OS Internals ABCs

Published 16 February 07 03:26 PM | hanbarakat 

I started to dig deeper into windows internals. In the past couple of months I started to learn more about kernel, kernel debugging, symbols, memory management and many other windows internals components. I also took a couple of courses one of them was the Windows Internals lectures by David Solomon and Mark Russinovich authors of Windows Internals book. OS is a very interesting field to read about. Most of my information are taken from Windows Internals, 4th edition (Microsoft Press, David Solomon and Mark Russinovich) and my basic knowledge and searching the internet about operating systems in general.

The OS is the software that manages all the computer resources. These resources include managing hardware, memory, running programs, multitasking and scheduling tasks, managing storage, and handling communication.

One thing I read before is that kernel is the heart of the OS. Kernel is the core of an OS which manages the machine's hardware resources (including the processor and the memory), and provides and controls the way any other software component can access these resources. The kernel runs with a higher privilege (kernel mode) than other programs (which called user mode programs). The power and robustness of an OS's kernel play a major role in shaping overall system design and reliability.

So as a critical part of the OS that controls all devices and hardware on your computer, the kernel must be protected from being accessed or modified by a user application. User applications code runs in user mode, whereas OS code runs in kernel mode. User and kernel modes are two processor access modes, where a kernel mode refers to a mode of execution privilege that grants access to system memory and all CPU instructions. Windows protection environment prevents anything running in user mode from directly accessing hardware.

Although each Windows process has its own private memory space (where no other process can access/modify this memory space unless allowed to by the process who owns this private memory space), the kernel-mode operating system code (and by that I mean all the OS resources, system memory and CPU instructions) and the device driver code share one memory space. In other words, once in kernel mode, OS and device driver code has complete access to system memory space and can access objects.

Before we continue let's just define what's a driver is. A device driver is an executable, literally drives the hardware device to behave in a specific way (provided by the OS) and returns any results from the device about that behavior. So, the device driver allows the OS to communicate with a particular piece of hardware.

Back to kernel mode, because the bulk of windows OS runs in kernel mode, it's vital that components running in kernel mode must be carefully designed, implemented and tested; once in kernel mode you have access to all OS data. Any mistake in a driver running in kernel mode (for example trying to access or modify OS resources) will cause the OS to crash at once causing the blue screen with the name of the driver and reason of the violation. This simply means that the blue screen crash done by the windows doesn't mean that Windows is crappy; it's Windows last way of defending itself and defending the user from a misbehaved application trying to access or modify vital information. This vulnerability was one of the reasons behind driver-signing mechanism introduced in windows, which warns the user if an attempt to add an unauthorized (unsigned) driver.

Windows Architecture Layout 

Note this is kind of simplified version of the Windows architecture and it does not show all components.

The types of user-mode processes are:

  • Service processes that host windows services, such as Task Scheduler and Spooler services. Services generally run independently of user logins.
  • User applications.
  • Environment subsystem server processes, which implement part of the support for the operating system environment, or personality presented to the user and programmer.

Under Windows, user applications don't call the native Windows operating system services directly; rather, they go through one or more subsystem dynamic-link libraries (DLLs). The role of the subsystem DLLs is to translate a documented function into the appropriate internal (and generally undocumented) Windows system service calls. This translation might or might not involve sending a message to the environment subsystem process that is serving the user application.

The kernel-mode components of Windows include the following:

  • The Windows executive contains the base operating system services, such as memory management, process and thread management, security, I/O, networking, and inter-process communication.
  • The Windows kernel consists of low-level operating system functions, such as thread scheduling, interrupt and exception dispatching.
  • Device drivers.
  • The hardware abstraction layer (HAL) is a layer of code that isolates the kernel, device drivers, and the rest of the Windows executive from platform-specific hardware differences (such as differences between motherboards).
  • The windowing and graphics system.
Filed under:

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# Mona said on February 16, 2007 6:58 PM:

This is a very interesting article hany, Keep writing

It would be very nice if u have a good reference for Memory management part, or maybe talking about it in more details in next posts:)

# Ali Abdin said on February 17, 2007 12:24 AM:

It's funny you should ask about that Mona...I was just in Hany's office today and he was reading (and trying to understand!) memory management in the OS.

