Department of Computer Science • Information Processing Laboratory
Lecture 4 System Mechanisms (2)
xlanchen@03/18/2005
xlanchen@03/18/2005 Understanding the Inside of Windows2000
Contents
Trap dispatching
The executive object manager
Synchronization
System worker threads
Local procedure calls (LPCs)
Object manager
EXPERIMENT
Exploring the Object Manager
Uniform approach towards:
Object protection (C2 security)
Charging
Object naming
Object retention and garbage collection
Object access (via handles)
Standard object attributes
Standard object methods
Executive Objects
Process
Thread
Memory section
File
Event
Semaphore
Timer
Symbolic link
Object directory
Port
Queues
(registry) key
Executive objects that contain kernel objects
Object Structure
Object properties
The object manager (OM) deletes an object when:
the number of open handles drops to zero
the number of kernel references drops to zero
Object names
Support identification, finding, and sharing
Hierarchical (per-machine) namespace
Symbolic links, e.g. "C:"
Type Objects
Process objects and the process type object
EXPERIMENT
Viewing the Type Objects
Type Object Attributes
Type name
Pool type
Default quota
Access types
Generic access rights mapping
Synchronization
Methods
Object Methods
Open--When an object handle is opened
Close--When an object handle is closed
Delete--Before the object manager deletes an object
Query name--When a thread requests the name of an object, such as a file, that exists in a secondary object domain
Parse--When the object manager is searching for an object name that exists in a secondary object domain
Security--When a process reads or changes the protection of an object, such as a file, that exists in a secondary object domain
Object Handles & Process Handle Table
EXPERIMENT
Viewing Open Handles with Nthandle
Structure of a handle table entry
EXPERIMENT Viewing the Handle Table with the Kernel Debugger
Handles and reference counts
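Added example (written for this edit, not part of the lecture and not Windows source): a small C model of the retention rule on the Object properties slide and of the Open, Close and Delete methods on the Object Methods slide. Every open handle also holds a kernel reference, so the object's name leaves the namespace when its handle count reaches zero, and the object itself is freed only when its reference count reaches zero as well. The structure fields, `MAX_HANDLES`, the `ob_*` function names and the instrumented `event_type` are assumptions constructed for the demo, loosely mirroring the real ObReferenceObject/ObDereferenceObject pairing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define MAX_HANDLES 8          /* constructed: tiny per-process handle table */

typedef struct object object_t;

/* Type object: a constructed subset of the slide's type attributes (name + methods). */
typedef struct {
    const char *type_name;
    void (*open_method)(object_t *);
    void (*close_method)(object_t *);
    void (*delete_method)(object_t *);
    int open_count, close_count, delete_count;  /* instrumentation for the demo only */
} object_type_t;

struct object {
    object_type_t *type;
    char name[32];
    int handle_count;    /* open handles across all processes */
    int pointer_count;   /* kernel references, including one per open handle */
    bool named;          /* still visible in the object namespace? */
};

typedef struct {
    object_t *table[MAX_HANDLES];  /* index -> object, NULL = free slot */
} handle_table_t;

/* Method implementations for the constructed Event type. */
static void on_open(object_t *o)   { o->type->open_count++; }
static void on_close(object_t *o)  { o->type->close_count++; }
static void on_delete(object_t *o) { o->type->delete_count++; }

object_type_t event_type = { "Event", on_open, on_close, on_delete, 0, 0, 0 };

/* Creates a named object; the creator holds the first kernel reference. */
object_t *ob_create_object(object_type_t *type, const char *name) {
    object_t *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->type = type;
    strncpy(o->name, name, sizeof o->name - 1);
    o->named = true;
    o->pointer_count = 1;
    return o;
}

void ob_reference_object(object_t *o) { o->pointer_count++; }

/* Drops one kernel reference; runs the Delete method and frees the object
 * when no references remain.  Returns true if the object was deleted. */
bool ob_dereference_object(object_t *o) {
    if (--o->pointer_count > 0) return false;
    o->type->delete_method(o);
    free(o);
    return true;
}

/* Opens a handle in the given table; returns the handle index or -1 if full. */
int ob_open_handle(handle_table_t *t, object_t *o) {
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (t->table[i] == NULL) {
            t->table[i] = o;
            o->handle_count++;
            o->pointer_count++;        /* every handle also holds a reference */
            o->type->open_method(o);
            return i;
        }
    }
    return -1;
}

/* Closes a handle after validating it; returns true if that close deleted the object. */
bool ob_close_handle(handle_table_t *t, int h) {
    if (h < 0 || h >= MAX_HANDLES || t->table[h] == NULL) return false;
    object_t *o = t->table[h];
    t->table[h] = NULL;
    o->type->close_method(o);
    if (--o->handle_count == 0)
        o->named = false;              /* last handle gone: name leaves the namespace */
    return ob_dereference_object(o);   /* the handle's own reference */
}

int main(void) {
    handle_table_t ht = {{0}};
    object_t *ev = ob_create_object(&event_type, "DemoEvent");
    int h = ob_open_handle(&ht, ev);
    printf("handle %d: handles=%d refs=%d\n", h, ev->handle_count, ev->pointer_count);
    ob_close_handle(&ht, h);
    printf("after close: handles=%d refs=%d named=%d\n",
           ev->handle_count, ev->pointer_count, ev->named);
    printf("deleted by last deref: %d\n", ob_dereference_object(ev));
    return 0;
}
```

Note the order of checks in ob_close_handle: the handle index is range-checked and the slot tested for NULL before it is dereferenced, which is the same validation the real handle table must do, since a bad handle value from user mode must never be turned into a kernel pointer.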
Synchronization
Mutual exclusion
one, and only one, thread can access a particular resource at a time
Critical sections
Kernel Synchronization
Kernel critical sections
For a single processor
Simple operating systems: disable all interrupts
Windows 2000: raise the processor's IRQL
For a multiprocessor
Spinlock
Using a spinlock
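Added example (mine, not from the lecture or from Windows source): a user-mode C model of the two kernel critical-section techniques on the preceding slide, raising IRQL on a single processor and spinning on a lock word on a multiprocessor, combined the way Windows 2000 combines them when a spinlock is acquired. The IRQL values match the real PASSIVE_LEVEL and DISPATCH_LEVEL constants; the thread-local `current_irql`, the `spin_lock_*` names and the pthread-based contention demo are assumptions, and the real kernel busy-waits with PAUSE rather than calling sched_yield.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <pthread.h>
#include <sched.h>

/* IRQL constants as in Windows; the per-processor IRQL is modelled per thread. */
enum { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2 };

typedef struct {
    atomic_flag held;                 /* the test-and-set lock word */
} spinlock_t;

#define SPINLOCK_INIT { ATOMIC_FLAG_INIT }

static _Thread_local int current_irql = PASSIVE_LEVEL;   /* assumption: models KeGetCurrentIrql */

/* Single-processor technique: raising IRQL masks the dispatcher so the
 * holder cannot be preempted.  Returns the previous level for later restore. */
int raise_irql(int new_level) {
    int old = current_irql;
    if (new_level > old) current_irql = new_level;
    return old;
}

void lower_irql(int old_level) { current_irql = old_level; }

int current_irql_level(void) { return current_irql; }

/* Multiprocessor technique: raise IRQL first, then spin until the lock word
 * is free.  This mirrors the KeAcquireSpinLock/KeReleaseSpinLock pairing. */
int spin_lock_acquire(spinlock_t *l) {
    int old = raise_irql(DISPATCH_LEVEL);
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        sched_yield();                /* kernel would busy-wait (PAUSE) here */
    return old;
}

/* Non-blocking variant: true if the lock was taken, false if another holder has it. */
bool spin_lock_try_acquire(spinlock_t *l) {
    return !atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire);
}

void spin_lock_release(spinlock_t *l, int old_irql) {
    atomic_flag_clear_explicit(&l->held, memory_order_release);
    lower_irql(old_irql);
}

/* Contention demo: several threads increment one counter inside the critical section. */
static spinlock_t counter_lock = SPINLOCK_INIT;
static long shared_counter;

struct worker_arg { int iters; };

static void *worker(void *p) {
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        int old = spin_lock_acquire(&counter_lock);
        shared_counter++;             /* the protected critical section */
        spin_lock_release(&counter_lock, old);
    }
    return NULL;
}

/* Returns the final counter value; equals nthreads * iters when the lock is correct. */
long run_contended_increments(int nthreads, int iters) {
    pthread_t th[16];
    struct worker_arg a = { iters };
    if (nthreads > 16) nthreads = 16;
    shared_counter = 0;
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, worker, &a);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    return shared_counter;
}

int main(void) {
    long total = run_contended_increments(4, 20000);
    printf("counter = %ld (expected %d)\n", total, 4 * 20000);
    return total == 4L * 20000 ? 0 : 1;
}
```

The acquire/release memory orders on the lock word are what make the increments inside the critical section visible to the next holder; raising IRQL alone would be enough only on a single processor, which is exactly the distinction the slide draws.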
Executive Synchronization
Dispatcher objects
WaitForSingleObject
WaitForMultipleObjects
A thread in a Win32 application can synchronize with a Win32 process, thread, event, semaphore, mutex, waitable timer, I/O completion port, or file object
Executive resources
Available only to kernel-mode code
Not accessible from the Win32 API
Waiting on a dispatcher object
A thread can synchronize with a dispatcher object by waiting on the object's handle
Selected kernel dispatcher objects
Wait data structures
EXPERIMENT
Looking at Wait Queues
System worker threads
Three types
Delayed worker threads
Critical worker threads
Hypercritical worker threads
EXPERIMENT Listing System Worker Threads
Windows 2000 Global Flags
NtGlobalFlag
Initialize
Gflags.exe
allows you to view and change the system global flags
Local procedure calls (LPCs)
An interprocess communication facility
For high-speed message passing
An internal mechanism available only to Windows 2000 operating system components
EXPERIMENT
Viewing LPC Port Objects
"Internal" IPC between address spaces, e.g.:
Transport for local RPC
Calls to the Win32 subsystem
Variants, by message size n:
n <= 256 bytes: sent inband in the message
n > 256 bytes: via a shared memory section
n > shared memory section: address-to-address copy
Typically client-server
Client connects to the server's well-known LPC port
Server opens a new port and tells the client its address
Use of LPC ports