|Moderated by: administrator||
|Windows 7 – Kernel API Refactoring|| Rate Topic
|Posted: Thu Mar 31st, 2016 11:44 am||
|After the general population arrival of Microsoft Windows 7, I saw numerous individuals were interested about and demonstrated awesome enthusiasm for "MinWin", yet the majority of them were not ready to comprehend or clarify it accurately and they regularly confounded "MinWin" with "Server Core". So what does precisely the expression "MinWin" mean?
Ad: Mcafee Activate at http://www.mcafee.com/activate
One of Microsoft objectives for Windows Server 2008, "Server Core" (some time ago known as "Server Foundation") is a variation with a sub-set of the whole Windows working framework that contains enough segments to run different basic server parts, for example, AD, DNS, DHCP Server and IIS. Then again, the "MinWin" is a little, independent working framework that has no conditions on larger amount segments, and is most surely understood for being moderate, independent arrangement of Windows segments was dispatched as a major aspect of Windows 7.
One Microsoft Windows designer portrays "MinWin" as "refactoring code along structural layering lines". Really from Windows Vista (a percentage of the componentization and refactoring work was at that point transported with Windows Vista) which is seemingly the primary "MinWin" based working framework, each part of the working framework was doled out a "layer number" that speaks to its reliance position in respect to different segments, with more lower-numbered segments being all the more nearer to the center of the working framework, and "code refactoring" should be finished by the center engineering group to determine the reliance issues where low-level segments were dependent on abnormal state segments. Next how about we take a gander at how this "layering" and "code refactoring" are actualized in Windows 7 by utilizing an illustration.
From the screenshot above (kernel32.dll opened in reliance walker utility), we can see that Windows 7 presents an arrangement of new DLL documents which trade some understood Win32 APIs, the recently presented DLLs incorporate kernelbase.dll (Windows NT BASE API Client DLL) and 34 concealed ApiSet Stub DLLs (recorded underneath), and each such stub DLL fits in with a different capacity classification as its name shows. For instance, programming interface ms-win-center processthreads-l1-1-0.dll fares process/string related APIs (CreateProcessA/W, CreateRemoteThread and so forth), and programming interface ms-win-center stack l1-1-0.dll fares client mode store administration APIs (HeapCreate, HeapAlloc and so forth).
ApiSet Stub DLLs:
Here we can see clearly that Kernel32!OpenProcess will not do much work actually, it simply jumps to OpenProcess_0 which is imported from one of the stub DLLs (api-ms-win-core-synch-l1-1-0.dll).
The IDA Pro and Dependency Walker show this dependency explicitly, however when we further look into the disassembly code of api-ms-win-core-synch-l1-1-0!OpenProcess, we will be surprised to find the function is actually an empty function which just returns 0, and all its exported functions with 3 arguments share the same function stub (see the screenshot below). So how does Kernel32!OpenProcess work properly if it is resolved to an empty function?
Ad: Norton setup at http://www.norton.com/setup
The secret lies in the DLL loading process, Windbg debugging output tells us Kernel32!OpenProcess will not jump to api-ms-win-core-synch-l1-1-0!OpenProcess at runtime, and the import table entry of OpenProcess is actually filled with the address of Kernelbase!OpenProcess, and all api-ms-win-*.dll are never loaded into the process address space (refer to !peb output)
The real implementation code was moved from Kernel32!OpenProcess to Kernelbase!OpenProcess (see below), which further invokes Ntdll!ZwOpenProcess. In fact, not only OpenProcess, most Win32 APIs have been undergone the same “refactoring along architectural layering lines”.
In my next blog on Windows 7 internals, we are going to look inside a cool feature of Windows 7 – “XP Mode”, please stay tuned.
Last edited on Mon Jan 2nd, 2017 11:34 am by ImMike
|Current time is 04:31 pm|
|Ontario Fishing Forum > Ontario Fishing Forum > Ontario Fly Fishing Forum > Windows 7 – Kernel API Refactoring||Top|