mscorwks!CallDescrWorker+0x33 Runtime 0012f4f0 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3 0012f634 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c 0012f650 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f 0012f668 79f0788d mscorwks!MethodDescCallSite::Call+0x1a 0012f7cc 79f077ad mscorwks!ClassLoader::RunMain+0x223 0012fa34 79f07cfd mscorwks!Assembly::ExecuteMainMethod+0xa6 0012ff04 79f07ee7 mscorwks!SystemDomain::ExecuteMainMethod+0x456 0012ff54 79f07e17 mscorwks!ExecuteEXE+0x59 0012ff9c 7900b77b mscorwks!_CorExeMain+0x15c 0012ffac 7900b73d mscoree!_CorExeMain+0x2e .NET Runtime 0012ffb8 79004de3 mscoree!ShellShim__CorExeMain+0x29 Execution Engine 0012ffc0 7c817077 mscoree!_CorExeMain_Exported+0x8 0012fff0 00000000 kernel32!BaseProcessStart+0x23
Windows I/O Model • Asychronous, Packet-based, Extensible • Device discovery supports plug-and-play (PnP) ̵ volumes automatically detected and mounted ̵ power management support (ACPI) • Drivers attach to per device driver stacks ̵ Drivers can filter actions of other drivers in each stack • Integrated kernel support ̵ memory manager provides DMA support ̵ HAL provides device access, PnP manages device resources ̵ Cache manager provides file-level caching via MM file-mapping • Multiple I/O completion mechanisms: ̵ synchronous ̵ update user-mode memory status ̵ signal events ̵ callbacks within initiating thread ̵ I/O Completion Port
I/O Architecture 用户模式 内核模式 注册表 I/O 管理器 PnP 管理器 电源管理器 WMI 支持 配置管理器 I/O 系统 驱动程序 驱动程序 …… 驱动程序 HAL 硬件控制器 …… 硬件控制器
I/O Manager Objects • Driver objects represent loaded drivers. ̵ NtLoadDriver/NtUnloadDriver ̵ IoCreateDriver • Drivers create device objects to represent devices. ̵ IoCreateDevice • All I/O requests are made to device objects. • File objects represent open instances of device objects.
Object Relationships 驱动程序 1 设备对象 1a 设备对象 1b 设备对象 1c 驱动程序 2 设备对象 2a 设备对象 2b 驱动程序 3 设备对象 3a 文件对象 #2 文件对象 #1
Structure of Windows Drivers I/O 系统 初始化例程 设备驱动程序 I/O 管理器 增加设备 分发例程 PnP 管理器 卸载例程 电源管理器 可选例程 …… WMI
Loading Device Drivers • Drivers can be loaded by, ̵ The boot loader at boot time. ̵ The I/O manager at system initialization. ̵ The service control manager or PnP manager. • Driver details are obtained from the registry. • Driver object is created and DriverEntry for the driver is invoked. • Drivers provide dispatch routines for various I/O operations. (Create, Read, Write, „). • Drivers can optionally provide fast path entry points.
Layering Drivers • Device objects can be attached one on top of another using IoAttachDevice* APIs to create device stacks. • I/O manager sends IRP to the top of the stack. • Drivers store next lower device object in their private data structure. • Stack tear down done using IoDetachDevice and IoDeleteDevice.
Device Stack Example 81682870 DriverObject -> “DriverKbdclass” 设备名为“DeviceKeyboardClass0” AttachedDevice = null StackSize = 6 AttachedTo = 81682a58 81682a58 DriverObject -> “Driveri8042prt” AttachedDevice = 81682870 StackSize = 5 AttachedTo = 817ad030 817ad030 DriverObject -> “DriverACPI” 设备名为“Device0000003b” AttachedDevice = 81682a58 StackSize = 4 AttachedTo = null
Device Deletion and Driver Unload • Drivers delete devices using IoDeleteDevice. • Drivers are unloaded by calling NtUnloadDriver or by PnP. • No further opens/attaches allowed after a device is marked for deletion or unload. • Driver unload function is invoked when all its device objects have no handles/attaches. • Driver is unloaded when the last reference to driver object goes away.
File Objects • Also managed by Windows Object Manager, its type is IoFileObjectType ̵ Applications and drivers “open” devices by name ̵ The name is parsed by the Object Manager • Representation of an open instance of a device object ̵ files on a volume are virtual devices • Created by IoCreateFile function, which is invoked by NtCreateFile ̵ When an open succeeds a file handle is added to the process handle table
I/O Processing • IRP • Issues in I/O processing ̵ Fast I/O ̵ Buffer management ̵ I/O completion • I/O Completion port
I/O Request Packet (IRP) • I/O operations are encapsulated in IRPs. • I/O requests travel down a device stack in an IRP. • Each driver gets a stack location which contains parameters for that I/O request. • IRP has major and minor codes to describe I/O operations. • Major codes include create, read, write, PnP, devioctl, cleanup and close. • Irps are associated with a thread that made the I/O request.
