第1页 / 共1343页
第2页 / 共1343页
第3页 / 共1343页
第4页 / 共1343页
第5页 / 共1343页
第6页 / 共1343页
第7页 / 共1343页
第8页 / 共1343页
Windows Internals, Part 1-7th.pdf
Cover
Copyright
Contents
Introduction
1 Concepts and tools
Windows operating system versions
Windows 10 and future Windows versions
Windows 10 and OneCore
Foundation concepts and terms
Windows API
Services, functions, and routines
Processes
Threads
Jobs
Virtual memory
Kernel mode vs. user mode
Hypervisor
Firmware
Terminal Services and multiple sessions
Objects and handles
Security
Registry
Unicode
Digging into Windows internals
Performance Monitor and Resource Monitor
Kernel debugging
Windows Software Development Kit
Windows Driver Kit
Sysinternals tools
Conclusion
2 System architecture
Requirements and design goals
Operating system model
Architecture overview
Portability
Symmetric multiprocessing
Scalability
Differences between client and server versions
Checked build
Virtualization-based security architecture overview
Key system components
Environment subsystems and subsystem DLLs
Other subsystems
Executive
Kernel
Hardware abstraction layer
Device drivers
System processes
Conclusion
3 Processes and jobs
Creating a process
CreateProcess* functions arguments
Creating Windows modern processes
Creating other kinds of processes
Process internals
Protected processes
Protected Process Light (PPL)
Third-party PPL support
Minimal and Pico processes
Minimal processes
Pico processes
Trustlets (secure processes)
Trustlet structure
Trustlet policy metadata
Trustlet attributes
System built-in Trustlets
Trustlet identity
Isolated user-mode services
Trustlet-accessible system calls
Flow of CreateProcess
Stage 1: Converting and validating parameters and flags
Stage 2: Opening the image to be executed
Stage 3: Creating the Windows executive process object
Stage 4: Creating the initial thread and its stack and context
Stage 5: Performing Windows subsystem–specific initialization
Stage 6: Starting execution of the initial thread
Stage 7: Performing process initialization in the context of the new process
Terminating a process
Image loader
Early process initialization
DLL name resolution and redirection
Loaded module database
Import parsing
Post-import process initialization
SwitchBack
API Sets
Jobs
Job limits
Working with a job
Nested jobs
Windows containers (server silos)
Conclusion
4 Threads
Creating threads
Thread internals
Data structures
Birth of a thread
Examining thread activity
Limitations on protected process threads
Thread scheduling
Overview of Windows scheduling
Priority levels
Thread states
Dispatcher database
Quantum
Priority boosts
Context switching
Scheduling scenarios
Idle threads
Thread suspension
(Deep) freeze
Thread selection
Multiprocessor systems
Thread selection on multiprocessor systems
Processor selection
Heterogeneous scheduling (big.LITTLE)
Group-based scheduling
Dynamic fair share scheduling
CPU rate limits
Dynamic processor addition and replacement
Worker factories (thread pools)
Worker factory creation
Conclusion
5 Memory management
Introduction to the memory manager
Memory manager components
Large and small pages
Examining memory usage
Internal synchronization
Services provided by the memory manager
Page states and memory allocations
Commit charge and commit limit
Locking memory
Allocation granularity
Shared memory and mapped files
Protecting memory
Data Execution Prevention
Copy-on-write
Address Windowing Extensions
Kernel-mode heaps (system memory pools)
Pool sizes
Monitoring pool usage
Look-aside lists
Heap manager
Process heaps
Heap types
The NT heap
Heap synchronization
The low-fragmentation heap
The segment heap
Heap security features
Heap debugging features
Pageheap
Fault-tolerant heap
Virtual address space layouts
x86 address space layouts
x86 system address space layout
x86 session space
System page table entries
ARM address space layout
64-bit address space layout
x64 virtual addressing limitations
Dynamic system virtual address space management
System virtual address space quotas
User address space layout
Address translation
x86 virtual address translation
Translation look-aside buffer
x64 virtual address translation
ARM virtual address translation
Page fault handling
Invalid PTEs
Prototype PTEs
In-paging I/O
Collided page faults
Clustered page faults
Page files
Commit charge and the system commit limit
