
Windows Internals covering windows server 2008 and windows vista- P5

Pages: 50      File type: pdf      Size: 1.13 MB      Views: 12      Downloads: 0


Document information:

Windows Internals covering windows server 2008 and windows vista- P5: In this chapter, we’ll introduce the key Microsoft Windows operating system concepts and terms we’ll be using throughout this book, such as the Windows API, processes, threads, virtual memory, kernel mode and user mode, objects, handles, security, and the registry.
Content extracted from the document:
Because there are certain operations that drivers should not perform when special kernel APCs are disabled, it makes sense to call KeGetCurrentIrql to check whether the IRQL is APC level or not, which is the only way special kernel APCs could have been disabled. However, because the memory manager makes use of guarded mutexes instead, this check fails because guarded mutexes do not raise IRQL. Drivers should therefore call KeAreAllApcsDisabled for this purpose. This function checks whether special kernel APCs are disabled and/or whether the IRQL is APC level—the sure-fire way to detect both guarded mutexes and fast mutexes.

Executive Resources

Executive resources are a synchronization mechanism that supports shared and exclusive access, and, like fast mutexes, they require that normal kernel-mode APC delivery be disabled before they are acquired. They are also built on dispatcher objects that are only used when there is contention. Executive resources are used throughout the system, especially in filesystem drivers.

Threads waiting to acquire a resource for shared access wait for a semaphore associated with the resource, and threads waiting to acquire a resource for exclusive access wait for an event. A semaphore with unlimited count is used for shared waiters because they can all be woken and granted access to the resource when an exclusive holder releases the resource simply by signaling the semaphore. When a thread waits for exclusive access of a resource that is currently owned, it waits on a synchronization event object because only one of the waiters will wake when the event is signaled.

Because of the flexibility that shared and exclusive access offers, there are a number of functions for acquiring resources: ExAcquireResourceSharedLite, ExAcquireResourceExclusiveLite, ExAcquireSharedStarveExclusive, ExAcquireWaitForExclusive, and ExTryToAcquireResourceExclusiveLite. These functions are documented in the WDK.

EXPERIMENT: Listing Acquired Executive Resources

The kernel debugger !locks command searches paged pool for executive resource objects and dumps their state. By default, the command lists only executive resources that are currently owned, but the -d option will list all executive resources. Here is partial output of the command:

    lkd> !locks
    **** DUMP OF ALL RESOURCE OBJECTS ****
    KD: Scanning for held locks.
    Resource @ 0x89929320 Exclusively owned
    Contention Count = 3911396
    Threads: 8952d030-01< *>
    KD: Scanning for held locks.......................................
    Resource @ 0x89da1a68 Shared 1 owning threads
    Threads: 8a4cb533-01< *> *** Actual Thread 8a4cb530

Note that the contention count, which is extracted from the resource structure, records the number of times threads have tried to acquire the resource and had to wait because it was already owned.

You can examine the details of a specific resource object, including the thread that owns the resource and any threads that are waiting for the resource, by specifying the -v switch and the address of the resource:

    lkd> !locks -v 0x89929320
    Resource @ 0x89929320 Exclusively owned
    Contention Count = 3913573
    Threads: 8952d030-01< *>
    THREAD 8952d030 Cid 0acc.050c Teb: 7ffdf000 Win32Thread: fe82c4c0 RUNNING on processor 0
    Not impersonating
    DeviceMap 9aa0bdb8
    Owning Process 89e1ead8 Image: windbg.exe
    Wait Start TickCount 24620588 Ticks: 12 (0:00:00:00.187)
    Context Switch Count 772193
    UserTime 00:00:02.293
    KernelTime 00:00:09.828
    Win32 Start Address windbg (0x006e63b8)
    Stack Init a7eba000 Current a7eb9c10 Base a7eba000 Limit a7eb7000 Call 0
    Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 Pa ...
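When triaging a hang from a saved debugger log, it helps to turn the !locks listing into records that can be sorted by contention count and searched by owning thread. The following Python is an added example, not code from the book or the debugger: the function names parse_locks and by_contention are hypothetical, and the sample input is the partial output quoted in the experiment above.

```python
import re

# Constructed input: the partial !locks output quoted on this page,
# with the listing's line numbers stripped.
SAMPLE = """\
lkd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks.
Resource @ 0x89929320 Exclusively owned
Contention Count = 3911396
Threads: 8952d030-01< *>
KD: Scanning for held locks.......................................
Resource @ 0x89da1a68 Shared 1 owning threads
Threads: 8a4cb533-01< *> *** Actual Thread 8a4cb530
"""

RESOURCE = re.compile(
    r"Resource @ (0x[0-9a-fA-F]+)\s+(Exclusively owned|Shared \d+ owning threads)")
CONTENTION = re.compile(r"Contention Count = (\d+)")
# One owner entry; tolerate "<*>" or "< *>", and take the address after
# "*** Actual Thread" when the debugger prints one.
OWNER = re.compile(
    r"([0-9a-fA-F]{8,16})-\d+<\s*\*>(?:\s*\*\*\* Actual Thread ([0-9a-fA-F]+))?")

def parse_locks(text):
    """Return one dict per 'Resource @' record found in !locks output."""
    resources, cur = [], None
    for line in text.splitlines():
        m = RESOURCE.search(line)
        if m:
            cur = {"address": int(m.group(1), 16),
                   "mode": "exclusive" if m.group(2).startswith("Excl") else "shared",
                   "contention": None,   # stays None if the line is absent
                   "owners": []}
            resources.append(cur)
        elif cur is not None:
            m = CONTENTION.search(line)
            if m:
                cur["contention"] = int(m.group(1))
            elif line.lstrip().startswith("Threads:"):
                cur["owners"] += [a or t for t, a in OWNER.findall(line)]
    return resources

def by_contention(resources):
    """Most contended resources first; records without a count sort last."""
    return sorted(resources, key=lambda r: r["contention"] or 0, reverse=True)

if __name__ == "__main__":
    for r in by_contention(parse_locks(SAMPLE)):
        print(hex(r["address"]), r["mode"], r["contention"], r["owners"])
```

The owner addresses it returns can be passed to !locks -v or matched against THREAD lines in the verbose output to see which process holds a heavily contended resource.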