I/O Requests from Applications 系统 DLL 用户模式 内核模式 系统服务 NtCreateFile, NtClose, NtReadFile, NtWriteFile, NtDeviceIoControlFile … I/O 管理器 IoCallDriver 驱动程序 驱动程序 驱动程序 ……
IRP Major Codes #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
IRP Major Codes (cont.) #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
IO Stack Locations in IRPs 原始文件对象 IRP 对象 设备对象 (OriginalFileObject) 文件对象 设备对象 驱动程序 栈单元[0] 一组分发例程 对象 栈单元[1] …… 文件对象 设备对象 驱动程序 一组分发例程 对象 栈单元[n-1] 文件对象 设备对象 驱动程序 一组分发例程 对象
Completing an I/O Request • Servicing an interrupt: ̵ ISR schedules Deferred Procedure Call (DPC); dismisses int. ̵ DPC routine starts next I/O request and completes interrupt servicing ̵ May call completion routine of higher-level driver • I/O completion: ̵ Record the outcome of the operation in an I/O status block ̵ Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (APC) ̵ APC executes in context of calling thread; copies data; frees IRP; sets calling thread to signaled state ̵ I/O is now considered complete; waiting threads are released
Flow of I/O Processing 调用者线程 IoCallDriver 驱动程序 DPC 分发例程 通知 I/O 插入 DPC 管理器, I/O 请求 是 同步 否 ISR 已完成 I/O 发送 I/O 执行其 命令,并 中断 等待 他任务 传输数据 硬件设备 IoCompleteRequest 在发起者线程中插入 APC 例程 IopCompleteRequest, 或者,直接返回发起者线程 IopCompleteRequest
I/O Processing in a Device Stack I/O 请求 I/O 管理器 IopCompleteRequest APC I/O 管理器 栈顶 驱动程序 1 IoCallDriver 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 1 中间 驱动程序 2 栈顶 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 2 栈底 驱动程序 3 中间 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation I/O 管理器 栈底 驱动程序 3 IoCompleteRequest 设备对象 (分发例程) I/O 完成 (a) I/O 请求在设备栈中的传递流程 (b) I/O 请求的完成流程
I/O Completion Port • A kind of executive objects called I/O Completion Port or IoCompletion, its type is IoCompletionObjectType • For balancing the I/O throughput and thread- trashing • The completion port is essential a queue object • A file can be associated with an IoCompletion object, so I/O manager will queue a completion packet to the completion port • The number of active threads which process I/O completion are controlled by the queue object.
How does IOCompletion work NtCreateIoCompletion NtSetInformationFile KeInitializeQueue 线程对象 … 线程对象 I/O 请求 关联 NtRemoveIoCompletion I/O 完成端口 文件对象 CompletionContext 队列 KQUEUE KeRemovetQueue I/O 完成 KeInsertQueue KeInsertQueue IopCompleteRequest NtSetIoCompletion
Windows Subsystem Windows 子系统进程 Windows 应用程序 (csrss.exe) 子系统 DLL NTDLL.DLL 用户模式 内核模式 Win32k.sys (窗口管理、图形接 Windows 内核 口等) 图形设备驱动程序
Windows Subsystem Initialization • DriverEntry in Win32k.sys ̵ KeAddSystemServiceTable ̵ PsEstablishWin32Callouts ̵ MmPageEntireDriver ̵ InitializeGre ̵ Win32UserInitialize ̵ Returns Win32KDriverUnload • Smss Smss 进程 创建“SmApiPort”LPC 端口对象,以接收“创建会话”请求 • Winlogon 加载 Windows 子系统内核模块 win32k.sys 启动 csrss 进程 • Csrss 启动 winlogon 进程 创建窗口站 创建登录桌面和默认桌面 启动 SCM 进程 加载自动-启动的服务和驱动程序 启动 lsass 进程 等待用户按下 Ctrl+Alt+Del
Convert to a GUI thread • What is a GUI thread? ̵ Thread are non-GUI when created ̵ Converted on first call to win32k.sys • Bigger Stack • Win32k.sys notified of creation and destruction • Converts process to GUI • PsConvertToGuiThread ̵ MmCreateKernelStack & KeSwitchKernelStack ̵ KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow ̵ Call PspW32ProcessCallout 普通线程 GUI线程 ̵ Call PspW32ThreadCallout 内核模式 ntoskrnl win32k
Terminal Services/Multiple Sessions • Multiple Sessions ̵ Console Session ̵ Session 0 in Vista/Win7 ̵ Terminal Sessions ̵ by FUS (Fast User Switching) • For each session ̵ Created by smss (session manager process) ̵ Session space in system space ̵ Its own copies of Win32k.sys, csrss.exe, Winlogon.exe, video driver, print driver, etc.
Session Spaces System Space 0x80000000 Session Space Session Pool (16MB) 0xBC000000 Session View Session Space (20MB) 0xC0000000 SESSION_WS(4MB) Session Image (8MB) 0xFFFFFFFF
Window Management: Window Stations and Desktops 剪贴板 交互式窗口站 键盘 (WinSta0) 鼠标 显示器 登录桌面 交互桌面 屏幕保护桌面 非交互式窗口站 剪贴板 …… …… 不可见桌面
Window Hierarchy 交互式窗口站 默认桌面 顶级窗口列表 子系统会话 (WinSta0) 子窗口 登录桌面 屏幕保护桌面 非交互式窗口站 不可见桌面
Desktop • An surface for output • In a WindowStation • Have a Desktop Heap (assigned from the session view)
Message Path in Win32 RIT 线程 桌面线程 输入(input) GUI 线程 消息队列 鼠标事件 其他 HID 其他线程 寄入(post) 消息队列
References • Mark E. Russinovich and David A. Solomon, Windows Internals (4th/5th Edition), Microsoft Press, 2004/2009. • 潘爱民,Windows内核原理与实现,电子工业出版社, 2010.4 • WRK, Windows Research Kernel(by Microsoft) • Microsoft WDK Documents & Samples
Thanks! Q&A

