Every day we use Windows to study, program, listen to music and play games, and we are all skilled at operating it, but how much do you really know about Windows? The purpose of this series is to give you a more intuitive, clearer and more thorough understanding of the Windows system. Most of us will never see the Windows source code, and the deepest internals such as its memory scheduling algorithms cannot be peeked at, but we can do far more than you might think. Once you understand these internals you will find that development on Windows becomes a well-lit road, and any Trojan or virus that lands on your machine is nothing more than a specimen for you to examine.
Since the Windows 9x kernel has been retired, it is not discussed here. The focus is Windows 2000 (Windows 5.0), especially 2000 itself; keep in mind that XP is Windows 5.1 and 2003 is version 5.2. So whenever this series speaks of Windows OS technology, it means Windows 5.x technology.
I. An intuitive understanding of Windows
When analyzing a piece of software, the easiest way to get a handle on it is to first figure out what it actually does. So let's start with an intuitive picture of the Windows operating system you are using. On your Windows 2000 or Windows XP machine, look in the WinNT\System32 or Windows\System32 directory (the system directory) and find the following files: Hal.dll, Ntoskrnl.exe, NTDLL.DLL, KERNEL32.DLL, GDI32.DLL, USER32.DLL. These files are the heart of the Windows system; as long as you are operating Windows through its graphical interface, they are definitely in play. It is worth noting that the Windows graphical interface is implemented inside the kernel (now you know why Linux's graphical interface is not as smooth as Windows').
The functions of these files are as follows:
HAL.DLL: Hardware Abstraction Layer. Windows 2000 is a software system like any other, and just as the projects we normally work on need development goals, so did Windows 2000. One of its goals was portability across a variety of hardware platforms (Windows 2000 supports single-processor machines, multiprocessor machines and the Compaq SystemPro), so different hardware platforms get different hardware abstraction layers. On the standard PC we usually use this file is Hal.dll (a Compaq SystemPro gets its own); the Windows installation disc carries the HAL for each supported platform and copies only the one matching the computer's platform type during installation. The HAL is a loadable kernel-mode module (a DLL) that provides the low-level interface to the hardware platform Windows is running on. It hides hardware-specific details such as I/O interfaces, interrupt controllers and multiprocessor communication mechanisms, everything tied to a particular hardware architecture, and exposes a uniform set of hardware interface functions to the operating system kernel.
Ntoskrnl.exe: NT OS Kernel. Without question this is the kernel of the Windows system; to be precise, the kernel is implemented here, in only 1.6 megabytes, which is similar to the compiled size of the current Linux 2.4 kernel. This file actually provides two major parts:
The first is the system kernel proper, which provides the basic mechanisms of the system (thread scheduling and synchronization, memory allocation and so on; here you can see the most complex part of operating system theory. If you found your operating systems course too abstract and want to get your hands dirty, try disassembling this Ntoskrnl.exe and reading it: not much, just over three million lines, you only need to find the right entry point). The kernel also provides the hardware support, which is what calls from upper-level code such as drivers actually land on; it abstracts the hardware abstraction layer one more time and exposes a uniform interface upward. Anyone who has written a Windows driver or read the DDK will have a deep impression of the fixed pattern in which Windows WDM drivers are written.
The second is the executive. The executive contains a great deal; it made me a little dizzy at first, although now I have a clearer view of it. In fact, the executive is the window through which developers interact with Windows: the functions it exposes, after several layers of wrapping, become the Windows development functions available to developers. Classifying these functions by what they do is rather chaotic and easily confusing, so from the developer's perspective there are these few categories instead: the Win32 API functions, which are for application development, what we usually talk about, and which ATL wraps in an object-oriented way; and the DDK API and IFS Kit functions, which are for driver development. The DDK is familiar enough, but if you browse through it long enough you will find it strange that a very important part of the OS, the file system driver, is not covered there; that is the job of the IFS (Installable File System) Kit.
We said that Windows puts graphical interface processing in kernel mode, so we have to mention a rather special driver: Win32k.sys. The beautiful Windows desktop you see is this file.
Everything described so far is the basic makeup of the Windows system in kernel mode, that is, the part that runs at CPU Ring 0 (if you don't know what a ring is, go to Intel's website and download Intel's CPU system programming documentation; don't bother flipping through the microcomputer principles textbook in your hand, it isn't in there). A great many drivers also run at this level. At the kernel level the calls between components differ from those in user mode; LPC is commonly used, which we will get to slowly later.
Before going on, one point must be made first: Windows is much more capable than what we usually see. When we speak of Win32 we are really speaking of only one subsystem of Windows; Windows has two further subsystems, POSIX and OS/2. That sounds as though programs for Linux could run on Windows, but it is not that simple: they still need a ported library and must be recompiled and relinked, and in the end they rely on the Win32 subsystem's implementation to do the actual work, so the benefit is limited and it is basically neglected by users. We too will only look at the Win32 subsystem. One more detail: each subsystem has its own subsystem support environment. For the POSIX subsystem it is POSIX.EXE; for the Win32 subsystem it is CSRSS.exe (full name Client/Server Run-Time Subsystem). So there is always a csrss.exe process running on your machine; don't get bored and treat it as a Trojan, and don't do anything to it.
Below is the user-mode content. For ease of understanding, the kernel-mode introduction above was layered from the bottom up (hardware to software); in user mode we start from the top and work down, which is more intuitive. We begin with an application as the example (although user-mode programs are far more than just applications), namely IE. If you have VC installed, and installed the Depends tool along with it, use it to open IE (or any Windows executable). You will find that the IE main program (IExplore.exe) calls kernel32.dll, kernel32.dll in turn calls NTDLL.DLL, and the IE main program also calls user32.dll, which in turn calls GDI32.DLL, KERNEL32.DLL and NTDLL.DLL, with circular calls in between.
The functions an application calls are Win32 API functions, which are provided by kernel32.dll. But kernel32.dll does not actually implement the specific functionality; it only performs a simple address (pointer) conversion that jumps the function's entry point into NTDLL.DLL, onto the corresponding Native API function. NTDLL.DLL does no specific processing either: through a system call it switches the user-mode function call into kernel mode, where the real system function is executed, and returns to the application process once the kernel has finished. Someone may ask why Windows wraps the programming interface exposed by the executive twice, through Kernel32.dll and NTDLL.DLL. This is precisely the difference between the Win32 API and the Native API. The Win32 API is also known as the documented API; it is for users to use, so it must remain consistent and compatible: function names cannot be changed, and adding new functions must keep the old ones, otherwise programs developed against an older version of the Win32 API (intuitively, what we develop with the Win32 SDK or MFC) might fail on a newer version of the system. The Native API consists of functions that may need to be modified when the system is updated; the function names, the types of their parameters and so on may change with system upgrades, so it is kept for MS's own use and of course is not offered to users directly. But that is not to say we developers cannot use the Native API. If you locate a function in Ntdll.dll and call it, then as long as MS has not modified that function the call will certainly succeed and your program will run without problems. There is also Advapi32.dll, similar to kernel32.dll, which provides some relatively advanced application programming functions.
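The dependency chain Depends shows (IExplore.exe importing kernel32.dll, which in turn imports NTDLL.DLL) is read from each executable's PE import directory. The script below is an added example, not code from the original article: it parses that directory in Python, resolving RVAs through the section table and walking the import descriptors and their name tables, and exercises the parser against a minimal PE32 image that it constructs in memory (constructed sample data; the DLL and function names in SAMPLE_IMPORTS are made up for the demo). On a real Windows binary you would read the file's bytes and pass them to parse_imports to get the same kind of list Depends displays.

```python
# Walk a PE image's import directory: which DLLs a program loads and which functions it
# pulls from each. Added example; the sample image is a constructed minimal PE32, not a real binary.
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table among the data directories


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name: [imported function names]} from a PE image's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # PE32: data directories at offset 96, 32-bit thunks; PE32+: offset 112, 64-bit thunks
    dir_off, thunk_fmt = (opt + 96, "<I") if magic == 0x10B else (opt + 112, "<Q")
    imp_rva = struct.unpack_from("<I", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i  # section headers follow the optional header
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return {}  # no import table at all
    imports = {}
    desc = rva_to_offset(sections, imp_rva)
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break  # an all-zero descriptor terminates the array
        funcs = []
        thunk = rva_to_offset(sections, oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("#%d" % (entry & 0xFFFF))  # import by ordinal
            else:
                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated function name
                funcs.append(read_cstring(data, rva_to_offset(sections, entry) + 2))
            thunk += thunk_size
        imports[read_cstring(data, rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return imports


def build_sample_pe(imports):
    """Construct a minimal PE32 image whose single section holds an import table (test data only)."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(imports)
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    thunk_base = 20 * (n + 1)  # descriptors first, then thunk arrays, then strings
    str_base = thunk_base + sum(4 * (len(f) + 1) for f in imports.values())
    for dll, funcs in imports.items():
        thunk_rva = sec_rva + thunk_base + len(thunks)
        for fn in funcs:
            thunks += struct.pack("<I", sec_rva + str_base + len(strings))
            strings += struct.pack("<H", 0) + fn.encode() + b"\0"  # hint + name
        thunks += struct.pack("<I", 0)
        dll_rva = sec_rva + str_base + len(strings)
        strings += dll.encode() + b"\0"
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva)
    descs += bytes(20)  # terminating descriptor
    section = bytes(descs + thunks + strings)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, 20 * (n + 1))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                          len(section), sec_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers + bytes(sec_off - len(headers)) + section


# Constructed sample mimicking the application -> kernel32/user32 chain described in the text.
SAMPLE_IMPORTS = {"KERNEL32.dll": ["CreateFileA", "ReadFile", "CloseHandle"],
                  "USER32.dll": ["MessageBoxA"]}


def demo():
    return parse_imports(build_sample_pe(SAMPLE_IMPORTS))


if __name__ == "__main__":
    print(demo())
```

The parser deliberately reads the section table rather than assuming file offsets equal RVAs, which is the mistake that makes naive PE readers fail on real binaries; the same walk, applied to kernel32.dll itself, is what reveals its dependency on NTDLL.DLL.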
GDI32.DLL and USER32.DLL provide the documented Win32 graphics programming interfaces; they likewise go through NTDLL.DLL to call the system drawing functions (implemented in Win32k.sys).
Kernel32.dll, advapi32.dll, user32.dll and gdi32.dll are collectively called the Win32 subsystem DLLs. The Win32 subsystem DLLs "translate" documented Win32 API calls into the corresponding Native API function calls; NTDLL.DLL then "translates" the Native API calls into kernel-mode system service calls in NTOSKRNL.EXE and WIN32K.sys, which complete the user-level functional request.
Having finished with applications, let's look at the other user-mode programs. The environment subsystems (the Win32 subsystem, POSIX subsystem and OS/2 subsystem) were mentioned earlier. Then come the service processes, the pile of things you can see in the service manager, including the rather special service program Services.exe, svchost.exe and so on, which we will get to slowly later. Then the system support processes such as SMSS.exe, Winlogon.exe and lsass.exe (the local security authority subsystem); these are specialized and will get their own topic later. The processes mentioned here are some of the processes necessary for Windows to run normally, which is to say they are safe and nobody needs to be suspicious of them (except, of course, when one has a vulnerability). Most user-mode applications execute by calling kernel32.dll, which then calls NTDLL.DLL, while the system support processes and other programs call NTDLL.dll directly. That is roughly the basic architecture of Windows; the following is the system architecture diagram of Windows 2000, which can be used as a reference when reading the text above.