SlideShare a Scribd company logo

Windows内核技术介绍

J
jeffz

The document discusses Windows kernel technologies including the Windows architecture, system traps, I/O model, device drivers, and Windows subsystems. It provides an overview of the Windows NT timeline from 1989 to 2009 and describes key components of the Windows architecture like the executive, kernel, and hardware abstraction layer. It also covers topics such as Windows APIs, calling into the kernel, the I/O manager, drivers, and I/O processing.

Technology
1 of 40
Downloaded 91 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Windows Kernel Technologies 潘爱民 2010-9-11
Outline • Windows Architecture Overview • System Trap • Windows I/O Model & Device Drivers • Windows Subsystem
NT Timeline: first 20 years 2/1989 Design and Coding Begins 7/1993 NT 3.1 9/1994 NT 3.5 5/1995 NT 3.51 7/1996 NT 4.0 12/1999 NT 5.0 Windows 2000 8/2001 NT 5.1 Windows XP 3/2003 NT 5.2 Windows Server 2003 8/2004 NT 5.2 Windows XP SP2 4/2005 NT 5.2 Windows XP 64 Bit Edition (WS03SP1) 10/2006 NT 6.0 Windows Vista (client) 2/2008 NT 6.0 Windows Server 2008 (Vista SP1) 10/2009 NT 6.1 Win7 & Server 2008 R2
Windows Architecture 系统和服 系统和服 应用程序 系统和服 系统和服 系统和服 务进程 Windows 子 务进程 务进程 .NET 务进程 务进程 系统进程 系统 DLL NTDLL.DLL 用户模式 内核模式 执行体(Executive) Windows 子系 内核(或微内核) 设备驱动 统内核模块 硬件抽象层(HAL) 程序
About Windows APIs • Provided by Windows Subsystem DLLs • Three types: ̵ ① No kernel-mode interactions are needed. (e.g. PtInRect, IsRectEmpty, GetCurrentProcess); ̵ ② Call into kernel once or more (e.g. CreateFile, PostMessage and BitBlt); ̵ ③ Communications with the Windows subsystem process (csrss) are needed. (e.g. CreateProcess) 应用程序 ① 系统DLL Csrss进程 ② 用户模式 ③ 内核模式 ntoskrnl win32k
Call into Kernel 应用程序 系统 DLL,如 Kernel32.dll、User32.dll 等 Ntdll.dll 系统服务存根函数 KiXxxSystemCall int 2e/sysenter 用户模式 iretd/sysexit 内核模式 KiServiceExit KiSystemService 服务分发 执行体系统服务
Example System Service: NtCreateFile • The Call stack of creating a file in a user thread f5484c94 808e3375 nt!IopCreateFile f5484cf0 808e50ec nt!IoCreateFile f5484d30 80882a2c nt!NtCreateFile 内核模式 007deed8 7c8211f4 ntdll!KiFastSystemCallRet 用户模式 007deedc 76cf2707 ntdll!ZwCreateFile+0xc 007def54 76cf276b iphlpapi!OpenTCPDriver+0xad 007def64 76cf278f iphlpapi!CheckTcpipState+0x62 007def98 76cf299a iphlpapi!GetIpStatsFromStack+0xd 007df00c 76cf32de iphlpapi!GetInterfaceInfo+0x38 007df028 76cf3230 iphlpapi!GetAdapterNameToIndexInfo+0x1e 007df060 76cf6a6b iphlpapi!GetAdapterInfo+0x18 007df0b4 4e7fdf36 iphlpapi!GetAdapterInfoEx+0x1c 007df504 4e7fe2f9 WINHTTP!CIpConfig::GetAdapterListOnNT5+0x6e 007dfac4 4e7fe938 WINHTTP!CIpConfig::GetAdapterList+0x58 007dfad0 4e7fd3ee WINHTTP!CIpConfig::CIpConfig+0x23 007dfaf0 4e7cd1cc WINHTTP!DetectAutoProxyUrl+0x26 007dfb28 4e7cd9b5 WINHTTP!CAutoProxy::DetectAutoProxyUrl+0xa4 007dfb58 4e7cdafb WINHTTP!CAutoProxy::GetProxyForURL+0x33 007dfb6c 4e7cdcd8 WINHTTP!InProcGetProxyForUrl+0x20
Example Call Stack with .NET 0012f2f4 77d19418 ntdll!KiFastSystemCallRet 用户模式 0012f38c 7b1d8997 user32!NtUserWaitMessage+0xc 0012f3e4 7b1d87e1 System_Windows_Forms_ni+0x208997 0012f414 7b6eddc6 System_Windows_Forms_ni+0x2087e1 .NET Runtime 0012f460 79e71b4c System_Windows_Forms_ni+0x71ddc6 Common Langueage 0012f470 79e821f9 mscorwks!CallDescrWorker+0x33 Runtime 0012f4f0 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3 0012f634 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c 0012f650 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f 0012f668 79f0788d mscorwks!MethodDescCallSite::Call+0x1a 0012f7cc 79f077ad mscorwks!ClassLoader::RunMain+0x223 0012fa34 79f07cfd mscorwks!Assembly::ExecuteMainMethod+0xa6 0012ff04 79f07ee7 mscorwks!SystemDomain::ExecuteMainMethod+0x456 0012ff54 79f07e17 mscorwks!ExecuteEXE+0x59 0012ff9c 7900b77b mscorwks!_CorExeMain+0x15c 0012ffac 7900b73d mscoree!_CorExeMain+0x2e .NET Runtime 0012ffb8 79004de3 mscoree!ShellShim__CorExeMain+0x29 Execution Engine 0012ffc0 7c817077 mscoree!_CorExeMain_Exported+0x8 0012fff0 00000000 kernel32!BaseProcessStart+0x23