Empfohlen

Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeeringKent Huang
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
Introduction to UBI
Introduction to UBIIntroduction to UBI
Introduction to UBIRoy Lee
 
MySQL Atchitecture and Concepts
MySQL Atchitecture and ConceptsMySQL Atchitecture and Concepts
MySQL Atchitecture and ConceptsTuyen Vuong
 
Data structure,abstraction,abstract data type,static and dynamic,time and spa...
Data structure,abstraction,abstract data type,static and dynamic,time and spa...Data structure,abstraction,abstract data type,static and dynamic,time and spa...
Data structure,abstraction,abstract data type,static and dynamic,time and spa...Hassan Ahmed
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin LongCODE BLUE
 
Introduction to loaders
Introduction to loadersIntroduction to loaders
Introduction to loadersTech_MX
 

Empfohlen

Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeeringKent Huang
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
Introduction to UBI
Introduction to UBIIntroduction to UBI
Introduction to UBIRoy Lee
 
MySQL Atchitecture and Concepts
MySQL Atchitecture and ConceptsMySQL Atchitecture and Concepts
MySQL Atchitecture and ConceptsTuyen Vuong
 
Data structure,abstraction,abstract data type,static and dynamic,time and spa...
Data structure,abstraction,abstract data type,static and dynamic,time and spa...Data structure,abstraction,abstract data type,static and dynamic,time and spa...
Data structure,abstraction,abstract data type,static and dynamic,time and spa...Hassan Ahmed
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin LongCODE BLUE
 
Introduction to loaders
Introduction to loadersIntroduction to loaders
Introduction to loadersTech_MX
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionMarkus Michalewicz
 
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES Kathirvel Ayyaswamy
 
Less05 storage
Less05 storageLess05 storage
Less05 storageImran Ali
 
System call
System callSystem call
System callDarakhshanNayyab
 
Recorridos en ABB
Recorridos en ABB Recorridos en ABB
Recorridos en ABB Gloria Isabel Bautista Lasprilla
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionGene Chang
 
Introduction to GNU Make Programming Language
Introduction to GNU Make Programming LanguageIntroduction to GNU Make Programming Language
Introduction to GNU Make Programming LanguageShih-Hsiang Lin
 
Interfaces in java
Interfaces in javaInterfaces in java
Interfaces in javaShiv Mehmi
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
ASP.NET State management
ASP.NET State managementASP.NET State management
ASP.NET State managementShivanand Arur
 
Introduction to ado.net
Introduction to ado.netIntroduction to ado.net
Introduction to ado.netPaneliya Prince
 
Lecture 37
Lecture 37Lecture 37
Lecture 37RahulRathi94
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database SecurityTroy Kitch
 
Android Threading
Android ThreadingAndroid Threading
Android ThreadingJussi Pohjolainen
 
Principles of compiler design
Principles of compiler designPrinciples of compiler design
Principles of compiler designJanani Parthiban
 
Less09 locking
Less09 lockingLess09 locking
Less09 lockingAmit Bhalla
 
Paging and Segmentation in Operating System
Paging and Segmentation in Operating SystemPaging and Segmentation in Operating System
Paging and Segmentation in Operating SystemRaj Mohan
 
Google I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated RenderingGoogle I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated RenderingRomain Guy
 
Ui disk & terminal drivers
Ui disk & terminal driversUi disk & terminal drivers
Ui disk & terminal driversSarang Ananda Rao
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 

Weitere ähnliche Inhalte

Was ist angesagt?

Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionMarkus Michalewicz
 
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES Kathirvel Ayyaswamy
 
Less05 storage
Less05 storageLess05 storage
Less05 storageImran Ali
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionGene Chang
 
Introduction to GNU Make Programming Language
Introduction to GNU Make Programming LanguageIntroduction to GNU Make Programming Language
Introduction to GNU Make Programming LanguageShih-Hsiang Lin
 
Interfaces in java
Interfaces in javaInterfaces in java
Interfaces in javaShiv Mehmi
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptxdiaa46
 
ASP.NET State management
ASP.NET State managementASP.NET State management
ASP.NET State managementShivanand Arur
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database SecurityTroy Kitch
 
Principles of compiler design
Principles of compiler designPrinciples of compiler design
Principles of compiler designJanani Parthiban
 
Paging and Segmentation in Operating System
Paging and Segmentation in Operating SystemPaging and Segmentation in Operating System
Paging and Segmentation in Operating SystemRaj Mohan
 
Google I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated RenderingGoogle I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated RenderingRomain Guy
 

Was ist angesagt? (20)

Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion Edition
 
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
UNIT II LINEAR DATA STRUCTURES – STACKS, QUEUES
 
Less05 storage
Less05 storageLess05 storage
Less05 storage
 
System call
System callSystem call
System call
 
Recorridos en ABB
Recorridos en ABB Recorridos en ABB
Recorridos en ABB
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security Presentation
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introduction
 
Introduction to GNU Make Programming Language
Introduction to GNU Make Programming LanguageIntroduction to GNU Make Programming Language
Introduction to GNU Make Programming Language
 
Interfaces in java
Interfaces in javaInterfaces in java
Interfaces in java
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptx
 
ASP.NET State management
ASP.NET State managementASP.NET State management
ASP.NET State management
 
Introduction to ado.net
Introduction to ado.netIntroduction to ado.net
Introduction to ado.net
 
Lecture 37
Lecture 37Lecture 37
Lecture 37
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database Security
 
Android Threading
Android ThreadingAndroid Threading
Android Threading
 
Principles of compiler design
Principles of compiler designPrinciples of compiler design
Principles of compiler design
 
Less09 locking
Less09 lockingLess09 locking
Less09 locking
 
Paging and Segmentation in Operating System
Paging and Segmentation in Operating SystemPaging and Segmentation in Operating System
Paging and Segmentation in Operating System
 
Google I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated RenderingGoogle I/O 2011, Android Accelerated Rendering
Google I/O 2011, Android Accelerated Rendering
 
Ui disk & terminal drivers
Ui disk & terminal driversUi disk & terminal drivers
Ui disk & terminal drivers
 

Ähnlich wie Windows内核技术介绍

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USAAlexandre Borges
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Opersys inc.
 

Ähnlich wie Windows内核技术介绍 (20)

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Windows kernel
Windows kernelWindows kernel
Windows kernel
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 

Mehr von jeffz

Wind.js无障碍调试与排错
Wind.js无障碍调试与排错Wind.js无障碍调试与排错
Wind.js无障碍调试与排错jeffz
 
JavaScript现代化排错实践
JavaScript现代化排错实践JavaScript现代化排错实践
JavaScript现代化排错实践jeffz
 
Jscex:案例、阻碍、体会、展望
Jscex:案例、阻碍、体会、展望Jscex:案例、阻碍、体会、展望
Jscex:案例、阻碍、体会、展望jeffz
 
Jscex:案例、经验、阻碍、展望
Jscex:案例、经验、阻碍、展望Jscex:案例、经验、阻碍、展望
Jscex:案例、经验、阻碍、展望jeffz
 
The Evolution of Async Programming (GZ TechParty C#)
The Evolution of Async Programming (GZ TechParty C#)The Evolution of Async Programming (GZ TechParty C#)
The Evolution of Async Programming (GZ TechParty C#)jeffz
 
深入浅出Jscex
深入浅出Jscex深入浅出Jscex
深入浅出Jscexjeffz
 
Mono for .NET Developers
Mono for .NET DevelopersMono for .NET Developers
Mono for .NET Developersjeffz
 
Javascript Uncommon Programming
Javascript Uncommon ProgrammingJavascript Uncommon Programming
Javascript Uncommon Programmingjeffz
 
Jscex: Write Sexy JavaScript (中文)
Jscex: Write Sexy JavaScript (中文)Jscex: Write Sexy JavaScript (中文)
Jscex: Write Sexy JavaScript (中文)jeffz
 
Jscex: Write Sexy JavaScript
Jscex: Write Sexy JavaScriptJscex: Write Sexy JavaScript
Jscex: Write Sexy JavaScriptjeffz
 
单点登录解决方案的架构与实现
单点登录解决方案的架构与实现单点登录解决方案的架构与实现
单点登录解决方案的架构与实现jeffz
 
Documentation Insight技术架构与开发历程
Documentation Insight技术架构与开发历程Documentation Insight技术架构与开发历程
Documentation Insight技术架构与开发历程jeffz
 
Windows Phone应用开发心得
Windows Phone应用开发心得Windows Phone应用开发心得
Windows Phone应用开发心得jeffz
 
