Kernel
Kernel routines exposed through the WDK are named with the Ke prefix: Ke[XXXX].
Relationship between the kernel and the executive.

Kernel objects
Executive objects are built on top of kernel objects; kernel objects carry less overhead, and an executive object may contain kernel objects.
Kernel objects fall into two groups:
1. Control objects
APC objects, DPC objects, Interrupt objects
2. Dispatcher objects
kernel thread, mutex, event, kernel event pair, semaphore, timer, waitable timer

Kernel Processor Control Region (KPCR)
Per-processor data, for example:
Interrupt Descriptor Table (IDT)
Task-State Segment (TSS)
Global Descriptor Table (GDT)
On 32-bit Windows, fs:[0] points to the KPCR.
On x64 Windows, gs:[0] points to the KPCR.
On IA64 Windows, 0xE0000000FFFF0000 points to the KPCR.
The KPCR contains the KPRCB (Kernel Processor Control Block).
Per-processor data such as the Nonpaged pool, paged pool and lookaside lists is kept in the KPRCB.

HAL
Device Driver
System Processes
1. Idle Process
Idle and System.
The Idle process has PID 0.
2. Interrupts and DPCs
Interrupt and DPC time accounted per CPU.
3. System Process and System Threads
The System process has PID 4.
System threads are created with PsCreateSystemThread and run in a system thread context.
ISRs, DPCs and System Threads.
4. Session Manager (Smss.exe)
smss.exe is the first user-mode process.
Session Manager performs delayed rename/delete file operations.
Session Manager starts the subsystem server process (csrss.exe); csrss.exe is a system process.
In Session 0, smss.exe starts wininit.exe; in other sessions, smss.exe starts Winlogon.exe.
5. Winlogon, LogonUI, LSASS, Userinit
SAS (Control + Alt + Delete, Secure Attention Sequence) is handled by Winlogon.
Winlogon hands the credential UI to LogonUI.
LSASS authenticates the user and creates the access token; under UAC, lsass creates both the filtered access token and the full access token.
6. Service Control Manager (SCM)
Services are similar to Linux daemon processes.
Services run independently of the logon user.
Services register with the SCM through its API.
Services are hosted either in their own process (e.g. lsass.exe) or as DLLs loaded into svchost.exe.