Windows I/O Model • Asychronous, Packet-based, Extensible • Device discovery supports plug-and-play (PnP) ̵ volumes automatically detected and mounted ̵ power management support (ACPI) • Drivers attach to per device driver stacks ̵ Drivers can filter actions of other drivers in each stack • Integrated kernel support ̵ memory manager provides DMA support ̵ HAL provides device access, PnP manages device resources ̵ Cache manager provides file-level caching via MM file-mapping • Multiple I/O completion mechanisms: ̵ synchronous ̵ update user-mode memory status ̵ signal events ̵ callbacks within initiating thread ̵ I/O Completion Port
I/O Architecture 用户模式 内核模式 注册表 I/O 管理器 PnP 管理器 电源管理器 WMI 支持 配置管理器 I/O 系统 驱动程序 驱动程序 …… 驱动程序 HAL 硬件控制器 …… 硬件控制器
I/O Manager Objects • Driver objects represent loaded drivers. ̵ NtLoadDriver/NtUnloadDriver ̵ IoCreateDriver • Drivers create device objects to represent devices. ̵ IoCreateDevice • All I/O requests are made to device objects. • File objects represent open instances of device objects.
Object Relationships 驱动程序 1 设备对象 1a 设备对象 1b 设备对象 1c 驱动程序 2 设备对象 2a 设备对象 2b 驱动程序 3 设备对象 3a 文件对象 #2 文件对象 #1
Structure of Windows Drivers I/O 系统 初始化例程 设备驱动程序 I/O 管理器 增加设备 分发例程 PnP 管理器 卸载例程 电源管理器 可选例程 …… WMI
Loading Device Drivers • Drivers can be loaded by, ̵ The boot loader at boot time. ̵ The I/O manager at system initialization. ̵ The service control manager or PnP manager. • Driver details are obtained from the registry. • Driver object is created and DriverEntry for the driver is invoked. • Drivers provide dispatch routines for various I/O operations. (Create, Read, Write, „). • Drivers can optionally provide fast path entry points.
Layering Drivers • Device objects can be attached one on top of another using IoAttachDevice* APIs to create device stacks. • I/O manager sends IRP to the top of the stack. • Drivers store next lower device object in their private data structure. • Stack tear down done using IoDetachDevice and IoDeleteDevice.
Device Stack Example 81682870 DriverObject -> “DriverKbdclass” 设备名为“DeviceKeyboardClass0” AttachedDevice = null StackSize = 6 AttachedTo = 81682a58 81682a58 DriverObject -> “Driveri8042prt” AttachedDevice = 81682870 StackSize = 5 AttachedTo = 817ad030 817ad030 DriverObject -> “DriverACPI” 设备名为“Device0000003b” AttachedDevice = 81682a58 StackSize = 4 AttachedTo = null
Device Deletion and Driver Unload • Drivers delete devices using IoDeleteDevice. • Drivers are unloaded by calling NtUnloadDriver or by PnP. • No further opens/attaches allowed after a device is marked for deletion or unload. • Driver unload function is invoked when all its device objects have no handles/attaches. • Driver is unloaded when the last reference to driver object goes away.
File Objects • Also managed by Windows Object Manager, its type is IoFileObjectType ̵ Applications and drivers “open” devices by name ̵ The name is parsed by the Object Manager • Representation of an open instance of a device object ̵ files on a volume are virtual devices • Created by IoCreateFile function, which is invoked by NtCreateFile ̵ When an open succeeds a file handle is added to the process handle table
I/O Processing • IRP • Issues in I/O processing ̵ Fast I/O ̵ Buffer management ̵ I/O completion • I/O Completion port
I/O Request Packet (IRP) • I/O operations are encapsulated in IRPs. • I/O requests travel down a device stack in an IRP. • Each driver gets a stack location which contains parameters for that I/O request. • IRP has major and minor codes to describe I/O operations. • Major codes include create, read, write, PnP, devioctl, cleanup and close. • Irps are associated with a thread that made the I/O request.
I/O Requests from Applications 系统 DLL 用户模式 内核模式 系统服务 NtCreateFile, NtClose, NtReadFile, NtWriteFile, NtDeviceIoControlFile … I/O 管理器 IoCallDriver 驱动程序 驱动程序 驱动程序 ……
IRP Major Codes #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
IRP Major Codes (cont.) #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
IO Stack Locations in IRPs 原始文件对象 IRP 对象 设备对象 (OriginalFileObject) 文件对象 设备对象 驱动程序 栈单元[0] 一组分发例程 对象 栈单元[1] …… 文件对象 设备对象 驱动程序 一组分发例程 对象 栈单元[n-1] 文件对象 设备对象 驱动程序 一组分发例程 对象
