1 / 22

Leture1 concepts and tools

Leture1 concepts and tools. 2005 Spring 陈香兰. Foundation Concepts and Terms. Win32 API Services, Functions, and Routines Processes, Threads, and Jobs Virtual memory Kernel Mode vs. User Mode Objects & handles …. Win32 API. REF2 and REF3

xanto
Download Presentation

Leture1 concepts and tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Leture1 concepts and tools 2005 Spring 陈香兰

  2. Foundation Concepts and Terms • Win32 API • Services, Functions, and Routines • Processes, Threads, and Jobs • Virtual memory • Kernel Mode vs. User Mode • Objects & handles • … Understanding the Inside of Windows2000

  3. Win32 API • REF2 and REF3 • We will explain the internal behavior and implementation of key Win32 API functions • functions that cover areas such as processes, threads, memory management, security, I/O, windowing, and graphics • History: Win3.x Understanding the Inside of Windows2000

  4. Services, Functions, and Routines [1,2,3 ] • Win32 API functions • CreatProcess, CreatFile, GetMessage, … • System services (or executive system services) • Native functions in the 2KOS that are callable from user mode • Similar to: system call (int 0x80, int 0x2e) • NtCreateProcess, NtWriteFile Understanding the Inside of Windows2000

  5. Example: NtWriteFile: mov eax, 0x0E ; build 2195 system service ; number for NtWriteFile mov ebx, esp ; point to parameters int 0x2E ; execute system service trap ret 0x2C ; pop parameter of stack and ; return to caller Understanding the Inside of Windows2000

  6. Services, Functions, and Routines [1,2,3] • Kernel support functions (or routines) • Subroutines inside the kernel-mode • ExAllocatePool (for device driver to allocate memory from the 2K system heaps ) • Win32 services • Processes started by the Windows 2000 service control manager Understanding the Inside of Windows2000

  7. Services, Functions, and Routines [1,2,3] • DLL (dynamic-link library) • A set of callable subroutines linked together as a binary file that can be dynamically loaded by applications that use the subroutines • Example: Msvcrt.dll (C运行时库), Kernel32.dll (Win32 API子系统库之一) • Advantages: sharable Understanding the Inside of Windows2000

  8. Understanding the Inside of Windows2000

  9. Processes, Threads, and Jobs [1,2,3,4] • Program VS. Process • A process include ??? Understanding the Inside of Windows2000

  10. Processes, Threads, and Jobs [1,2,3,4] • A 2K Process • A private Virtual address space • An executable program • A list of open handles to various system resources, such as semaphores, communication ports, and files, that are accessible to all threads in the process • A security context • Process id • At least one thread of execution Understanding the Inside of Windows2000

  11. Processes, Threads, and Jobs [1,2,3,4] • A process and its resources Understanding the Inside of Windows2000

  12. Processes, Threads, and Jobs [1,2,3,4] • Thread: the entity within a process that Windows 2000 schedules for execution • Hardware Context • Two stacks • Thread-local-storage • Thread id • … • Threads of the same process share its resources • Shared memory section Context of a thread Understanding the Inside of Windows2000

  13. Virtual memory [1,2,3,4] • Linear 32bit address space = 4GB Understanding the Inside of Windows2000

  14. Virtual memory [1,2,3,4] Understanding the Inside of Windows2000

  15. Virtual memory [1,2,3,4] • Mapping to physical memory Understanding the Inside of Windows2000

  16. Virtual memory [1,2,3,4] • What if physical memory > virtual memory • AWE for 32bit virtual address space • <=64GB • The long-term solution: 64bit Understanding the Inside of Windows2000

  17. Kernel Mode vs. User Mode • 2K uses two processor access modes • Kernel mode and user mode • I386 supports 4 modes • 0Kernel mode • 3User mode • User mode  Kernel mode • Demo Understanding the Inside of Windows2000

  18. Objects & handles • An object is a single, run-time instance of a statically defined object type • An object type comprises a system-defined data type, functions that operate on instances of the data type, and a set of object attributes. • Object attribute, Object methods • Example: process, thread, file, event • Handles: references to an instance of an object Understanding the Inside of Windows2000

  19. Others • Security • supports C2-level security as defined by the U.S. Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD, December 1985) • Registry • A system database • the information required to boot and configure the system, systemwide software settings, the security database, and per-user configuration settings Understanding the Inside of Windows2000

  20. Unicode (16bit) • Two versions of Win32 function: unicode(16bit) and ANSI(8bit) Understanding the Inside of Windows2000

  21. Tools for Viewing Windows 2K Internals • Page 11-16 Understanding the Inside of Windows2000

  22. Thank you! Understanding the Inside of Windows2000

More Related