This is an old revision of this page, as edited by M4t3uz (talk | contribs) at 04:25, 29 April 2014 (fixed internal links). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Revision as of 04:25, 29 April 2014 by M4t3uz (talk | contribs) (fixed internal links)(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)This article or section is in a state of significant expansion or restructuring. You are welcome to assist in its construction by editing it as well. If this article or section has not been edited in several days, please remove this template. If you are the editor who added this template and you are actively editing, please be sure to replace this template with {{in use}} during the active editing session. Click on the link for template parameters to use.
This article was last edited by M4t3uz (talk | contribs) 10 years ago. (Update timer) |
ntoskrnl.exe (Short for Windows NT Operating System Kernel, and ntkrnlpa.exe on systems with Physical Address Extension support) is the kernel image for the family of Microsoft Windows NT operating systems. It provides the kernel and executive layers of the Windows NT kernel space, and is responsible for various system services such as hardware virtualization, process and memory management, etc., thus making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler, among other things.
Undestanding the kernel is important for reverse engineering malware, penetration testing, defensive programming, system management and driver creation.
Overview
This system binary is not a native application (in that it is not linked against ntdll.dll
), instead containing a standard 'start' entry point, a function that calls the arch-independent kernel initialization function.
/* * NTOS kernel entry point */ void __attribute__((stdcall)) KiSystemStartup(IN PLOADER_PARAMETER_BLOCK LoaderBlock) { /* perform arch independent initialization */ KiInitializeKernel(); }
While ntoskrnl.exe is not linked against ntdll.dll, it is linked against bootvid.dll, hal.dll and kdcom.dll. Because it requires a static copy of C Runtime objects it depends on, the executable is usually about 2MB in size.
Kernel image filenames
MP or UP files are selected at install time, and PAE or non-PAE files are selected by boot.ini or BCD option. The kernel image is chosen according to the processor's features.
Filename | SMP | PAE |
---|---|---|
NTOSKRNL.EXE | No | No |
NTKRNLMP.EXE | Yes | No |
NTKRNLPA.EXE | No | Yes |
NTKRPAMP.EXE | Yes | Yes |
Coding style
Typical Windows coding uses Hungarian notation for variable names. The kernel API also uses prefixes for functions.
The table below is not an exhaustive listing of all prefixes. There are other undocumented prefixes.
Prefix | Meaning |
---|---|
Cc | cache controller |
Csr | Csr are client-server functions that are used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system). |
Dbg | Dbg are debugging aid functions such as a software break point. |
Ex | Windows Executive |
FsRtl | file system runtime |
Io | I/O manager |
Ke | core kernel routines |
Ki | Ki are upcalls from kernel-mode for things like APC dispatching. |
Ks | kernel streaming |
Ldr | Ldr are loader functions for PE file handling and starting of new processes. |
Lpc | Local Procedure Call |
Lsa | Local Security Authority |
Mm | memory management |
Nls | Nls for Native Language Support (similar to code pages). |
Ob | Object Manager |
Pfx | Pfx for prefix handling. |
Po | power management |
Ps | Process management |
Rtl | Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support. |
Se | security |
Zw | Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not. The Zw prefix does not stand for anything. |
Initialization
When the kernel receives control, it gets a pointer to a structure as parameter. This structure is passed by the boot loader and contain information about the hardware, the path to the registry file, kernel parameters containing boot preferences or options that change the behaviour of the kernel, path of the files loaded by the bootloader (SYSTEM
registry hive, nls for character encoding conversion and vga font). The definition of this structure can be retrieved by using the kernel debugger or downloading it from the Microsoft symbol database.
In the x86 architecture, the kernel receives the system already in protected mode, with the GDT, IDT and TSS ready. But since it does not know the address of each one, it has to load them one by one to fill the PCR structure.
The main entry point of ntoskrnl.exe performs some system dependent initialization then calls a system independent initialization then enters an idle loop.
Interrupt Handling
This article is about NT implementation of interrupt handlers. For other uses, see Interrupt handling.Modern operating systems use interrupts instead of I/O port polling to wait for information from devices.
In the x86 architecture, interrupts are handled by using the Interrupt Vector Table (IVT). When a device triggers an interrupt, or interrupt request (IRQ), the interrupt flag (IF) in the flags register is set and the processor's hardware looks for a interrupt handler on the table. Interrupt handlers usually save the state of all or some registers before handling it and restore the registers when done.
The interrupt table contains handlers both for IRQs and soft interrupts. The location of the soft interrupt handler is 0x2e.