Completing an I/O Request • Servicing an interrupt: ̵ ISR schedules Deferred Procedure Call (DPC); dismisses int. ̵ DPC routine starts next I/O request and completes interrupt servicing ̵ May call completion routine of higher-level driver • I/O completion: ̵ Record the outcome of the operation in an I/O status block ̵ Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (APC) ̵ APC executes in context of calling thread; copies data; frees IRP; sets calling thread to signaled state ̵ I/O is now considered complete; waiting threads are released
Flow of I/O Processing 调用者线程 IoCallDriver 驱动程序 DPC 分发例程 通知 I/O 插入 DPC 管理器, I/O 请求 是 同步 否 ISR 已完成 I/O 发送 I/O 执行其 命令,并 中断 等待 他任务 传输数据 硬件设备 IoCompleteRequest 在发起者线程中插入 APC 例程 IopCompleteRequest, 或者,直接返回发起者线程 IopCompleteRequest
I/O Processing in a Device Stack I/O 请求 I/O 管理器 IopCompleteRequest APC I/O 管理器 栈顶 驱动程序 1 IoCallDriver 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 1 中间 驱动程序 2 栈顶 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 2 栈底 驱动程序 3 中间 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation I/O 管理器 栈底 驱动程序 3 IoCompleteRequest 设备对象 (分发例程) I/O 完成 (a) I/O 请求在设备栈中的传递流程 (b) I/O 请求的完成流程
I/O Completion Port • A kind of executive objects called I/O Completion Port or IoCompletion, its type is IoCompletionObjectType • For balancing the I/O throughput and thread- trashing • The completion port is essential a queue object • A file can be associated with an IoCompletion object, so I/O manager will queue a completion packet to the completion port • The number of active threads which process I/O completion are controlled by the queue object.
How does IOCompletion work NtCreateIoCompletion NtSetInformationFile KeInitializeQueue 线程对象 … 线程对象 I/O 请求 关联 NtRemoveIoCompletion I/O 完成端口 文件对象 CompletionContext 队列 KQUEUE KeRemovetQueue I/O 完成 KeInsertQueue KeInsertQueue IopCompleteRequest NtSetIoCompletion
Windows Subsystem Windows 子系统进程 Windows 应用程序 (csrss.exe) 子系统 DLL NTDLL.DLL 用户模式 内核模式 Win32k.sys (窗口管理、图形接 Windows 内核 口等) 图形设备驱动程序
Windows Subsystem Initialization • DriverEntry in Win32k.sys ̵ KeAddSystemServiceTable ̵ PsEstablishWin32Callouts ̵ MmPageEntireDriver ̵ InitializeGre ̵ Win32UserInitialize ̵ Returns Win32KDriverUnload • Smss Smss 进程 创建“SmApiPort”LPC 端口对象,以接收“创建会话”请求 • Winlogon 加载 Windows 子系统内核模块 win32k.sys 启动 csrss 进程 • Csrss 启动 winlogon 进程 创建窗口站 创建登录桌面和默认桌面 启动 SCM 进程 加载自动-启动的服务和驱动程序 启动 lsass 进程 等待用户按下 Ctrl+Alt+Del
Convert to a GUI thread • What is a GUI thread? ̵ Thread are non-GUI when created ̵ Converted on first call to win32k.sys • Bigger Stack • Win32k.sys notified of creation and destruction • Converts process to GUI • PsConvertToGuiThread ̵ MmCreateKernelStack & KeSwitchKernelStack ̵ KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow ̵ Call PspW32ProcessCallout 普通线程 GUI线程 ̵ Call PspW32ThreadCallout 内核模式 ntoskrnl win32k
Terminal Services/Multiple Sessions • Multiple Sessions ̵ Console Session ̵ Session 0 in Vista/Win7 ̵ Terminal Sessions ̵ by FUS (Fast User Switching) • For each session ̵ Created by smss (session manager process) ̵ Session space in system space ̵ Its own copies of Win32k.sys, csrss.exe, Winlogon.exe, video driver, print driver, etc.
Session Spaces System Space 0x80000000 Session Space Session Pool (16MB) 0xBC000000 Session View Session Space (20MB) 0xC0000000 SESSION_WS(4MB) Session Image (8MB) 0xFFFFFFFF
Window Management: Window Stations and Desktops 剪贴板 交互式窗口站 键盘 (WinSta0) 鼠标 显示器 登录桌面 交互桌面 屏幕保护桌面 非交互式窗口站 剪贴板 …… …… 不可见桌面
Window Hierarchy 交互式窗口站 默认桌面 顶级窗口列表 子系统会话 (WinSta0) 子窗口 登录桌面 屏幕保护桌面 非交互式窗口站 不可见桌面
Desktop • An surface for output • In a WindowStation • Have a Desktop Heap (assigned from the session view)
Message Path in Win32 RIT 线程 桌面线程 输入(input) GUI 线程 消息队列 鼠标事件 其他 HID 其他线程 寄入(post) 消息队列
References • Mark E. Russinovich and David A. Solomon, Windows Internals (4th/5th Edition), Microsoft Press, 2004/2009. • 潘爱民,Windows内核原理与实现,电子工业出版社, 2010.4 • WRK, Windows Research Kernel(by Microsoft) • Microsoft WDK Documents & Samples
Thanks! Q&A