Let's just say it is really really complicated, and I would think it would take several blog posts to even attempt to explain the details :)

I would expect Hany to write about it sometime in the future though :)

# hanbarakat said on February 17, 2007 12:50 AM:

Mona - Thx a lot for motivating me... I'm really glad you found the article interesting... I'll try always to update the blog. Since I'm in the Windows team most of my articles will evolve around Windows components, including of course memory management ( :-) as soon as I understand it!).

Ali - Thx for stopping by! :-)

# Mohamed Meshref said on February 17, 2007 5:51 AM:

The windows internal book is very interesting, I started to look into it myself and found it very good:)

I have got another book also called "Build your own 32 bits operating system", it has more in depth information about operating system in general and what are the decisions you're going to take while you're designing an OS

# Mohamed Meshref said on February 17, 2007 5:55 AM:

By the way, what's the debugger you're using for debugging kernel?

I used softice long time ago and I found it really easy and helpful in debugging kernel and device drivers

# Mohamed Meshref said on February 17, 2007 6:06 AM:

Ohh sorry I remembered now, it's WinDbg, right?

But I've a question here, can you use the full capabilites of the WinDbg on the same computer you're debugging or you must use interlinked computers? as in Softice I can do it on the same machine with the full capabilites

I think this is the better place to reach you before I forget the question by the morning :)

# hanbarakat said on February 17, 2007 2:45 PM:

There are 2 debuggers that I use. The Kd (Console program) and Windbg (GUI program). Both have identical command set and both are part of the Debugging Tools for Windows. You can debug the kernel using 3 ways:

1. Connecting host machine to a target machine by null modem, IEEE 1394 (Firewire) or USB 2.0 (Vista and later).

2. Open Crash Dump. (Which u can always use instead of local debugging, Once the PC crash you'll find the crash dump in the Windows\Minidumps\ Folder.

3. Local Kernel Debugging. XP and later supports attaching debugger to kernel on a live system. Windbg full capabilites can be used, It's just like debugging a target machine, But be aware that this is a Read/Write connection, which means that tou can edit the kernel memory on the live system!

# Ali Abdin said on February 17, 2007 2:55 PM:

Hmm, I think there are some limitations on 'local' debugging. I believe Mark Russianovich is the one that created the tool to do Live Debugging on localhost - but I could be wrong...

The problem with live debugging is that it utilizes a breakpoint on the live system - so if you are broken into the debugger - how will you debug?? I think the code to allow live debugging must be very interesting :)

# Mohamed Meshref said on February 17, 2007 5:31 PM:

I used SoftIce for live debugging, and it was really easy and straightforward,

# Mohamed Meshref said on February 17, 2007 5:40 PM:

I forgot to add this :)

In SoftIce I am not sure from this, but I think it works in a level lower than the kernel or at least as an advanced device driver, as when you install it, it asks you for several settings, and then it restarts the machine, you can start it even in the boot for the machine.

And I get your point, once you are on an active breakpoint in the kernel, how you are going to execute commands since the kernel is stopped now?

What I think that SoftIce maintains full control in this case, it may have its own kernel, or it may run the kernel for the same OS in a virtual mode in which theoretically you're like running in two connected machine, but with shared memory, in which instructions are redirected into the virtual one, because if I remember well, I remember that sometimes when I have an active breakpoint in the kernel, some of the operating system tasks are still active and working in front of my eyes even if the kernel is in this state.

I am not sure, but the only this I am sure that SoftIce is the best kernel-level debugger in the whole planet and the most easy one too, because it took me only 30 minutes to be totally aware how to use in the most powerful fashion

# ... said on March 3, 2007 3:50 AM:

Very nice site! Good work.

# 小向美奈子 said on June 13, 2009 9:07 AM:

話題の小向美奈子ストリップを隠し撮り!入念なボディチェックをすり抜けて超小型カメラで撮影した神動画がアップ中!期間限定配信の衝撃的映像を見逃すな

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required

Search

This Blog

Syndication

This blog is governed by the site terms of use. These postings are provided "AS IS" with no warranties, and confers no rights.
Page view tracker