01 KernelExtensions
Windows Kernel Internals II

System Extensions
University of Tokyo – July 2004

Dave Probert, Ph.D.


Advanced Operating Systems Group
Windows Core Operating Systems Division
Microsoft Corporation

© Microsoft Corporation 2004 1


Kernel Extension Mechanisms
I/O Extensions
– File System Filters
– New File Systems
– Device Filter Drivers
– Device Drivers
Object Manager
– New object types
Registry
– Hook most operations
Notifications
– Image Loading
– Process Create/Exit
– Thread Create/Exit
Export Drivers
Random bit editing



Kernel Communication
• IOCTLs
• Handles on new object types
• LPC
• Most usermode-to-usermode mechanisms
– Shared memory
– Kernel synchronization objects
– NamedPipes



Kernel Extensions
Two main toolkits for writing extensions:
– IFSKit – for file system filters and file systems
– DDK – for all others, including device drivers
Generically called ‘drivers’ and use driver mechanisms to wire into the system
– DriverEntry routine creates a device object for the device
– Device object can be named in NT namespace
– Access via I/O ops (open/read/write/ioctl/close)
Service Control Manager loads/unloads drivers as ‘services’
Published Kernel Interfaces
I/O related
– IO object mgmt, security checks
– HW access, DMA, interrupts, DPCs, timers, worker threads
– IRPs, physical memory (MDLs), cancel support (include CSQs)
– Hardware configuration, plug-and-play, power, bus mgmt
Multithreading support
– Spinlocks, interlocked operations/queues
Kernel facilities
– Memory pool allocation, threads, synchronization, run-time, object/handle management
Zw related (Kernel-mode version of native Nt APIs)
– Files, sections, registry, set/query file/process/thread info



Subsystems
NT originally mistaken for a microkernel
– Kernel was never micro, but …
– But OS personalities were defined by servers
Servers are called ‘subsystems’
– Primary subsystems OS/2, Windows, Posix, WoW
– Each subsystem has three main components:
– Subsystem service process (e.g. csrss)
– Subsystem API library (e.g. kernel32, et al)
– Hooks in the CreateProcess code
There are some pseudo-subsystems, e.g. lsass, CLR
Windows Subsystem
[Diagram: Windows applications at the top; beneath them the Win95 GUI, Windows NT sys admin & networking commands, the Windows NT command shell, winsock and the Win32 APIs, all sitting on the Win32 Subsystem; below that the Windows NT Kernel and the Hardware Abstraction Layer.]


Posix Subsystem
[Diagram: UNIX applications at the top; beneath them Workshop tools (gcc, g++, perl, Apache, Tcl/Tk, bash, etc.), Motif, X11 and the UNIX SDK; UNIX, XPG and POSIX.2 commands & utilities, UNIX shells and telnetd; the UNIX/POSIX APIs and BSD Sockets sitting on the POSIX/UNIX Subsystem; an NFS Client/Server/Gateway alongside the Windows NT Kernel; the Hardware Abstraction Layer at the bottom.]


Subsystem Inter-operation
[Diagram: the Posix Subsystem stack (UNIX applications, Workshop tools, Motif, X11, UNIX SDK, UNIX/XPG/POSIX.2 commands & utilities, shells, telnetd, UNIX/POSIX APIs, BSD Sockets, POSIX/UNIX Subsystem, NFS Client/Server/Gateway) and the Windows Subsystem stack (Windows applications, Win95 GUI, Windows NT sys admin & networking, NT command shell, winsock, Win32 APIs, Win32 Subsystem) shown side by side over a common Windows NT Kernel and Hardware Abstraction Layer, with an X11 R6.3 server bridging the UNIX applications and the Windows applications.]


Services vs Kernels
Three sites of OS implementation
– In app’s container (libraries)
– In separate containers (services)
– In central, universally shared container (kernel)
Shared nature of kernels makes them less flexible
– Single sysentry mechanism
– Inter-op requires shared abstractions
– Access controls limited
Services have natural advantages
– Filtering and refinement of operations provides finer-grained access control
– Easy to provide alternative abstractions
Example: Refining kernel privilege
Creating permanent objects in OB requires privilege
Drive letters are permanent objects (symlinks) in the \DosDevices directory
Q: So how does the DefineDosDevice API work?
A: It uses a privileged service (csrss) to create the symlink
csrss is only willing to create symlinks in \DosDevices

Subsystems can in general refine privileges for clients and safely share state between clients – just like kernels



No kernels: Future of OS Design?
Operating systems as a collection of libraries and
services?
+ increased flexibility & extensibility
+ more robust, better failure isolation/recovery, better
security
- performance of current CPUs optimized for kernels
SPACE, Pebble
– Fundamental abstractions:
Processors, MMUs, trapvectors
vs. Processes, VM, IPC
Back to the present…
Windows is extended primarily by adding
apps and libraries (e.g. COM components)
Primary kernel extensions are for new
devices and filtering existing operations

Project I explores kernel extensions
Project II explores services



Project I – writing a kernel extension
Have the Windows DDK installed for WS03 (aka WNET)
Open a new command window
set DDK=C:\WINDDK\37901218 (for example)
Run command: %DDK%\bin\setenv %DDK% chk wnet
In the TrivialDriver directory type: build
Find trivial.sys and trivialapp.exe and copy to test machine
Run trivialapp.exe on the test machine
You’ll see a few messages (the driver loaded/unloaded)
Do the same with TrivialDriver2
This time it waits, so start/stop taskmgr.exe
You will see the names of registry values that were set
Use regedit.exe to write some new values in HKCU
Project I - 2
Read through Registry Callbacks.doc
Compare TrivialDriver and TrivialDriver2
Read in the DDK documentation about the API
PsSetCreateProcessNotifyRoutine
Have the SDK documentation handy
Modify the TrivialDriver2 driver to list the process ids of processes as they are created and exit
Then modify the app to print out the name of the exe for each process created (see the PSAPI functions)
This is a hit-or-miss procedure; what would be required for it to be reliable?



Anatomy of Trivial.sys Driver
DriverEntry is called when driver is loaded
Creates Device object and symlink
Initializes a few dispatch entry points
TrivialCreateClose is called for create/close IRPs
Since driver not stacked, only opened by name
Routine does nothing but process IRP correctly
TrivialCleanup is also an effective no-op
TrivialUnload deletes the symlink, IOMgr deletes devobj
TrivialDriver2 adds read and ioctl functions, and then
Arranges for registry callbacks
Maintains a buffer which can be read out
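Project I - 2 asks for a driver that records process ids from PsSetCreateProcessNotifyRoutine, and this slide describes a buffer the app reads back out; the block below is an added example, not code from the slides, the DDK samples or TrivialDriver2. It is a user-mode C model of that design: model_set_notify, model_kernel_event, read_events, the plain-C types standing in for HANDLE/BOOLEAN and the tiny ring size are all assumptions made so it builds without the DDK. It shows why the procedure is hit-or-miss: a bounded buffer silently loses records when the app reads too slowly, and only a drop counter lets the reader tell "nothing happened" from "events were lost".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Callback shape of PsSetCreateProcessNotifyRoutine: (parent id, process id, Create).
   Kernel HANDLE/BOOLEAN are replaced by plain C types so the model builds anywhere. */
typedef void (*process_notify_fn)(uintptr_t parent, uintptr_t pid, bool create);
typedef struct { uintptr_t parent, pid; bool create; } process_event;
#define RING_SIZE 4   /* kept tiny (assumed value) so overflow is easy to provoke in a test */
typedef struct {
    process_event slots[RING_SIZE];
    size_t head;     /* next slot the callback writes */
    size_t count;    /* unread records, never more than RING_SIZE */
    size_t dropped;  /* unread records overwritten before the app read them */
} event_ring;

static event_ring g_ring;            /* the driver's buffer that the app reads out */
static process_notify_fn g_notify;   /* the routine the modelled kernel currently holds */

/* Stand-in for PsSetCreateProcessNotifyRoutine(Routine, Remove); one routine only. */
static int model_set_notify(process_notify_fn fn, bool remove)
{
    if (remove) { if (g_notify != fn) return -1; g_notify = NULL; return 0; }
    if (g_notify != NULL) return -1;
    g_notify = fn; return 0;
}
/* Runs in the context of the creating/exiting process: append and return fast. */
static void on_process_notify(uintptr_t parent, uintptr_t pid, bool create)
{
    event_ring *r = &g_ring;
    r->slots[r->head] = (process_event){ parent, pid, create };
    r->head = (r->head + 1) % RING_SIZE;
    if (r->count < RING_SIZE) r->count++;
    else r->dropped++;   /* the oldest unread record has just been lost */
}
/* What the modelled kernel does on every process create/exit. */
static void model_kernel_event(uintptr_t parent, uintptr_t pid, bool create)
{ if (g_notify) g_notify(parent, pid, create); }

/* IRP_MJ_READ counterpart: copy out up to max records, oldest first, and report how
   many were lost since the last read so the app can tell "missing" from "none". */
static size_t read_events(process_event *out, size_t max, size_t *dropped)
{
    event_ring *r = &g_ring;
    size_t n = r->count < max ? r->count : max;
    size_t start = (r->head + RING_SIZE - r->count) % RING_SIZE;
    for (size_t i = 0; i < n; i++) out[i] = r->slots[(start + i) % RING_SIZE];
    r->count -= n;
    *dropped = r->dropped; r->dropped = 0;
    return n;
}
```

A real driver must additionally serialize the callback against the read path (the callback can run on any CPU while the app's read IRP is in progress), which the model leaves out.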
Discussion
