Windows kernel debugging. Hardcore debugging with Linice: learning to work in the kernel console. Brief description of the HEVD module

How to start the kernel debugger?

Instructions:

In software development, debugging is one of the most important stages. Application programs, which run in user mode, are usually debugged with the debugger built into the IDE. To debug drivers, however, you must run the kernel debugger.

Launch the cmd command processor. Open the Start menu from the taskbar and click “Run...”. In the “Run” window, type cmd in the text field and click “OK”.

Now make a backup copy of the boot.ini file. First find out where the current copy of Windows is installed with the command: echo %SystemRoot%

Then switch to the drive with the installed operating system by typing the drive letter followed by a colon. Use the cd command to go to the root directory. Now use the attrib command to remove the “hidden”, “read-only” and “system” attributes from boot.ini. Create the backup copy with the copy command and then restore the attributes.

Display the list of boot entries with the command bootcfg /query. Look through the list and pick the entry on which the new entry, with kernel-mode debugging enabled, will be based. Note the ID of that entry.

Make a copy of the entry with the command bootcfg /copy. Use the /id parameter to specify the ID of the entry being copied, and /d to specify the name that will be shown in the boot menu. Now return to the list of entries with bootcfg /query and note the ID of the entry you have just added.

Now enable the kernel debugger options in the new boot entry. If you will be debugging on the same machine, it is enough to add the /debug option.

If you intend to debug remotely, with the target computer connected to the host machine through a COM port, use the /port and /baud options to specify the port number and the baud rate.

If you prefer a FireWire (IEEE 1394) connection, enable remote debugging over it with the /dbg1394 option and specify the channel number with the /ch option.

Check your changes by running bootcfg with the /query parameter. Then type exit to close the command processor window.

Now change the operating system settings. Open Control Panel from the “Start” menu and open the “System” item. In the “System Properties” window, select the “Advanced” tab. On this tab, find the “Startup and Recovery” section and click the “Settings” button. In the “Startup and Recovery” window, enable the “Display list of operating systems” option. Close both dialog boxes with “OK”.

Restart the computer. In the boot menu, choose the entry you added. Log in and start debugging, either on the same machine or remotely, using tools such as WinDbg and KD.

Here are some guidelines for debugging a kernel with crash dumps. As a rule, you will need to specify one of the swap devices listed in /etc/fstab as the dump device. Dumping to devices that are not swap devices, for example tapes, is currently not supported.

Note: Use the dumpon(8) command to tell the kernel where to save crash dumps. The dumpon program must be run after the swap partition has been configured with swapon(8). This is normally arranged by setting the dumpdev variable in rc.conf(5). If this variable is set, savecore(8) is run automatically on the first boot after a crash. It saves the kernel crash dump in the directory given by the dumpdir variable in rc.conf. The default directory for crash dumps is /var/crash.

Alternatively, you can specify the dump device explicitly through the dump option in the config line of the kernel configuration file. This approach is deprecated and should be used only if you want a crash dump from a kernel that crashes during booting.

Note: From here on, the term gdb refers to the gdb debugger started in ``kernel debug mode''. This mode is entered by starting gdb with the -k option. In kernel debug mode gdb changes its prompt to (kgdb).

Tip: If you are using an older version of FreeBSD, install a stripped copy of the debug kernel rather than the large debug kernel itself:

# cp kernel kernel.debug
# strip -g kernel

This step is not strictly necessary, but it is recommended. (In FreeBSD 4 and later releases this step is performed automatically at the end of the make process that builds the kernel.) When the kernel has been stripped, either automatically or with the commands above, you can install it in the usual way by typing make install.

Note that old versions of FreeBSD (before 3.1, not including that release) use kernels in a.out format, whose symbol tables have to be permanently resident in memory. With the large symbol table of an unstripped debug kernel this is a waste. Recent FreeBSD releases use ELF kernels, where this is not a problem.

If you are testing a new kernel, say by typing the name of the new kernel at the boot loader prompt, but you need to boot and work with a different kernel to get back to normal operation, boot it into single-user mode only, using the -s flag given at boot time, and then perform the following steps:

# fsck -p
# mount -a -t ufs       # so your file system for /var/crash is writable
# savecore -N /kernel.panicked /var/crash
# exit                  # ...to multi-user

This sequence tells savecore(8) to use a different kernel for extracting symbol names. Otherwise it would use the currently running kernel and, most likely, do nothing, because the crash dump and the kernel symbols would not match.

Now, after the crash dump has been written, go to the directory /sys/compile/WHATEVER and run gdb -k. From within gdb do the following:

symbol-file kernel.debug
exec-file /var/crash/kernel.0
core-file /var/crash/vmcore.0

and voilà, you can debug the crash dump using the kernel source code just as you do with any other program.

Here is a log of a gdb session illustrating this procedure. Long lines have been broken to improve readability and, for convenience, the lines have been numbered. Everything else is a trace of a real error that occurred while working on the pcvt console driver.

1:Script started on Fri Dec 30 23:15:22 1994
2: # cd /sys/compile/URIAH
3: # gdb -k kernel /var/crash/vmcore.1
4:Reading symbol data from /usr/src/sys/compile/URIAH/kernel...done.
5:IdlePTD 1f3000
6:panic: because you said to!
7:current pcb at 1e3f70
8:Reading in symbols for ../../i386/i386/machdep.c...done.
9: (kgdb) where
10:#0  boot (arghowto=256) (../../i386/i386/machdep.c line 767)
11:#1  0xf0115159 in panic ()
12:#2  ... in diediedie () (../../i386/i386/machdep.c line 698)
13:#3  0xf010185e in db_fncall ()
14:#4  0xf0101586 in db_command (...)
15:#5  ... in db_command_loop ()
16:#6  0xf01040a0 in db_trap ()
17:#7  0xf0192976 in kdb_trap (12, 0, -272630436, -266743723)
18:#8  0xf0... in trap_fatal (...)
19:#9  ... in trap_pfault (...)
20:#10 0xf019cb2f in trap (...)
21:#11 0xf01932a1 in exception:calltrap ()
22:#12 0xf0191503 in cnopen (...)
23:#13 0xf0132c34 in spec_open ()
24:#14 0xf012d014 in vn_open ()
25:#15 0xf012a183 in open ()
26:#16 0xf019d4eb in syscall (...)
27: (kgdb) up 10
28:Reading in symbols for ../../i386/i386/trap.c...done.
29:#10 0xf019cb2f in trap (frame={tf_es = -260440048, tf_ds = 16, tf_\
30:edi = 3072, tf_esi = -266445372, tf_ebp = ..., tf_isp = ..., tf_ebx\
31: = -266427884, tf_edx = 12, tf_ecx = -266427884, tf\
32:_eax = 64772224, tf_trapno = 12, tf_err = -272695296, tf_eip = -26\
33:6672343, tf_cs = -266469368, tf_eflags = 66066, tf_esp = 3072, tf_\
34:ss = -266427884}) (../../i386/i386/trap.c line 283)
35:283             (void) trap_pfault(&frame, FALSE);
36: (kgdb) frame frame->tf_ebp frame->tf_eip
37:Reading in symbols for ../../i386/isa/pcvt/pcvt_drv.c...done.
38:#0  0xf01ae729 in pcopen (dev=3072, flag=3, mode=8192, p=(struct p\
39:roc *) 0xf07c0c00) (../../i386/isa/pcvt/pcvt_drv.c line 403)
40:403             return ((*linesw[tp->t_line].l_open)(dev, tp));
41: (kgdb) list
42:398
43:399             tp->t_state |= TS_CARR_ON;
44:400             tp->t_cflag |= CLOCAL;  /* cannot be a modem (:-) */
45:401
46:402     #if PCVT_NETBSD || (PCVT_FREEBSD >= 200)
47:403             return ((*linesw[tp->t_line].l_open)(dev, tp));
48:404     #else
49:405             return ((*linesw[tp->t_line].l_open)(dev, tp, flag));
50:406     #endif /* PCVT_NETBSD || (PCVT_FREEBSD >= 200) */
51:407     }
52: (kgdb) print tp
53:Reading in symbols for ../../i386/i386/cons.c...done.
54:$1 = (struct tty *) 0x1bae
55: (kgdb) print tp->t_line
56:$2 = 1767990816
57: (kgdb) up
58:#1  0xf0191503 in cnopen (dev=0x00000000, flag=3, mode=8192, p=(st\
59:ruct proc *) 0xf07c0c00) (../../i386/i386/cons.c line 126)
60:126             return ((*cdevsw[major(dev)].d_open)(dev, flag, mode, p));
61: (kgdb) up
62:#2  0xf0132c34 in spec_open ()
63: (kgdb) up
64:#3  0xf012d014 in vn_open ()
65: (kgdb) up
66:#4  0xf012a183 in open ()
67: (kgdb) up
68:#5  0xf019d4eb in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi =\
69: 2158592, tf_esi = 0, tf_ebp = -272638422, tf_isp = ..., tf_ebx = ..., \
70:tf_edx = 1, tf_ecx = 0, tf_eax = 5, tf_trapno = 582, tf_err = ..., \
71:tf_eip = ..., tf_cs = ..., tf_eflags = ..., tf_esp = ..., tf_ss = ...\
72:}) (../../i386/i386/trap.c line 673)
73:673             error = (*callp->sy_call)(p, args, rval);
74: (kgdb) up
75:Initial frame selected; you cannot go up.
76: (kgdb) quit
77: # exit
78:exit
79:
80:Script done on Fri Dec 30 23:18:04 1994

Comments on the log above:

Line 6:

This is a dump taken from within DDB (see below), which is why the panic comment reads exactly “because you said to!”. However, the original reason for dropping into DDB was a page fault trap.

Line 20:

This is the location of the trap() function in the stack trace.

Line 36:

Forcing the use of a new stack frame; this is no longer necessary today. The stack frames are now assumed to point to the right locations, even in the case of a trap. Looking at source line 403, it is quite likely that either the access through the pointer ``tp'' is at fault, or the array access was out of bounds.

Line 52:

The pointer looks suspicious, but it is a valid address.

Line 56:

However, it obviously points to garbage, so we have found our bug! (For those unfamiliar with this part of the code: tp->t_line holds the line discipline of the console device, and it must be a fairly small integer.)

A debugger is a companion of the compiler, just as necessary for writing programs. However, many of those who write computer programs and use debuggers are unaware of the principles and mechanisms behind their operation.


Why a debugger is needed

Programmers use a debugger day and night, especially when a bug drives them deep into the code, so it is fair to say that a debugger is not just a program but a work partner: without one a programmer quickly burns out, because however much work the machine can take over, the compiler cannot be asked where the fault is.

Of course, there are different programming languages, and each has its own debuggers. Naturally, debuggers for certain categories of languages differ in how they work: for example, a debugger for interpreted Ruby works differently from one for a language compiled to Java bytecode, and a Java debugger in turn differs considerably from the Visual C++ debugger.

I will talk about debuggers for the Windows platform. Once you understand how debuggers work there, it is easy to understand both debuggers for POSIX systems and debuggers that work not at the level of the operating system but at the level of a virtual machine or interpreter.


Debuggers for Windows: two types

There are two different types of debuggers for Windows. I think everyone has met the first kind if they ever programmed in Delphi (you haven't? I can't believe it. What did you program in at school and in your first years of university?). These are user-mode application debuggers. There are many of them, and they come both stand-alone and (especially often, by the way) as part of integrated development environments. Among the debuggers distributed separately from software products, OllyDbg is the traditional one, and I have written about it in Computer News.

The second type is the operating-system kernel debugger. These are more specialised, used less often, and differ significantly in design from user-mode debuggers. The most popular and, at the same time, the best-known kernel debugger is SoftIce. You have probably not only heard of it but used it.

Since each of the two types of debuggers has its own specifics, I will describe each of them in detail.


User-mode application debuggers

A user-mode application debugger is the simpler kind, since most of the heavy lifting is done by the operating system. Windows has special programming interfaces designed for debugging, called the Windows Debugging API. These APIs are used by all the debuggers included in the popular integrated development environments for Windows.

For debugging to begin, the debugger must start the process being debugged in a special way, so that the system knows this process is under debugging. After that the debugging cycle begins: the program runs until an event occurs that the debugger must handle, called a debug event. Because of the debugger's intervention, the program being debugged runs noticeably slower.

But this is only the beginning. The real work of the debugger starts once a debug event has occurred. And what, in essence, is the debugger's job? To help the programmer localise an error down to a specific function, a specific operation, a specific variable. The operating system helps with this difficult task as well.

So, an event has occurred, and now the debugger must determine how it relates to the program's source text. For this the program itself includes special debugging information, a table of debug symbols. It holds the correspondence between addresses and function names, data types, and source line numbers. This is the easiest part for a Windows programmer. Symbol tables come in different formats, and a program compiled with one vendor's compiler cannot always be debugged with another vendor's debugger. The most widespread format, however, is clearly PDB (Program Database), which, of course, comes from Microsoft.

Also, if the symbol table is in PDB format, working with symbols can be made easier with a special Microsoft tool, the symbol handler, which is part of the system and is called Imagehlp.dll; it has long shipped among the system libraries. The symbol handler can find, for a given address, the nearest function or global variable, as well as the line number and the name of the source file containing that line. The reverse operations are supported too, for example finding the address of a function by its name.

This, of course, is not all that an application debugger does. For example, debugging multithreaded applications involves many subtle points connected with the interaction of threads. Debugging such seemingly simple things as services has its own nuances as well.

But let's not dwell on the nuances; I may write a separate article about them. Now let's look at kernel debuggers.


Kernel debuggers

Kernel debuggers are far more complex programs with far fewer conveniences, and, I assure you, it is entirely clear why: they have no helper in the form of an operating system. In this case the operating system is their client, and it is precisely the operating system they have to debug.

Most kernel debuggers work on two computers connected by a null-modem cable. A null modem is a way of connecting two computers directly with a cable through their COM or LPT ports. A second computer is needed because only part of the debugger sits on the first one (the one running the system being debugged); that part has access to the hardware, and all its data output goes over the null-modem link to the second computer.

Modern processors of the Intel x86 architecture have special debug registers (present both in the old 386 and in new models from all manufacturers; they are called DR0-DR7). These registers allow breakpoints to be set on memory reads and writes, as well as on I/O ports. Roughly speaking, that is how it looks, and I don't think it is appropriate to describe in detail here what each of these registers does, how breakpoints trigger and other such information. Let's talk instead about specific kernel debuggers for Windows.

First of all, there is the debugger built into the operating system kernel itself. This applies to all NT-line operating systems, starting with Windows 2000. The file is NTOSKRNL.EXE, and the debugger is enabled by setting the "/Debug" option for the operating system in BOOT.INI. This debugger requires a null-modem connection to a second computer running the same OS.

Another kernel debugger from Microsoft is WinDBG. Strictly speaking, it is not a kernel debugger but a hybrid that can also be used to debug user-mode programs. Essentially, it is a graphical shell around the debugger built into the kernel, so it is easier to use. This debugger also supports special extensions that come in handy for high-level debugging tasks. But for kernel debugging it, too, requires two computers.

There is, however, a kernel debugger that can work on a single computer: SoftIce. At the same time, SoftIce can also debug application programs. Using this debugger makes sense for an application programmer, for example, with real-time systems that are tied to the system timer. If you use an ordinary debugger, a correctly working program may appear to fail, whereas SoftIce stops both the program and the timer. It is also useful for debugging multithreaded programs. In addition, SoftIce displays in great detail information about all threads in the system, about thread synchronisation in multithreaded applications, and information about handles. For an application programmer this is both the simplest and the most effective approach.


For those who like it

Today the topic of debuggers for Windows applications is not as relevant as it was ten years ago. The whole world has moved to the Internet, and the main users of SoftIce have become crackers, tireless workers in the field of piracy. Nevertheless, not everything is that bad. Playing with SoftIce certainly develops a person's knowledge of the computer, although it is important to stick to the debuggers themselves and not to real software, which can have side effects; I think everyone understands that.

Debuggers are one of the most complex kinds of software, and kernel debuggers are harder to write than user-mode application debuggers. But if you find the time to write your own debugger, your knowledge of operating systems and programming will grow considerably, and with it your chances of getting a well-paid job.

So if you want to write your own debugger, first read the material on the subject. In my opinion, the best book for beginners is John Robbins's "Debugging Windows Applications". It is already old, dating from 2001, but the information in it is still relevant today, since it is largely fundamental in nature. The book has an appendix on writing debuggers for Windows, and it will also be useful to you if you program in C++ and want to get better at debugging problems. In fact, the information about debuggers presented in this article comes from that very book. If you cannot find the book (after all, it is quite old), here are some addresses that may be useful. The first is www.xakep.ru/post/19158/default.asp. This article from the magazine "Hacker" talks more about kernel debuggers, not user-mode ones, and also contains the code of a very simple debugger. And at kalashnikoff.ru/Assembler/issues/016.htm you can learn how to write a DOS debugger. It is also worth reading MSDN, and it is useful to know which debuggers have open source code so that you can consult it. Well, of course, if you take up writing a debugger, good luck with your difficult task!

Kernel-mode debuggers sit between the CPU and the operating system. This means that when you stop in a kernel-mode debugger, the operating system stops as well. It is not hard to see that bringing the operating system to an abrupt halt is useful when you are working on timing and synchronisation problems. Still, with the exception of one debugger, discussed below (in the "SoftICE Debugger" section of this chapter), you cannot debug user-mode code with kernel-mode debuggers.

There are not that many kernel-mode debuggers. Here they are: the Windows 80386 Debugger (WDEB386), the Kernel Debugger (I386KD), WinDBG and SoftICE. Each of these debuggers is briefly described in the following sections.

The WDEB386 debugger

WDEB386 is a Windows 98 kernel-mode debugger that is available in the Platform SDK. This debugger is useful only to those who write Windows 98 virtual device drivers (VxDs). Like most kernel-mode debuggers for Windows operating systems, WDEB386 requires two machines and a null-modem cable. Two machines are needed so that the part of the debugger installed on the target machine, which has access to that machine's hardware, can send its output to and receive commands from the other machine.

WDEB386 has a long history. It started out as an internal Microsoft debugging tool back in the days of Windows 3.0. It was hard to use, and it did not offer enough support for source-level debugging and the other conveniences that developers using Visual C++ and Visual Basic had come to expect.

"Dot" (DOT) commands are the most important feature of WDEB386. By hooking INT 41 you can extend WDEB386 with your own commands. This extensibility allows VxD authors to create custom commands that give them easy access to the information inside their virtual devices. The debug version of Windows 98 supports many DOT commands that let you examine the exact state of the operating system at any point during debugging.

The I386KD debugger

Windows 2000 differs from Windows 98 in that the real part of the kernel-mode debugger is part of NTOSKRNL.EXE, the main kernel file of the Windows 2000 operating system. This support is present in both the standard (release) and the checked (debug) builds of the operating system. To enable kernel-mode debugging, set the /DEBUG boot option in BOOT.INI and, in addition, the /DEBUGPORT option if you need to set the communication port of the kernel-mode debugger to something other than the default (COM1). I386KD runs on its own machine and communicates with the Windows 2000 machine over a null-modem cable.

The NTOSKRNL.EXE kernel-mode debugger does only as much as is needed to control the CPU so that the operating system can be debugged. Most of the debugger's work (symbol handling, breakpoint expansion and disassembly) is done on the I386KD side. At one time the Windows NT 4 Device Driver Kit (DDK) documented the null-modem cable protocol. Microsoft no longer documents it.

The power of I386KD becomes obvious when you consider all the commands it provides for accessing the internals of Windows 2000. Knowing the device driver mechanism of Windows 2000 helps the programmer follow the output of these commands. Do not be alarmed, though, if I386KD is not much use to you: it is a console program, and source-level debugging with it is very hard.

  • Authors:

    Barinov S.S., Shevchenko O.G.

  • Source:

    Computer Science and Computer Technologies / Proceedings of the VI International Scientific and Technical Conference of Students, Postgraduates and Young Scientists, 23-25 November 2010, Donetsk, DonNTU. 2010. 448 p.

Abstract

An analysis of user-mode and kernel-mode debugging in the Microsoft Windows operating system is carried out, and the importance and the difficulties of organising debugging of the latter are described. On the basis of the results obtained, the main requirements for kernel-mode debugging tools, for both post-mortem and interactive debugging, are formulated. Existing solutions that satisfy these requirements are analysed. Particular attention is paid to Microsoft Windows Debugger.

Main part

Establishment is the process of determining the reasons for pardons security software. In some projects, development takes up to 50% of the total development time. Improvement can be simplified with the use of specialized tools that are constantly being updated. The main such tool is the adjuster, which allows you to control the execution of the software, monitor its overruns and get involved in the new one. It is important for the kernel to be developed by driver vendors.

Application software development tools provide a programmer with a wide range of capabilities. Whether the development core is integrated, includes the ability to develop without the need for third-party utilities. If we talk about system software and the development of zocrema drivers, then due to its specificity the process of development is extremely difficult and there is little automation. All phases of development, including prosperity, are closed. For the skin of them, the required special minds: writing software code is going to be completed forever computer system, improvement - on the feeding system, testing - in the conditions, etc. The kernel mode itself is more complex in the mastered and, apparently, less friendly.

You can talk about the marriage of costs and the development of the core. If you want such things, you often can’t talk about alternatives. For example, the Microsoft Windows Debugger has a high entry barrier. There are plenty of programmers to talk about the first negative evidence when getting to know him, and most of his opportunities are lost unclaimed.

Coming from the structure of the virtual address space, if in addition a compilation is allowed, after which the program saves the data recording in sufficient memory space, then the program will corrupt the available memory and will not interfere with the work of other programs of the operating system and. Todi yak program code Kernel mode can damage important data structures of the operating system, which will inevitably lead to a crash. Ineffective driver writing can cause serious degradation of the entire operating system.

    Daily drinks will ensure your feet basic functions:
  • improvement of the same level as the output code;
  • keruvannya vikonannyam;
  • look and change of memory;
  • review and change instead of processor registers;
  • review of the stack of coins.

To make things easier with disassembled code, use the so-called so-called. nutritional symbols. During the work of the compositor, in addition to the image of the compiled file, it is also possible to create a data file to contain information that is not required for compiled programs, but is extremely useful for them: names of global functions changes, description of structures. Nice symbols are available to everyone linked files Windows operating system.

It is up to the manufacturer to interrupt and update the program code to achieve the specified command in the program code. If the program code is compiled in a step-by-step mode - interruption occurs due to the skin tokens of the programming or when exiting subprograms. In case of strong viconic interruption, the viconicann appears at the back of the planned plots of the code - the places where the jumping points are installed.

When the code is interrupted in the kernel mode, problems arise. The administrator interacts with the programmer using the vikoryst interface of the koristuvach. Tobto. At least the visible part of the editor is configured in kernel mode and for this purpose it is naturally supported by the application programming interface (Windows API), which in turn is based on the kernel mode module. Thus, suppression of the kernel code mode can lead to mutual blocking: the system will stop responding to the user’s requests.

To access the kernel memory, the warehouse manager must also enter kernel mode. This leads to two problems, which are obvious consequences of the organization of memory in the protected mode of the processor.

The first problem is the translation of virtual memory addresses. Drivers continuously interact with programs in the computer mode, ending in memory. The Windows operating system translates virtual addresses from physical ones, depending on the context of the stream. The context of a thread is a structure that represents the state of a thread and includes, in short, a set of registers and other information. If the information is passed to another thread, there is a reversal of the context, which saves information about one thread and updates information about another. When the context of a thread is re-mapped to the thread of another process, the directory of pages, vikoristov is also re-mapped to translate the virtual address from the physical one.

The peculiarity lies in the fact that when dispatching system clicks, the Windows operating system does not remix the context. In this case, the kernel mode code can use virtual addresses and the core mode.

Otherwise, when dispatching, interrupt or kill system threads. Pererirvannya may be the case, so it is impossible to convey what context there is for the flow of vikors. System threads do not belong to any process and cannot translate virtual addresses to the server mode. It is evident that in these situations it is not possible to go back to remembering the regime of the koristuvach.

Another problem is the storage of memory that is being moved. Most of the information in memory is moved and at any time can be moved from physical memory on hard drive at the side of the file. When accessing a page that is in physical memory, in a normal situation the processor will generate a Page Fault that is processed by the memory manager, and as a result the page will be read from the page file the wife has physical memory.

The described behavior breaks down when the error handler software code is corrupted high rhubarb interrupt request levels (IRQL). With an IRQL that is avoided, the IRQL of the memory manager can be moved to the rest, because The operating system is blocked when interrupted Page Fault. This will lead to the collapse of the operating system.

Debugging is usually divided into interactive and post-mortem. In local interactive debugging, the debugger is installed on the same system as the debug target. In remote interactive debugging, the debugger and the target are on different systems. When debugging kernel code, the system must be controllable from the earliest stages of its boot, while the system is not yet functioning, so simple communication interfaces such as COM, FireWire and USB are used to connect the two systems. Lately, with the spread of software virtualization at various levels of abstraction, virtual machines are increasingly used for this: the guest OS serves as the debug target, the host OS runs the debugger, and the virtual machine emulates the communication interface.

For post-mortem debugging, then, there is no need to install a debugger on the test computer. The Windows operating system distribution includes mechanisms for post-mortem debugging: before restarting, the operating system can save information about its state so that the developer can analyze it and determine the cause of the failure. This information, saved to a file, is called a memory dump.
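The memory dump just described is where the IRQL and paging problems from the preceding paragraphs usually surface, as a bug check recorded in the dump header. The following added example, not code from the article, decodes the fixed prefix of a Windows kernel memory dump header (the DUMP_HEADER / DUMP_HEADER64 layout, with the `PAGEDUMP` / `PAGEDU64` signatures) and reads out the bug-check code and parameters. The field offsets and the parameter meanings for bug checks 0xA and 0xD1 are taken from public documentation; the sample header bytes and the kernel pointers in them are constructed, not from a real crash.

```python
import struct

# Bug-check codes relevant to the paging/IRQL discussion (public bug-check reference).
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
                  0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}

def parse_dump_header(data: bytes) -> dict:
    """Decode the fixed prefix of a kernel memory dump header (DUMP_HEADER for
    32-bit dumps, DUMP_HEADER64 for 64-bit); only first-triage fields are read."""
    if len(data) < 0x60:
        raise ValueError("truncated dump header")
    sig = data[:8]
    major, minor = struct.unpack_from("<II", data, 0x08)    # MajorVersion, MinorVersion
    if sig == b"PAGEDU64":
        bits = 64
        ptrs = struct.unpack_from("<4Q", data, 0x10)         # DTB, PfnDataBase, PsLoadedModuleList, PsActiveProcessHead
        machine, nprocs, code = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)       # BugCheckCodeParameter[4], 8-byte aligned
    elif sig == b"PAGEDUMP":
        bits = 32
        ptrs = struct.unpack_from("<4I", data, 0x10)
        machine, nprocs, code = struct.unpack_from("<III", data, 0x20)
        params = struct.unpack_from("<4I", data, 0x2C)
    else:
        raise ValueError("not a Windows crash dump signature: %r" % sig)
    info = {"bits": bits, "os_version": (major, minor), "machine_type": machine,
            "num_processors": nprocs, "directory_table_base": ptrs[0],
            "ps_loaded_module_list": ptrs[2], "ps_active_process_head": ptrs[3],
            "bugcheck_code": code, "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
            "bugcheck_params": params}
    if code in (0x0A, 0xD1):
        # For these two codes: P1 = address touched, P2 = IRQL at the time of the fault,
        # P3 = 0 for a read / 1 for a write, P4 = address of the faulting instruction.
        info["fault"] = {"address": params[0], "irql": params[1],
                         "write": bool(params[2]), "pc": params[3]}
    return info

def build_sample_header() -> bytes:
    """Constructed 64-bit header (not from a real crash): a driver read a pageable
    address at DISPATCH_LEVEL (IRQL 2), the failure mode the text describes."""
    hdr = b"PAGEDU64"
    hdr += struct.pack("<II", 15, 19041)                     # version 15, build 19041
    hdr += struct.pack("<4Q", 0x1AD000, 0xFFFFFA8000000000,  # placeholder kernel pointers
                       0xFFFFF80012345678, 0xFFFFF80012345690)
    hdr += struct.pack("<III", 0x8664, 4, 0xD1)              # AMD64, 4 CPUs, bug-check code
    hdr += b"\0" * 4                                         # padding up to offset 0x40
    hdr += struct.pack("<4Q", 0xFFFFF88001234000, 2, 0, 0xFFFFF88001200ABC)
    return hdr + b"PAGE" * ((0x2000 - len(hdr)) // 4)        # pad to the real header size
```

Parameter 2 of the decoded `fault` entry is the IRQL at which the page was touched; a value of 2 or higher on a pageable address is exactly the situation the text warns about.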

The main tools for kernel-mode debugging are supplied by the Windows operating system itself as part of the "Debugging Tools for Windows" package, which is freely available. It includes the graphical and console debuggers WinDbg and KD (collectively known as Windows Debugger). These debuggers rely on mechanisms provided by the operating system and built into its kernel.

The main mode of Windows Debugger is a command interpreter. The product has a modular structure, and a number of modules are shipped with the package. Windows Debugger commands support third-party modules, called extensions. In fact, most of the implemented commands are designed as extensions.

Windows Debugger is oriented toward remote interactive and post-mortem debugging, in which it shows its full capabilities. Full local interactive debugging is not supported: the debugger only allows some kernel structures to be viewed.

There is an extension module for Windows Debugger called LiveKD, created by Mark Russinovich, which implements local interactive debugging to a certain extent. LiveKD creates a memory dump of the running system on the fly and uses it for debugging.

The "Debugging Tools for Windows" package is regularly updated and supports all current Windows operating systems.

The SoftICE kernel debugger, released by Compuware as part of the DriverStudio software package, traditionally served as an alternative to the Debugging Tools for Windows package. SoftICE's main goal was to implement local interactive debugging on the hardware being debugged. The debugger has virtually complete control over the operation of the operating system.

Since the 3rd quarter of 2006, sales of the DriverStudio product family have been discontinued because of "technical and business problems, as well as the lack of market penetration." The last operating system version for which support was implemented is Windows XP Service Pack 2. As a rule, service packs do not change the application interface of the operating system, but system call numbers and other undocumented information can change. The SoftICE debugger relied on hard-coded addresses of internal data structures. As a result, with the release of Service Pack 3 this debugger stopped working. Naturally, later versions of the Windows operating system are not supported either.

Syser Kernel Debugger was created by a small Chinese company, Sysersoft, as a replacement for SoftICE. The first final version was released in 2007. Like SoftICE, Syser Kernel Debugger is designed for local interactive debugging on the operating system being debugged. Only 32-bit editions of current Windows versions are supported.

At present, Windows Debugger is the main tool for debugging kernel modules. It is also used by the team developing the Windows operating system kernel.