More Related Content

PPTX
20170710 100歲的人生戰略導讀
Kou-Chun Hsieh
 
PDF
LinkedIn Présentation Marque Employeur
Kevin Cassidy
 
PDF
guide de la santé mentale.pdf
Jamaity
 
PDF
Guide du pèlerin (hajj et omra) - { French / Français }
Hear O World
 
PDF
Діджиталізація для промислових МСП - програма для керівників
APPAU_Ukraine
 
PPTX
Intelligence artificielle
hadjerdermane
 
PDF
階層的クラスタリング入門の入門
Mas Kot
 
PDF
はじめてのルベーグ積分
Wakamatz
 
20170710 100歲的人生戰略導讀
Kou-Chun Hsieh
 
LinkedIn Présentation Marque Employeur
Kevin Cassidy
 
guide de la santé mentale.pdf
Jamaity
 
Guide du pèlerin (hajj et omra) - { French / Français }
Hear O World
 
Діджиталізація для промислових МСП - програма для керівників
APPAU_Ukraine
 
Intelligence artificielle
hadjerdermane
 
階層的クラスタリング入門の入門
Mas Kot
 
はじめてのルベーグ積分
Wakamatz
 

What's hot (20)

PDF
The 商社 概要とルール
Yuya Takeshima
 
PDF
カーネル法:正定値カーネルの理論
Daiki Tanaka
 
PDF
Deep Learning 勉強会 (Chapter 7-12)
Ohsawa Goodfellow
 
PPTX
強化学習4章
hiroki yamaoka
 
PDF
假說思考法 Bcg顧問這樣想
基欽 劉
 
PDF
[系列活動] 無所不在的自然語言處理—基礎概念、技術與工具介紹
台灣資料科學年會
 
PPTX
Créativité - théorie et pratiques
Francois Guely
 
PDF
Truyện cổ Phật giáo tập II.
Chiến Thắng Bản Thân
 
PPTX
la gestion des carrières
houssine kerchaoui
 
PDF
[DL輪読会]StackGAN: Text to Photo-realistic Image Synthesis with Stacked Generat...
Deep Learning JP
 
PDF
L'évolution des théories d'organisation
Oumaima Karim
 
PPT
知識管理V1.3
linzewei1212
 
PDF
Intro IA.pdf
SoumayaMabrouk2
 
DOC
Typologie des strategies
massonneauanais
 
PDF
Guide employee advocacy (collaborateurs ambassadeurs)
Ludivine DURAND
 
PPT
Les theories des_organisations-2
Saritt'ah Rochdi
 
PDF
Air France : accord télétravail
Nicole Turbé-Suetens
 
PPTX
第52回日本核医学会学術総会腫瘍シンポジウム2012年10月北海道
Masahiro Kikuchi
 
PPT
Quality
Fisher Tsai
 
PPTX
Outlier detection by Ueda's method
POOJA PATIL
 
The 商社 概要とルール
Yuya Takeshima
 
カーネル法:正定値カーネルの理論
Daiki Tanaka
 
Deep Learning 勉強会 (Chapter 7-12)
Ohsawa Goodfellow
 
強化学習4章
hiroki yamaoka
 
假說思考法 Bcg顧問這樣想
基欽 劉
 
[系列活動] 無所不在的自然語言處理—基礎概念、技術與工具介紹
台灣資料科學年會
 
Créativité - théorie et pratiques
Francois Guely
 
Truyện cổ Phật giáo tập II.
Chiến Thắng Bản Thân
 
la gestion des carrières
houssine kerchaoui
 
[DL輪読会]StackGAN: Text to Photo-realistic Image Synthesis with Stacked Generat...
Deep Learning JP
 
L'évolution des théories d'organisation
Oumaima Karim
 
知識管理V1.3
linzewei1212
 
Intro IA.pdf
SoumayaMabrouk2
 
Typologie des strategies
massonneauanais
 
Guide employee advocacy (collaborateurs ambassadeurs)
Ludivine DURAND
 
Les theories des_organisations-2
Saritt'ah Rochdi
 
Air France : accord télétravail
Nicole Turbé-Suetens
 
第52回日本核医学会学術総会腫瘍シンポジウム2012年10月北海道
Masahiro Kikuchi
 
Quality
Fisher Tsai
 
Outlier detection by Ueda's method
POOJA PATIL
 
Ad

Viewers also liked (6)

PDF
Reverse eningeering
Kent Huang
 
PPT
2006 03 15_pe & api hook
용환 노
 
PPTX
Quick & Dirty Tips for x64 hooks
용환 노
 
PPTX
Introduction to windows kernel
Sisimon Soman
 
PPTX
20110415 detour
Seongahn Kim
 
PPT
Windows io manager
Sisimon Soman
 
Reverse eningeering
Kent Huang
 
2006 03 15_pe & api hook
용환 노
 
Quick & Dirty Tips for x64 hooks
용환 노
 
Introduction to windows kernel
Sisimon Soman
 
20110415 detour
Seongahn Kim
 
Windows io manager
Sisimon Soman
 
Ad

Similar to Windows内核技术介绍 (20)

PDF
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
PDF
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
openioc_scan - IOC scanner for memory forensics
Takahiro Haruyama
 
PDF
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Alexandre Borges
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
how-to-bypass-AM-PPL
nitinscribd
 
PDF
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
PDF
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
Priyanka Aash
 
PDF
Faults inside System Software
National Cheng Kung University
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
PDF
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
Code Engn
 
PDF
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
PDF
Android Internals
Opersys inc.
 
