计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.

计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 2 Foundation Concepts and Terms Win32 API Services, Functions, and Routines Processes, Threads, and Jobs Virtual memory Kernel Mode vs. User Mode Objects & handles …

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 3 Win32 API REF2 and REF3 We will explain the internal behavior and implementation of key Win32 API functions functions that cover areas such as processes, threads, memory management, security, I/O, windowing, and graphics History: Win3.x

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 4 Services, Functions, and Routines [1,2,3 ] Win32 API functions CreatProcess, CreatFile, GetMessage, … System services (or executive system services) Native functions in the 2KOS that are callable from user mode Similar to: system call (int 0x80, int 0x2e) NtCreateProcess, NtWriteFile

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 5 Example: NtWriteFile: mov eax, 0x0E ; build 2195 system service ; number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C; pop parameter of stack and ; return to caller

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 6 Services, Functions, and Routines [ 1, 2,3 ] Kernel support functions (or routines) Subroutines inside the kernel-mode ExAllocatePool (for device driver to allocate memory from the 2K system heaps ) Win32 services Processes started by the Windows 2000 service control manager

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 7 Services, Functions, and Routines [ 1,2, 3] DLL (dynamic-link library) A set of callable subroutines linked together as a binary file that can be dynamically loaded by applications that use the subroutines Example: Msvcrt.dll (C 运行时库 ), Kernel32.dll (Win32 API 子系统库之一 ) Advantages: sharable

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 8

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 9 Processes, Threads, and Jobs [1, 2,3,4 ] Program VS. Process A process include ???

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 10 Processes, Threads, and Jobs [ 1, 2,3,4 ] A 2K Process A private Virtual address space An executable program A list of open handles to various system resources, such as semaphores, communication ports, and files, that are accessible to all threads in the process A security context Process id At least one thread of execution

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 11 Processes, Threads, and Jobs [ 1,2, 3,4 ] A process and its resources

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 12 Processes, Threads, and Jobs [ 1,2,3, 4] Thread: the entity within a process that Windows 2000 schedules for execution Hardware Context Two stacks Thread-local-storage Thread id … Threads of the same process share its resources Shared memory section Context of a thread

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 13 Virtual memory [1,2,3,4 ] Linear 32bit address space = 4GB

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 14 Virtual memory [ 1, 2,3,4 ]

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 15 Virtual memory [ 1,2, 3,4 ] Mapping to physical memory

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 16 Virtual memory [ 1,2,3, 4] What if physical memory > virtual memory AWE for 32bit virtual address space <=64GB The long-term solution: 64bit

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 17 Kernel Mode vs. User Mode 2K uses two processor access modes Kernel mode and user mode I386 supports 4 modes 0  Kernel mode 3  User mode User mode  Kernel mode Demo

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 18 Objects & handles An object is a single, run-time instance of a statically defined object type An object type comprises a system-defined data type, functions that operate on instances of the data type, and a set of object attributes. Object attribute, Object methods Example: process, thread, file, event Handles: references to an instance of an object

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 19 Others Security supports C2-level security as defined by the U.S. Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD, December 1985) Registry A system database the information required to boot and configure the system, systemwide software settings, the security database, and per-user configuration settings

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 20 Unicode (16bit) Two versions of Win32 function: unicode(16bit) and ANSI(8bit)

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 21 Tools for Viewing Windows 2K Internals Page 11-16

计算机系信息处理实验室 xlanchen@2005-2-25Understanding the Inside of Windows2000 22 Thank you!

计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.

Similar presentations

Presentation on theme: "计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

计算机系 信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.

Similar presentations

Presentation on theme: "计算机系 信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰."— Presentation transcript:

Similar presentations

About project

Feedback

计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.

Presentation on theme: "计算机系信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰."— Presentation transcript: