內容簡介

從Windows 8開始，微軟開始了一個將作業系統融合的過程。而在Windows 10中，這個融合已經趨於完美，它運行在臺式電腦/筆記型電腦、伺服器、XBOX One、手機（Windows Mobile 10）、HoloLens和各種物聯網設備上。

本書作為深度解析Windows作業系統這一系列的第7版（部分即卷1），其內容則涵蓋了Windows從Windows 8到Windows 10演變過程中的各個方面。

本書介紹了Windows 10和Windows Sever 2016的架構與核心內部結構。通過本書，讀者可以瞭解Windows系統架構及其一般元件，掌握如何使用諸如內核調試器之類的工具來探索內部資料結構，也可以瞭解Windows如何使用流程進行管理和隔離，理解和查看執行緒調度以及如何管理CPU資源，還可以深入理解Windows安全模型，包括在安全措施方面的很新進展，並瞭解Windows如何管理虛擬和實體記憶體，以及輸入/輸出系統如何管理物理設備和設備驅動程式。具體分為以下7個部分：概念和工具、系統架構、進程和作業、執行緒、記憶體管理、I/O系統和安全。

本書內容豐富、資訊全面，適合廣大Windows平臺開發人員、系統管理員及Windows愛好者閱讀。

作者介紹

帕維爾·尤西夫維奇（Pavel Yosifovich）是一位專注於Microsoft技術和工具的開發人員、培訓師和作者。他是Microsoft的MVP和Pluralsight的作者。
亞曆克斯·約內斯庫（Alex Ionescu）是CrowdStrike公司EDR戰略副總裁，同時也是靠前認可的低級別系統軟體、作業系統研究和內核開發、安全培訓和逆向工程方面的專家。

馬克·拉希諾維奇（Mark Russinovich）是微軟優選企業級雲平臺Azure的首席技術官，也是分散式系統和作業系統領域認可的專家。他是Winternal軟體公司的聯合創始人，也是Sysinternals工具和網站的主要作者。

大衛·所羅門（David Solomon）給世界各地的開發者和IT專業人士教授Windows內核的內部原理已有20年。他參與了本書每個版本的寫作。大衛是1993年和2005年Microsoft Support Most Valuable Professional（MVP）獎的獲得者。