PDF
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
PDF
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
PDF
Android Boot Time Optimization
Kan-Ru Chen
 
PPT
Windows kernel
Sisimon Soman
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
openioc_scan - IOC scanner for memory forensics
Takahiro Haruyama
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Alexandre Borges
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
how-to-bypass-AM-PPL
nitinscribd
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
Priyanka Aash
 
Faults inside System Software
National Cheng Kung University
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
Code Engn
 
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
Android Internals
Opersys inc.
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
Android Boot Time Optimization
Kan-Ru Chen
 
Windows kernel
Sisimon Soman
 

More from jeffz (20)

PDF
Wind.js无障碍调试与排错
jeffz
 
PDF
JavaScript现代化排错实践
jeffz
 
PDF
Jscex:案例、阻碍、体会、展望
jeffz
 
PDF
Jscex:案例、经验、阻碍、展望
jeffz
 
PDF
The Evolution of Async Programming (GZ TechParty C#)
jeffz
 
PDF
深入浅出Jscex
jeffz
 
PDF
Mono for .NET Developers
jeffz
 
PDF
Javascript Uncommon Programming
jeffz
 
PDF
Jscex: Write Sexy JavaScript (中文)
jeffz
 
PDF
Jscex: Write Sexy JavaScript
jeffz
 
PDF
单点登录解决方案的架构与实现
jeffz
 
PDF
Documentation Insight技术架构与开发历程
jeffz
 
PDF
Windows Phone应用开发心得
jeffz
 
PDF
分布式版本管理
jeffz
 
PDF
使用.NET构建轻量级分布式框架
jeffz
 
PDF
针对iPad平台的高性能网站架构
jeffz
 
PDF
企业开发领域的语言特性
jeffz
 
PDF
The Evolution of Async-Programming on .NET Platform (TUP, Full)
jeffz
 
PDF
The Evolution of Async-Programming on .NET Platform (.Net China, C#)
jeffz
 
PDF
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 
Wind.js无障碍调试与排错
jeffz
 
JavaScript现代化排错实践
jeffz
 
Jscex:案例、阻碍、体会、展望
jeffz
 
Jscex:案例、经验、阻碍、展望
jeffz
 
The Evolution of Async Programming (GZ TechParty C#)
jeffz
 
深入浅出Jscex
jeffz
 
Mono for .NET Developers
jeffz
 
Javascript Uncommon Programming
jeffz
 
Jscex: Write Sexy JavaScript (中文)
jeffz
 
Jscex: Write Sexy JavaScript
jeffz
 
单点登录解决方案的架构与实现
jeffz
 
Documentation Insight技术架构与开发历程
jeffz
 
Windows Phone应用开发心得
jeffz
 
分布式版本管理
jeffz
 
使用.NET构建轻量级分布式框架
jeffz
 
针对iPad平台的高性能网站架构
jeffz
 
企业开发领域的语言特性
jeffz
 
The Evolution of Async-Programming on .NET Platform (TUP, Full)
jeffz
 
The Evolution of Async-Programming on .NET Platform (.Net China, C#)
jeffz
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 

Recently uploaded (20)

PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
A Presentation on Artificial Intelligence
memembruh336
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Approach and Philosophy of On baking technology
30anthuong17
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Windows内核技术介绍

