Analyze the Windows service invocation mechanism

Time:10-06


Created: 2004-05-06
Article attribute: original
Submitted by: Brief (brief_at_safechina.net)


Author: Brief
E-mail: Brief#fz5fz.org
Homepage: http://www.fz5fz.org & http://www.safechina.net
Date: 07-18-2003


1> Preface

The Windows system service call is a key part of the Windows interface. It is often called the system call, system service call or system service dispatching; here we will call it the Windows system service call. It is the mechanism by which the operating system switches from user mode to kernel mode. The Windows system service call is discussed widely abroad, but detailed material in Chinese is rare, so I hope this article can be of some help to readers who, like the author, are interested in Windows internals and are just getting started. In the course of the article the kernel-level monitoring/hiding tool T-ProcMon is used as an example to discuss the technical details of the Windows system service call. Note that the techniques discussed here apply only to operating systems based on the Windows NT kernel, and Windows 2000 is used as the example.

2> Windows 2000 system architecture

Microsoft Windows 2000 is one of the mainstream network server operating systems, so it differs greatly from the Windows 9x you were familiar with before. Since a personal desktop operating system shaped by business strategy is not worth much discussion, we will mainly introduce some details of the internal structure of the NT system. Windows 2000 set itself several design goals, and it is necessary to explain some of the features that follow from them.

1. Extensibility
Windows 2000 is an operating system designed with the future in mind, so it pays great attention to extensibility: for many reasons, such as market demand, components may later have to be added to or removed from the operating system, and that goal requires the operating system to be highly scalable. To meet these diverse needs for adding and removing functionality, an important design idea of Windows 2000 is the subsystem: a function that extends the operating system is added to Windows 2000 as a subsystem, as OS/2 and POSIX are. A consequence of this design is that, by hooking the system service call, we can modify all kinds of system behaviour, which gives us a chance to understand the internals of the system and to extend its functions.

2. Reliability and robustness
The most basic requirement of a system is stability; without a stable environment no product can be satisfactory. To meet this requirement, Windows 2000 introduces object-based access control. Most modern microprocessors support two modes, user mode (User/Normal) and kernel mode (Kernel/Ring). The operating system components and the key components of the system run in kernel mode, while an ordinary user-mode application can only access its own private address space and execute the instructions permitted at its privilege level. If a user program wants to call the function of some kernel component, it has to do so through a system service call.

3. Compatibility
A very important factor in what Intel and Microsoft have achieved today is their support for compatibility with earlier systems. It is critical: nobody wants to replace their system every few days, and few could afford to. To be compatible with other systems such as DOS and 16-bit Windows, Windows 2000 uses environment subsystems. The Win32 environment subsystem must always be present in Windows 2000; it is the foundation of the other subsystems. The other subsystems only appear to provide their own interfaces; in fact they call the interfaces provided by Win32, and Win32 in turn reaches the kernel through system service calls. The operating system supplies different dynamic link libraries for the various environment subsystems, and the API function names tend to differ, but in the end the work is done by the same system service calls into the kernel.

4. Maintainability
As a large project, maintaining Windows 2000 is itself a big project, and a project of this size cannot grow without good maintainability. To that end Windows 2000 uses a layered design, which is also a kind of operating system architecture model: the system service call separates the kernel-mode code from the user code, subsystems use system service calls to provide the application programming interface (API) to users, and system service calls in turn call down into the executive to realize the various functions.

We mentioned above that the operating system has two modes; these are based on the processor. Generally speaking, a processor can provide four modes, Ring0 to Ring3, but it must provide at least two of them, Ring0 and Ring3. Some special processor instructions can only be executed in kernel mode, and some of the address space can only be accessed in kernel mode. Windows 2000 uses this feature to protect the operating system and other key components: they can only be accessed in kernel mode, while ordinary user programs can only execute in user mode, which prevents user programs from destroying the operating system's code. This is the main reason why, as everyone sees, Windows 2000 is significantly more stable than Windows 9x. Below we give the system structure diagram of Windows 2000:

    Support processes | Service processes | Applications | Environment subsystems
    Application programming interfaces (APIs)
    Native system services based on NTDLL.DLL                     (user mode)
    -----------------------------------------------------------------------------
    System service call                                         (kernel mode)
    Executive
    Kernel and device drivers
    Hardware abstraction layer (HAL)

3> Windows 2000 native system services (Native API)

The Windows 2000 native system services are also known as the native application programming interface. They are a set of system services provided by the executive to user-mode and kernel-mode programs, and they contain two types of functions: system services executed through the Windows system service dispatcher, and internal support functions used by subsystems, subsystem DLLs and other native images.

From user mode the native system services are called through NTDLL.DLL. On the surface the Win32 functions give the programmer many interfaces for realizing the functions we want, but the Win32 functions are only wrappers around the native application programming interface (API): they package the native API and call the native system services to realize what the user expects. In other words, NTDLL.DLL is just a shell around the system call interface in user mode. For more information about the user-mode side of the Windows native system services, please see my earlier article "Detecting native system information in Windows 2K/XP/2003".

Now let's talk about system service calls from kernel mode. Here the system service call interfaces are not exported by NTDLL.DLL but by ntoskrnl.exe, which provides two types of functions, ZwXxx and NtXxx; we will not say much more about them here. You should notice, in the Windows 2000 architecture introduced above, that the system service call, the executive and the kernel all live in ntoskrnl.exe (ntkrnlmp.exe on multiprocessor systems), and that they are layered.

4> Windows 2000 system service invocation mechanism

Windows 2000 trap dispatching includes interrupts, deferred procedure calls (DPC), asynchronous procedure calls (APC), exception dispatching and system service calls. On Windows 2000 with Intel x86 processors, the processor executes the int 0x2e instruction to activate the Windows system service call; on Windows XP with Intel x86 processors the sysenter instruction enters the system service dispatcher; on AMD processors Windows XP uses the syscall instruction for the same purpose. For now we use Windows 2000 on x86 as the example. First we give the model of a system service call:

    mov  eax, ServiceId        ; system service number
    lea  edx, ParameterTable   ; address of the caller's argument block
    int  2Eh                   ; trap into the system service dispatcher
    ret  ParamTableBytes       ; pop the arguments on return

Here ServiceId clearly identifies the requested system service: the kernel uses this identifier to find the corresponding service entry in the System Service Dispatch Table. Each item in the table contains a pointer to a system service routine, and what we do when hooking is modify that pointer so that it points to the address of our own service routine. ParameterTable is the block of parameters being passed; the system service dispatcher KiSystemService must strictly check each parameter passed, and copies the parameters from the thread's user stack to the kernel stack for use by the system service. Because the int instruction causes a trap, entry 0x2e of the Windows 2000 Interrupt Descriptor Table (IDT) points to the system service dispatcher. Finally, ParamTableBytes in the ret instruction is the size of the parameter table in bytes, which is popped on return.

Now we can see that the system service call is an interface: it forwards the request of user-mode code to the Windows 2000 kernel functions and triggers the processor mode switch. From the user's point of view, the system call interface is the external interface through which the functions of the Windows kernel components are realized; the system call interface defines the large number of services the Windows kernel provides.

5> Windows 2000 system service call types

By default two system service dispatch tables exist in Windows 2000, corresponding to two different types of system services. The two tables are KeServiceDescriptorTable and KeServiceDescriptorTableShadow.

The system services that Windows 2000 executable programs use are provided through NTDLL.DLL; subsystems realize the functions they need by calling the function interfaces in NTDLL.DLL. The system service dispatch table KeServiceDescriptorTable defines the system services implemented in ntoskrnl.exe; usually the interfaces provided by kernel32.dll and advapi32.dll call the system services in this dispatch table.

Windows 2000 also has the USER and GDI functions implemented in Win32k.sys. They belong to another type of system service call, and their matching dispatch table is KeServiceDescriptorTableShadow, which provides the services that realize the USER and GDI functions in kernel mode. KeAddSystemServiceTable allows Win32k.sys and other device drivers to add system service tables. Apart from the Win32k.sys service table, a service table added with KeAddSystemServiceTable is copied into both KeServiceDescriptorTable and KeServiceDescriptorTableShadow at the same time.
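As an added example (not code from the original article or from T-ProcMon), the following user-mode C simulation models the dispatch path of sections 4 and 5: a descriptor with the KeServiceDescriptorTable fields named above, a simplified KiSystemService that bounds-checks ServiceId and copies ParamTableBytes of arguments before calling through the table pointer, and a clean-copy comparison that reports an entry whose pointer has been replaced. The service routines, their numbers and the STATUS values' use here are constructed for the demonstration; only one table is modelled.

```c
#include <stdint.h>
#include <string.h>

/* A (simulated) system service receives the argument block that
 * KiSystemService has copied onto the kernel stack. */
typedef uint32_t (*SERVICE_FN)(const uint32_t *args);

typedef struct {                       /* fields as named in the text */
    SERVICE_FN    *ServiceTableBase;   /* one pointer per service routine */
    uint32_t       NumberOfServices;
    const uint8_t *ParamTableBase;     /* argument bytes per service */
} SERVICE_DESCRIPTOR;

/* Constructed stand-ins for Nt* routines (hypothetical, not real ids). */
static uint32_t svc_add(const uint32_t *a) { return a[0] + a[1]; }
static uint32_t svc_neg(const uint32_t *a) { return ~a[0] + 1u; }

static SERVICE_FN    live_table[] = { svc_add, svc_neg };
static SERVICE_FN    clean_copy[2];                /* snapshot for checks */
static const uint8_t param_bytes[] = { 8, 4 };     /* ParamTableBytes */
SERVICE_DESCRIPTOR KeServiceDescriptorTable = { live_table, 2, param_bytes };

#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001Cu

/* Simplified KiSystemService: eax = ServiceId, edx = ParameterTable.
 * The low 12 bits of the id select the entry (bits 12-13 pick the table
 * on a real system; not modelled). Arguments are copied to a kernel-side
 * buffer before use, then the routine is reached through the table
 * pointer, which is exactly what a hook replaces. */
uint32_t ki_system_service(uint32_t service_id, const uint32_t *param_table,
                           uint32_t *result)
{
    const SERVICE_DESCRIPTOR *d = &KeServiceDescriptorTable;
    uint32_t idx = service_id & 0xFFFu;
    if (idx >= d->NumberOfServices)
        return STATUS_INVALID_SYSTEM_SERVICE;      /* id out of range */
    uint32_t kernel_args[8] = {0};
    memcpy(kernel_args, param_table, d->ParamTableBase[idx]);
    *result = d->ServiceTableBase[idx](kernel_args);
    return STATUS_SUCCESS;
}

/* Detection: snapshot the table while it is trusted, later report the
 * first entry whose live pointer no longer matches (-1 when none). */
void ssdt_snapshot(void) { memcpy(clean_copy, live_table, sizeof live_table); }
int ssdt_first_modified(void)
{
    for (uint32_t i = 0; i < KeServiceDescriptorTable.NumberOfServices; i++)
        if (live_table[i] != clean_copy[i]) return (int)i;
    return -1;
}
```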