Introduction/引言i
1 Concepts and tools/章概念和工具1
1.1 Windows operating system versions/Windows作業系統版本1
1.1.1 Windows 10 and future Windows versions/
Windows 10和後續Windows版本3
1.1.2 Windows 10 and OneCore/Windows 10和Windows系統核心3
1.2 Foundation concepts and terms/基本概念和術語4
1.2.1 Windows API/Windows API4
1.2.2 Services, functions, and routines/服務、功能和例行程式7
1.2.3 Processes/進程8
1.2.4 Threads/執行緒18
1.2.5 Jobs/作業20
1.2.6 Virtual memory/虛擬記憶體21
1.2.7 Kernel mode vs. user mode/核心模式vs使用者模式23
1.2.8 Hypervisor/虛擬機器管理程式27
1.2.9 Firmware/固件版本29
1.3.0 Terminal Services and multiple sessions/終端服務和多會話29
1.3.1 Objects and handles/物件和處理30
1.3.2 Security/安全31
1.3.3 Registry/註冊表32
1.3.4 Unicode/Unicode編碼33
1.3 Digging into Windows internals/深入挖掘Windows內部35
1.3.1 Performance Monitor and Resource Monitor/
性能監控和資源監控36
1.3.2 Kernel debugging/內核調試38
1.3.3 Windows Software Development Kit/Windows SDK43
1.3.4 Windows Driver Kit/Windows驅動套件43
1.3.5 Sysinternals tools/五大利器44
1.4 結論44
2 System architecture/第 2章系統架構45
2.1 Requirements and design goals/需求和設計目標45
2.2 Operating system model/作業系統模型46
2.3 Architecture overview/架構概述47
2.3.1 Portability/可攜性50
2.3.2 Symmetric multiprocessing/對稱多處理51
2.3.3 Scalability/可擴展性53
2.3.4 Differences between client and server versions/
用戶端和服務端版本的差異54
2.3.5 Checked build/已驗證版本57
2.4 Virtualization-based security architecture overview/
基於虛擬化技術的安全架構概述59
2.5 Key system components/核心系統元件61
2.5.1 Environment subsystems and subsystem DLLs/
環境子系統和子系統DLL62
2.5.2 Other subsystems/其他子系統68
2.5.3 Executive/執行性72
2.5.4 Kernel/內核75
2.5.5 Hardware abstraction layer/硬體抽象層79
2.5.6 Device drivers/設備驅動82
2.5.7 System processes/系統進程88
2.6 Conclusion/結論99
3 Processes and jobs/第3章進程和作業101
3.1 Creating a process/創建一個進程101
3.1.1 CreateProcess* functions arguments/CreateProcess*函數參數102
3.1.2 Creating Windows modern processes/創建Windows進程103
3.1.3 Creating other kinds of processes/創建其他類型執行緒104
3.2 Process internals/進程核心105
3.3 Protected processes/受保護的進程113
3.3.1 Protected Process Light (PPL)/PPL115
3.3.2 Third-party PPL support/協力廠商PPL支持119
3.4 Minimal and Pico processes/最小進程和微進程120
3.4.1 Minimal processes/最小進程120
3.4.2 Pico processes/微進程121
3.5 Trustlets (secure processes)/Trustlets（安全進程）123
3.5.1 Trustlet structure/Trustlet結構123
3.5.2 Trustlet policy metadata/Trustlet策略中繼資料124
3.5.3 Trustlet attributes/Trustlet屬性125
3.5.4 System built-in Trustlets/系統內置Trustlets125
3.5.5 Trustlet identity/Trustlet標識126
3.5.6 Isolated user-mode services/隔離的使用者模式服務127
3.5.7 Trustlet-accessible system calls/Trustlet可訪問的系統調用128
3.6 Flow of CreateProcess/創建進程流程129
3.6.1 Stage 1: Converting and validating parameters andflags/
階段1：轉換並驗證參數和標記131
3.6.2 Stage 2: Opening the image to be executed/
階段2：打開要執行的鏡像135
3.6.3 Stage 3: Creating the Windows executive process object/
階段3：創建Windows可執行進程物件138
3.6.4 Stage 4: Creating the initial thread and its stack and context/
階段4：創建初始執行緒以及它的堆疊和上下文144
3.6.5 Stage 5: Performing Windows subsystem–specific initialization/
階段5：執行Windows子系統的特殊初始化146
3.6.6 Stage 6: Starting execution of the initial thread/
階段6：開始執行初始執行緒148
3.6.7 Stage 7: Performing process initialization in the context of the new process/
階段7：在新進程中的上下文執行進程初始化148