  • 1. Windows Kernel Technologies 潘爱民 2010-9-11
  • 2. Outline • Windows Architecture Overview • System Trap • Windows I/O Model & Device Drivers • Windows Subsystem
  • 3. NT Timeline: first 20 years 2/1989 Design and Coding Begins 7/1993 NT 3.1 9/1994 NT 3.5 5/1995 NT 3.51 7/1996 NT 4.0 12/1999 NT 5.0 Windows 2000 8/2001 NT 5.1 Windows XP 3/2003 NT 5.2 Windows Server 2003 8/2004 NT 5.2 Windows XP SP2 4/2005 NT 5.2 Windows XP 64 Bit Edition (WS03SP1) 10/2006 NT 6.0 Windows Vista (client) 2/2008 NT 6.0 Windows Server 2008 (Vista SP1) 10/2009 NT 6.1 Win7 & Server 2008 R2
  • 4. Windows Architecture 系统和服 系统和服 应用程序 系统和服 系统和服 系统和服 务进程 Windows 子 务进程 务进程 .NET 务进程 务进程 系统进程 系统 DLL NTDLL.DLL 用户模式 内核模式 执行体(Executive) Windows 子系 内核(或微内核) 设备驱动 统内核模块 硬件抽象层(HAL) 程序
  • 5. About Windows APIs • Provided by Windows Subsystem DLLs • Three types: ̵ ① No kernel-mode interactions are needed. (e.g. PtInRect, IsRectEmpty, GetCurrentProcess); ̵ ② Call into kernel once or more (e.g. CreateFile, PostMessage and BitBlt); ̵ ③ Communications with the Windows subsystem process (csrss) are needed. (e.g. CreateProcess) 应用程序 ① 系统DLL Csrss进程 ② 用户模式 ③ 内核模式 ntoskrnl win32k
  • 6. Call into Kernel 应用程序 系统 DLL,如 Kernel32.dll、User32.dll 等 Ntdll.dll 系统服务存根函数 KiXxxSystemCall int 2e/sysenter 用户模式 iretd/sysexit 内核模式 KiServiceExit KiSystemService 服务分发 执行体系统服务
  • 7. Example System Service: NtCreateFile • The Call stack of creating a file in a user thread f5484c94 808e3375 nt!IopCreateFile f5484cf0 808e50ec nt!IoCreateFile f5484d30 80882a2c nt!NtCreateFile 内核模式 007deed8 7c8211f4 ntdll!KiFastSystemCallRet 用户模式 007deedc 76cf2707 ntdll!ZwCreateFile+0xc 007def54 76cf276b iphlpapi!OpenTCPDriver+0xad 007def64 76cf278f iphlpapi!CheckTcpipState+0x62 007def98 76cf299a iphlpapi!GetIpStatsFromStack+0xd 007df00c 76cf32de iphlpapi!GetInterfaceInfo+0x38 007df028 76cf3230 iphlpapi!GetAdapterNameToIndexInfo+0x1e 007df060 76cf6a6b iphlpapi!GetAdapterInfo+0x18 007df0b4 4e7fdf36 iphlpapi!GetAdapterInfoEx+0x1c 007df504 4e7fe2f9 WINHTTP!CIpConfig::GetAdapterListOnNT5+0x6e 007dfac4 4e7fe938 WINHTTP!CIpConfig::GetAdapterList+0x58 007dfad0 4e7fd3ee WINHTTP!CIpConfig::CIpConfig+0x23 007dfaf0 4e7cd1cc WINHTTP!DetectAutoProxyUrl+0x26 007dfb28 4e7cd9b5 WINHTTP!CAutoProxy::DetectAutoProxyUrl+0xa4 007dfb58 4e7cdafb WINHTTP!CAutoProxy::GetProxyForURL+0x33 007dfb6c 4e7cdcd8 WINHTTP!InProcGetProxyForUrl+0x20
  • 8. Example Call Stack with .NET 0012f2f4 77d19418 ntdll!KiFastSystemCallRet 用户模式 0012f38c 7b1d8997 user32!NtUserWaitMessage+0xc 0012f3e4 7b1d87e1 System_Windows_Forms_ni+0x208997 0012f414 7b6eddc6 System_Windows_Forms_ni+0x2087e1 .NET Runtime 0012f460 79e71b4c System_Windows_Forms_ni+0x71ddc6 Common Langueage 0012f470 79e821f9 mscorwks!CallDescrWorker+0x33 Runtime 0012f4f0 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3 0012f634 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c 0012f650 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f 0012f668 79f0788d mscorwks!MethodDescCallSite::Call+0x1a 0012f7cc 79f077ad mscorwks!ClassLoader::RunMain+0x223 0012fa34 79f07cfd mscorwks!Assembly::ExecuteMainMethod+0xa6 0012ff04 79f07ee7 mscorwks!SystemDomain::ExecuteMainMethod+0x456 0012ff54 79f07e17 mscorwks!ExecuteEXE+0x59 0012ff9c 7900b77b mscorwks!_CorExeMain+0x15c 0012ffac 7900b73d mscoree!_CorExeMain+0x2e .NET Runtime 0012ffb8 79004de3 mscoree!ShellShim__CorExeMain+0x29 Execution Engine 0012ffc0 7c817077 mscoree!_CorExeMain_Exported+0x8 0012fff0 00000000 kernel32!BaseProcessStart+0x23
  • 9. Windows I/O Model • Asychronous, Packet-based, Extensible • Device discovery supports plug-and-play (PnP) ̵ volumes automatically detected and mounted ̵ power management support (ACPI) • Drivers attach to per device driver stacks ̵ Drivers can filter actions of other drivers in each stack • Integrated kernel support ̵ memory manager provides DMA support ̵ HAL provides device access, PnP manages device resources ̵ Cache manager provides file-level caching via MM file-mapping • Multiple I/O completion mechanisms: ̵ synchronous ̵ update user-mode memory status ̵ signal events ̵ callbacks within initiating thread ̵ I/O Completion Port
  • 10. I/O Architecture 用户模式 内核模式 注册表 I/O 管理器 PnP 管理器 电源管理器 WMI 支持 配置管理器 I/O 系统 驱动程序 驱动程序 …… 驱动程序 HAL 硬件控制器 …… 硬件控制器