Commit charge and page file size
Stacks
User stacks
Kernel stacks
DPC stack
Virtual address descriptors
Process VADs
Rotate VADs
NUMA
Section objects
Working sets
Demand paging
Logical prefetcher and ReadyBoot
Placement policy
Working set management
Balance set manager and swapper
System working sets
Memory notification events
Page frame number database
Page list dynamics
Page priority
Modified page writer and mapped page writer
PFN data structures
Page file reservation
Physical memory limits
Windows client memory limits
Memory compression
Compression illustration
Compression architecture
Memory partitions
Memory combining
The search phase
The classification phase
The page combining phase
From private to shared PTE
Combined pages release
Memory enclaves
Programmatic interface
Memory enclave initializations
Enclave construction
Loading data into an enclave
Initializing an enclave
Proactive memory management (SuperFetch)
Components
Tracing and logging
Scenarios
Page priority and rebalancing
Robust performance
ReadyBoost
ReadyDrive
Process reflection
Conclusion
6 I/O system
I/O system components
The I/O manager
Typical I/O processing
Interrupt Request Levels and Deferred Procedure Calls
Interrupt Request Levels
Deferred Procedure Calls
Device drivers
Types of device drivers
Structure of a driver
Driver objects and device objects
Opening devices
I/O processing
Types of I/O
I/O request packets
I/O request to a single-layered hardware-based driver
I/O requests to layered drivers
Thread-agnostic I/O
I/O cancellation
I/O completion ports
I/O prioritization
Container notifications
Driver Verifier
I/O-related verification options
Memory-related verification options
The Plug and Play manager
Level of Plug and Play support
Device enumeration
Device stacks
Driver support for Plug and Play
Plug-and-play driver installation
General driver loading and installation
Driver loading
Driver installation
The Windows Driver Foundation
Kernel-Mode Driver Framework
User-Mode Driver Framework
The power manager
Connected Standby and Modern Standby
Power manager operation
Driver power operation
Driver and application control of device power
Power management framework
Power availability requests
Conclusion
7 Security
Security ratings
Trusted Computer System Evaluation Criteria
The Common Criteria
Security system components
Virtualization-based security
Credential Guard
Device Guard
Protecting objects
Access checks
Security identifiers
Virtual service accounts
Security descriptors and access control
Dynamic Access Control
The AuthZ API
Conditional ACEs
Account rights and privileges
Account rights
Privileges
Super privileges
Access tokens of processes and threads
Security auditing
Object access auditing
Global audit policy
Advanced Audit Policy settings
AppContainers
Overview of UWP apps
The AppContainer
Logon
Winlogon initialization
User logon steps
Assured authentication
Windows Biometric Framework
Windows Hello
User Account Control and virtualization
File system and registry virtualization
Elevation
Exploit mitigations
Process-mitigation policies
Control Flow Integrity
Security assertions
Application Identification
AppLocker
Software Restriction Policies
Kernel Patch Protection
PatchGuard
HyperGuard
Conclusion
Index
无标题
Windows Internals Seventh Edition
Part 1
System architecture, processes, threads, memory
management, and more
Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, and David A. Solomon
PUBLISHED BY
Microsoft Press
A division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2017 by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich and
David A. Solomon
All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.
Library of Congress Control Number: 2014951935
ISBN: 978-0-7356-8418-8
Printed and bound in the United States of America.
First Printing
Microsoft Press books are available through booksellers and distributors worldwide.
If you need support related to this book, email Microsoft Press Support at
mspinput@microsoft.com. Please tell us what you think of this book at
https://aka.ms/tellpress.
This book is provided “as-is” and expresses the author’s views and opinions. The
views, opinions and information expressed in this book, including URL and other
Internet website references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious.