3.7 Terminating a process/終止一個進程154
3.8 Image loader/鏡像載入器155
3.8.1 Early process initialization/早期進程初始化157
3.8.2 DLL name resolution and redirection/DLL名稱解析和重定向160
3.8.3 Loaded module database/已載入元件的資料庫164
3.8.4 Import parsing/導入解析168
3.8.5 Post-import process initialization/後導入進程初始化170
3.8.6 SwitchBack/SwitchBack171
3.8.7 API Sets/API集173
3.9 Jobs/作業176
3.9.1 Job limits/作業限制177
3.9.2 Working with a job/處理一個作業178
3.9.3 Nested jobs/嵌套作業179
3.9.4 Windows containers (server silos)/
Windows容器（伺服器倉庫）183
3.10 Conclusion/結論191
4 Threads/第4章執行緒193
4.1 Creating threads/創建執行緒193
4.2 Thread internals/執行緒內部194
4.2.1 Data structures/資料結構194
4.2.2 Birth of a thread/執行緒的產生206
4.3 Examining thread activity/檢查執行緒活性207
4.3.1 Limitations on protected process threads/
受保護進程中執行緒的限制212
4.4 Thread scheduling/執行緒調度214
4.4.1 Overview of Windows scheduling/Windows調度概述214
4.4.2 Priority levels/優先順序等級215
4.4.3 Thread states/執行緒狀態223
4.4.4 Dispatcher database/調度資料庫228
4.4.5 Quantum/量子231
4.4.6 Priority boosts/提高優先順序238
4.4.7 Context switching/上下文切換255
4.4.8 Scheduling scenarios/調度場景256
4.4.9 Idle threads/空閒執行緒260
4.4.10 Thread suspension/執行緒掛起264
4.4.11 (Deep) freeze/（深度）凍結264
4.4.12 Thread selection/執行緒選擇266
4.4.13 Multiprocessor systems/多處理器系統268
4.4.14 Thread selection on multiprocessor systems/
多處理器系統的執行緒選擇283
4.4.15 Processor selection/處理器選擇284
4.4.16 Heterogeneous scheduling (big.LITTLE)/
多重調度（big.LITTLE）286
4.5 Group-based scheduling/基於組的調度287
4.5.1 Dynamic fair share scheduling/動態公平共用調度289
4.5.2 CPU rate limits/CPU速率限制292
4.5.3 Dynamic processor addition and replacement/
動態處理器添加和替換295
4.6 Worker factories (thread pools)/工人工廠（執行緒池）297
4.6.1 Worker factory creation/創建工人工廠298
4.7 Conclusion/結論300
5 Memory management/第5章記憶體管理301
5.1 Introduction to the memory manager/記憶體管理介紹301
5.1.1 Memory manager components/記憶體管理元件302
5.1.2 Large and small pages/大小頁面303
5.1.3 Examining memory usage/檢查記憶體使用305
5.1.4 Internal synchronization/內部同步308
5.2 Services provided by the memory manager/記憶體管理提供的服務309
5.2.1 Page states and memory allocations/頁面狀態和記憶體分配310
5.2.2 Commit charge and commit limit/提交調度和提交限制313
5.2.3 Locking memory/鎖定記憶體314
5.2.4 Allocation granularity/分配細微性314
5.2.5 Shared memory and mapped files/共用記憶體和映射檔315
5.2.6 Protecting memory/記憶體保護317
5.2.7 Data Execution Prevention/資料執行保護319
5.2.8 Copy-on-write/寫時複製321
5.2.9 Address Windowing Extensions/位元址窗口化擴展232
5.3 Kernel-mode heaps (system memory pools)/核心模式堆（系統記憶體池）324
5.3.1 Pool sizes/池大小325
5.3.2 Monitoring pool usage/監控池的使用327
5.3.3 Look-aside lists/旁觀列表331
5.4 Heap manager/堆管理332
5.4.1 Process heaps/堆進程333
5.4.2 Heap types/堆類型334
5.4.3 The NT heap/NT堆334
5.4.4 Heap synchronization/堆同步334
5.4.5 The low-fragmentation heap/低碎片堆335
5.4.6 The segment heap/分段堆336
5.4.7 Heap security features/堆安全功能341
5.4.8 Heap debugging features/堆調試功能342
5.4.9 Pageheap/頁面堆343
5.4.10 Fault-tolerant heap/容錯堆347
5.5 Virtual address space layouts/虛擬位址空間佈局348
5.5.1 x86 address space layouts/X86位址空間佈局349
5.5.2 x86 system address space layout/X86系統位址空間佈局352
5.5.3 x86 session space/X86會話空間353
5.5.4 System page table entries/系統頁面表條目355
5.5.5 ARM address space layout/ARM位址空間佈局356
5.5.6 64-bit address space layout/64bit位址空間佈局357