  • 11. I/O Manager Objects • Driver objects represent loaded drivers. ̵ NtLoadDriver/NtUnloadDriver ̵ IoCreateDriver • Drivers create device objects to represent devices. ̵ IoCreateDevice • All I/O requests are made to device objects. • File objects represent open instances of device objects.
  • 12. Object Relationships 驱动程序 1 设备对象 1a 设备对象 1b 设备对象 1c 驱动程序 2 设备对象 2a 设备对象 2b 驱动程序 3 设备对象 3a 文件对象 #2 文件对象 #1
  • 13. Structure of Windows Drivers I/O 系统 初始化例程 设备驱动程序 I/O 管理器 增加设备 分发例程 PnP 管理器 卸载例程 电源管理器 可选例程 …… WMI
  • 14. Loading Device Drivers • Drivers can be loaded by, ̵ The boot loader at boot time. ̵ The I/O manager at system initialization. ̵ The service control manager or PnP manager. • Driver details are obtained from the registry. • Driver object is created and DriverEntry for the driver is invoked. • Drivers provide dispatch routines for various I/O operations. (Create, Read, Write, „). • Drivers can optionally provide fast path entry points.
  • 15. Layering Drivers • Device objects can be attached one on top of another using IoAttachDevice* APIs to create device stacks. • I/O manager sends IRP to the top of the stack. • Drivers store next lower device object in their private data structure. • Stack tear down done using IoDetachDevice and IoDeleteDevice.
  • 16. Device Stack Example 81682870 DriverObject -> “DriverKbdclass” 设备名为“DeviceKeyboardClass0” AttachedDevice = null StackSize = 6 AttachedTo = 81682a58 81682a58 DriverObject -> “Driveri8042prt” AttachedDevice = 81682870 StackSize = 5 AttachedTo = 817ad030 817ad030 DriverObject -> “DriverACPI” 设备名为“Device0000003b” AttachedDevice = 81682a58 StackSize = 4 AttachedTo = null
  • 17. Device Deletion and Driver Unload • Drivers delete devices using IoDeleteDevice. • Drivers are unloaded by calling NtUnloadDriver or by PnP. • No further opens/attaches allowed after a device is marked for deletion or unload. • Driver unload function is invoked when all its device objects have no handles/attaches. • Driver is unloaded when the last reference to driver object goes away.
  • 18. File Objects • Also managed by Windows Object Manager, its type is IoFileObjectType ̵ Applications and drivers “open” devices by name ̵ The name is parsed by the Object Manager • Representation of an open instance of a device object ̵ files on a volume are virtual devices • Created by IoCreateFile function, which is invoked by NtCreateFile ̵ When an open succeeds a file handle is added to the process handle table
  • 19. I/O Processing • IRP • Issues in I/O processing ̵ Fast I/O ̵ Buffer management ̵ I/O completion • I/O Completion port
  • 20. I/O Request Packet (IRP) • I/O operations are encapsulated in IRPs. • I/O requests travel down a device stack in an IRP. • Each driver gets a stack location which contains parameters for that I/O request. • IRP has major and minor codes to describe I/O operations. • Major codes include create, read, write, PnP, devioctl, cleanup and close. • Irps are associated with a thread that made the I/O request.
  • 21. I/O Requests from Applications 系统 DLL 用户模式 内核模式 系统服务 NtCreateFile, NtClose, NtReadFile, NtWriteFile, NtDeviceIoControlFile … I/O 管理器 IoCallDriver 驱动程序 驱动程序 驱动程序 ……
  • 22. IRP Major Codes #define IRP_MJ_CREATE 0x00 #define IRP_MJ_CREATE_NAMED_PIPE 0x01 #define IRP_MJ_CLOSE 0x02 #define IRP_MJ_READ 0x03 #define IRP_MJ_WRITE 0x04 #define IRP_MJ_QUERY_INFORMATION 0x05 #define IRP_MJ_SET_INFORMATION 0x06 #define IRP_MJ_QUERY_EA 0x07 #define IRP_MJ_SET_EA 0x08 #define IRP_MJ_FLUSH_BUFFERS 0x09 #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b #define IRP_MJ_DIRECTORY_CONTROL 0x0c #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d #define IRP_MJ_DEVICE_CONTROL 0x0e #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
  • 23. IRP Major Codes (cont.) #define IRP_MJ_SHUTDOWN 0x10 #define IRP_MJ_LOCK_CONTROL 0x11 #define IRP_MJ_CLEANUP 0x12 #define IRP_MJ_CREATE_MAILSLOT 0x13 #define IRP_MJ_QUERY_SECURITY 0x14 #define IRP_MJ_SET_SECURITY 0x15 #define IRP_MJ_POWER 0x16 #define IRP_MJ_SYSTEM_CONTROL 0x17 #define IRP_MJ_DEVICE_CHANGE 0x18 #define IRP_MJ_QUERY_QUOTA 0x19 #define IRP_MJ_SET_QUOTA 0x1a #define IRP_MJ_PNP 0x1b #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... #define IRP_MJ_MAXIMUM_FUNCTION 0x1b
  • 24. IO Stack Locations in IRPs 原始文件对象 IRP 对象 设备对象 (OriginalFileObject) 文件对象 设备对象 驱动程序 栈单元[0] 一组分发例程 对象 栈单元[1] …… 文件对象 设备对象 驱动程序 一组分发例程 对象 栈单元[n-1] 文件对象 设备对象 驱动程序 一组分发例程 对象