分布式版本管理
分布式版本管理分布式版本管理
分布式版本管理jeffz
 
使用.NET构建轻量级分布式框架
使用.NET构建轻量级分布式框架使用.NET构建轻量级分布式框架
使用.NET构建轻量级分布式框架jeffz
 
针对iPad平台的高性能网站架构
针对iPad平台的高性能网站架构针对iPad平台的高性能网站架构
针对iPad平台的高性能网站架构jeffz
 
企业开发领域的语言特性
企业开发领域的语言特性企业开发领域的语言特性
企业开发领域的语言特性jeffz
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)jeffz
 
The Evolution of Async-Programming on .NET Platform (.Net China, C#)
The Evolution of Async-Programming on .NET Platform (.Net China, C#)The Evolution of Async-Programming on .NET Platform (.Net China, C#)
The Evolution of Async-Programming on .NET Platform (.Net China, C#)jeffz
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)jeffz
 

Mehr von jeffz (20)

Wind.js无障碍调试与排错
Wind.js无障碍调试与排错Wind.js无障碍调试与排错
Wind.js无障碍调试与排错
 
JavaScript现代化排错实践
JavaScript现代化排错实践JavaScript现代化排错实践
JavaScript现代化排错实践
 
Jscex:案例、阻碍、体会、展望
Jscex:案例、阻碍、体会、展望Jscex:案例、阻碍、体会、展望
Jscex:案例、阻碍、体会、展望
 
Jscex:案例、经验、阻碍、展望
Jscex:案例、经验、阻碍、展望Jscex:案例、经验、阻碍、展望
Jscex:案例、经验、阻碍、展望
 
The Evolution of Async Programming (GZ TechParty C#)
The Evolution of Async Programming (GZ TechParty C#)The Evolution of Async Programming (GZ TechParty C#)
The Evolution of Async Programming (GZ TechParty C#)
 
深入浅出Jscex
深入浅出Jscex深入浅出Jscex
深入浅出Jscex
 
Mono for .NET Developers
Mono for .NET DevelopersMono for .NET Developers
Mono for .NET Developers
 
Javascript Uncommon Programming
Javascript Uncommon ProgrammingJavascript Uncommon Programming
Javascript Uncommon Programming
 
Jscex: Write Sexy JavaScript (中文)
Jscex: Write Sexy JavaScript (中文)Jscex: Write Sexy JavaScript (中文)
Jscex: Write Sexy JavaScript (中文)
 
Jscex: Write Sexy JavaScript
Jscex: Write Sexy JavaScriptJscex: Write Sexy JavaScript
Jscex: Write Sexy JavaScript
 
单点登录解决方案的架构与实现
单点登录解决方案的架构与实现单点登录解决方案的架构与实现
单点登录解决方案的架构与实现
 
Documentation Insight技术架构与开发历程
Documentation Insight技术架构与开发历程Documentation Insight技术架构与开发历程
Documentation Insight技术架构与开发历程
 
Windows Phone应用开发心得
Windows Phone应用开发心得Windows Phone应用开发心得
Windows Phone应用开发心得
 
分布式版本管理
分布式版本管理分布式版本管理
分布式版本管理
 
使用.NET构建轻量级分布式框架
使用.NET构建轻量级分布式框架使用.NET构建轻量级分布式框架
使用.NET构建轻量级分布式框架
 
针对iPad平台的高性能网站架构
针对iPad平台的高性能网站架构针对iPad平台的高性能网站架构
针对iPad平台的高性能网站架构
 
企业开发领域的语言特性
企业开发领域的语言特性企业开发领域的语言特性
企业开发领域的语言特性
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)The Evolution of Async-Programming on .NET Platform (TUP, Full)
The Evolution of Async-Programming on .NET Platform (TUP, Full)
 
The Evolution of Async-Programming on .NET Platform (.Net China, C#)
The Evolution of Async-Programming on .NET Platform (.Net China, C#)The Evolution of Async-Programming on .NET Platform (.Net China, C#)
The Evolution of Async-Programming on .NET Platform (.Net China, C#)
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)The Evolution of Async-Programming (SD 2.0, JavaScript)
The Evolution of Async-Programming (SD 2.0, JavaScript)
 

Kürzlich hochgeladen

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Kürzlich hochgeladen (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Windows内核技术介绍

