
Adding a new system call to Windows WRK



  1. Adding a new system call to Windows WRK Practical session #2 バリ ゲローフィ Advanced operating systems course, The University of Tokyo

  2. Outline • Putting your code into git • Adding a new system call • Using it from user-space • Counting basic kernel events • Assignment #1

  3. Download (or copy from USB) and install: http://code.google.com/p/msysgit/downloads/list -> Git-1.6.5.1-preview20091022.exe

  4. Installing git
  • Choose “Run git and include Unix tools from the Windows Command prompt”
  • Choose the defaults after that.

  5. Putting your code into git
  1.) Open a command window
  2.) Go to C:\WRK-v1.2\base\ntos
  3.) Execute: git init
  4.) Edit .git\info\exclude and add two lines (so object files and the BUILD output stay out of the repository):
      *.[oa]
      BUILD
  5.) Execute:
      git add .
      git commit -m "initial commit"

  6. Adding a new system call
  • We will edit the following files (under C:\WRK-v1.2\):
  • base\ntos\ke\i386\systable.asm: system call table
  • public\sdk\inc\Ntexapi.h: interface header (function declaration)
  • base\ntos\ps\create.c: actual syscall implementation (function definition)

  7. base\ntos\ke\i386\systable.asm (system call table)
  • The system call table specifies: syscall_name, has_arguments?, number_of_arguments
  • The argument table specifies: total number of bytes of arguments
  • Go to line 392 and add a new TABLE_ENTRY (note: always add entries to the end of the table!):
      TABLE_ENTRY MySysCall 1, 1
  • Increase TABLE_END:
      TABLE_END 296
  • Add a new line to ARGTBL (at line nr. 434):
      ARGTBL_ENTRY 4,0,0,0,0,0,0,0

  8. public\sdk\inc\Ntexapi.h (function declaration)
  • Go to line 2794 (after the last function) and add the new declaration.
  • Notice the naming convention: in the system call table we called it MySysCall, but the actual declaration has to be NtMySysCall!
      NTSYSCALLAPI
      NTSTATUS
      NTAPI
      NtMySysCall (
          __in ULONG Arg
          );

  9. base\ntos\ps\create.c (function definition)
  • Go to line 26 (in front of the macros) and add a new entry:
      #pragma alloc_text(PAGE, NtMySysCall)   /* place the routine in the pageable section, like the other Nt* routines here */
  • Add the definition somewhere in the file (note: it could be in any other source file…):
      NTSTATUS
      NtMySysCall(
          __in ULONG Arg
          )
      {
          /* the kernel has already copied Arg from the user-mode stack (see the ARGTBL byte count) */
          DbgPrint("MySysCall: %u\n", Arg);
          return STATUS_SUCCESS;
      }

  10. Recompile and deploy your new kernel image…
  1.) Go to C:\WRK-v1.2\base\ntos
  2.) Execute: nmake x86=
  3.) Boot up the VM
  4.) Copy wrkx86.exe from Z:\WRK-v1.2\base\ntos\BUILD\EXE\ (this is your local computer’s folder) to C:\WINDOWS\system32\ (this is a folder in the VM)
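As an added example (not part of the slides or of the WRK itself), a small checker for the three table edits above, written against the layout the slides describe: TABLE_ENTRY name, has_args, num_args; TABLE_END = number of the last entry; ARGTBL rows of eight argument byte counts, 4 bytes per argument on x86. It runs on a constructed miniature of the table whose entry names are the last four real ones from the slides' diff, and it expects the comma-separated form those existing entries use.

```c
/* Added example (not from the slides): checks a hand-edited WRK x86
 * systable.asm for the slips one makes when appending a system call. */
#include <stdio.h>
#include <string.h>

#define MAXENT 512
#define FAIL(...) (printf(__VA_ARGS__), problems++)   /* report and count one problem */

/* Constructed miniature table: the last four entries from the slides' diff plus
 * the new call, numbered 0..4 here (in the real table the new call is 296). */
static const char GOOD_TABLE[] =
    "TABLE_ENTRY WaitForKeyedEvent, 1, 4\nTABLE_ENTRY QueryPortInformationProcess, 0, 0\n"
    "TABLE_ENTRY GetCurrentProcessorNumber, 0, 0\nTABLE_ENTRY WaitForMultipleObjects32, 1, 5\n"
    "TABLE_ENTRY MySysCall, 1, 1\nTABLE_END 4\n"
    "ARGTBL_BEGIN\nARGTBL_ENTRY 16,0,0,20,4,0,0,0\n";

/* Returns the number of problems found (0 = consistent); *last receives the
 * number of the last entry, i.e. the value the user-mode stub loads into eax. */
int check_systable(const char *text, int *last)
{
    char buf[4096], names[MAXENT][48];
    int has_args[MAXENT], num_args[MAXENT], argbytes[MAXENT], b[8];
    int n = 0, nbytes = 0, table_end = -1, problems = 0, i, k;

    snprintf(buf, sizeof buf, "%s", text);       /* strtok needs a writable copy */
    for (char *ln = strtok(buf, "\n"); ln; ln = strtok(NULL, "\n")) {
        if (strstr(ln, "TABLE_ENTRY") && n < MAXENT) {
            if (sscanf(ln, " TABLE_ENTRY %47[^, ] , %d , %d",
                       names[n], &has_args[n], &num_args[n]) == 3) n++;
            else FAIL("not 'name, has_args, num_args': %s\n", ln);
        } else if (strstr(ln, "ARGTBL_ENTRY")) {  /* eight byte counts per row */
            k = sscanf(ln, " ARGTBL_ENTRY %d,%d,%d,%d,%d,%d,%d,%d",
                       &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &b[6], &b[7]);
            for (i = 0; i < k && nbytes < MAXENT; i++) argbytes[nbytes++] = b[i];
        } else sscanf(ln, " TABLE_END %d", &table_end);
    }
    *last = n - 1;
    if (table_end != n - 1)                      /* forgot to bump TABLE_END? */
        FAIL("TABLE_END is %d but the last entry is %d\n", table_end, n - 1);
    if (nbytes < n)                              /* forgot the ARGTBL slot or row? */
        FAIL("ARGTBL has %d byte slots for %d entries\n", nbytes, n);
    for (i = 0; i < n && i < nbytes; i++) {      /* x86: 4 bytes per argument */
        k = has_args[i] ? 4 * num_args[i] : 0;
        if (argbytes[i] != k)
            FAIL("%s: ARGTBL says %d bytes, expected %d\n", names[i], argbytes[i], k);
    }
    return problems;
}
```

Running it over a copy of your real systable.asm text instead of GOOD_TABLE reports the mistakes that otherwise only show up as a wrong syscall number or a garbage argument in DbgPrint.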

  11. How to see what’s changed?
  • git status:
      #
      #       modified:   base/ntos/ke/i386/systable.asm
      #       modified:   base/ntos/ps/create.c
      #       modified:   public/sdk/inc/ntexapi.h
      #
  • git diff:
+++ b/base/ntos/ke/i386/systable.asm
@@ -389,8 +389,9 @@
 TABLE_ENTRY WaitForKeyedEvent, 1, 4
 TABLE_ENTRY QueryPortInformationProcess, 0, 0
 TABLE_ENTRY GetCurrentProcessorNumber, 0, 0
 TABLE_ENTRY WaitForMultipleObjects32, 1, 5
+TABLE_ENTRY MySysCall 1, 1
-TABLE_END 295
+TABLE_END 296
 ARGTBL_BEGIN
 ARGTBL_ENTRY 24,32,44,44,64,44,64,68
@@ -430,5 +431,6 @@
 ARGTBL_ENTRY 24,8,8,8,0,16,16,4
 ARGTBL_ENTRY 4,8,8,20,16,8,8,16
 ARGTBL_ENTRY 20,12,4,4,36,36,24,20
 ARGTBL_ENTRY 0,16,12,16,16,0,0,20
+ARGTBL_ENTRY 4,0,0,0,0,0,0,0
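Review bot: in the first hunk, the added line `+TABLE_ENTRY MySysCall 1, 1` drops the comma after the service name that every neighbouring entry has (`TABLE_ENTRY WaitForMultipleObjects32, 1, 5` uses `name, has_args, num_args` with commas between all three fields); write it as `+TABLE_ENTRY MySysCall, 1, 1` so the macro operands are separated the same way as the rest of the table. Bumping `-TABLE_END 295` to `+TABLE_END 296` matches appending at the end, which is also why the entry must not go anywhere earlier: every later entry's number would shift and a user-mode stub using 128H would land on the wrong routine.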
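Review bot: in the second hunk, `+ARGTBL_ENTRY 4,0,0,0,0,0,0,0` opens a fresh eight-slot row for one entry, which is only right because the existing rows are exactly full (296 entries, 0..295, is 37 rows of 8, so entry 296 is slot 0 of a new row); add a comment on that line saying the `4` is the byte size of the single ULONG argument and the seven zeros are spare slots, so whoever appends the next call fills slot 1 of this row instead of adding yet another row.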

  12. Commit your changes and see the change log
  • git add .
  • git commit -m "my first system call"
  • git log:
      commit 99e1e01a8f5b438bba9f87f8103f49c64aec145d
      Author: unknown <bgerofi@.(none)>
      Date:   Mon Nov 9 16:37:24 2009 +0900

          my first system call

      commit 0fcf64351ee944554137756c28cdd615093e7f17
      Author: unknown <bgerofi@.(none)>
      Date:   Mon Nov 9 12:16:54 2009 +0900

          initial commit

  13. Calling the new syscall from user-space (1/2)
  • Boot up the VM with your new kernel image
  • Start up MS Visual Studio
  • File -> New Project -> Win32 Console Project
  • 128H = 296, the number of the system call we have just added!
  • eax: syscall number, edx: first argument’s address
  • int 2Eh: trap into the kernel
      #include <windows.h>

      LONG __stdcall MySysCall(IN ULONG Arg)
      {
          char *Param = (char*)&Arg;   /* address of the argument block on our stack */
          __asm {
              mov eax, 128H;           /* system call number (the new TABLE_END value) */
              mov edx, Param;          /* the kernel copies the ARGTBL byte count from here */
              int 2Eh;                 /* trap into the kernel */
          }
          /* no explicit return: the NTSTATUS the kernel leaves in eax is the return value */
      }

  14. Calling the new syscall from user-space (2/2)
  • In main() call MySysCall:
      #include <tchar.h>   /* for _tmain/_TCHAR; the Win32 Console wizard pulls this in via stdafx.h */

      int _tmain(int argc, _TCHAR* argv[])
      {
          MySysCall(5);
          return 0;
      }
  • Check the debugger window and see what’s displayed:
      Built by: 3800.WRKP1.2(daveprobert)
      Kernel base = 0x80800000 PsLoadedModuleList = 0x808a1438
      System Uptime: not available
      NetWorkProviderInfoFailed: c0000034 Web\networkprovider
      MySysCall: 5

  15. Let’s count some basic kernel events and let the syscall display it
  • You can choose what you count (some ideas):
    • Context switches (KiSwapContext)
    • Page faults (MiDispatchFault)
    • Process creations (PspCreateProcess)
    • Hardware interrupts (PerfInfoLogInterrupt)
    • etc…
  • Hints:
    • We will need a global variable in the kernel
    • Increment it when the event occurs
    • Print the value in the system call!

  16. Assignment #1
  • Purpose:
    • Get a bit familiar with the kernel code
    • Understand thread-state transitions through real execution scenarios
  • Add a system call for specifying a process or thread ID
    • (You can see these IDs in Process Explorer, which is provided in your VM)
  • Track thread state changes in the kernel code
  • Print out the transitions in the debug window