  • 25. Completing an I/O Request • Servicing an interrupt: ̵ ISR schedules Deferred Procedure Call (DPC); dismisses int. ̵ DPC routine starts next I/O request and completes interrupt servicing ̵ May call completion routine of higher-level driver • I/O completion: ̵ Record the outcome of the operation in an I/O status block ̵ Return data to the calling thread – by queuing a kernel-mode Asynchronous Procedure Call (APC) ̵ APC executes in context of calling thread; copies data; frees IRP; sets calling thread to signaled state ̵ I/O is now considered complete; waiting threads are released
  • 26. Flow of I/O Processing 调用者线程 IoCallDriver 驱动程序 DPC 分发例程 通知 I/O 插入 DPC 管理器, I/O 请求 是 同步 否 ISR 已完成 I/O 发送 I/O 执行其 命令,并 中断 等待 他任务 传输数据 硬件设备 IoCompleteRequest 在发起者线程中插入 APC 例程 IopCompleteRequest, 或者,直接返回发起者线程 IopCompleteRequest
  • 27. I/O Processing in a Device Stack I/O 请求 I/O 管理器 IopCompleteRequest APC I/O 管理器 栈顶 驱动程序 1 IoCallDriver 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 1 中间 驱动程序 2 栈顶 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation 驱动程序 2 栈底 驱动程序 3 中间 设备对象 (分发例程) 设备对象 (完成例程) IRP IRP CurrentLocation CurrentLocation I/O 管理器 栈底 驱动程序 3 IoCompleteRequest 设备对象 (分发例程) I/O 完成 (a) I/O 请求在设备栈中的传递流程 (b) I/O 请求的完成流程
  • 28. I/O Completion Port • A kind of executive objects called I/O Completion Port or IoCompletion, its type is IoCompletionObjectType • For balancing the I/O throughput and thread- trashing • The completion port is essential a queue object • A file can be associated with an IoCompletion object, so I/O manager will queue a completion packet to the completion port • The number of active threads which process I/O completion are controlled by the queue object.
  • 29. How does IOCompletion work NtCreateIoCompletion NtSetInformationFile KeInitializeQueue 线程对象 … 线程对象 I/O 请求 关联 NtRemoveIoCompletion I/O 完成端口 文件对象 CompletionContext 队列 KQUEUE KeRemovetQueue I/O 完成 KeInsertQueue KeInsertQueue IopCompleteRequest NtSetIoCompletion
  • 30. Windows Subsystem Windows 子系统进程 Windows 应用程序 (csrss.exe) 子系统 DLL NTDLL.DLL 用户模式 内核模式 Win32k.sys (窗口管理、图形接 Windows 内核 口等) 图形设备驱动程序
  • 31. Windows Subsystem Initialization • DriverEntry in Win32k.sys ̵ KeAddSystemServiceTable ̵ PsEstablishWin32Callouts ̵ MmPageEntireDriver ̵ InitializeGre ̵ Win32UserInitialize ̵ Returns Win32KDriverUnload • Smss Smss 进程 创建“SmApiPort”LPC 端口对象,以接收“创建会话”请求 • Winlogon 加载 Windows 子系统内核模块 win32k.sys 启动 csrss 进程 • Csrss 启动 winlogon 进程 创建窗口站 创建登录桌面和默认桌面 启动 SCM 进程 加载自动-启动的服务和驱动程序 启动 lsass 进程 等待用户按下 Ctrl+Alt+Del
  • 32. Convert to a GUI thread • What is a GUI thread? ̵ Thread are non-GUI when created ̵ Converted on first call to win32k.sys • Bigger Stack • Win32k.sys notified of creation and destruction • Converts process to GUI • PsConvertToGuiThread ̵ MmCreateKernelStack & KeSwitchKernelStack ̵ KTHREAD->ServiceTable initialized to ntkrnlmp!KeServiceDescriptorTable, replaced with ntkrnlmp!KeServiceDescriptorTableShadow ̵ Call PspW32ProcessCallout 普通线程 GUI线程 ̵ Call PspW32ThreadCallout 内核模式 ntoskrnl win32k
  • 33. Terminal Services/Multiple Sessions • Multiple Sessions ̵ Console Session ̵ Session 0 in Vista/Win7 ̵ Terminal Sessions ̵ by FUS (Fast User Switching) • For each session ̵ Created by smss (session manager process) ̵ Session space in system space ̵ Its own copies of Win32k.sys, csrss.exe, Winlogon.exe, video driver, print driver, etc.
  • 34. Session Spaces System Space 0x80000000 Session Space Session Pool (16MB) 0xBC000000 Session View Session Space (20MB) 0xC0000000 SESSION_WS(4MB) Session Image (8MB) 0xFFFFFFFF
  • 35. Window Management: Window Stations and Desktops 剪贴板 交互式窗口站 键盘 (WinSta0) 鼠标 显示器 登录桌面 交互桌面 屏幕保护桌面 非交互式窗口站 剪贴板 …… …… 不可见桌面
  • 36. Window Hierarchy 交互式窗口站 默认桌面 顶级窗口列表 子系统会话 (WinSta0) 子窗口 登录桌面 屏幕保护桌面 非交互式窗口站 不可见桌面
  • 37. Desktop • An surface for output • In a WindowStation • Have a Desktop Heap (assigned from the session view)
  • 38. Message Path in Win32 RIT 线程 桌面线程 输入(input) GUI 线程 消息队列 鼠标事件 其他 HID 其他线程 寄入(post) 消息队列
  • 39. References • Mark E. Russinovich and David A. Solomon, Windows Internals (4th/5th Edition), Microsoft Press, 2004/2009. • 潘爱民,Windows内核原理与实现,电子工业出版社, 2010.4 • WRK, Windows Research Kernel(by Microsoft) • Microsoft WDK Documents & Samples