In the x86 architecture, interrupts are handled through the Interrupt Dispatch Table (IDT). Modern operating systems use interrupts instead of I/O port polling to wait for information from devices. The main entry point of ntoskrnl.exe performs some system dependent initialization then calls a system independent initialization then enters an idle loop. But since it does not know the address of each one, it has to load them one by one to fill the PCR structure. In the x86 architecture, the kernel receives the system already in protected mode, with the GDT, IDT and TSS ready. The definition of this structure can be retrieved by using the kernel debugger or downloading it from the Microsoft symbol database. The pointer's destination contains information about the hardware, the path to the Windows Registry file, kernel parameters containing boot preferences or options that change the behavior of the kernel, path of the files loaded by the bootloader ( SYSTEM Registry hive, nls for character encoding conversion, and vga font). When the kernel receives control, it gets a struct-type pointer from bootloader. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not. When called from ntdll.dll in user mode, these groups are almost exactly the same they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. Internal base code for the Security Managerĭriver Verifier routines not exported for call outside the driver verifier Security Manager, access token for the Win32 API Runtime library private (for internal use only) Runtime library, i.e., many utility functions that can be used by native applications, yet don't directly involve kernel support ![]() Process and thread management (task management) Internal base code for the Object Manager Nls for Native Language Support (similar to code pages). Memory management routines not exported for call outside the memory manager (i = internal) ![]() Local Procedure Call, an internal, undocumented, interprocess or user/kernel message passing mechanism Internal base code for the PE Loader, usually just PE relocate implementation. Internal functions for acquiring spinlock and semaphore implementations Internal and stub functions that generate a trap frame and call Kx-prefixed functions Interrupt handling, semaphores, spinlocks, multithreading and context switching functions Internal and base code for the I/O Manager Windows executive private (routines intended for the internal use of Windows Executive) Windows executive, an "outer layer" of Ntoskrnl.exe These functions contain the core code and implements important checks, such as for vulnerabilities, missing arguments and exception handling.Ĭonfiguration Manager, the kernel mode side of Windows Registryįunctions used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system)ĭebugging aid functions, such as a software break point Since not all functions are being exported by the kernel, function prefixes ending in i or p (such as Mi, Obp, Iop) are internal and not supposed to be accessed by the user. Routines in ntoskrnl use prefixes on their names to indicate in which component of ntoskrnl they are defined. Starting with Windows Vista, Microsoft began unifying the kernel images as multi-core CPUs took to the market and PAE became mandatory. On a multiprocessor system, Setup installs ntkrnlmp.exe and ntkrpamp.exe but renames them to ntoskrnl.exe and ntkrnlpa.exe respectively. Windows setup decides whether the system is uniprocessor or multiprocessor, then, installs both the PAE and non-PAE variants of the kernel image for the decided kind. In Windows XP and earlier, the Windows installation source ships four kernel image files to support uniprocessor systems, symmetric multiprocessor (SMP) systems, CPUs with PAE, and CPUs without PAE. Because it requires a static copy of the C Runtime objects, the executable is usually about 10 MB in size. ![]() Instead, ntoskrnl.exe containing a standard " start" entry point that calls the architecture-independent kernel initialization function. In other words, it is not linked against ntdll.dll. X86 versions of ntoskrnl.exe depend on bootvid.dll, hal.dll and kdcom.dll (圆4 variants of ntoskrnl.exe have these dlls embed into the kernel to increase performance). ( April 2014) ( Learn how and when to remove this template message) Unsourced material may be challenged and removed. Please help improve this article by adding citations to reliable sources in this section. ![]() This section needs additional citations for verification.
0 Comments
Leave a Reply. |