Windows 2000 System Mechanisms

Computing Department, Lancaster University, UK

Overview

• Goals
– Introduce the concept of objects and handles
– Look at trap and interrupt dispatching
– Examine software and hardware interrupt processing

Processes, Objects and Handles

Introduction to Objects (1)

• What are objects?
– A single, run-time instance of a statically defined object type
– An object type comprises
• A system-defined data type
• Functions that operate on instances of the data type
• A set of object attributes
– E.g. a process is an instance of the process object type, a file is an instance of the file object type, etc.
• Objects vs. data structures
– The internal structure of an object is hidden!
– Must call an object service to read/write its data

Introduction to Objects (2)

• Objects help accomplish the following tasks:
– Providing human-readable names for resources
– Sharing resources/data among processes
– Protecting resources from unauthorised access
– Reference tracking (to de-allocate unused objects)
• Data that needs to be shared, protected, named or visible to user-mode programs is placed in objects
• Handles are references to an instance of an object
• The Object Manager is responsible for creating, deleting, protecting and tracking objects

Objects and Handles (1)

• Three types of Win32 objects (and therefore of handles)
– Win32 “kernel objects” (events, mutexes, files, processes, threads)
• Objects managed by the Object Manager
• Handle values are private to each process
– Win32 “GDI objects” (pens, brushes, fonts)
• Managed by the Win32 subsystem
• Handle values are private to each process (a GDI handle created in one process cannot be used from another)
– Win32 “User objects” (windows, menus)
• Objects managed by the Win32 subsystem
• Handle values are valid system-wide (e.g. a window handle can be passed to and used by another process)

Objects and Handles (2)

• Many Win32 APIs take arguments that are handles to system-defined data structures, or “objects”
– The app calls CreateXxx, which creates an object and returns a handle to it
– The app then uses the handle value in API calls that operate on that object
• Referencing an object by handle is faster (avoids name lookup)
• Processes can also inherit handles
• An object handle is an index into a process-specific handle table

Handles, Pointers and Objects

• A handle to a kernel object is an index into the process handle table (invalid in other processes)
• The handle table entry contains the system-space address of the object’s data structure
• Although the handle table is per-process, it actually lives in system address space (hence protected)

[Figure: Process A and Process B each own a handle table located in system space; a handle is an index into the owning process’s table, and the table entry holds the pointer to an Event Object (HandleCount = 1, ReferenceCount = 1)]

Handles and Reference Counts

[Figure: after a DuplicateHandle call, the handle tables of Process A and Process B both point at the same Event Object, now HandleCount = 2, ReferenceCount = 3; the third reference comes from another kernel structure that holds a pointer to the object without a handle. A second Event Object reached through a single handle shows HandleCount = 1, ReferenceCount = 1]

Handles and Security

• Process handle table
– Unique for each process
– In system address space, hence cannot be modified from user mode (therefore, trusted)
• Security checks are made when the handle table entry is created
– When CreateXxx (or OpenXxx) is called
– The handle table entry records the “validated” access rights to the object
• Read, Write, Delete
– Later operations through the handle are checked only against the rights recorded in the entry; the object’s security descriptor is not re-evaluated, so an open handle keeps its rights even if the object’s DACL is tightened afterwards

Looking at Open Handles

• HandleEx available from www.sysinternals.com (its functionality has since been folded into Process Explorer from the same site)

Object Manager

• Executive component for managing system-defined “objects”
– Objects are data structures with optional names
– The object manager implements user-mode handles and the process handle table
• Object manager functionality:
– Provides a uniform naming, sharing and protection scheme
• Simplifies C2 security – centralises object protection
– Maintains counts of handles/references to each object
• An object cannot be freed until all handles/references are gone
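The mechanism described on the last six slides, as an added example in C that is not code from these slides or from Windows: a per-process handle table that lives outside the process’s reach, an entry that stores the object pointer together with the access rights validated when the entry was created, a HandleCount and ReferenceCount on the object, duplication into a second process, a kernel-internal reference that keeps the object alive after every handle is closed, and a use-time check that consults only the entry’s recorded rights. The names (Object, HandleEntry, Process, the ob_* functions), the two-bit access mask and the scenario in run_scenario are assumptions made for illustration.

```c
/* Toy model of the object manager's per-process handle tables and reference
 * counts. Added example, not code from the slides or from Windows: the names
 * (Object, HandleEntry, ob_*) and the two-bit access mask are simplifications. */
#include <stdbool.h>
#include <stdlib.h>

#define MAX_HANDLES  8
#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u

typedef struct {               /* object header + body; lives in system space */
    unsigned allowed;          /* stand-in for the DACL: rights a caller may be granted */
    unsigned handle_count;     /* open handles, across all processes */
    unsigned reference_count;  /* handles plus kernel-internal pointer references */
    bool     signalled;        /* the event object's body */
} Object;
typedef struct { Object *obj; unsigned granted; } HandleEntry; /* pointer + validated rights */
typedef struct { HandleEntry table[MAX_HANDLES]; } Process;    /* per process, in system space */
static int objects_freed;      /* lets the scenario report when an object went away */

static HandleEntry *lookup(Process *p, int h) {
    return (h >= 0 && h < MAX_HANDLES && p->table[h].obj) ? &p->table[h] : NULL;
}
/* The access check happens here, once, when the table entry is created. */
static int insert_handle(Process *p, Object *obj, unsigned desired) {
    if (desired & ~obj->allowed) return -1;           /* access denied: no entry is made */
    for (int h = 0; h < MAX_HANDLES; h++) {
        if (p->table[h].obj) continue;
        p->table[h] = (HandleEntry){ obj, desired };  /* granted rights live in the entry */
        obj->handle_count++;
        obj->reference_count++;                       /* every handle is also a reference */
        return h;                                     /* the handle is an index into this table */
    }
    return -1;                                        /* table full */
}

int ob_create_event(Process *p, unsigned allowed, unsigned desired) {
    Object *obj = calloc(1, sizeof *obj);
    if (!obj) return -1;
    obj->allowed = allowed;
    int h = insert_handle(p, obj, desired);
    if (h < 0) free(obj);
    return h;
}
/* DuplicateHandle: a new entry in another process's table, with its own rights check. */
int ob_duplicate_handle(Process *src, int h, Process *dst, unsigned desired) {
    HandleEntry *e = lookup(src, h);
    return e ? insert_handle(dst, e->obj, desired) : -1;
}
/* Kernel components hold pointer references that are not handles. */
void ob_reference(Object *obj) { obj->reference_count++; }
void ob_dereference(Object *obj) {
    if (--obj->reference_count == 0) { free(obj); objects_freed++; }  /* freed only at zero */
}

/* Using a handle checks only the rights recorded at open time; the DACL is not re-read. */
bool ob_set_event(Process *p, int h) {
    HandleEntry *e = lookup(p, h);
    if (!e || !(e->granted & ACCESS_WRITE)) return false;
    e->obj->signalled = true;
    return true;
}

void ob_close(Process *p, int h) {
    HandleEntry *e = lookup(p, h);
    if (!e) return;
    Object *obj = e->obj;
    e->obj = NULL;
    obj->handle_count--;
    ob_dereference(obj);
}

typedef struct {
    bool     a_write_ok, b_write_denied, foreign_index_invalid;
    unsigned hc_after_dup, rc_after_dup, rc_after_closes;
    int      freed_before_deref, freed_after_deref;
} Scenario;

/* Replays the slides' figure: A creates an event, duplicates it into B, a kernel
 * structure takes a reference, then the handles are closed one by one. */
Scenario run_scenario(void) {
    Scenario s = {0};
    Process a = {0}, b = {0};
    objects_freed = 0;
    int ha = ob_create_event(&a, ACCESS_READ | ACCESS_WRITE, ACCESS_READ | ACCESS_WRITE);
    Object *obj = a.table[ha].obj;
    int ha2 = ob_create_event(&a, ACCESS_WRITE, ACCESS_WRITE);  /* index 1, exists in A only */
    s.foreign_index_invalid = !ob_set_event(&b, ha2);     /* A's index means nothing in B */
    ob_close(&a, ha2);                                    /* its only handle: freed, count 1 */
    int hb = ob_duplicate_handle(&a, ha, &b, ACCESS_READ); /* read-only copy for process B */
    ob_reference(obj);                                    /* the figure's "Other Structure" */
    s.hc_after_dup = obj->handle_count;                   /* 2 */
    s.rc_after_dup = obj->reference_count;                /* 3 */
    s.a_write_ok = ob_set_event(&a, ha);
    s.b_write_denied = !ob_set_event(&b, hb);             /* B's entry lacks WRITE */
    ob_close(&a, ha);
    ob_close(&b, hb);
    s.rc_after_closes = obj->reference_count;             /* 1: the kernel reference keeps it alive */
    s.freed_before_deref = objects_freed;                 /* still 1 */
    ob_dereference(obj);                                  /* last reference gone */
    s.freed_after_deref = objects_freed;                  /* 2 */
    return s;
}
```

Two details carry the security argument. The handle tables are ordinary structs here, but nothing in the “user-mode” API (ob_set_event, ob_close) ever takes a pointer from the caller: it takes an index and dereferences it through the caller’s own table, which is why an index copied from another process resolves to nothing. And the access mask in the entry is decided exactly once, in insert_handle; ob_set_event never looks at obj->allowed again.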

WinObj

• WinObj available from www.sysinternals.com

Kernel Mode Programming Environment

Invoking Kernel-Mode Routines

• Code is run in kernel mode for one of three reasons:
– Requests from user mode
• Via the system service dispatch mechanism
– Interrupts from external devices
• Interrupts are handled in kernel mode
• The Windows 2000 interrupt dispatcher invokes the interrupt service routine (ISR)
– Dedicated kernel-mode threads
• Some threads in the system stay in kernel mode at all times (mostly in the “System” process)

Trap Dispatching

• Interrupts and exceptions divert the processor to code outside the normal flow of control
• Can be detected by hardware or software
• Trap
– Mechanism for catching an executing thread
– Transfers control to a fixed location in the OS
• Windows 2000
– The processor transfers control to a trap handler “front-end”
• Which then transfers control to other functions to field the trap
• E.g. a device interrupt – transfers control to the ISR provided by the device driver

Trap Dispatching (2)

[Figure: the trap handlers route each kind of trap to its handler]
– Interrupt → interrupt service routines
– System service call → system services
– Hardware/software exceptions → exception dispatcher → exception handlers
– Virtual address exceptions → virtual memory manager’s pager

Interrupts and Exceptions

• Interrupt
– Asynchronous (can occur at any time)
– Generated by I/O devices, processor clocks, timers etc.
• Exception
– Synchronous
– Results from execution of a particular instruction
– Examples
• Memory access violation, divide by zero
• Both can be generated by hardware & software
– Exceptions: bus error, divide-by-zero
– Interrupts: I/O device, software interrupts (DPCs)
• When an interrupt/exception is generated
– The processor records enough state to return to the current point and continue execution later

Interrupt Dispatching (1)

• Interrupts allow the OS to maximise CPU usage
– A thread starting an I/O transfer to/from a device
• Can continue useful work whilst the device completes the transfer
• The device interrupts the processor when it needs service
• Mice, printers, keyboards and disk drives are all typically interrupt driven
• Device drivers supply ISRs to service device interrupts
• The kernel provides interrupt handling for other types

Interrupt Dispatching (2)

[Figure: an interrupt arrives while user- or kernel-mode code is running; the kernel’s interrupt dispatch routine and the driver’s interrupt service routine then run in kernel mode]

Interrupt dispatch routine:
– Disable interrupts
– Record machine state to allow resume
– Mask equal- and lower-IRQL interrupts
– Find and call the appropriate ISR
– Dismiss the interrupt
– Restore machine state (including mode and enabled interrupts)

Interrupt service routine:
– Tell the device to stop interrupting
– Interrogate device state, start the next operation on the device
– Request a DPC
– Return to caller

Interrupt Precedence via IRQLs

• Windows 2000 has its own interrupt priority scheme
– IRQL = Interrupt Request Level (0 to 31)
• Different interrupt sources have different IRQLs (not equal to IRQs!)
• Interrupts are serviced in priority order
– A high-priority interrupt pre-empts a lower-priority interrupt
• Servicing an interrupt raises the processor IRQL to that interrupt’s IRQL
– Masks off subsequent interrupts at equal/lower IRQLs

[Figure: IRQL levels on x86]
31  High
30  Power fail
29  Inter-processor interrupt
28  Clock
...  Device n
...  Device 1
 2  Dispatch/DPC
 1  APC
 0  Passive
Levels 3 to 31 are hardware interrupts, levels 1 and 2 are software interrupts, and normal thread execution runs at passive level (0)

Software Interrupts

• Windows 2000 can also generate interrupts itself!
• Whilst code is running at an elevated IRQL, nothing else can execute on the same CPU at that or any lower IRQL
– Potentially makes the system less responsive to time-critical events
– Windows 2000 avoids this situation by executing as much code as it can at the lowest possible IRQL
• Deferred Procedure Calls (DPCs)
– Used to defer processing from a higher (device) interrupt level to a lower (dispatch) level
– A DPC is used to schedule non-immediate work, e.g.
• I/O drivers queue DPCs to complete I/O
– Queued DPCs are serviced, at dispatch level, once the IRQL drops back to dispatch level or below

Hardware Interrupt Processing (x86)

• The device raises an interrupt on the interrupt controller
• The interrupt controller in turn interrupts the CPU on a single line
• The CPU queries the interrupt controller for the IRQ (interrupt request)
• Assume the current IRQL is lower than the IRQL that IRQ maps to (otherwise the interrupt stays masked until the IRQL drops)
• Trap handler called
• The trap handler saves context (including the current IRQL), disables interrupts and enters the interrupt dispatcher

Hardware Interrupt Processing (x86) (2)

• The interrupt dispatcher raises the current IRQL to the new IRQL and re-enables interrupts
• The IRQ is mapped to an interrupt number in the Interrupt Dispatch Table (IDT; on x86 this is the processor’s Interrupt Descriptor Table)
– The IDT is used to transfer control to the appropriate interrupt dispatch routine
– The IDT lists pointers to kernel routines for each interrupt
• The appropriate interrupt routine (the driver’s ISR) is called
• On exit from the interrupt routine, the IRQL is returned to its value prior to the interrupt and the saved context is reloaded
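The dispatch sequence on the IRQL, software interrupt and hardware interrupt processing slides above, as an added example in C that is not code from these slides or from Windows: a single-CPU toy model with a current IRQL, a set of arrived-but-masked interrupts, ISRs that request DPCs, and a DPC queue drained at dispatch level on the way back down. The IRQL numbers are taken from the x86 table above; the scenario (a device at IRQL 5 interrupting a passive-level thread while the clock at 28 and a second device at 4 arrive during its ISR) is constructed, and the names raise_interrupt, lower_irql, arrive_during and run_scenario are assumptions.

```c
/* Toy model of Windows 2000 IRQL-based interrupt dispatching. Added example, not
 * code from the slides or from Windows. Level numbers follow the x86 IRQL table:
 * 0 passive, 1 APC, 2 dispatch/DPC, 3..27 devices, 28 clock, 31 high. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASSIVE_LEVEL  0
#define DISPATCH_LEVEL 2
#define CLOCK_LEVEL    28
#define HIGH_LEVEL     31
#define NLEVELS        32
#define MAX_DPCS       16

static int  cur_irql;
static bool pending[NLEVELS];            /* arrived while masked (IRQL was >= theirs) */
static int  dpc_queue[MAX_DPCS], dpc_head, dpc_tail;
static int  arrive_during[NLEVELS][2];   /* constructed: interrupts that hit mid-ISR */
static char trace[256];                  /* "what<source>@<irql it ran at>;" records */

static void log_event(const char *what, int src) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s%d@%d;", what, src, cur_irql);
    strncat(trace, buf, sizeof trace - strlen(trace) - 1);
}

void raise_interrupt(int level);

/* ISR: runs with the IRQL raised to the device's level, does the minimum and
 * requests a DPC so the bulk of the work happens at DISPATCH_LEVEL. */
static void isr(int level) {
    log_event("isr", level);
    for (int i = 0; i < 2; i++) {        /* simulate interrupts arriving mid-ISR */
        int a = arrive_during[level][i];
        if (a >= 0) { arrive_during[level][i] = -1; raise_interrupt(a); }
    }
    if (dpc_tail < MAX_DPCS) dpc_queue[dpc_tail++] = level;  /* request a DPC */
    pending[DISPATCH_LEVEL] = true;      /* i.e. a software interrupt at level 2 */
}

static void drain_dpcs(void) {           /* runs at DISPATCH_LEVEL, FIFO */
    while (dpc_head < dpc_tail) log_event("dpc", dpc_queue[dpc_head++]);
}

/* Lower the IRQL; on the way down service everything that was masked, highest first. */
static void lower_irql(int new_irql) {
    for (;;) {
        int l = HIGH_LEVEL;
        while (l > new_irql && !pending[l]) l--;
        if (l <= new_irql) break;
        pending[l] = false;
        cur_irql = l;
        if (l == DISPATCH_LEVEL) drain_dpcs(); else isr(l);
    }
    cur_irql = new_irql;
}

/* Entry point for a hardware or software interrupt at 'level'. */
void raise_interrupt(int level) {
    if (level <= cur_irql) {             /* equal/lower IRQL: stays masked for now */
        pending[level] = true;
        log_event("masked", level);
        return;
    }
    int saved = cur_irql;                /* trap handler saves context, incl. IRQL */
    cur_irql = level;                    /* dispatcher raises IRQL to the interrupt's */
    isr(level);
    lower_irql(saved);                   /* dismiss; return IRQL to its prior value */
}

void reset_cpu(void) {
    cur_irql = PASSIVE_LEVEL;
    memset(pending, 0, sizeof pending);
    dpc_head = dpc_tail = 0;
    trace[0] = '\0';
    for (int l = 0; l < NLEVELS; l++) arrive_during[l][0] = arrive_during[l][1] = -1;
}

int current_irql(void) { return cur_irql; }

/* Scenario: a device at IRQL 5 interrupts a passive-level thread; while its ISR
 * runs, the clock (28) and a lower-priority device (4) interrupt. */
const char *run_scenario(void) {
    reset_cpu();
    arrive_during[5][0] = CLOCK_LEVEL;
    arrive_during[5][1] = 4;
    raise_interrupt(5);
    return trace;
}

int main(void) {
    puts(run_scenario());
    return 0;
}
```

The trace shows the three rules from the slides in one run: the clock interrupt (28) pre-empts the device ISR running at 5, the device at 4 is masked until the IRQL is lowered past it, and all three DPCs run together at level 2, after every device-level ISR has finished and before the thread returns to passive level.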