Adding a new system call to Windows WRK
Practical session #2
バリ ゲローフィ
http://www.il.is.s.u-tokyo.ac.jp/~bgerofi/teaching/os2011/slides/os2011-05_pract_2.pdf
Advanced operating systems course, The University of Tokyo

Outline
• Putting your code into git
• Adding a new system call
• Using it from user-space
• Counting basic kernel events
• Assignment #1
Installing git
• Download (or copy from USB) and install: http://msysgit.googlecode.com/files/Git-1.7.7.1-preview20111027.exe
• Choose: “Run git and include Unix tools from the Windows Command prompt”
• Choose the defaults for the remaining steps.
Putting your code into git
1.) Open a command window
2.) Go to C:\WRK-v1.2
3.) Execute: git init
4.) Edit .git\info\exclude and add four lines: *.[oa] BUILD Win2k3SP1 Image tools
5.) Execute:
    git add .
    git commit -m "initial commit"
Adding a new system call
• We will edit the following files (under C:\WRK-v1.2\):
• base\ntos\ke\i386\systable.asm: system call table
• public\sdk\inc\Ntexapi.h: interface header (function declaration)
• base\ntos\ps\create.c: actual syscall implementation (function definition)
base\ntos\ke\i386\systable.asm (system call table)
• The system call table specifies: syscall_name, has_arguments?, number_of_arguments
• The argument table specifies: total number of bytes of arguments
• Go to line 392 and add a new TABLE_ENTRY:
    TABLE_ENTRY MySysCall 1, 1
  (Note: always add entries to the end of the table!)
• Increase TABLE_END:
    TABLE_END 296
• Add a new line to ARGTBL (at line 434):
    ARGTBL_ENTRY 4,0,0,0,0,0,0,0
public\sdk\inc\Ntexapi.h (function declaration)
• Go to line 2794 (after the last function) and add the new declaration:
    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtMySysCall(
        __in ULONG Arg
        );
• Notice the naming convention: in the system call table we called it MySysCall, but the actual declaration has to be NtMySysCall!
base\ntos\ps\create.c (function definition)
• Go to line 26 (in front of the macros) and add a new entry:
    #pragma alloc_text(PAGE, NtMySysCall)
• Add the definition somewhere in the file (note: it could be in any other source file…):
    NTSTATUS
    NtMySysCall(
        __in ULONG Arg
        )
    {
        DbgPrint("MySysCall: %u\n", Arg);
        return STATUS_SUCCESS;
    }
Recompile and deploy your new kernel image…
1.) Go to C:\WRK-v1.2\base\ntos
2.) Execute: nmake x86=
3.) Boot up the VM
4.) Copy wrkx86.exe from Z:\WRK-v1.2\base\ntos\BUILD\EXE\ (this is your local computer’s folder) to C:\WINDOWS\system32\ (this is a folder in the VM)
How to see what’s changed? # # modified: base/ntos/ke/i386/systable.asm # modified: base/ntos/ps/create.c # modified: public/sdk/inc/ntexapi.h # • git status: • git diff: +++ b/base/ntos/ke/i386/systable.asm @@ -389,8 +389,9 @@ TABLE_ENTRY WaitForKeyedEvent, 1, 4 TABLE_ENTRY QueryPortInformationProcess, 0, 0 TABLE_ENTRY GetCurrentProcessorNumber, 0, 0 TABLE_ENTRY WaitForMultipleObjects32, 1, 5 +TABLE_ENTRY MySysCall 1, 1 -TABLE_END 295 +TABLE_END 296 ARGTBL_BEGIN ARGTBL_ENTRY 24,32,44,44,64,44,64,68 @@ -430,5 +431,6 @@ ARGTBL_ENTRY 24,8,8,8,0,16,16,4 ARGTBL_ENTRY 4,8,8,20,16,8,8,16 ARGTBL_ENTRY 20,12,4,4,36,36,24,20 ARGTBL_ENTRY 0,16,12,16,16,0,0,20 +ARGTBL_ENTRY 4,0,0,0,0,0,0,0
The new syscall’s “git diff” +#pragma alloc_text(PAGE, NtMySysCall) #pragma alloc_text(PAGE, NtCreateThread) #pragma alloc_text(PAGE, PsCreateSystemThread) #pragma alloc_text(PAGE, PspCreateThread) @@ -2469,3 +2470,15 @@ Return Value: return; +NTSTATUS +NtMySysCall( + __in ULONG Arg + ) +{ + DbgPrint("MySysCall: %u\n", Arg); + + return STATUS_SUCCESS; +} + + + diff --git a/public/sdk/inc/ntexapi.h b/public/sdk/inc/ntexapi.h index a35102f..c0fd4da 100644 --- a/public/sdk/inc/ntexapi.h +++ b/public/sdk/inc/ntexapi.h @@ -2791,6 +2791,12 @@ NtQueryInformationAtom( __out_opt PULONG ReturnLength ); +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMySysCall( + __in ULONG Arg + ); #ifdef __cplusplus } diff --git a/base/ntos/ke/i386/systable.asm b/base/ntos/ke/i386/systable.asm index f71105a..83c1def 100644 --- a/base/ntos/ke/i386/systable.asm +++ b/base/ntos/ke/i386/systable.asm @@ -389,8 +389,9 @@ TABLE_ENTRY WaitForKeyedEvent, 1, 4 TABLE_ENTRY QueryPortInformationProcess, 0, 0 TABLE_ENTRY GetCurrentProcessorNumber, 0, 0 TABLE_ENTRY WaitForMultipleObjects32, 1, 5 +TABLE_ENTRY MySysCall 1,1 -TABLE_END 295 +TABLE_END 296 ARGTBL_BEGIN ARGTBL_ENTRY 24,32,44,44,64,44,64,68 @@ -430,5 +431,6 @@ ARGTBL_ENTRY 24,8,8,8,0,16,16,4 ARGTBL_ENTRY 4,8,8,20,16,8,8,16 ARGTBL_ENTRY 20,12,4,4,36,36,24,20 ARGTBL_ENTRY 0,16,12,16,16,0,0,20 +ARGTBL_ENTRY 4,0,0,0,0,0,0,0 ARGTBL_END diff --git a/base/ntos/ps/create.c b/base/ntos/ps/create.c index 519706b..48dfc4a 100644 --- a/base/ntos/ps/create.c +++ b/base/ntos/ps/create.c @@ -23,6 +23,7 @@ PspUnhandledExceptionInSystemThread( IN PEXCEPTION_POINTERS ExceptionPointers );
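Review bot: in the systable.asm hunk, `+TABLE_ENTRY MySysCall 1, 1` drops the comma that separates the name from its arguments in every neighbouring entry (`TABLE_ENTRY WaitForMultipleObjects32, 1, 5`), and the two printouts of the same hunk even disagree with each other (`1, 1` versus `1,1`); write it as `TABLE_ENTRY MySysCall, 1, 1` so the macro arguments are unambiguous. The bump to `TABLE_END 296` and the trailing `ARGTBL_ENTRY 4,0,0,0,0,0,0,0` (4 bytes for the single ULONG) are consistent with each other and with the index 128h used from user space.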
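Review bot: in the create.c hunk, `NtMySysCall` is placed in the pageable section by `#pragma alloc_text(PAGE, NtMySysCall)` but its body has neither a `PAGED_CODE();` statement nor the routine header comment the file uses for other functions; add `PAGED_CODE();` as the first statement so a call at raised IRQL is caught on checked builds, and a short Routine Description / Arguments / Return Value header. Nothing user-supplied is dereferenced here (`Arg` arrives by value, so no probing is required), but if the parameter is later changed to a pointer it has to be validated with `ProbeForRead` inside a try/except before `DbgPrint` touches it.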
Commit your changes and see the change log
• git add .
• git commit -m "my first system call"
• git log:
    commit 99e1e01a8f5b438bba9f87f8103f49c64aec145d
    Author: unknown <bgerofi@.(none)>
    Date:   Mon Nov 9 16:37:24 2009 +0900

        my first system call

    commit 0fcf64351ee944554137756c28cdd615093e7f17
    Author: unknown <bgerofi@.(none)>
    Date:   Mon Nov 9 12:16:54 2009 +0900

        initial commit
Calling the new syscall from user-space (1/2)
• Boot up the VM with your new kernel image
• Start up MS Visual Studio
• File -> New Project -> Win32 Console Project
• 128H = 296, the number of the system call we have just added!
• eax: syscall number, edx: first argument’s address
• int 2Eh: trap into the kernel

    #include <windows.h>

    LONG __stdcall MySysCall(IN ULONG Arg)
    {
        char *Param = (char*)&Arg;   // edx must point at the argument block on the stack
        __asm {
            mov eax, 128H            // 0x128 = 296, the index of MySysCall in the system call table
            mov edx, Param           // address of the first (and only) argument
            int 2Eh                  // trap into the kernel; the NTSTATUS comes back in eax
        }
        // no explicit return: eax already holds the status returned by the kernel
    }
Calling the new syscall from user-space (2/2)
• In main() call MySysCall:

    #include <tchar.h>   // _tmain/_TCHAR (the VS template pulls this in through stdafx.h)

    int _tmain(int argc, _TCHAR* argv[])
    {
        MySysCall(5);
        return 0;
    }

• Check the debugger window and see what’s displayed:
    Built by: 3800.WRKP1.2(daveprobert)
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a1438
    System Uptime: not available
    NetWorkProviderInfoFailed: c0000034 Web\networkprovider
    MySysCall: 5
Let’s count some basic kernel events and let the syscall display it
• You can choose what you count (some ideas):
• Context switches (KiSwapContext)
• Page faults (MiDispatchFault)
• Process creations (PspCreateProcess)
• Hardware interrupts (PerfInfoLogInterrupt)
• etc…
• Hints:
• We will need a global variable in the kernel
• Increment it when the event occurs
• Print the value in the system call!
Assignment #1
• Purpose:
• Get a bit familiar with the kernel code
• Understand thread-state transitions through real execution scenarios
• Add a system call for specifying a process or thread ID
• (You can see these IDs in Process Explorer, which is provided in your VM)
• Track thread state changes in the kernel code
• Print out transitions in the debug window
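The event-counter hints and Assignment #1 above share one kernel-side pattern: a global variable, an increment (or a comparison) at the event site, and a syscall that sets or reports it. The following is an added example, not code from the slides or from the WRK, written so it compiles and runs on a host compiler; MyCountEvent, MyReadEventCount, MyTrackedThreadId, NtMyTrackThread and MyLogStateChange are assumed names, the C11 atomic stands in for InterlockedIncrement and printf for DbgPrint, and the state names follow the order of the WRK's KTHREAD_STATE enumeration.

```c
/* Added example, not WRK code: host-buildable model of the counter + tracked-thread
 * pattern. MyCountEvent, MyTrackedThreadId, NtMyTrackThread are assumed names; in the
 * kernel use InterlockedIncrement for the atomic and DbgPrint instead of printf. */
#include <stdatomic.h>
#include <stdio.h>
typedef unsigned long ULONG;
typedef long NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

/* Global event counter. Event sites such as KiSwapContext run on every CPU at
 * once, so a plain Count++ (load, add, store) loses increments: make it atomic. */
static atomic_ulong MyEventCount;

ULONG MyCountEvent(void)      /* call at the event site; returns the new count */
{
    return (ULONG)atomic_fetch_add_explicit(&MyEventCount, 1, memory_order_relaxed) + 1;
}

ULONG MyReadEventCount(void)
{
    return (ULONG)atomic_load(&MyEventCount);
}

/* The slides' syscall, now reporting the counter. Arg arrives by value, so no
 * user memory is dereferenced and nothing has to be probed. */
NTSTATUS NtMySysCall(ULONG Arg)
{
    printf("MySysCall: %lu, events so far: %lu\n", Arg, MyReadEventCount());
    return STATUS_SUCCESS;
}

/* Assignment #1: a second syscall selects the thread ID to watch (0 = none). */
static ULONG MyTrackedThreadId;

NTSTATUS NtMyTrackThread(ULONG ThreadId)
{
    MyTrackedThreadId = ThreadId;
    return STATUS_SUCCESS;
}

/* Names in the order of the WRK's KTHREAD_STATE enumeration (9 states). */
static const char *const MyStateName[] = {
    "Initialized", "Ready", "Running", "Standby", "Terminated",
    "Waiting", "Transition", "DeferredReady", "GateWait" };

/* Call wherever the kernel assigns Thread->State (From = old, To = new value).
 * Prints only the tracked thread's transitions; returns 1 when one was printed. */
int MyLogStateChange(ULONG ThreadId, int From, int To)
{
    if (ThreadId == 0 || ThreadId != MyTrackedThreadId || From == To ||
        (unsigned)From >= 9u || (unsigned)To >= 9u)   /* reject out-of-range states */
        return 0;
    printf("Thread %lu: %s -> %s\n", ThreadId, MyStateName[From], MyStateName[To]);
    return 1;
}
```

In the VM the same three pieces go into the kernel sources: the counter and MyCountEvent next to the event site, the tracked-ID check next to the assignments of Thread->State, and the two syscalls through systable.asm and Ntexapi.h exactly as MySysCall was added above.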