Transcript Chapter 3 part-2 Windows System Mechanisms Group 3

Modern Operation System Kernels
(Microsoft Windows Internals 4th ed.)
Chapter 3 part-2
Windows System Mechanisms
Group 3
組員: 徐裕量 王貞力 葉怡群 左昌國
Outline
• Windows Error Reporting
• System Service Dispatching
▫
▫
▫
▫
32-Bit System Service Dispatching
64-Bit System Service Dispatching
Kernel-Mode System Service Dispatching
Service Descriptor Tables
Windows Error Reporting
• Windows Error Reporting automates the
submission of both user-mode process crashes
as well as kernel-mode system crashes. (Chapter
14)
• These settings are stored in the registry under
the Key
HKLM\Software\Microsoft\PCHealth\ErrorRep
orting .
Windows Error Reporting
Windows Error Reporting
Windows Error Reporting
• If the registry value
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AeDebug\Auto is set to zero
or the Debugger string contains the text
“Drwtsn32”,the unhandled exception filter loads
\Windows\System\Faultrep.dll into failing
process and calls its ReportFault function.
Windows Error Reporting
Windows Error Reporting
• The error report (a minidump and a text file with
details on the DLL version numbers loaded in
the process)is sent to Microsoft’s online crash
analysis server.
• Microsoft provides to qualified customers a tool
set called Corporate Error Reporting that the
administrator with the option to take selective
error reports and submit them to Microsoft.
System Service Dispatching
• A system service dispatch is triggered as a result
of executing an instruction assigned to system
service dispatching.
• The instruction that Windows uses for system
service dispatching depends on the processor in
which it’s executing.
32-Bit System Service Dispatching
• A numeric argument passed in the EAX
processor register indicates the system service
number being requested.
• The EBX register points to the list of parameters
the caller passes to the system service.
32-Bit System Service Dispatching
• On x86 Pentium II processors and higher,
Windows uses the special sysenter instruction,
which Intel defined specifically for fast system
service dispatches.
• The system service number is passed in the EAX
processor register, and the EDX register points to
the list of caller arguments.
• To return to user-mode, the system service
dispatcher usually executes the sysexit instruction.
32-Bit System Service Dispatching
• On K6 and higher 32-bit AMD processors,
Windows uses the special syscall instruction,
which functions similar to the x86 sysenter
instruction.
• The system call number is passed in the EAX
register, and the stack stores the caller
arguments.
• After completing the dispatch, the kernel
executes the sysret instruction.
32-Bit System Service Dispatching
ntdll!NtReadFile:
77f5bfa8 b8b7000000
mov eax,0xb7
77f5bfad ba0003fe7f
mov edx,0x7ffe0300
77f5bfb2 ffd2
call edx
77f5bfb4 c22400
ret 0x24
SharedUserData!SystemCallStub:
7ffe0300 8bd4
mov edx,esp
7ffe0302 0f34
sysenter
7ffe0304 c3
ret
64-Bit System Service Dispatching
• On the x64 architecture, Windows uses the
syscall instruction, which functions like the
AMD K6's syscall instruction, for system service
dispatching, passing the system call number in
the EAX register, the first four parameters in
registers, and any parameters beyond those four
on the stack:
64-Bit System Service Dispatching
• On the IA64 architecture, Windows uses the epc
(Enter Privileged Mode) instruction. The first
eight system call arguments are passed in
registers, and the rest are passed on the stack .
64-Bit System Service Dispatching
ntdll!NtReadFile:
00000000'77f9fc60 4c8bd1
mov r10,rcx
00000000'77f9fc63 b8bf000000 mov eax,0xbf
00000000'77f9fc68 0f05
syscall
00000000'77f9fc6a c3
ret
Kernel-Mode System Service
Dispatching
• The kernel uses this argument to locate the
system service information in the system service
dispatch table.
• Copies the caller's arguments from the thread's
user-mode stack to its kernel-mode stack ), and
then executes the system service.
Kernel-Mode System Service
Dispatching
Kernel-Mode System Service
Dispatching
Kernel-Mode System Service
Dispatching
• Each thread has a pointer to its system service
table.
• Windows has two built-in system service tables,
but up to four are supported.
• The system service dispatcher determines which
table contains the requested service by
interpreting a 2-bit field in the 32-bit system
service number as a table index.
• The low 12 bits of the system service number serve
as the index into the table specified by the table
index.
Kernel-Mode System Service Dispatching
Service Descriptor Tables
• KeServiceDescriptorTable, defines the core
executive system services implemented in
Ntosrknl.exe
• KeServiceDescriptorTableShadow, includes the
Windows USER and GDI services implemented
in the kernel-mode part of the Windows
subsystem, Win32k.sys.
Service Descriptor Tables
• The KeAddSystemServiceTable function allows
Win32k.sys and other device drivers to add
system service tables.
• With the exception of the Win32k.sys service
table, a service table added with
KeAddSystemServiceTable is copied into both
the KeServiceDescriptorTable array and the
KeServiceDescriptorTableShadow array.
Service Descriptor Tables
• The system service dispatch instructions for
Windows executive services exist in the system
library Ntdll.dll.
• Subsystem DLLs call functions in Ntdll to
implement their documented functions.
• The exception is Windows USER and GDI
functions, in which the system service dispatch
instructions are implemented directly in
User32.dll and Gdi32.dll—there is no Ntdll.dll
involved.
Service Descriptor Tables
Chapter 3
Windows System Mechanisms
Object Manager
• Windows object manager
• Object manager creates, managers, and
delete Windows executive object and
abstract data types that are use to
represent operating system resources such
as processes, threads, and the various
synchronization objects.
Object manager GOAL(1/2)
• Provide a common, uniform mechanism for
using system resources
• Isolate object protection to one location in
the operating system so that C2 security
compliance can be achieved
• Establish an object-naming scheme that
can readily incorporate existing objects,
such as the devices, files, and directories of
a file system, or other independent
collections of objects
Object manager GOAL(2/2)
• Support the requirements of various
operating system environments
a process to inherit resources from a parent
process
create case-sensitive filenames
• Establish uniform rules for object retention
(for keeping an object available until all
processes have finished using it)
Kinds of objects
• Executive object
objects implemented by various
components of the executive (the process
manager, memory manager, I/O subsystem)
• Kernel object
implemented by the Windows kernel
Not visible to user-mode
Created and used only within executive
Provide fundamental
capabilities(e.g.synchronization)
Executive object
• The executive objects and object services
are primitives that the environment
subsystems use to construct their own
versions of objects and other resources.
• Executive objects are created
▫ By an environment subsystem on behalf of a
user application
▫ By various components of the operating
system as part of their normal operation.
▫ E.g. create a file
Executive object
• A thread can synchronize with executive object
job, process, thread, file, event, semaphore, mutex, and timer
objects.
• Other executive objects don't support synchronize
Object structure
Object header attributes
• All objects of the same type share the same object
body format
• The object manager provides a small set of generic
services that operate on the attributes stored in an
object's header and can be used on objects of any
type
• Although these generic object services are supported
for all object types, each object has its own create,
open, and query services
Object services
Type objects
• Object headers contain data that is common to all
objects but that can take on different values for each
instance of an object
▫ each object has a unique name and can have a unique
security descriptor
• you can select from a set of access rights specific to a
type of object when you open a handle to objects of
that type, The executive supplies
▫ terminate and suspend access for thread objects
▫ read, write, append, and delete access for file objects
• To conserve memory, the
object manager stores
these static, object-typespecific attributes once
when creating a new object
type
• a type object also links
together all objects of the
same type ,allowing the
object manager to find and
enumerate them, if
necessary.
• Type objects can't be manipulated from user
mode because the object manager supplies
no services for them.
Object Methods
Object Methods
Method
When method is called
Open
When an object handle is opened
Close
When an object handle is closed
Delete
Before the object manager deletes an object
Query
When a thread requests the name of an object, such as a file,
that exists in a secondary object namespace
Parse
When the object manager is searching for an object name that
exists in a secondary object namespace
Security
When a process reads or changes the protection of an object,
such as a file, that exists in a secondary object namespace
Object Handles and
the Process Handle Table
• When a process creates or opens an object by
name, it receives a handle that represents
its access to the object.
• All user-mode processes must own a handle
to an object before their threads can use the
object.
• Executive components and device drivers can
access objects directly because they are
running in kernel mode.
Object Handles and
the Process Handle Table
• An object handle is an index into a processspecific handle table, pointed to by the executive
process (EPROCESS) block
• A process's handle table contains pointers to all
the objects that the process has opened a handle
to.
Object Handles and
the Process Handle Table
• The first handle index is 4, the second 8, and
so on.
• Handle tables are implemented as a 3-level
scheme, similar to the way that the x86
memory management unit implements
virtual-to-physical address translation
Object Handles and
the Process Handle Table
• Windows 2000 process handle table architecture
Object Handles and
the Process Handle Table
• P: indicates whether the caller is allowed to close this handle
• I: indicates whether processes created by this process will get a copy of this
handle in their handle tables
• A: indicates whether closing the object should generate an audit message.