5.5.7 x64 virtual addressing limitations/64虛擬位址限制359
5.5.8 Dynamic system virtual address space management/
動態系統虛擬位址空間管理359
5.5.9 System virtual address space quotas/系統虛擬位址空間配額364
5.5.10 User address space layout/用戶位址空間佈局365
5.6 Address translation/地址轉化371
5.6.1 x86 virtual address translation/X86虛擬位址轉化371
5.6.2 Translation look-aside buffer/旁觀緩衝轉化377
5.6.3 x64 virtual address translation/X64虛擬位址轉化380
5.6.4 ARM virtual address translation/ARM虛擬位址轉化381
5.7 Page fault handling/分頁錯誤處理383
5.7.1 Invalid PTEs/非法PTE384
5.7.2 Prototype PTEs/原型PTE385
5.7.3 In-paging I/O/頁面內I/O386
5.7.4 Collided page faults/分頁錯誤衝突387
5.7.5 Clustered page faults/分頁錯誤聚集387
5.7.6 Page files/分頁檔389
5.7.7 Commit charge and the system commit limit/
提交調度和系統提交限制394
5.7.8 Commit charge and page file size/提交調度和分頁檔大小397
5.8 Stacks/棧398
5.8.1 User stacks/用戶棧399
5.8.2 Kernel stacks/內核棧400
5.8.3 DPC stack/DPC棧401
5.9 Virtual address descriptors/虛擬位址描述符401
5.9.1 Process VADs/VAD進程402
5.9.2 Rotate VADs/VAD輪詢403
5.10 NUMA/NUMA404
5.11 Section objects/段對象405
5.12 Working sets/工作集412
5.12.1 Demand paging/分頁需求413
5.12.2 Logical prefetcher and ReadyBoot/邏輯預取和啟動準備413
5.12.3 Placement policy/安置策略416
5.12.4 Working set management/工作集管理417
5.12.5 Balance set manager and swapper/平衡集合管理器和置換器421
5.12.6 System working sets/系統工作集422
5.12.7 Memory notification events/記憶體提醒事件423
5.13 Page frame number database/頁面框架序號資料庫425
5.13.1 Page list dynamics/頁面動態清單428
5.13.2 Page priority/頁面優先順序436
5.13.3 Modified page writer and mapped page writer/
修改和映射頁面寫入438
5.13.4 PFN data structures/PFN資料結構440
5.13.5 Page file reservation/分頁檔預定443
5.14 Physical memory limits/實體記憶體限制446
5.14.1 Windows client memory limits/Windows用戶端記憶體限制447
5.15 Memory compression/記憶體壓縮449
5.15.1 Compression illustration/壓縮圖表450
5.15.2 Compression architecture/壓縮架構453
5.16 Memory partitions/記憶體分割456
5.17 Memory combining/記憶體聯合459
5.17.1 The search phase/尋找階段460
5.17.2 The classifi cation phase/分類階段461
5.17.3 The page combining phase/頁面聯合階段462
5.17.4 From private to shared PTE/從私有PTE到共用PTE462
5.17.5 Combined pages release/聯合頁面釋放464
5.18 Memory enclaves/記憶體區467
5.18.1 Programmatic interface/程式設計介面468
5.18.2 Memory enclave initializations/記憶體區初始化469
5.18.3 Enclave construction/區結構469
5.18.4 Loading data into an enclave/將數據載入到區471
5.18.5 Initializing an enclave/初始化一個區472
5.19 Proactive memory management (SuperFetch)/
主動記憶體管理（SuperFetch）472
5.19.1 Components/組件473
5.19.2 Tracing and logging/跟蹤和記錄474
5.19.3 Scenarios/場景475
5.19.4 Page priority and rebalancing/頁面優先順序和平衡調整476
5.19.5 Robust performance/魯棒性能478
5.19.6 ReadyBoost/啟動準備479
5.19.7 ReadyDrive/驅動準備480
5.19.8 Process refl ection/進程反射480
5.20 Conclusion/結論482
6 I/O system/第6章 I/O系統483
6.1 I/O system components/I/O系統元件483
6.1.1 The I/O manager/I/O管理器485
6.1.2 Typical I/O processing/典型I/O過程486
6.2 Interrupt Request Levels and Deferred Procedure Calls/
插斷要求級別和延遲過程喚醒488
6.2.1 Interrupt Request Levels/插斷要求級別488
6.2.2 Deferred Procedure Calls/延遲過程喚醒490
6.3 Device drivers/設備驅動492
6.3.1 Types of device drivers/設備驅動類型492
6.3.2 Structure of a driver/驅動結構498
6.3.3 Driver objects and device objects/驅動物件和設備物件500
6.3.4 Opening devices/設備打開507
6.4 I/O processing/I/O過程510
