1 / 17

Windows Kernel Internals II System Extensions University of Tokyo – July 2004

Windows Kernel Internals II System Extensions University of Tokyo – July 2004. Dave Probert, Ph.D. Advanced Operating Systems Group Windows Core Operating Systems Division Microsoft Corporation. Kernel Extension Mechanisms. I/O Extensions File System Filters New File Systems

hide
Download Presentation

Windows Kernel Internals II System Extensions University of Tokyo – July 2004

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Kernel Internals IISystem ExtensionsUniversity of Tokyo – July 2004 Dave Probert, Ph.D. Advanced Operating Systems Group Windows Core Operating Systems Division Microsoft Corporation © Microsoft Corporation 2004

  2. Kernel Extension Mechanisms I/O Extensions • File System Filters • New File Systems • Device Filter Drivers • Device Drivers Object Manager • New object types Registry • Hook most operations Notifications • Image Loading • Process Create/Exit • Thread Create/Exit Export Drivers Random bit editing © Microsoft Corporation 2004

  3. Kernel Communication • IOCTLs • Handles on new object types • LPC • Most usermode-to-usermode mechanisms • Shared memory • Kernel synchronization objects • NamedPipes © Microsoft Corporation 2004

  4. Kernel Extensions Two main toolkits for writing extensions: • IFSKit – for file system filters and file systems • DDK – for all others, including device drivers Generically called ‘drivers’ and use driver mechanisms to wire into the system • DriverEntry routine creates a device object for the device • Device object can be named in NT namespace • Access via I/O ops (open/read/write/ioctl/close) Service Control Manager loads/unloads drivers as ‘services’ © Microsoft Corporation 2004

  5. Published Kernel Interfaces I/O related • IO object mgmt, security checks • HW access, DMA, interrupts, DPCs, timers, worker threads • IRPs, physical memory (MDLs), cancel support (include CSQs) • Hardware configuration, plug-and-play, power, bus mgmt Multithreading support • Spinlocks, interlocked operations/queues Kernel facilities • Memory pool allocation, threads, synchronization, run-time, object/handle management Zw related (Kernel-mode version of native Nt APIs) • Files, sections, registry, set/query file/process/thread info © Microsoft Corporation 2004

  6. Subsystems NT originally mistaken for a microkernel • Kernel was never micro, but … • But OS personalities were defined by servers Servers are called ‘subsystems’ • Primary subsystems OS/2, Windows, Posix, WoW • Each subsystem has three main components: • Subsystem service process (e.g. csrss) • Subsystem API library (e.g. kernel32, et al) • Hooks in the CreateProcess code There are some pseudo-subsystems, e.g. lsass, CLR © Microsoft Corporation 2004

  7. Windows Subsystem Windows Appli- cations Windows Appli- cations Win95 GUI Windows NT command Shell Windows NT sys admin, commands & networking winsock Win32 APIs Win32 Subsystem Windows NT Kernel Hardware Abstraction Layer © Microsoft Corporation 2004

  8. Posix Subsystem UNIX Applications Motif Workshop tools: gcc, g++ perl, Apache, Tcl/Tk, bash, etc. UN I X S D K X11 UNIX, XPG, POSIX.2 commands & utilities UNIX shells telnetd BSD Sockets UNIX /POSIX APIs POSIX/UNIX Subsystem NFS Client Server Gateway Windows NT Kernel Hardware Abstraction Layer © Microsoft Corporation 2004

  9. Subsystem Inter-operation UNIX Applications Windows Appli- cations X11 R6.3 server Windows Appli- cations Motif Workshop tools: gcc, g++ perl, Apache, Tcl/Tk, bash, etc. UN I X S D K Win95 GUI X11 Windows NT command Shell UNIX, XPG, POSIX.2 commands & utilities UNIX shells Windows NT sys admin, commands & networking telnetd BSD Sockets winsock Win32 APIs UNIX /POSIX APIs Win32 Subsystem POSIX/UNIX Subsystem NFS Client Server Gateway Windows NT Kernel Hardware Abstraction Layer © Microsoft Corporation 2004

  10. Services vs Kernels Three sites of OS implementation • In app’s container (libraries) • In separate containers (services) • In central, universally shared container (kernel) Shared nature of kernels makes them less flexible • Single sysentry mechanism • Inter-op requires shared abstractions • Access controls limited Services have natural advantages • Filtering and refinement of operations provides finer-grained access control • Easy to provide alternative abstractions © Microsoft Corporation 2004

  11. Example: Refining kernel privilege Creating permanent objects in OB requires privilege Drive letters are permanent objects (symlinks) in the \DosDevices directory Q: So how does the DefineDosDevice API work? A: It uses a privileged services (csrss) to create the symlink csrss is only willing to create symlinks in \DosDevices Subsystems can in general refine privileges for clients and safely share state between clients – just like kernels © Microsoft Corporation 2004

  12. No kernels: Future of OS Design? Operating systems as a collection of libraries and services? + increased flexibility & extensibility + more robust, better failure isolation/recovery, better security - performance of current CPUs optimized for kernels SPACE, Pebble • Fundamental abstractions: Processors, MMUs, trapvectors vs.Processes, VM, IPC © Microsoft Corporation 2004

  13. Back to the present… Windows is extended primarily by adding apps and libraries (e.g. COM components) Primary kernel extensions are for new devices and filtering existing operations Project I explores kernel extensions Project II explores services © Microsoft Corporation 2004

  14. Project I – writing a kernel extension Have the Windows DDK installed for WS03 (aka WNET) Open a new command window set DDK=C:\WINDDK\37901218(for example) Run command: %DDK%\bin\setenv %DDK% chk wnet In the TrivialDriver directory type: build Find trivial.sys and trivialapp.exe and copy to test machine Run trivialapp.exe on the test machine You’ll see a few messages (the driver loaded/unloaded) Do the same with TrivialDriver2 This time it waits, so start/stop taskmgr.exe You will see the names of registry values that were set Use regedit.exe to write some new values in HKCU © Microsoft Corporation 2004

  15. Project I - 2 Read through Registry Callbacks.doc Compare TrivialDriver and TrivialDriver2 Read in the DDK documentation about the API PsSetCreateProcessNotifyRoutine Have the SDK documentation handy Modify the TrivialDriver2 driver to list the process ids of processes as they are created and exit Then modify the app to use to print out the name of the exe for each process created (see the PSAPI functions) This is a hit-or-miss procedure, what would be required for it to be reliable? © Microsoft Corporation 2004

  16. Anatomy of Trivial.sys Driver DriverEntry is called when driver is loaded Creates Device object and symlink Initializes a few dispatch entry points TrivialCreateClose is called for create/close IRPs Since driver not stacked, only opened by name Routine does nothing but process IRP correctly TrivialCleanup is also an effective no-op TrivialUnload deletes the symlink, IOMgr deletes devobj TrivialDriver2 adds read and ioctl functions, and then Arranges for registry callbacks Maintains a buffer which can be read out © Microsoft Corporation 2004

  17. Discussion © Microsoft Corporation 2004

More Related