▫ This flag isn't exposed to Windows—the object manager uses it internally.
Object Handles and
the Process Handle Table
• System components and device drivers often need
to open handles to objects that user-mode
applications shouldn't have access to.
• This is done by creating handles in the kernel
handle table
▫ referenced internally with the name
ObpKernelHandleTable
• The handles in this table are accessible only from
kernel mode and in any process context.
Object Security
• In the executive, when a process creates an
object or opens a handle to an existing object,
the process must specify a set of desired
access rights
▫ that is, what it wants to do with the object
Object Security
• It can request either a set of standard access
rights (such as read, write, and execute) that
apply to all object types or specific access rights
that vary depending on the object type.
Object Security
• When a process opens a handle to an object, the object
manager calls the security reference monitor, sending
it the process's set of desired access rights.
• The security reference monitor checks whether the
object's security descriptor permits the type of access
the process is requesting.
• If it does, the reference monitor returns a set of
granted access rights that the process is allowed,
and the object manager stores them in the object
handle it creates.
I will present…
• Microsoft Windows Internals – Microsoft Windows
Server 2003, Windows XP, and Windows 2000, 4th ed.
• Chapter 3: System Mechanisms
Object Structure
1.
2.
3.
4.
5.
Object Retention
Resource Accounting
Object Names
Session Namespace, and
Two Experiments
• Page 141 ~ 149
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Object Retention
• 2 types of objects
▫ Temporary – remain while in use
▫ Permanent – remain until explicitly freed
• Object retention
▫ retains “temporary” objects only when they’re in use
▫ 2 phases
1. Name retention
2. Object deletion
•
DDK Documentation OSR(MSDN ver.)
Object Retention
Object Retention
Process A
Handles
Index
Handle table
System space
Event object
HandleCount= 2
10
ReferenceCount= 3
10
2
DuplicateHandle
Process B
Event object
HandleCount= 10
ReferenceCount= 10
Other structure
Object Retention
Object Retention
Object Retention
• Programmers need not be concerned that one
process might delete an object before the other
process has finished using it.
• How about “permanent” object?
Object retention
• An object is permanent if it was created with the
OBJ_PERMANENT object attribute flag specified.
• A permanent object is created with a reference count of
one.
• Use the following steps to delete a permanent object that
you created:
1.
2.
3.
4.
Call ObDereferenceObject.
Call the appropriate ZwOpenXxx or ZwCreateXxx routine to
get a handle for the object, if necessary.
Call ZwMakeTemporaryObject with the handle obtained in
step 2.
Call ZwClose with the handle obtained in step 2.
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Resource Accounting
• Like object retention, resource accounting is
closely related to the use of object handles.
• Quota system?
▫ complicated
• Resource accounting
▫ Quota charges : record how much memory will be
subtracted from pool quota when opening a
handle to an object.
Resource Accounting
No limit
Different from the text book
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Object Names
• Object manager requires the following
information to help track objects
▫ A way to distinguish one object from another
▫ A method for finding and retrieving a particular
object
• Allow processes to share objects
• Look up timing
▫ When a process creates a named object
▫ When a process opens a handle to a named object
Object Names
• Case-sensitive or case-insensitive?
• Unique name : won’t collide with others
• Global, but can not across a network
▫ Parse method
• Object directories (object directory object)
▫ Like file system directories
• Symbolic links (symbolic link object)
▫ A:, B:, C:  floppy, hard disk
Object Names
Must have these 2 directories
Object Names
Directories and links
are objects, too
Object Names
“GLOBAL??” has symbolic links
point to disk partitions
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Experiment: Looking at the Base
Named Objects
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Session Namespace
• How many user would log on to the system
interactively? (review Chapter 1.)
• A user logged on to the console session
▫ First instance of namespace  global namespace
• Additional sessions
▫ Session-private view  local namespace
▫ \DosDevices , \Windows , and
\BaseNamedObjects
Outline
•
•
•
•
•
•
Object Retention
Resource Accounting
Object Names
Experiment: Looking at the Base Named Objects
Session Namespace
Experiment: Viewing Namespace Instancing
Experiment: Viewing Namespace
Instancing
There is a link to
Global in Session
Experiment: Viewing Namespace
Instancing
Experiment: Viewing Namespace
Instancing
Experiment: Viewing Namespace
Instancing
Related Resource
• Windows, NT Object Manager (download wmv,
160MB, about 40min)
▫ Adrian Marinescu
• DDK Documentation OSR(MSDN ver.)