  • 1. Windows Kernel Technologies 潘爱民 2010-9-11
  • 2. Outline • Windows Architecture Overview • System Trap • Windows I/O Model & Device Drivers • Windows Subsystem
  • 3. NT Timeline: first 20 years 2/1989 Design and Coding Begins 7/1993 NT 3.1 9/1994 NT 3.5 5/1995 NT 3.51 7/1996 NT 4.0 12/1999 NT 5.0 Windows 2000 8/2001 NT 5.1 Windows XP 3/2003 NT 5.2 Windows Server 2003 8/2004 NT 5.2 Windows XP SP2 4/2005 NT 5.2 Windows XP 64 Bit Edition (WS03SP1) 10/2006 NT 6.0 Windows Vista (client) 2/2008 NT 6.0 Windows Server 2008 (Vista SP1) 10/2009 NT 6.1 Win7 & Server 2008 R2
  • 4. Windows Architecture 系统和服 系统和服 应用程序 系统和服 系统和服 系统和服 务进程 Windows 子 务进程 务进程 .NET 务进程 务进程 系统进程 系统 DLL NTDLL.DLL 用户模式 内核模式 执行体(Executive) Windows 子系 内核(或微内核) 设备驱动 统内核模块 硬件抽象层(HAL) 程序
  • 5. About Windows APIs • Provided by Windows Subsystem DLLs • Three types: ̵ ① No kernel-mode interactions are needed. (e.g. PtInRect, IsRectEmpty, GetCurrentProcess); ̵ ② Call into kernel once or more (e.g. CreateFile, PostMessage and BitBlt); ̵ ③ Communications with the Windows subsystem process (csrss) are needed. (e.g. CreateProcess) 应用程序 ① 系统DLL Csrss进程 ② 用户模式 ③ 内核模式 ntoskrnl win32k
  • 6. Call into Kernel 应用程序 系统 DLL,如 Kernel32.dll、User32.dll 等 Ntdll.dll 系统服务存根函数 KiXxxSystemCall int 2e/sysenter 用户模式 iretd/sysexit 内核模式 KiServiceExit KiSystemService 服务分发 执行体系统服务
  • 7. Example System Service: NtCreateFile • The Call stack of creating a file in a user thread f5484c94 808e3375 nt!IopCreateFile f5484cf0 808e50ec nt!IoCreateFile f5484d30 80882a2c nt!NtCreateFile 内核模式 007deed8 7c8211f4 ntdll!KiFastSystemCallRet 用户模式 007deedc 76cf2707 ntdll!ZwCreateFile+0xc 007def54 76cf276b iphlpapi!OpenTCPDriver+0xad 007def64 76cf278f iphlpapi!CheckTcpipState+0x62 007def98 76cf299a iphlpapi!GetIpStatsFromStack+0xd 007df00c 76cf32de iphlpapi!GetInterfaceInfo+0x38 007df028 76cf3230 iphlpapi!GetAdapterNameToIndexInfo+0x1e 007df060 76cf6a6b iphlpapi!GetAdapterInfo+0x18 007df0b4 4e7fdf36 iphlpapi!GetAdapterInfoEx+0x1c 007df504 4e7fe2f9 WINHTTP!CIpConfig::GetAdapterListOnNT5+0x6e 007dfac4 4e7fe938 WINHTTP!CIpConfig::GetAdapterList+0x58 007dfad0 4e7fd3ee WINHTTP!CIpConfig::CIpConfig+0x23 007dfaf0 4e7cd1cc WINHTTP!DetectAutoProxyUrl+0x26 007dfb28 4e7cd9b5 WINHTTP!CAutoProxy::DetectAutoProxyUrl+0xa4 007dfb58 4e7cdafb WINHTTP!CAutoProxy::GetProxyForURL+0x33 007dfb6c 4e7cdcd8 WINHTTP!InProcGetProxyForUrl+0x20
  • 8. Example Call Stack with .NET 0012f2f4 77d19418 ntdll!KiFastSystemCallRet 用户模式 0012f38c 7b1d8997 user32!NtUserWaitMessage+0xc 0012f3e4 7b1d87e1 System_Windows_Forms_ni+0x208997 0012f414 7b6eddc6 System_Windows_Forms_ni+0x2087e1 .NET Runtime 0012f460 79e71b4c System_Windows_Forms_ni+0x71ddc6 Common Langueage 0012f470 79e821f9 mscorwks!CallDescrWorker+0x33 Runtime 0012f4f0 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3 0012f634 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c 0012f650 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f 0012f668 79f0788d mscorwks!MethodDescCallSite::Call+0x1a 0012f7cc 79f077ad mscorwks!ClassLoader::RunMain+0x223 0012fa34 79f07cfd mscorwks!Assembly::ExecuteMainMethod+0xa6 0012ff04 79f07ee7 mscorwks!SystemDomain::ExecuteMainMethod+0x456 0012ff54 79f07e17 mscorwks!ExecuteEXE+0x59 0012ff9c 7900b77b mscorwks!_CorExeMain+0x15c 0012ffac 7900b73d mscoree!_CorExeMain+0x2e .NET Runtime 0012ffb8 79004de3 mscoree!ShellShim__CorExeMain+0x29 Execution Engine 0012ffc0 7c817077 mscoree!_CorExeMain_Exported+0x8 0012fff0 00000000 kernel32!BaseProcessStart+0x23
  • 9. Windows I/O Model • Asychronous, Packet-based, Extensible • Device discovery supports plug-and-play (PnP) ̵ volumes automatically detected and mounted ̵ power management support (ACPI) • Drivers attach to per device driver stacks ̵ Drivers can filter actions of other drivers in each stack • Integrated kernel support ̵ memory manager provides DMA support ̵ HAL provides device access, PnP manages device resources ̵ Cache manager provides file-level caching via MM file-mapping • Multiple I/O completion mechanisms: ̵ synchronous ̵ update user-mode memory status ̵ signal events ̵ callbacks within initiating thread ̵ I/O Completion Port