6.4.1 Types of I/O/I/O的種類511
6.4.2 I/O request packets/I/O請求包513
6.4.3 I/O request to a single-layered hardware-based driver/
基於單層硬體驅動的I/O請求525
6.4.4 I/O requests to layered drivers/分層驅動I/O請求533
6.4.5 Thread-agnostic I/O/未知執行緒I/O536
6.4.6 I/O cancellation/取消I/O537
6.4.7 I/O completion ports/I/O完成埠541
6.4.8 I/O prioritization/I/O優先順序546
6.4.9 Container notifications/容器提醒552
6.5 Driver Verifier/驅動驗證552
6.5.1 I/O-related verification options/I/O相關驗證選項554
6.5.2 Memory-related verification options/記憶體相關驗證選項555
6.6 The Plug and Play manager/隨插即用管理器559
6.6.1 Level of Plug and Play support/隨插即用支持級別560
6.6.2 Device enumeration/設備枚舉561
6.6.3 Device stacks/設備棧563
6.6.4 Driver support for Plug and Play/支援隨插即用的設備569
6.65 Plug-and-play driver installation/隨插即用驅動安裝571
6.7 General driver loading and installation/一般驅動的載入和安裝575
6.7.1 Driver loading/驅動載入575
6.7.2 Driver installation/驅動安裝577
6.8 The Windows Driver Foundation/Windows驅動基礎578
6.8.1 Kernel-Mode Driver Framework/核心模式驅動框架579
6.8.2 User-Mode Driver Framework/使用者模式驅動框架587
6.9 The power manager/電源管理590
6.9.1 Connected Standby and Modern Standby/連接待機和新版待機594
6.9.2 Power manager operation/電源管理操作595
6.9.3 Driver power operation/驅動電源操作596
6.9.4 Driver and application control of device power/
驅動和設備電源的應用程式控制599
6.9.5 Power management framework/電源管理框架600
6.9.6 Power availability requests/電源可用性請求602
6.10 Conclusion/結論603
7 Security/第7章安全605
7.1 Security ratings/安全評級605
7.1.1 Trusted Computer System Evaluation Criteria/
可信計算基系統評估標準605
7.1.2 The Common Criteria/普遍標準607
7.2 Security system components/安全系統元件608
7.3 Virtualization-based security/基於虛擬化的安全611
7.3.1 Credential Guard/證書防護612
7.3.2 Device Guard/設備防護617
7.4 Protecting objects/保護對象619
7.4.1 Access checks/訪問驗證621
7.4.2 Security identifiers/安全標識625
7.4.3 Virtual service accounts/虛擬服務帳戶646
7.4.4 Security descriptors and access control/安全性描述元和存取控制650
7.4.5 Dynamic Access Control/動態存取控制666
7.5 The AuthZ API/AuthZ API666
7.5.1 Conditional ACEs/條件回應ACE667
7.6 Account rights and privileges/帳戶許可權和特權668
7.6.1 Account rights/帳戶許可權669
7.6.2 Privileges/特權670
7.6.3 Super privileges/超級特權675
7.7 Access tokens of processes and threads/進程和執行緒的帳戶口令677
7.8 Security auditing/安全審計677
7.8.1 Object access auditing/對象訪問審計679
7.8.2 Global audit policy/全域審計策略682
7.8.3 Advanced Audit Policy settings/不錯審計策略設置683
7.9 AppContainers/應用容器684
7.9.1 Overview of UWP apps/UWP應用概述685
7.9.2 The AppContainer/應用容器687
7.10 Logon/登錄710
7.10.1 Winlogon initialization/Winlogon初始化711
7.10.2 User logon steps/使用者登錄步驟713
7.10.3 Assured authentication/確信的認證718
7.10.4 Windows Biometric Framework/Windows生物識別驗證719
7.10.5 Windows Hello/Windows你好721
7.11 User Account Control and virtualization/用戶帳戶控制和虛擬化722
7.11.1 File system and registry virtualization/
檔案系統和註冊表虛擬化722
7.11.2 Elevation/提升729
7.12 Exploit mitigations/攻擊緩解735
7.12.1 Process-mitigation policies/進程緩解策略735
7.12.2 Control Flow Integrity/控制流完整性740
7.12.3 Security assertions/安全斷言752
7.13 Application Identifi cation/應用程式標識756
7.14 AppLocker/應用鎖757
7.15 Software Restriction Policies/軟體限制策略762
7.16 Kernel Patch Protection/內核補丁保護764
7.17 PatchGuard/補丁防護765
7.18 HyperGuard/高度防護768
7.19 Conclusion/結論770
Index/索引771

看更多