It points to the KiSystemService
.
Memory manager
This article is about NT implementation of a memory manager. For other uses, see memory management.The kernel of Microsoft Windows divides the memory in two segments using paging. The lower part, starting at zero, is used by user-land programs and the upper part is used by the kernel.
Arch | MmHighestUserAddress | MmSystemRangeStart |
---|---|---|
x86 | 0x7fffffff | 0x80000000 |
ARM | 0x7fffffff | 0x80000000 |
x86-64 | 0x000007ff‘ffffffff | 0xffff0800‘00000000 |
In the x86 architecture, the memory manager (mm) of an operating system separates each address space using paging. The entire physical memory (RAM) address range is broken into many small (usualy 4 KiB) blocks. The properties of each block is stored in the page directory that is managed directly by the processor's hardware. The base address of this table is stored in the control register #3 (CR3) and paging.
Object Manager
Main article: Object Manager (Windows)The Object Manager (OM) is the virtual filesystem (VFS) used by the NTOS kernel that is similar to the proc
and sys
filesystems. It is exposed to the user-land programs but it is not used by the default shell directly neither is shown to the user, except when using special tools such as the Winobj by Sysinternals.
The root of OM is not a disk filesystem nor a ramdrive. It contains node that corresponds to the mounted filesystem. The name of these nodes are of the form PartitionXX. It stores volatile data. Data that should be nonvolatile is stored in the registry.
Explorer does not use them directly but use some symlinks that point to the actual NT nodes. The name of each of these nodes is a DOS partition letter. They were created for campatibility with old MS-DOS-based Windows releases.
These nodes are not created by the kernel but by the filesystem driver. The filesystem driver must comply with the IFS API. It uses the IoCreateDevice and IoCreateSymbolicLink api calls to do it.
Registry hives
Main article: Windows RegistryA registry hive, or simply a registry, is a filesystem optimized for small files. Although sometimes referred as a database it does not include feature characteristic to databases such as indexing. It is loaded as early in the bootloader. Additional registry hives are mounted during system boot and login.
Drivers
This article is about NT specific drivers. For other uses, see device driver.The list of drives to be loaded from the disk are retrieved from the Services
key in the SYSTEM
registry hive. That key stores device drivers, kernel processes and user processes. They are all collectively called "services" and are all stored mixed on the same place.
During initialization or upon driver load request, the kernel transverses that tree looking for services tagged as kernel services.
See also
References
- Russinovich, M: Systems Internals Tips and Trivia, SysInternals Information
- ^ Practical Reverse Engineering Using X86, X64, Arm, Windows Kernel, and Reversing Tools. John Wiley & Sons Inc. 2014. ISBN 978-1118787311.
- ^ Raymond Chen (2009). "The Old New Thing : What does the "Zw" prefix mean?". Microsoft Corporation. Retrieved 2009-06-13.
- Microsoft Corporation (2009). "I/O Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
- Microsoft Corporation (2009). "Cache Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
- Microsoft Corporation (2009). "Power Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
- Microsoft Corporation (2009). "Core Kernel Library Support Routines". Microsoft Corporation. Retrieved 2009-06-13.
- Microsoft Corporation (2009). "File System Runtime Library Routines". Microsoft Corporation. Retrieved 2009-06-13.
- The NT Insider (August 27, 2003). "Nt vs. Zw - Clearing Confusion On The Native API". OSR Online. 10 (4). OSR Open Systems Resources. Retrieved 2013-09-16.
- windows internals
- http://www.nirsoft.net/kernel_struct/vista/LOADER_PARAMETER_BLOCK.html
- "IoCreateDevice routine". MSDN. Microsoft Corporation. Retrieved 28 April 2014.
- "IoCreateSymbolicLink routine". MSDN. Microsoft Corporation. Retrieved 28 April 2014.
- Tanenbaum, Andrew S. (2008). Modern operating systems (3rd ed. ed.). Upper Saddle River, N.J.: Pearson Prentice Hall. p. 829. ISBN 978-0136006633.
{{cite book}}
:|edition=
has extra text (help)
Further reading
- Tanenbaum, Andrew. Modern Operating Systems (3rd Edition). 978-0136006633
- Practical reverse engineering. 978-1118787311
External links
- Inside the Windows Vista Kernel (TechNet Magazine)
- struct LOADER_PARAMETER_BLOCK
- Driver Development Part 1: Introduction to Drivers
This Microsoft Windows article is a stub. You can help Misplaced Pages by expanding it. |