  • 10. I/O Architecture 用户模式 内核模式 注册表 I/O 管理器 PnP 管理器 电源管理器 WMI 支持 配置管理器 I/O 系统 驱动程序 驱动程序 …… 驱动程序 HAL 硬件控制器 …… 硬件控制器
  • 11. I/O Manager Objects • Driver objects represent loaded drivers. ̵ NtLoadDriver/NtUnloadDriver ̵ IoCreateDriver • Drivers create device objects to represent devices. ̵ IoCreateDevice • All I/O requests are made to device objects. • File objects represent open instances of device objects.
  • 12. Object Relationships 驱动程序 1 设备对象 1a 设备对象 1b 设备对象 1c 驱动程序 2 设备对象 2a 设备对象 2b 驱动程序 3 设备对象 3a 文件对象 #2 文件对象 #1
  • 13. Structure of Windows Drivers I/O 系统 初始化例程 设备驱动程序 I/O 管理器 增加设备 分发例程 PnP 管理器 卸载例程 电源管理器 可选例程 …… WMI
  • 14. Loading Device Drivers • Drivers can be loaded by, ̵ The boot loader at boot time. ̵ The I/O manager at system initialization. ̵ The service control manager or PnP manager. • Driver details are obtained from the registry. • Driver object is created and DriverEntry for the driver is invoked. • Drivers provide dispatch routines for various I/O operations. (Create, Read, Write, „). • Drivers can optionally provide fast path entry points.
  • 15. Layering Drivers • Device objects can be attached one on top of another using IoAttachDevice* APIs to create device stacks. • I/O manager sends IRP to the top of the stack. • Drivers store next lower device object in their private data structure. • Stack tear down done using IoDetachDevice and IoDeleteDevice.
  • 16. Device Stack Example 81682870 DriverObject -> “DriverKbdclass” 设备名为“DeviceKeyboardClass0” AttachedDevice = null StackSize = 6 AttachedTo = 81682a58 81682a58 DriverObject -> “Driveri8042prt” AttachedDevice = 81682870 StackSize = 5 AttachedTo = 817ad030 817ad030 DriverObject -> “DriverACPI” 设备名为“Device0000003b” AttachedDevice = 81682a58 StackSize = 4 AttachedTo = null
  • 17. Device Deletion and Driver Unload • Drivers delete devices using IoDeleteDevice. • Drivers are unloaded by calling NtUnloadDriver or by PnP. • No further opens/attaches allowed after a device is marked for deletion or unload. • Driver unload function is invoked when all its device objects have no handles/attaches. • Driver is unloaded when the last reference to driver object goes away.
  • 18. File Objects • Also managed by Windows Object Manager, its type is IoFileObjectType ̵ Applications and drivers “open” devices by name ̵ The name is parsed by the Object Manager • Representation of an open instance of a device object ̵ files on a volume are virtual devices • Created by IoCreateFile function, which is invoked by NtCreateFile ̵ When an open succeeds a file handle is added to the process handle table
  • 19. I/O Processing • IRP • Issues in I/O processing ̵ Fast I/O ̵ Buffer management ̵ I/O completion • I/O Completion port
  • 20. I/O Request Packet (IRP) • I/O operations are encapsulated in IRPs. • I/O requests travel down a device stack in an IRP. • Each driver gets a stack location which contains parameters for that I/O request. • IRP has major and minor codes to describe I/O operations. • Major codes include create, read, write, PnP, devioctl, cleanup and close. • Irps are associated with a thread that made the I/O request.
  • 21. I/O Requests from Applications 系统 DLL 用户模式 内核模式 系统服务 NtCreateFile, NtClose, NtReadFile, NtWriteFile, NtDeviceIoControlFile … I/O 管理器 IoCallDriver 驱动程序 驱动程序 驱动程序 ……
  • 22. IRP Major Codes #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
  • 23. IRP Major Codes (cont.) #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
  • 24. IO Stack Locations in IRPs 原始文件对象 IRP 对象 设备对象 (OriginalFileObject) 文件对象 设备对象 驱动程序 栈单元[0] 一组分发例程 对象 栈单元[1] …… 文件对象 设备对象 驱动程序 一组分发例程 对象 栈单元[n-1] 文件对象 设备对象 驱动程序 一组分发例程 对象