No real association or connection is intended or should be inferred.
Microsoft and the trademarks listed at https://www.microsoft.com on the
“Trademarks” webpage are trademarks of the Microsoft group of companies. All other
marks are property of their respective owners.
Acquisitions Editor: Devon Musgrave
Editorial Production: Polymath Publishing
Technical Reviewer: Christophe Nasarre
Layout Services: Shawn Morningstar
Indexing Services: Kelly Talbot Editing Services
Proofreading Services: Corina Lebegioara
Cover: Twist Creative • Seattle
To my family–my wife Idit and our children Danielle, Amit, and Yoav– thank
you for your patience and encouragement during this demanding work.
Pavel Yosifovich
To my parents, who guided and inspired me to follow my dreams, and to my
family, who stood by me all those countless nights.
Alex Ionescu
To our parents, who guided and inspired us to follow our dreams.
Mark E. Russinovich and David A. Solomon
Contents
Introduction
Chapter 1 Concepts and tools
Windows operating system versions
Windows 10 and future Windows versions
Windows 10 and OneCore
Foundation concepts and terms
Windows API
Services, functions, and routines
Processes
Threads
Jobs
Virtual memory
Kernel mode vs. user mode
Hypervisor
Firmware
Terminal Services and multiple sessions
Objects and handles
Security
Registry
Unicode
Digging into Windows internals
Performance Monitor and Resource Monitor
Kernel debugging
Windows Software Development Kit
Windows Driver Kit
Sysinternals tools
Conclusion
Chapter 2 System architecture
Requirements and design goals
Operating system model
Architecture overview
Portability
Symmetric multiprocessing
Scalability
Differences between client and server versions
Checked build
Virtualization-based security architecture overview
Key system components
Environment subsystems and subsystem DLLs
Other subsystems
Executive
Kernel
Hardware abstraction layer
Device drivers
System processes
Conclusion
Chapter 3 Processes and jobs
Creating a process
CreateProcess* functions arguments
Creating Windows modern processes
Creating other kinds of processes
Process internals
Protected processes
Protected Process Light (PPL)
Third-party PPL support
Minimal and Pico processes
Minimal processes
Pico processes
Trustlets (secure processes)
Trustlet structure
Trustlet policy metadata
Trustlet attributes
System built-in Trustlets
Trustlet identity
Isolated user-mode services
Trustlet-accessible system calls
Flow of CreateProcess
Stage 1: Converting and validating parameters and flags
Stage 2: Opening the image to be executed
Stage 3: Creating the Windows executive process object
Stage 4: Creating the initial thread and its stack and context
Stage 5: Performing Windows subsystem–specific initialization
Stage 6: Starting execution of the initial thread
Stage 7: Performing process initialization in the context of the new process
Terminating a process
Image loader
Early process initialization
DLL name resolution and redirection
Loaded module database
Import parsing
Post-import process initialization
SwitchBack
API Sets
Jobs
Job limits
Working with a job
Nested jobs
Windows containers (server silos)
Conclusion
Chapter 4 Threads
Creating threads
Thread internals
Data structures
Birth of a thread
Examining thread activity
Limitations on protected process threads
Thread scheduling
Overview of Windows scheduling
Priority levels
Thread states
Dispatcher database
Quantum
Priority boosts
Context switching
Scheduling scenarios
Idle threads
Thread suspension
(Deep) freeze
Thread selection
Multiprocessor systems
Thread selection on multiprocessor systems
Processor selection
Heterogeneous scheduling (big.LITTLE)
Group-based scheduling
Dynamic fair share scheduling
CPU rate limits
Dynamic processor addition and replacement
Worker factories (thread pools)
Worker factory creation
Conclusion
Chapter 5 Memory management
Introduction to the memory manager
Memory manager components
Large and small pages
Examining memory usage
Internal synchronization
Services provided by the memory manager
Page states and memory allocations
Commit charge and commit limit
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
