Common concepts in Windows

0x1 SDK and DDK

SDK (Platform Software Development Kit) is the platform software development kit; it contains the documentation for the API (application programming interface) of the operating system platform being targeted.
DDK (Device Driver Kit) is the driver development kit; as the name implies, it contains the series of development tools for writing drivers for the corresponding operating system. (In current Windows releases the DDK has been superseded by the Windows Driver Kit, WDK.)
When we start developing a program for an operating system, we must first know what type of program it is: user programs and services on the one hand, and device drivers on the other, use different development kits.

0x2 Services, functions and routines

Windows API functions are the publicly documented, callable subroutines (functions), such as CreateProcess(), CreateFile() and so on.
Native system services (or executable system services) are the underlying services of the operating system that are not publicly documented but can be called from user mode. For example, NtCreateProcess is an internal system service; the Windows CreateProcess function calls such a service to create a new process (on Windows Vista and later it actually calls NtCreateUserProcess). (As everyone knows, Windows is closed-source commercial software and many of its internal call relationships are not published, so understanding these native services requires debugging with a debugger or reverse engineering on your own.)
Kernel support functions are subroutines that can only be called from kernel mode (the Ring 0 privilege level). For example, ExAllocatePool is a kernel routine (function); device drivers call this routine to request memory from the Windows system.
A Windows service is a process started by the Windows Service Control Manager (my previous article was about the solution for debugging such service processes).
A DLL (dynamic-link library) is a set of callable routines (functions) in a file that conforms to the executable file format of the Windows platform (the PE structure). It cannot be run on its own in Windows, but an EXE program can load it into its own process memory and call it. We can simply think of it as a binary file that provides ready-made functions for an application (and since it conforms to the PE structure, it is still an "executable file").

0x3 Processes, threads, and jobs

Put simply, a process is the data structure that holds the data of an executable program (the file, which must conform to the executable file format, is first read from disk into memory and then parsed into an in-memory process). It records all the information the program needs to run, such as code instructions and data. It is equivalent to a container, and a container on its own cannot run anything; a special entity is needed to make use of this data structure, and that entity is the thread. The operating system requires that every process has at least one thread, otherwise the memory the process occupies would simply be wasted.
A thread is an entity inside a process, and it is the entity that Windows schedules for execution. Without a thread, a process cannot run its program.
A thread includes the following basic components:
1) the contents of a set of CPU registers representing the processor state;
2) two stacks, one used while the thread executes in kernel mode and one used while it executes in user mode;
3) a private storage area called thread-local storage (TLS), which the various subsystems and runtime DLLs make use of;
4) a unique identifier called the thread ID;
5) sometimes its own security context; multithreaded server applications that impersonate the security context of their clients frequently make use of this.
The first two items are what we usually mean by the thread context. Windows does not use hardware task switching: the register contents of a thread are saved by the kernel (in the trap frame on the thread's kernel stack) when it is switched out, because each thread's register contents differ at the moment of the switch and a suitable structure has to record them. The TSS, whose selector is held in the TR register, is still needed, because when a privilege-level switch occurs the processor reads the kernel-mode stack pointer from it. (If there is no privilege-level switch, the stack is not switched either.)
Fibers let an application schedule its own "threads" of execution without relying on the built-in Windows thread scheduler; they are invisible to the kernel and are implemented in Kernel32.dll. To use fibers, first call the ConvertThreadToFiber function, which turns the currently running thread into a fiber. The resulting fiber can then create new fibers with the CreateFiber function (each fiber can have its own set of fibers). Unlike threads, however, fibers do not start running automatically: you must call the SwitchToFiber function to select a fiber before it runs. The new fiber runs until it exits or until it calls SwitchToFiber to select another fiber to run. In plain terms, scheduling becomes a sequence controlled by the application itself, whereas when you create a thread directly the system's internal scheduling algorithm decides, and application developers do not control which thread runs first.
All the threads within a process share the process's address space. A thread in one process cannot directly access another process's address space unless a shared memory section has been set up, or the first process has the right to open the second process, in which case it can use functions such as ReadProcessMemory and WriteProcessMemory for cross-process memory access and injection.
Each process also has a security identity and a list of open handles; the handles refer to objects such as files, shared memory sections, or synchronization objects such as mutexes and semaphores.
Each process has a security context, stored in an object called an access token. The access token contains the security identity and credentials of the process. By default threads do not have their own access token, but they can be given one. This allows an individual thread to impersonate the security context of another process, including processes on remote Windows systems, without affecting the other threads in the current process.
A virtual address descriptor (VAD) is a data structure the memory manager uses to keep track of the virtual addresses a process is using.
Windows extends the process model with the job object. The main purpose of a job object is to manage and maintain a group of processes as a single unit. A job object allows control over specific properties and allows limits to be imposed on one process or on all processes associated with the job. It also records basic accounting information for all processes associated with the job, including processes that were associated with the job but have already terminated.
Virtual memory translation (on 32-bit Windows without PAE) works like this: the high 10 bits of the virtual address index the page directory (the physical address of the page directory is held in control register CR3); the page directory entry records the physical address of a page table; the middle 10 bits of the virtual address index that page table to find a page table entry, which records the physical address of the page and its attributes; adding the low 12 bits of the virtual address to that page's physical address gives the real physical address. On 64-bit Windows the same idea is extended to four levels (PML4, PDPT, page directory, page table), each indexed by 9 bits, with 8-byte entries. (PS: Chapter 5 of "Operating System Restore Truth" explains this in detail; interested readers can look there.)
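The two-level walk described above, carried out on constructed tables, as an added example that is not part of the original post. The entries use the real 32-bit x86 layout for the bits that matter here (bit 0 present, bit 1 writable, bit 2 user/supervisor, bits 31:12 the 4 KiB-aligned physical address); the table contents and addresses are invented for the demonstration, and the user/supervisor check shows the page-level mechanism behind the Ring 3 / Ring 0 split discussed below.

```powershell
# Added example (not from the original post): a two-level x86 (non-PAE) page walk
# over constructed page tables. Entry layout follows x86 for the bits used here:
# bit 0 = present, bit 1 = writable, bit 2 = user/supervisor, bits 31:12 = the
# 4 KiB-aligned physical address. All addresses below are invented for the demo.
$PRESENT  = 0x1
$WRITABLE = 0x2
$USER     = 0x4

function New-PageEntry([long]$PhysicalAddress, [long]$Flags) {
    ($PhysicalAddress -band 0xFFFFF000) -bor $Flags
}

# "Physical memory": the page directory (what CR3 would point to) and the page
# tables, 1024 entries each, the latter keyed by their physical address.
$pageDirectory = New-Object long[] 1024
$pageTables    = @{}

# PDE 1 covers virtual 0x00400000-0x007FFFFF (user space). Its page table is at
# physical 0x00200000 and maps virtual page 0x00523000 to physical frame 0x00ABC000.
$pageDirectory[1] = New-PageEntry 0x00200000 ($PRESENT -bor $WRITABLE -bor $USER)
$pageTables[[long]0x00200000] = New-Object long[] 1024
$pageTables[[long]0x00200000][0x123] = New-PageEntry 0x00ABC000 ($PRESENT -bor $WRITABLE -bor $USER)

# PDE 0x200 covers virtual 0x80000000-0x803FFFFF (kernel space): supervisor only.
$pageDirectory[0x200] = New-PageEntry 0x00300000 ($PRESENT -bor $WRITABLE)
$pageTables[[long]0x00300000] = New-Object long[] 1024
$pageTables[[long]0x00300000][0] = New-PageEntry 0x00100000 ($PRESENT -bor $WRITABLE)

function Resolve-VirtualAddress {
    param([long]$VirtualAddress, [switch]$KernelMode)
    $pdIndex = [int](($VirtualAddress -shr 22) -band 0x3FF)   # high 10 bits
    $ptIndex = [int](($VirtualAddress -shr 12) -band 0x3FF)   # middle 10 bits
    $offset  = $VirtualAddress -band 0xFFF                    # low 12 bits
    $r = [ordered]@{ Virtual = '0x{0:X8}' -f $VirtualAddress; PDE = $pdIndex; PTE = $ptIndex; Physical = ''; Status = 'ok' }

    $pde = $pageDirectory[$pdIndex]
    if (-not ($pde -band $PRESENT)) { $r.Status = 'page fault: page table not present'; return [pscustomobject]$r }
    if (-not $KernelMode -and -not ($pde -band $USER)) { $r.Status = 'page fault: supervisor page, user-mode access'; return [pscustomobject]$r }

    $pte = $pageTables[[long]($pde -band 0xFFFFF000)][$ptIndex]
    if (-not ($pte -band $PRESENT)) { $r.Status = 'page fault: page not present'; return [pscustomobject]$r }
    if (-not $KernelMode -and -not ($pte -band $USER)) { $r.Status = 'page fault: supervisor page, user-mode access'; return [pscustomobject]$r }

    $r.Physical = '0x{0:X8}' -f (($pte -band 0xFFFFF000) -bor $offset)
    return [pscustomobject]$r
}

@(
    Resolve-VirtualAddress 0x00523ABC               # user page: 0x00ABCABC
    Resolve-VirtualAddress 0x80000010               # kernel page touched from Ring 3: fault
    Resolve-VirtualAddress 0x80000010 -KernelMode   # same page from Ring 0: 0x00100010
    Resolve-VirtualAddress 0x10000000               # nothing mapped: fault
) | Format-Table -AutoSize
```

The walk itself is pure arithmetic on the three address fields; the interesting rows are the two for 0x80000010, which translate to the same frame but fault from user mode because the U/S bit is clear. That bit, not any Windows code, is what stops Ring 3 from reading kernel data.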
Kernel mode and user mode
Kernel mode relies on the privilege levels provided by the processor. The processor offers four privilege levels (0 to 3), but the Windows operating system uses only two of them: what we usually call user mode (Ring 3) and kernel mode (Ring 0). Ring 3 code can access only its own code and data, while Ring 0 code can access any code and data. User mode can raise its privilege level only by going through a "gate" (task switch, call gate, interrupt gate, or trap gate), and a gate only grants entry to specific routines (functions); it does not grant access to kernel data. The core components of Windows run in kernel mode, and Windows does not protect system memory from them: operating system and driver code can freely access the system memory space and can bypass the Windows security mechanisms by accessing objects directly. This is why some APT malware goes to such lengths to get into kernel space. To keep malicious third-party drivers from damaging kernel space, Windows introduced driver signing.
With driver signing, when an unauthorized (unsigned) driver attempts to load, Windows warns the user; on 64-bit Windows since Vista the kernel refuses to load unsigned drivers at all unless test-signing mode is enabled. In addition, a mechanism called Driver Verifier helps device driver writers find errors in their code (such as buffer overflows or memory leaks).
When a user application issues a system service call, it switches from user mode to kernel mode. (This necessarily goes through a "gate": the transition is a hardware mechanism that the software relies on. On modern processors the system call path uses the sysenter/syscall fast system call instructions rather than an interrupt gate, but the principle is the same.)
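Since anything loaded into kernel space can bypass the security mechanisms, the check a practitioner wants is "which loaded drivers are unsigned or signed by someone unexpected". The following is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so every driver image is readable, and relies on Get-AuthenticodeSignature also validating catalog-signed files (the normal case for inbox drivers).

```powershell
# Added example (not from the original post): enumerate running kernel drivers and
# check their Authenticode/catalog signatures. Assumes an elevated Windows
# PowerShell 5.1 / PowerShell 7 session on Windows.
function Get-DriverSignatureReport {
    Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be a plain path, \??\C:\..., \SystemRoot\... or system32\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

            $sig = $null
            if (Test-Path -LiteralPath $path) { $sig = Get-AuthenticodeSignature -LiteralPath $path }
            $status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = $status; Signer = $signer }
        }
}

$report = Get-DriverSignatureReport
# Summary: on a healthy machine essentially everything is 'Valid'.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
# Anything that is not Valid, or not signed by Microsoft, deserves a closer look.
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table Driver, Status, Signer, Path -AutoSize
```

Third-party drivers that went through WHQL carry a Microsoft "Windows Hardware Compatibility Publisher" signature, so the Microsoft filter hides them too; the rows that remain are either unsigned, tampered (HashMismatch) or self-signed, which is exactly the population the signing policy exists to keep out.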

0x4 Related tools

We also want to know the relationship between processes. Each process has its own unique ID. If a process creates a new process, the creating process and the created process have a parent-child relationship. Although they are parent and child, the two processes are otherwise unrelated: the "life and death" of the parent has nothing to do with the child, so when the parent process ends the child process is not closed. Each child process records the ID of its parent, but that ID only records which process started it; the parent it points to may already have been destroyed, and the ID may even have been reused by an unrelated new process.
Demonstration: from a cmd command line, type cmd to create a second cmd window, then view the parent-child relationship in Process Explorer.
In the second cmd, type mspaint to start a Paint process.
Next, close the second cmd window (type exit in it) and observe that its child, mspaint, is not closed.
Next, open Task Manager, find the first cmd in the Applications tab, right-click it and choose End Process Tree. A warning appears; click Yes.
The first cmd window closes, but mspaint is still running. This is because mspaint was a grandchild of that process and the intermediate process had already terminated, so there is no longer any link between the grandparent and the grandchild.
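The same relationships can be rebuilt from the parent PID each process records, and the script can flag the two situations the experiment exposes: a parent that has already exited, and a parent PID that has since been reused by a newer, unrelated process (visible because the "parent" was created after its "child"). The following is an added example, not code from the original post; it assumes PowerShell on Windows and uses only the Win32_Process class.

```powershell
# Added example (not from the original post): rebuild parent/child links from the
# ParentProcessId each process records, and flag orphans and reused parent PIDs.
function Get-ProcessTree {
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byId[[uint32]$p.ParentProcessId]
        $status = if ($p.ProcessId -eq 0) { 'root' }
                  elseif (-not $parent) { 'orphan: parent already exited' }
                  elseif ($parent.CreationDate -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) {
                      'stale PPID: parent PID reused by a newer process'
                  }
                  else { 'ok' }
        [pscustomobject]@{
            Pid     = $p.ProcessId
            Ppid    = $p.ParentProcessId
            Name    = $p.Name
            Parent  = if ($parent) { $parent.Name } else { '' }
            Started = $p.CreationDate
            Status  = $status
        }
    }
}

# Indented view of one subtree, like the tree column in Process Explorer. Only
# links whose parent is genuinely alive and older than the child are followed.
function Show-ProcessTree {
    param([uint32]$RootPid, [object[]]$Tree = (Get-ProcessTree), [int]$Depth = 0)
    $Tree | Where-Object { $_.Pid -eq $RootPid } | ForEach-Object {
        '{0}{1} ({2}) [{3}]' -f ('  ' * $Depth), $_.Name, $_.Pid, $_.Status
    }
    $Tree | Where-Object { $_.Ppid -eq $RootPid -and $_.Pid -ne $RootPid -and $_.Status -eq 'ok' } |
        ForEach-Object { Show-ProcessTree -RootPid $_.Pid -Tree $Tree -Depth ($Depth + 1) }
}

$tree = Get-ProcessTree
$tree | Where-Object Status -ne 'ok' | Format-Table Pid, Ppid, Name, Status -AutoSize
Show-ProcessTree -RootPid $PID -Tree $tree    # the shell this script runs in, and its children
```

Run it after the mspaint experiment above and mspaint shows up with an "orphan" status and the PID of the cmd that is gone. The creation-time comparison matters for incident response: a PPID alone can make a process look like the child of, say, a system service when in fact the original parent died and its PID was handed out again.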
Use Task Manager to view process information
Task Manager provides a quick list of the processes currently running on the system. Each process is named after its image file. Unlike other Windows objects, a process cannot be given a global name. Click Select Columns in the View menu, select the information you want to display, and then switch to the Processes tab to see the details of all processes.
The Applications tab shows only processes that own a visible top-level window on the current desktop of the interactive window station (a desktop is an object, and an application can create additional desktop objects with the CreateDesktop function). The Status column shows whether the thread that owns the window is waiting for Windows messages (Running) or not (Not Responding).
Use Process Explorer to view process details
The most detailed process viewer for Windows is Process Explorer from Sysinternals, which can be downloaded from Microsoft's official site. Download it and double-click to run it; under View you can choose what is displayed.
My configuration shows the process list in the upper half and the handles opened by the selected process in the lower half. Hovering the mouse over a process name shows its description, company name and the full path of its image file. In this view, service processes are shown in pink and the processes owned by the current user in blue.
Kernel mode and user mode
Open Control Panel, click the Administrative Tools item and open Performance Monitor. Select Properties and click the Add button. Set the performance object to "Processor" and click the "% Privileged Time" counter; then hold down the Ctrl key, also select the "% User Time" counter, and click Add.
Back in the main window, move the mouse rapidly and watch the "% Privileged Time" line rise. This shows that the mouse and the graphical part of the windowing system spend a lot of time in interrupt handling in kernel mode (more than in user mode: the window manager and the graphics device drivers run in kernel mode).
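The same two counters can be sampled from a shell instead of read off the graph, which gives numbers that can be compared between runs. The following is an added example, not code from the original post; it assumes PowerShell on an English-language Windows installation, because performance counter paths are localized and the names below are the English ones.

```powershell
# Added example (not from the original post): sample the Privileged/User time split
# of the processor for a few seconds. Counter paths are localized; these are the
# English names. Move the mouse hard during the sample to repeat the experiment.
function Get-CpuModeSplit {
    param([int]$Seconds = 5)
    $paths = '\Processor(_Total)\% Privileged Time', '\Processor(_Total)\% User Time'
    $sets  = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds
    $sets.CounterSamples |
        Group-Object { $_.Path.Split('\')[-1] } |      # "% privileged time" / "% user time"
        ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2)
                Peak    = [math]::Round(($_.Group.CookedValue | Measure-Object -Maximum).Maximum, 2)
            }
        }
}

Get-CpuModeSplit -Seconds 5 | Format-Table -AutoSize
```

Run it once with the machine idle and once while moving the mouse or dragging a window; the privileged-time average rises in the second run while user time barely moves, which is the scripted form of what the graph shows.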

Origin: blog.csdn.net/AlexSmoker/article/details/104282170