101
Presented by
Japneet Singh
Agenda
Kernel mode and user mode
Memory view
Execution view
Basics of kernel programming
Demo
Useful information
Discussion limited to Wintel x86
Minimal discussion of concepts, enough for writing a basic kernel program
User mode and Kernel mode
System architecture
[Diagram: CPU, MEMORY and three I/O devices]
No separation of KM and UM
[Diagram: MEMORY, CPU and I/O devices, with Kernel, Driver D1, Driver D2, Process P1 and Process P2]
Problems
Accidental/malicious modification of one address space by another
Accidental/malicious modification of device memory/registers by a process
Separation of KM and UM
[Diagram: MEMORY, CPU, I/O devices, Kernel, Driver D1, Driver D2, Process P1, Process P2; labels: Privileged instructions, Non-Privileged instructions]
KM-only privileged operations
Access to I/O devices
Modifying Kernel mode memory
Modifying critical CPU registers
Thread Switching / Scheduling
Enabling / disabling interrupts
Protection rings
ReadFile (Kernel32.dll): call NtReadFile(), return to caller
NtReadFile (Ntdll.dll): Int 2E, return to caller
User mode
NtReadFile (Ntoskrnl.exe): invoke driver, wait or return to caller
Whether to wait depends on overlapped flag
Process P1
P2 view of Virtual memory
Process P2
P1's Page Table
Driver D1 Driver D2
P2's Page Table
Driver D1 Driver D2
Physical Memory view
Process P1 Windows kernel
Process P2 Pagefile
Driver D1 Driver D2
Execution view of User mode and Kernel mode
Boot time
System boots in Ring 0
Boot loader loads Windows Kernel and transfers control
Windows kernel sets up Ring 3 and transfers control
Run time
[Diagram: Kernel, Driver D1, Driver D2, Process P1, Process P2 and I/O devices]
Basics of Windows kernel programming
[Diagram labels: Environment subsystem or DLL; User mode; Kernel mode; Services; I/O manager; IRP; Device driver]
1 I/O request passes through subsystem DLL
2 NtWriteFile(file_handle, char_buffer)
3 Create IRP and send it to device driver
4 Transfer data specified in IRP
5 Perform I/O and interrupt
6 Handle interrupt and return success or error status
7 Complete IRP and return success or error status
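A user-mode C model of steps 2 to 7 above, added here as an illustration and not taken from the slides or from the Windows Driver Kit. The MODEL_* and model_* names and the 16-byte device are assumptions; the IRP_MJ_* and STATUS_* values are the real NT constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Real NT constant values; every MODEL_* / model_* name below is hypothetical. */
#define IRP_MJ_WRITE                  0x04
#define IRP_MJ_MAXIMUM_FUNCTION       0x1b
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u

typedef struct {             /* simplified stand-in for an IRP */
    uint8_t     major;       /* requested operation */
    const char *buffer;      /* caller's data (char_buffer) */
    size_t      length;      /* bytes requested */
    size_t      information; /* bytes actually transferred */
    uint32_t    status;      /* set at completion */
} MODEL_IRP;
typedef uint32_t (*MODEL_DISPATCH)(MODEL_IRP *);
typedef struct { MODEL_DISPATCH major_function[IRP_MJ_MAXIMUM_FUNCTION + 1]; } MODEL_DRIVER;
static char   device_memory[16];   /* constructed stand-in for the device */
static size_t device_used;

/* Steps 4-6: the driver transfers the data named in the IRP and reports a status. */
static uint32_t model_dispatch_write(MODEL_IRP *irp) {
    size_t room = sizeof device_memory - device_used;
    size_t n = irp->length < room ? irp->length : room;  /* never overrun the device */
    memcpy(device_memory + device_used, irp->buffer, n);
    device_used += n;
    irp->information = n;
    return irp->status = STATUS_SUCCESS;
}

/* Default for every major function the driver does not handle. */
static uint32_t model_dispatch_unsupported(MODEL_IRP *irp) {
    return irp->status = STATUS_INVALID_DEVICE_REQUEST;  /* information stays 0 */
}

/* The driver fills its dispatch table once, when it is loaded. */
void model_driver_entry(MODEL_DRIVER *drv) {
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        drv->major_function[i] = model_dispatch_unsupported;
    drv->major_function[IRP_MJ_WRITE] = model_dispatch_write;
}

/* Steps 2-3 and 7: the I/O manager builds the IRP, routes it, returns its status. */
uint32_t model_io_request(MODEL_DRIVER *drv, uint8_t major, const char *buf, size_t len, size_t *done) {
    MODEL_IRP irp = { major, buf, len, 0, 0 };
    if (major > IRP_MJ_MAXIMUM_FUNCTION) { *done = 0; return STATUS_INVALID_DEVICE_REQUEST; }
    uint32_t status = drv->major_function[major](&irp);
    *done = irp.information;   /* what the caller sees as bytes written */
    return status;
}
```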
Coexist with other DLLs Coexist with other drivers and Kernel