Windows Driver Development Study Notes (7): Synchronization, Multi-core, and Kernel Reload

Foreword

  1. Learned from the intermediate course of 滴水编程达人; official site: https://bcdaren.com
  2. Teacher Haidong rocks!

Basics

Concurrency and Synchronization

Concurrency: multiple threads executing at the same time

  • Single core: threads run time-sliced, so they do not truly execute simultaneously
  • Multi-core: at a given moment, several threads really are executing at once

Synchronization: making sure that threads which execute concurrently still run in the intended order

Example :

DWORD dwVal = 0;	//global variable

A thread code :

dwVal++;	//only one line; is it safe?

Corresponding assembly code :

mov eax, [0x12345678]
add eax, 1				/*Suppose a thread switch happens right after this line executes,
						 *and the other thread runs all three lines in its time slice,
						 *so [0x12345678] now holds 4.
						 *When the switch comes back to the original thread and it
						 *executes the third line, [0x12345678] should hold 5.
						 *But at the moment of the first switch eax held 4,
						 *so after the original thread runs the third line, [0x12345678] still holds 4.
						 */
mov [0x12345678], eax

Solution: the LOCK prefix

Change
add eax, 1
into
LOCK add eax, 1

Reference: kernel32.InterlockedIncrement

Analysis of InterlockedIncrement

[Figure: disassembly of InterlockedIncrement (image not preserved)]

Atomic operation related API

InterlockedIncrement		InterlockedExchangeAdd
InterlockedDecrement		InterlockedFlushSList		
InterlockedExchange			InterlockedPopEntrySList
InterlockedCompareExchange	InterlockedPushEntrySList
...

Thinking: how do you make several lines of code atomic?

Critical code A	//N lines that must execute atomically
Critical code B	//is adding LOCK to each one enough?
Critical code C
...

Kernel file

Description: within the same operating system, the kernel file (ntoskrnl.exe) for single-core mode and for multi-core mode differs slightly

Multi-core synchronization

Critical section

Description: only one thread is allowed inside until it leaves

Example 1: a wrong critical section

//a critical section is implemented with a lock
//lock: a global variable, incremented on entry and decremented on exit
DWORD dwFlag = 0;

if( dwFlag == 0)	//enter the critical section
{
	dwFlag = 1;		//mark the critical section as occupied
	...
	dwFlag = 0;		//leave the critical section
}

Thoughts: where is the problem in the code above?
Answer: when the first thread has entered the if but has not yet executed dwFlag = 1, a thread switch occurs, and the second thread can still enter the if

Example 2: a correct critical section

Global variable:

Flag = 0;

Entering the critical section:

Lab:
	mov eax,1
	//on multi-core the lock prefix is mandatory
	lock xadd [Flag],eax
	cmp eax,0
	jz endLab
	lock dec [Flag]		//undo our increment; on multi-core this also needs lock
	//thread waits: Sleep..
	jmp Lab
endLab:
	ret

Leaving the critical section:

lock dec [Flag]
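As an added example (not code from the original post or the course it follows), the three pieces above written in C with the GCC/Clang __atomic builtins, which emit lock-prefixed instructions on x86: the non-atomic three-step increment, a single-thread replay of the interleaving described in the assembly comment, the atomic increment that LOCK/InterlockedIncrement provides, and the xadd-based enter/leave of Example 2. The names g_dwVal, g_Flag, unsafe_increment, replay_lost_update, atomic_increment, cs_try_enter, cs_enter and cs_leave are my own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed globals standing in for the post's dwVal and Flag. */
volatile int32_t g_dwVal = 0;
volatile int32_t g_Flag  = 0;

/* The three-instruction sequence the post disassembles for dwVal++:
 * load, add, store. A thread switch between the load and the store
 * lets another thread's update be overwritten. */
int32_t unsafe_increment(volatile int32_t *p)
{
    int32_t eax = *p;   /* mov eax, [addr] */
    eax = eax + 1;      /* add eax, 1      */
    *p = eax;           /* mov [addr], eax */
    return eax;
}

/* Replays, on one thread, the interleaving described in the post's comment:
 * thread A loads the value, thread B runs the whole increment, then A finishes
 * with its stale register. Starting from 3, two increments leave 4, not 5. */
int32_t replay_lost_update(int32_t start)
{
    volatile int32_t shared = start;
    int32_t eax_A = shared;        /* A: mov eax, [addr]                 */
    unsafe_increment(&shared);     /* B: all three lines, shared becomes 4 */
    eax_A = eax_A + 1;             /* A: add eax, 1                      */
    shared = eax_A;                /* A: mov [addr], eax  (B's update lost) */
    return shared;
}

/* What "lock add" / InterlockedIncrement gives you: the read-modify-write is
 * a single bus-locked instruction, so there is no window for another core. */
int32_t atomic_increment(volatile int32_t *p)
{
    return __atomic_add_fetch(p, 1, __ATOMIC_SEQ_CST);
}

/* One attempt to enter the critical section, like the post's Lab:
 * "lock xadd [Flag], eax" with eax = 1 returns the old value. 0 means we now
 * own the section; anything else means someone is inside, so undo our
 * increment (locked, since other cores may be doing the same) and fail. */
bool cs_try_enter(volatile int32_t *flag)
{
    int32_t old = __atomic_fetch_add(flag, 1, __ATOMIC_ACQUIRE);  /* lock xadd */
    if (old == 0)
        return true;
    __atomic_fetch_sub(flag, 1, __ATOMIC_RELAXED);                 /* lock dec  */
    return false;
}

/* The retry loop ("jmp Lab"). A real implementation would Sleep or yield here. */
void cs_enter(volatile int32_t *flag)
{
    while (!cs_try_enter(flag)) {
        /* spin */
    }
}

/* Leaving: "lock dec [Flag]". Release ordering publishes our writes first. */
void cs_leave(volatile int32_t *flag)
{
    __atomic_fetch_sub(flag, 1, __ATOMIC_RELEASE);
}
```

cs_try_enter is the part worth studying: because xadd both reads and writes in one locked instruction, two cores that race for a free Flag see old values 0 and 1 respectively, so exactly one of them wins; the check-then-set of Example 1 has no such guarantee.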

Spin locks

Description:

  1. Spin locks are only meaningful on multi-core
  2. Spin locks, like critical sections, events and mutexes, are synchronization mechanisms that can put the current thread into a waiting state; the difference is that a spin lock does not switch threads

Reference: KeAcquireSpinLockAtDpcLevel

Analysis of KeAcquireSpinLockAtDpcLevel

[Figure: disassembly of KeAcquireSpinLockAtDpcLevel (image not preserved)]

Think

  1. How do you hook a kernel function that is under heavy concurrent use?
    Description: functions such as memcpy write memory byte by byte. If the hook is a five-byte long jump and, while it is being written, some thread happens to be executing exactly at that instruction, errors are inevitable, up to a blue screen
    Answer:

    1. First build the long jump (five bytes) in unused memory nearby, then write a short jump (two bytes, written in a single operation) at the hook point that jumps to the long jump
    2. Use the cmpxchg8b instruction, which can write up to eight bytes in one operation
  2. If several instructions have to be covered (for example five push instructions), how do you make sure no thread is executing within that range while the hook is written, which would cause an error?
    Answer:

    1. Still a short jump
    2. Try to avoid hooking in such regions
  3. Can multi-core hooking be done with a critical section or a spin lock?
    Answer: No, because a lock only works if the other threads also use the same lock; otherwise the lock is meaningless

Kernel reload

Description:

  1. Many kernel functions are hooked layer upon layer; reloading a copy of the kernel can bypass these hooks
  2. Kernel reload works the same way as mapping a PE file; there is essentially no difference
  3. The kernel file that gets reloaded is Ntkrnlpa.exe

Steps:

  1. Allocate memory and expand the image according to its memory alignment
  2. Fix the global variables according to the relocation table
  3. Fix the IAT (calling this "fixing the import table" is not accurate)
  4. Build a copy of the system service table
  5. Swap the original for the copy (hook KiFastCallEntry)
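As an added example that is not from the post or from any project it mentions: step 2 of the list above, applying the PE base relocation table to a mapped copy, written in C against a constructed miniature image rather than a real kernel. The IMAGE_BASE_RELOCATION layout and the entry types are from the PE format; the names apply_relocations, demo_relocate and demo_truncated_block, the sample addresses and the sample .reloc block are my own. The other steps (IAT, service table, KiFastCallEntry) are not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Relocation entry types from the PE spec (winnt.h names). */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, skipped */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address (x86 kernels such as ntkrnlpa.exe) */
#define IMAGE_REL_BASED_DIR64   10   /* 64-bit absolute address (x64 images) */

/* IMAGE_BASE_RELOCATION: one header per 4 KB page, followed by 16-bit entries
 * (top 4 bits = type, low 12 bits = offset within the page). */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t SizeOfBlock;
} RelocBlockHeader;

/* Walk the .reloc directory and add `delta` (new base - preferred ImageBase)
 * to every absolute address in the in-memory copy. `image` is laid out so
 * that RVA == offset. Returns the number of entries patched, or -1 when a
 * block or a target lies outside its buffer (malformed data is not trusted).
 * Assumes a little-endian host, as x86 is. */
int apply_relocations(uint8_t *image, size_t image_size,
                      const uint8_t *reloc, size_t reloc_size, int64_t delta)
{
    int applied = 0;
    size_t pos = 0;
    while (pos + sizeof(RelocBlockHeader) <= reloc_size) {
        RelocBlockHeader hdr;
        memcpy(&hdr, reloc + pos, sizeof hdr);
        if (hdr.SizeOfBlock < sizeof hdr || hdr.SizeOfBlock > reloc_size - pos)
            return -1;                                /* truncated or oversized block */
        size_t nentries = (hdr.SizeOfBlock - sizeof hdr) / sizeof(uint16_t);
        for (size_t i = 0; i < nentries; i++) {
            uint16_t entry;
            memcpy(&entry, reloc + pos + sizeof hdr + i * sizeof entry, sizeof entry);
            unsigned type = entry >> 12;
            size_t rva = hdr.VirtualAddress + (entry & 0x0FFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE)
                continue;
            if (type == IMAGE_REL_BASED_HIGHLOW) {
                uint32_t v;
                if (rva + sizeof v > image_size) return -1;
                memcpy(&v, image + rva, sizeof v);
                v += (uint32_t)delta;                 /* wraps correctly for negative delta */
                memcpy(image + rva, &v, sizeof v);
            } else if (type == IMAGE_REL_BASED_DIR64) {
                uint64_t v;
                if (rva + sizeof v > image_size) return -1;
                memcpy(&v, image + rva, sizeof v);
                v += (uint64_t)delta;
                memcpy(image + rva, &v, sizeof v);
            } else {
                return -1;                            /* type this loader does not handle */
            }
            applied++;
        }
        pos += hdr.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample (not a real kernel): preferred base 0x10000000, two
 * absolute pointers at RVA 0x100 and 0x104 pointing at RVA 0x200 and 0x300,
 * and a one-block .reloc directory describing them. Returns the pointer at
 * RVA 0x100 after relocating the copy to `new_base`, or 0 on failure. */
uint32_t demo_relocate(uint32_t new_base)
{
    const uint32_t preferred = 0x10000000u;
    uint8_t image[0x400] = {0};
    uint32_t p0 = preferred + 0x200, p1 = preferred + 0x300;
    memcpy(image + 0x100, &p0, sizeof p0);
    memcpy(image + 0x104, &p1, sizeof p1);

    uint8_t reloc[12];
    RelocBlockHeader hdr = { 0x0000, sizeof reloc };
    uint16_t entries[2] = { (IMAGE_REL_BASED_HIGHLOW << 12) | 0x100,
                            (IMAGE_REL_BASED_HIGHLOW << 12) | 0x104 };
    memcpy(reloc, &hdr, sizeof hdr);
    memcpy(reloc + sizeof hdr, entries, sizeof entries);

    int n = apply_relocations(image, sizeof image, reloc, sizeof reloc,
                              (int64_t)new_base - (int64_t)preferred);
    if (n != 2) return 0;
    uint32_t out;
    memcpy(&out, image + 0x100, sizeof out);
    return out;
}

/* A block header claiming more bytes than the directory holds must be rejected,
 * not walked past the end of the buffer. */
int demo_truncated_block(void)
{
    uint8_t image[0x400] = {0};
    RelocBlockHeader hdr = { 0x0000, 0x200 };         /* lies about its size */
    uint8_t reloc[sizeof hdr];
    memcpy(reloc, &hdr, sizeof hdr);
    return apply_relocations(image, sizeof image, reloc, sizeof reloc, 0x1000);
}
```

The bounds checks are the point for a kernel-mode loader: the relocation directory and the image copy come from a file on disk, and an out-of-range block or target here would be a kernel memory write, so the walk is bounded by the directory size rather than by a zero terminator.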

Exercise

Description: implement kernel reload in code
Answer: omitted (to be added)


Source: blog.csdn.net/qq_41988448/article/details/103585673