Windows Internals notes (work in progress…)

Every Windows process has its own private memory space, but the kernel-mode operating system and device-driver code all share a single virtual address space. Each page of virtual memory is tagged with the processor access mode required to read or write it: pages in system space can be accessed only from kernel mode, while pages in the user address space are accessible from user mode. Read-only pages (for example those containing executable code) are not writable from either mode. The practical consequence is that a user-mode process is confined to its own address space, whereas a faulty or malicious driver, running in kernel mode, can read or corrupt any part of system memory.


The four basic types of user-mode processes are described as follows:

  • Fixed (or hardwired) system support processes, such as the logon process and the session manager,
    that are not Windows services. (That is, they are not started by the service control manager.)
  • Service processes that host Windows services, such as the Task Scheduler and Spooler services.
    Services generally have the requirement that they run independently of user logons. Many Windows
    server applications, such as Microsoft SQL Server and Microsoft Exchange Server, also include
    components that run as services.
  • User applications, which can be one of six types: Windows 32-bit, Windows 64-bit, Windows 3.1
    16-bit, MS-DOS 16-bit, POSIX 32-bit, or OS/2 32-bit.
  • Environment subsystem server processes, which implement part of the support for the operating
    system environment, or personality, presented to the user and programmer. Windows NT originally
    shipped with three environment subsystems: Windows, POSIX, and OS/2. OS/2 was dropped as of
    Windows 2000. As of Windows XP, only the Windows subsystem is shipped in the base product; an
    enhanced POSIX subsystem is available as part of the free Services for Unix product.

Subsystem DLLs translate a documented function into the appropriate internal (and generally undocumented) Windows system service calls. This translation might or might not involve sending a message to the environment subsystem process that is serving the user application.

The kernel-mode components of Windows include the following:

  • The Windows executive contains the base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication.
  • The Windows kernel consists of low-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization. It also provides a set of routines and basic objects that the rest of the executive uses to implement higher-level constructs.
  • Device drivers include both hardware device drivers that translate user I/O function calls into specific hardware device I/O requests as well as file system and network drivers.
  • The hardware abstraction layer (HAL) is a layer of code that isolates the kernel, device drivers, and the rest of the Windows executive from platform-specific hardware differences (such as differences between motherboards).
  • The windowing and graphics system implements the graphical user interface (GUI) functions (better known as the Windows USER and GDI functions), such as dealing with windows, user interface controls, and drawing.


Environment Subsystems and Subsystem DLLs

  1. Windows has three environment subsystems: OS/2, POSIX, and Windows. Windows cannot run without the Windows subsystem (because it owns the keyboard, mouse, and display, it is required to be present even on server systems with no interactive users logged in).

  2. The startup information for the environment subsystems is stored under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.

  3. Each environment subsystem exposes a subset of the Windows executive's system services to applications, and each subsystem provides access to a different subset. That means that some things can be done from an application built on one subsystem that can't be done by an application built on another subsystem.

  4. An executable (.exe) can run under only one environment subsystem. When an executable is run, the process creation code examines the subsystem type recorded in the executable's image header. In Visual C++ this type is set with the linker's /SUBSYSTEM option.

  5. User applications do not call system services directly; they go through one or more subsystem DLLs. For example, the Windows subsystem DLLs (such as Kernel32.dll, Advapi32.dll, User32.dll, and Gdi32.dll) implement the Windows API functions, and the POSIX subsystem DLL (Psxdll.dll) implements the POSIX API functions.

    When an application calls a function in a subsystem DLL, one of three things can happen:

    • The function is implemented entirely in user mode inside the subsystem DLL. In other words, no message is sent to the environment subsystem process and no Windows executive system service is called. The function executes in user mode and returns. An example is GetCurrentProcessId (the process ID does not change for a running process, so it can be read from a cached value, avoiding a call into the kernel).

    • The function requires one or more calls to the Windows executive. For example, ReadFile and WriteFile call the underlying Windows I/O services NtReadFile and NtWriteFile.

    • The function requires some work to be done in the environment subsystem process. In this case, a client/server request is sent to the environment subsystem to perform the operation, and the subsystem DLL waits for the reply.

    Some functions can be a combination of the second and third items just listed, such as the Windows CreateProcess and CreateThread functions.

  6. Although Windows was designed to support multiple independent environment subsystems, having every subsystem implement its own window and display I/O handling would have duplicated a large amount of system function and hurt system size and performance. Because the Windows subsystem is the primary subsystem, the Windows designers placed these functions in it, and the other subsystems call the Windows subsystem to obtain them.
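The subsystem check in step 4 reads the Subsystem field of the PE optional header. The C program below is an added example (written for these notes, not code from the book or from Windows) that parses that field from a constructed minimal image the way the process-creation code would. The image builder, the `pe_subsystem` and `demo_*` names, and the header-only sample images are my own; the offsets (e_lfanew at 0x3C, Subsystem at +68 in both the PE32 and PE32+ optional header) are from the PE specification. Every access is bounds-checked, because an image header is attacker-controlled input and a truncated or hostile file must not make the parser read past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subsystem values from the PE specification (IMAGE_SUBSYSTEM_*). */
#define IMAGE_SUBSYSTEM_NATIVE        1   /* no subsystem needed: drivers, native images such as smss.exe */
#define IMAGE_SUBSYSTEM_WINDOWS_GUI   2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI   3
#define IMAGE_SUBSYSTEM_OS2_CUI       5
#define IMAGE_SUBSYSTEM_POSIX_CUI     7

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the Subsystem field of the optional header, or -1 if `img` is not a
 * well-formed PE image. Every offset is checked against `len` first. */
int pe_subsystem(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need "PE\0\0" (4) + COFF file header (20) + optional header at least through Subsystem (70) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 70) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 4 + 16) < 70) return -1;            /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;  /* PE32 / PE32+ */
    return rd16(opt + 68);                            /* Subsystem is at +68 in both layouts */
}

const char *subsystem_name(int s) {
    switch (s) {
    case IMAGE_SUBSYSTEM_NATIVE:      return "NATIVE";
    case IMAGE_SUBSYSTEM_WINDOWS_GUI: return "WINDOWS_GUI";
    case IMAGE_SUBSYSTEM_WINDOWS_CUI: return "WINDOWS_CUI";
    case IMAGE_SUBSYSTEM_OS2_CUI:     return "OS2_CUI";
    case IMAGE_SUBSYSTEM_POSIX_CUI:   return "POSIX_CUI";
    default:                          return "UNKNOWN/INVALID";
    }
}

/* Constructed sample image: only the headers the subsystem check consults, no sections. */
static size_t build_image(uint8_t *buf, size_t cap, uint16_t magic, uint16_t subsystem) {
    uint16_t opt_size = (magic == 0x20B) ? 240 : 224;  /* sizeof IMAGE_OPTIONAL_HEADER64 / 32 */
    size_t total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                  /* e_lfanew: NT headers follow the DOS header */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 4 + 16] = (uint8_t)opt_size;            /* SizeOfOptionalHeader (little-endian) */
    buf[0x40 + 4 + 17] = (uint8_t)(opt_size >> 8);
    uint8_t *opt = buf + 0x40 + 24;
    opt[0] = (uint8_t)magic;      opt[1] = (uint8_t)(magic >> 8);
    opt[68] = (uint8_t)subsystem; opt[69] = (uint8_t)(subsystem >> 8);
    return total;
}

/* Build an image with the given layout and subsystem, then parse it back. */
int demo_subsystem(uint16_t magic, uint16_t subsystem) {
    uint8_t buf[512];
    size_t n = build_image(buf, sizeof buf, magic, subsystem);
    return pe_subsystem(buf, n);
}

/* The same image cut off inside the optional header: must be refused, not overread. */
int demo_truncated(void) {
    uint8_t buf[512];
    size_t n = build_image(buf, sizeof buf, 0x20B, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    return pe_subsystem(buf, n - 200);
}

int main(void) {
    printf("PE32+ console image -> %s\n", subsystem_name(demo_subsystem(0x20B, IMAGE_SUBSYSTEM_WINDOWS_CUI)));
    printf("PE32 POSIX image    -> %s\n", subsystem_name(demo_subsystem(0x10B, IMAGE_SUBSYSTEM_POSIX_CUI)));
    printf("truncated image     -> %s\n", subsystem_name(demo_truncated()));
    return 0;
}
```

The same field is useful when triaging an unknown binary: a value of NATIVE marks a driver or a native image that links only against Ntdll.dll, while WINDOWS_GUI/WINDOWS_CUI mark ordinary Windows-subsystem applications; an image whose subsystem is not installed on the system (for example POSIX_CUI where no POSIX subsystem is present) fails at process creation.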

Ntdll.dll

Ntdll.dll is a special system support library primarily for the use of subsystem DLLs. It contains two types of functions:

  • System service dispatch stubs to Windows executive system services. These are the user-mode interfaces for calling the executive's system services; most of them are reachable through the Windows API, but some are used only by the operating system itself.
  • Internal support functions used by subsystems, subsystem DLLs, and other native images.

For each of these functions, Ntdll contains an entry point with the same name. The code inside the function contains the architecture-specific instruction that causes a transition into kernel mode to invoke the system service dispatcher, which, after verifying some parameters, calls the actual kernel-mode system service that contains the real code inside Ntoskrnl.exe.

Ntdll also contains many support functions, such as the image loader (functions that start with Ldr), the heap manager, and Windows subsystem process communication functions (functions that start with Csr), as well as general run-time library routines (functions that start with Rtl). It also contains the user-mode asynchronous procedure call (APC) dispatcher and exception dispatcher.


Chapter 3. System Mechanisms

Trap Dispatching

The term trap refers to a processor's mechanism for capturing an executing thread when an exception or an interrupt occurs and transferring control to a fixed location in the operating system. In Windows, the processor transfers control to a trap handler, a function specific to a particular interrupt or exception.


The kernel distinguishes between interrupts and exceptions in the following way. An interrupt is an asynchronous event (one that can occur at any time) that is unrelated to what the processor is executing. Interrupts are generated primarily by I/O devices, processor clocks, or timers, and they can be enabled (turned on) or disabled (turned off). An exception, in contrast, is a synchronous condition that results from the execution of a particular instruction. Running a program a second time with the same data under the same conditions can reproduce exceptions. Examples of exceptions include memory access violations, certain debugger instructions, and divide-by-zero errors. The kernel also regards system service calls as exceptions (although technically they're system traps).

 

When a hardware exception or interrupt is generated, the processor records enough machine state on the kernel stack of the thread that's interrupted so that it can return to that point in the control flow and continue execution as if nothing had happened. If the thread was executing in user mode, Windows switches to the thread's kernel-mode stack. Windows then creates a trap frame on the kernel stack of the interrupted thread into which it stores the execution state of the thread. The trap frame is a subset of a thread's complete context, and you can view its definition by typing dt nt!_ktrap_frame in the kernel debugger. (Thread context is described in Chapter 6.) The kernel handles software interrupts either as part of hardware interrupt handling or synchronously when a thread invokes kernel functions related to the software interrupt.

 

Hardware-generated interrupts typically originate from I/O devices that must notify the processor when they need service. Interrupt-driven devices allow the operating system to get the maximum use out of the processor by overlapping central processing with I/O operations. A thread starts an I/O transfer to or from a device and then can execute other useful work while the device completes the transfer. When the device is finished, it interrupts the processor for service. Pointing devices, printers, keyboards, disk drives, and network cards are generally interrupt driven.

System software can also generate interrupts. For example, the kernel can issue a software interrupt to initiate thread dispatching and to asynchronously break into the execution of a thread.

Reposted from: https://www.cnblogs.com/dubingsky/archive/2009/07/01/1514727.html