  • 25. Completing an I/O Request • Servicing an interrupt: ̵ ISR schedules Deferred Procedure Call (DPC); dismisses int. ̵ DPC routine starts next I/O request and completes interrupt servicing ̵ May call completion routine of higher-level driver • I/O completion: ̵ Record the outcome of the operation in an I/O status block ̵ Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (APC) ̵ APC executes in context of calling thread; copies data; frees IRP; sets calling thread to signaled state ̵ I/O is now considered complete; waiting threads are released
  • 26. Flow of I/O Processing 调用者线程 IoCallDriver 驱动程序 DPC 分发例程 通知 I/O 插入 DPC 管理器, I/O 请求 是 同步 否 ISR 已完成 I/O 发送 I/O 执行其 命令,并 中断 等待 他任务 传输数据 硬件设备 IoCompleteRequest 在发起者线程中插入 APC 例程 IopCompleteRequest, 或者,直接返回发起者线程 IopCompleteRequest
  • 27. I/O Processing in a Device Stack I/O 请求 I/O 管理器 IopCompleteRequest APC I/O 管理器 栈顶 驱动程序 1 IoCallDriver 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 1 中间 驱动程序 2 栈顶 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 2 栈底 驱动程序 3 中间 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation I/O 管理器 栈底 驱动程序 3 IoCompleteRequest 设备对象 (分发例程) I/O 完成 (a) I/O 请求在设备栈中的传递流程 (b) I/O 请求的完成流程
  • 28. I/O Completion Port • A kind of executive objects called I/O Completion Port or IoCompletion, its type is IoCompletionObjectType • For balancing the I/O throughput and thread- trashing • The completion port is essential a queue object • A file can be associated with an IoCompletion object, so I/O manager will queue a completion packet to the completion port • The number of active threads which process I/O completion are controlled by the queue object.
  • 29. How does IOCompletion work NtCreateIoCompletion NtSetInformationFile KeInitializeQueue 线程对象 … 线程对象 I/O 请求 关联 NtRemoveIoCompletion I/O 完成端口 文件对象 CompletionContext 队列 KQUEUE KeRemovetQueue I/O 完成 KeInsertQueue KeInsertQueue IopCompleteRequest NtSetIoCompletion
  • 30. Windows Subsystem Windows 子系统进程 Windows 应用程序 (csrss.exe) 子系统 DLL NTDLL.DLL 用户模式 内核模式 Win32k.sys (窗口管理、图形接 Windows 内核 口等) 图形设备驱动程序
  • 31. Windows Subsystem Initialization • DriverEntry in Win32k.sys ̵ KeAddSystemServiceTable ̵ PsEstablishWin32Callouts ̵ MmPageEntireDriver ̵ InitializeGre ̵ Win32UserInitialize ̵ Returns Win32KDriverUnload • Smss Smss 进程 创建“SmApiPort”LPC 端口对象,以接收“创建会话”请求 • Winlogon 加载 Windows 子系统内核模块 win32k.sys 启动 csrss 进程 • Csrss 启动 winlogon 进程 创建窗口站 创建登录桌面和默认桌面 启动 SCM 进程 加载自动-启动的服务和驱动程序 启动 lsass 进程 等待用户按下 Ctrl+Alt+Del
  • 32. Convert to a GUI thread • What is a GUI thread? ̵ Thread are non-GUI when created ̵ Converted on first call to win32k.sys • Bigger Stack • Win32k.sys notified of creation and destruction • Converts process to GUI • PsConvertToGuiThread ̵ MmCreateKernelStack & KeSwitchKernelStack ̵ KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow ̵ Call PspW32ProcessCallout 普通线程 GUI线程 ̵ Call PspW32ThreadCallout 内核模式 ntoskrnl win32k
  • 33. Terminal Services/Multiple Sessions • Multiple Sessions ̵ Console Session ̵ Session 0 in Vista/Win7 ̵ Terminal Sessions ̵ by FUS (Fast User Switching) • For each session ̵ Created by smss (session manager process) ̵ Session space in system space ̵ Its own copies of Win32k.sys, csrss.exe, Winlogon.exe, video driver, print driver, etc.
  • 34. Session Spaces System Space 0x80000000 Session Space Session Pool (16MB) 0xBC000000 Session View Session Space (20MB) 0xC0000000 SESSION_WS(4MB) Session Image (8MB) 0xFFFFFFFF
  • 35. Window Management: Window Stations and Desktops 剪贴板 交互式窗口站 键盘 (WinSta0) 鼠标 显示器 登录桌面 交互桌面 屏幕保护桌面 非交互式窗口站 剪贴板 …… …… 不可见桌面
  • 36. Window Hierarchy 交互式窗口站 默认桌面 顶级窗口列表 子系统会话 (WinSta0) 子窗口 登录桌面 屏幕保护桌面 非交互式窗口站 不可见桌面
  • 37. Desktop • An surface for output • In a WindowStation • Have a Desktop Heap (assigned from the session view)
  • 38. Message Path in Win32 RIT 线程 桌面线程 输入(input) GUI 线程 消息队列 鼠标事件 其他 HID 其他线程 寄入(post) 消息队列
  • 39. References • Mark E. Russinovich and David A. Solomon, Windows Internals (4th/5th Edition), Microsoft Press, 2004/2009. • 潘爱民,Windows内核原理与实现,电子工业出版社, 2010.4 • WRK, Windows Research Kernel(by Microsoft) • Microsoft WDK Documents & Samples