Windows processes in kernel vs system


Question

I have a few questions related to Windows processes in kernel and usermode.

If I have a hello world application, and a hello world driver that exposes a new system call, foo(), I am curious about what I can and can't do once I am in kernel mode.

For starters, when I write my new hello world app, I am given a new process, which means I have my own user mode VM space (let's keep it simple, 32-bit Windows). So I have 2GB of space that I "own", I can poke and peek to my heart's content. However, I am bound by my process. I can't (let's not bring shared memory into this yet) touch anyone else's memory.

If I write this hello world driver and call it from my user app, I (the driver code) am now in kernel mode.

First clarification/questions: I am STILL in the same process as the user mode app, correct? Still have the same PID?

Memory Questions: Memory is presented to my process as VM, that is, even if I have 1GB of RAM, I can still access 4GB of memory (2GB user / 2GB kernel - not minding details of switches on servers, or specifics, just a general assumption here). As a user process, I cannot peek at any kernel mode memory address, but I can do whatever I want to the user space, correct?

If I call into my hello world driver, from the driver code, do I still have the same view of the usermode memory? But now I also have access to any memory in kernel mode?

Is this kernel mode memory SHARED (unlike user mode, which is my own process's copy)? That is, writing a driver is more like writing a threaded application for a single process that is the OS (scheduling aside?)

Next question. As a driver, could I change the process that I am running? Say I knew another app (say, a usermode webserver), and load the VM for that process, change its instruction pointer, stack, or even load different code into the process, and then switch back to my own app? (I am not trying to do anything nefarious here, I am just curious what it really means to be in kernel mode.)

Also, once in kernel mode, can I prevent the OS from preempting me? I think (in Windows) you can set your IRQL level to do this, but I don't fully understand this, even after reading Solomon's book (Inside Windows...). I will ask another question, directly related to IRQL/DPCs, but for now I would love to know if a kernel driver has the power to set an IRQL to High and take over the system.

More to come, but answers to these questions would help.

Answer

A good primer for this topic would be found at: http://www.codinghorror.com/blog/archives/001029.html

As Jeff points out for the user mode memory space:

"In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. Due to the protection afforded by this sort of isolation, crashes in user mode are always recoverable. Most of the code running on your computer will execute in user mode."

So your app will have no access to the kernel mode memory; in fact your communication with the driver is probably through IOCTLs (i.e. IRPs).

The kernel, however, has access to everything, including the mappings for your user mode processes. This is a one-way street: user mode cannot map into kernel mode, for security and stability reasons. Even though kernel mode drivers can map into user mode memory, I would advise against it.

At least that's the way it was back before WDF. I am not sure of the capabilities of memory mapping with user mode drivers.
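The question's memory model and the answer's "one-way street" can be made concrete. The following C model is an added illustration, not code from the question, the answer, or any Windows driver kit. It mirrors the default 32-bit x86 layout the question assumes (a private 2 GB user half below a 2 GB kernel half that is mapped identically in every process), and shows the check a driver must make before touching a pointer a user-mode caller handed it: for a synchronous IOCTL the dispatch routine runs in the calling thread's context, so the caller's user-mode view is reachable, but every user-supplied address has to be confirmed to lie entirely below the user/kernel boundary before it is dereferenced. The two address constants match the documented x86 values (MmUserProbeAddress is 0x7FFF0000, kernel space starts at 0x80000000) and the NTSTATUS values are the real ones; `struct foo_in`, `struct ioctl_request`, `validate_foo_request` and the sample requests are hypothetical stand-ins for the real IRP and dispatch-routine shapes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not Windows or WDK code.  It mirrors the default 32-bit x86
 * layout the question assumes: 2 GB of per-process user space below 2 GB of
 * kernel space shared by every process.  The two constants match the
 * documented x86 values of MmUserProbeAddress (0x7FFF0000) and the kernel
 * base (0x80000000); everything else is a stand-in for real kernel structures. */
#define USER_PROBE_ADDRESS 0x7FFF0000u /* lowest address that is not user space */
#define KERNEL_BASE        0x80000000u /* first address of the shared kernel half */

/* NTSTATUS values a driver returns from its IOCTL dispatch routine. */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u

typedef enum { ADDR_USER, ADDR_NOACCESS, ADDR_KERNEL } addr_class;

/* Which region of the 4 GB virtual address space does an address belong to? */
addr_class classify_address(uint32_t va)
{
    if (va < USER_PROBE_ADDRESS) return ADDR_USER;     /* private to the process */
    if (va < KERNEL_BASE)        return ADDR_NOACCESS; /* 64 KB guard region */
    return ADDR_KERNEL;                                /* same mapping in every process */
}

/* True only if the whole range [ptr, ptr + len) lies in user space.  This is
 * the check ProbeForRead/ProbeForWrite make (they raise STATUS_ACCESS_VIOLATION
 * instead of returning false).  The subtraction form avoids the classic bug of
 * computing ptr + len in 32 bits and letting a huge len wrap back below the
 * boundary. */
bool range_is_user(uint32_t ptr, uint32_t len)
{
    if (ptr >= USER_PROBE_ADDRESS) return false;
    return len <= USER_PROBE_ADDRESS - ptr;
}

/* Hypothetical input for the foo() call from the question. */
struct foo_in { uint32_t value; };

/* Hypothetical METHOD_NEITHER request: the driver receives the caller's raw
 * pointer, so it sees the same user-mode view the process does and must
 * decide for itself whether that pointer may be dereferenced. */
struct ioctl_request {
    uint32_t user_ptr;       /* buffer address as supplied by the caller */
    uint32_t len;            /* length the caller claims */
    bool     from_user_mode; /* models Irp->RequestorMode == UserMode */
};

/* The validation a dispatch routine performs before touching the buffer.
 * A kernel-mode caller's pointer is trusted (and would fail the user-space
 * check anyway); a user-mode caller's pointer is not. */
uint32_t validate_foo_request(const struct ioctl_request *req)
{
    if (req->len < sizeof(struct foo_in))
        return STATUS_BUFFER_TOO_SMALL;
    if (req->from_user_mode && !range_is_user(req->user_ptr, req->len))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample requests: a normal user buffer, a user-mode caller
     * handing the driver a kernel address, the same address from a kernel-mode
     * caller, and a user buffer whose length runs past the boundary. */
    const struct ioctl_request samples[] = {
        { 0x00400000u, 4u,      true  },
        { 0x80001000u, 4u,      true  },
        { 0x80001000u, 4u,      false },
        { 0x7FFEF000u, 0x2000u, true  },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("ptr=0x%08X len=0x%X user=%d -> status 0x%08X\n",
               samples[i].user_ptr, samples[i].len, samples[i].from_user_mode,
               validate_foo_request(&samples[i]));
    return 0;
}
```

The design point is the one the answer makes: the kernel half is shared and the driver can reach the caller's user half, but it must treat every address that crosses the boundary as untrusted. Rejecting the fourth sample (a user address whose claimed length spills over 0x7FFF0000) is what stops a user-mode caller from turning a driver into a read or write primitive on kernel memory.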
