Windows Kernel Internals: Traps, Interrupts, Exceptions

David B. Probert, Ph.D., Windows Kernel Development
Microsoft Corporation
© Microsoft Corporation
What makes an OS interesting!

Fundamental abstractions in modern CPUs:
- normal processor execution
- virtual address protection/mapping
- interruptions to the above

Traps, hardware interrupts (devices, timers), exceptions, faults, machine checks, software interrupts
Intel’s System Architecture
The local APIC (APIC: Advanced Programmable Interrupt Controller)

- Local APIC built into modern Pentium processors
- Receives interrupts from:
  - processor interrupt pins
  - external interrupt sources
  - hardwired devices
  - timers (including internal timer)
  - perf monitors
  - thermal monitors
  - internal errors
  - and/or an external I/O APIC
- Sends IPIs in MP systems
NT Interrupt levels
Software Interrupt Delivery

Software interrupts are delivered by writing the ICR (Interrupt Command Register) in the local APIC:

```asm
        xor     ecx, ecx
        mov     cl, _HalpIRQLtoTPR[eax]         ; get IDTEntry for IRQL
        or      ecx, (DELIVER_FIXED OR ICR_SELF)
        mov     dword ptr APIC[LU_INT_CMD_LOW], ecx

_HalpIRQLtoTPR label byte
        db      ZERO_VECTOR                     ; IRQL 0
        db      APC_VECTOR                      ; IRQL 1
        db      DPC_VECTOR                      ; IRQL 2
```

```c
#define APC_VECTOR 0x3D   // IRQL 01 APC
#define DPC_VECTOR 0x41   // IRQL 02 DPC
```
IDT table

```asm
_IDT label byte
        IDTEntry _KiTrap00      ; 0: Divide Error
        IDTEntry _KiTrap01      ; 1: DEBUG TRAP
        IDTEntry _KiTrap02      ; 2: NMI/NPX Error
        IDTEntry _KiTrap03      ; 3: Breakpoint
        IDTEntry _KiTrap04      ; 4: INTO
        IDTEntry _KiTrap05      ; 5: BOUND / PrintScreen
        IDTEntry _KiTrap06      ; 6: Invalid Opcode
        IDTEntry _KiTrap07      ; 7: no NPX
        IDTEntry _KiTrap08      ; 8: DoubleFault
        IDTEntry _KiTrap09      ; 9: NPX SegOvrn
        IDTEntry _KiTrap0A      ; A: Invalid TSS
        IDTEntry _KiTrap0B      ; B: no Segment
        IDTEntry _KiTrap0C      ; C: Stack Fault
        IDTEntry _KiTrap0D      ; D: GenProt
        IDTEntry _KiTrap0E      ; E: Page Fault
        IDTEntry _KiTrap0F      ; F: Reserved
        IDTEntry _KiTrap10      ;10: 486 coproc
        IDTEntry _KiTrap11      ;11: 486 align
        IDTEntry _KiTrap0F      ;12: Reserved
        IDTEntry _KiTrap0F      ;13: XMMI
        IDTEntry _KiTrap0F      ;14: Reserved
```
Entry of Interrupt Descriptor Table (KIDTENTRY)

```c
typedef struct _KIDTENTRY {
    USHORT Offset;
    USHORT Selector;
    USHORT Access;
    USHORT ExtendedOffset;
} KIDTENTRY;
```
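To make the packed fields concrete, here is an added example (not from the slides or from the NT source) that decodes a KIDTENTRY into handler address, gate type, DPL and present bit, and uses the DPL to answer the question that matters for user-to-kernel transitions: whether a ring 3 `int N` is allowed to enter this gate at all. The bit positions follow the Intel SDM gate descriptor format; the handler addresses and the ring 0 code selector 0x08 used in the samples are constructed, not taken from a real system.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t USHORT;

/* Same layout as the slide: an 8-byte x86 IDT gate descriptor. */
typedef struct _KIDTENTRY {
    USHORT Offset;          /* handler address, bits 15:0                   */
    USHORT Selector;        /* code segment selector the handler runs with  */
    USHORT Access;          /* low byte reserved; high byte = P|DPL|0|Type  */
    USHORT ExtendedOffset;  /* handler address, bits 31:16                  */
} KIDTENTRY;

/* Gate types from the Intel SDM (the 4-bit Type field of byte 5). */
enum {
    GATE_TASK   = 0x5,
    GATE_INT16  = 0x6,
    GATE_TRAP16 = 0x7,
    GATE_INT32  = 0xE,  /* interrupt gate: IF cleared on entry */
    GATE_TRAP32 = 0xF   /* trap gate: IF left as it was        */
};

typedef struct {
    uint32_t handler;
    uint16_t selector;
    unsigned type;
    unsigned dpl;
    bool     present;
} decoded_gate;

/* Pull the packed fields out of a KIDTENTRY. */
decoded_gate decode_gate(const KIDTENTRY *e)
{
    decoded_gate g;
    g.handler  = ((uint32_t)e->ExtendedOffset << 16) | e->Offset;
    g.selector = e->Selector;
    g.type     = (e->Access >> 8) & 0xF;
    g.dpl      = (e->Access >> 13) & 0x3;
    g.present  = ((e->Access >> 15) & 1) != 0;
    return g;
}

/* Build an entry the way a kernel would, so the samples are self-consistent. */
KIDTENTRY make_gate(uint32_t handler, uint16_t selector, unsigned type, unsigned dpl)
{
    KIDTENTRY e;
    e.Offset         = (USHORT)(handler & 0xFFFF);
    e.ExtendedOffset = (USHORT)(handler >> 16);
    e.Selector       = selector;
    e.Access         = (USHORT)((1u << 15) | ((dpl & 3u) << 13) | ((type & 0xFu) << 8));
    return e;
}

/* Can code running at CPL 3 reach this gate with a software "int N"?
 * The CPU compares gate DPL against CPL only for INT n instructions; a DPL 0
 * gate reached that way raises #GP instead of entering the handler. Hardware
 * interrupts and CPU-generated exceptions skip this check, which is why most
 * vectors can safely stay at DPL 0 while int 3 and int 4 are opened to ring 3. */
bool user_int_allowed(const KIDTENTRY *e)
{
    decoded_gate g = decode_gate(e);
    return g.present && g.dpl == 3;
}

const char *gate_type_name(unsigned type)
{
    switch (type) {
    case GATE_TASK:   return "task gate";
    case GATE_INT16:  return "16-bit interrupt gate";
    case GATE_TRAP16: return "16-bit trap gate";
    case GATE_INT32:  return "32-bit interrupt gate";
    case GATE_TRAP32: return "32-bit trap gate";
    default:          return "unknown";
    }
}

int main(void)
{
    /* Constructed samples: handler addresses are made up; selector 0x08 is
     * assumed to be the ring 0 flat code segment. */
    KIDTENTRY gates[] = {
        make_gate(0x8053A2C0u, 0x0008, GATE_TRAP32, 3),  /* 3: Breakpoint, reachable via int 3 */
        make_gate(0x80540100u, 0x0008, GATE_INT32,  0),  /* E: Page Fault, CPU-generated only  */
    };
    for (size_t i = 0; i < sizeof gates / sizeof gates[0]; i++) {
        decoded_gate g = decode_gate(&gates[i]);
        printf("handler %08x sel %04x %-22s DPL %u present %d user int: %s\n",
               (unsigned)g.handler, g.selector, gate_type_name(g.type), g.dpl, g.present,
               user_int_allowed(&gates[i]) ? "ok" : "#GP");
    }
    return 0;
}
```

The same decode is what an IDT-inspection tool does when it checks whether a vector's handler still points into the kernel image and whether a gate has been quietly opened to ring 3.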
_KiTrapxx - trap entry points

These entry points are for internally generated exceptions, not for external interrupts or user software interrupts.

On entry the stack looks like:

            [ss]
            [esp]
            eflags
            cs
            eip
    ss:sp-> [error]

The CPU pushes EFLAGS and CS:EIP in every case. If there was a privilege transition (the exception was raised while running at CPL 3), the CPU first switches to the ring 0 stack taken from the TSS and also saves the previous SS:ESP there; without a transition the frame is built on the current stack and SS:ESP are absent. Some exceptions push an error code, others do not, so the entry code for each vector has to know which layout to expect.
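As an added example (not from the slides), the following C parses the dwords the CPU pushed into the two optional parts the slide describes, refusing frames that are shorter than the vector implies. Which vectors carry an error code is taken from the Intel SDM, not from the slide; the page fault error code bits are likewise SDM layout. The sample frames, their addresses and selectors are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The frame the CPU builds before _KiTrapxx gets control. Two parts are
 * optional, and the entry code for each vector must know which ones apply. */
typedef struct {
    unsigned vector;
    bool     has_error_code;
    uint32_t error_code;
    uint32_t eip;
    uint16_t cs;
    uint32_t eflags;
    bool     privilege_transition;  /* interrupted CPL was 3: SS:ESP were saved too */
    uint32_t prev_esp;
    uint16_t prev_ss;
    size_t   dwords;                /* size of the hardware-built frame in dwords */
} hw_trap_frame;

/* Intel SDM exception table (not on the slide): #DF, #TS, #NP, #SS, #GP, #PF
 * and #AC push an error code; the other vectors in the IDT above do not. */
bool vector_pushes_error_code(unsigned vector)
{
    switch (vector) {
    case 0x08: case 0x0A: case 0x0B: case 0x0C: case 0x0D: case 0x0E: case 0x11:
        return true;
    default:
        return false;
    }
}

/* Page fault error code bits (Intel SDM); only meaningful for vector 0x0E. */
typedef struct { bool present, write, user, reserved_bit, instruction_fetch; } pf_error;
pf_error decode_pf_error(uint32_t code)
{
    pf_error p;
    p.present           = (code & 0x01) != 0;  /* 0: page not present, 1: protection violation */
    p.write             = (code & 0x02) != 0;
    p.user              = (code & 0x04) != 0;  /* access was made at CPL 3 */
    p.reserved_bit      = (code & 0x08) != 0;
    p.instruction_fetch = (code & 0x10) != 0;
    return p;
}

/* Parse the dwords at ss:esp as the trap entry point sees them. Returns false if
 * the buffer is shorter than the frame implies (nothing is read past nwords).
 * V86-mode frames, which additionally carry GS/FS/DS/ES, are not handled here. */
bool parse_hw_trap_frame(unsigned vector, const uint32_t *sp, size_t nwords, hw_trap_frame *f)
{
    size_t i = 0;
    f->vector = vector;
    f->has_error_code = vector_pushes_error_code(vector);
    f->error_code = 0;
    if (f->has_error_code) {
        if (nwords < 1) return false;
        f->error_code = sp[i++];
    }
    if (nwords - i < 3) return false;
    f->eip    = sp[i++];
    f->cs     = (uint16_t)sp[i++];  /* upper half of the pushed dword is undefined */
    f->eflags = sp[i++];
    /* The saved CS selector's RPL is the interrupted CPL. Non-zero means the CPU
     * loaded the ring 0 stack from the TSS and pushed the old SS:ESP onto it. */
    f->privilege_transition = (f->cs & 3) != 0;
    f->prev_esp = 0;
    f->prev_ss  = 0;
    if (f->privilege_transition) {
        if (nwords - i < 2) return false;
        f->prev_esp = sp[i++];
        f->prev_ss  = (uint16_t)sp[i++];
    }
    f->dwords = i;
    return true;
}

/* Constructed frames (addresses and selectors made up): a write to an unmapped
 * page from ring 3, and an invalid opcode hit while already in ring 0. */
const uint32_t sample_user_pf[] = { 0x00000006, 0x00401234, 0x0000001B, 0x00000246, 0x0012FF80, 0x00000023 };
const uint32_t sample_kern_ud[] = { 0x8050ABCD, 0x00000008, 0x00000046 };

int main(void)
{
    hw_trap_frame f;
    if (parse_hw_trap_frame(0x0E, sample_user_pf, 6, &f)) {
        pf_error p = decode_pf_error(f.error_code);
        printf("#PF eip=%08x cs=%04x user=%d write=%d present=%d frame=%zu dwords prev esp=%08x\n",
               (unsigned)f.eip, f.cs, p.user, p.write, p.present, f.dwords, (unsigned)f.prev_esp);
    }
    if (parse_hw_trap_frame(0x06, sample_kern_ud, 3, &f))
        printf("#UD eip=%08x cs=%04x error code=%d stack switch=%d frame=%zu dwords\n",
               (unsigned)f.eip, f.cs, f.has_error_code, f.privilege_transition, f.dwords);
    return 0;
}
```

Getting either optional part wrong is not a cosmetic bug: treating an error code as EIP, or reading SS:ESP that were never pushed, means the kernel resumes the wrong instruction or returns to a stack it did not save, which is why the real entry code is generated per vector rather than shared.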
ENTER_TRAP macro

Description: Build frame and set registers needed by trap or exception.

Save:
- Non-volatile regs
- FS
- ExceptionList
- PreviousMode
- Volatile regs
- Seg regs from V86 mode
- DS, ES, GS

Don't save:
- Floating point state

Set:
- Direction flag
- DS, ES

Don't set:
- PreviousMode
- ExceptionList
Intel exception lexicon

- Faults - correctable, faulting instruction re-executed
- Traps - correctable, trapping instruction generally skipped
- Aborts - unrecoverable, cause
CommonDispatchException()

CommonDispatchException (
    ExceptCode    - Exception code to put into exception record
    ExceptAddress - Instruction at which the HW exception occurred
    NumParms, Parameters 1, 2, 3
)

- Allocates exception record on stack
- Sets up exception record using specified parameters
- Sets up arguments and calls _KiDispatchException()
KiDispatchException()

KiDispatchException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PKTRAP_FRAME TrapFrame,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN FirstChance
)

- Move machine state from trap and exception frames to a context frame
- Select method of handling the exception based on previous mode
  - Kernel-mode: try KD, try RtlDispatchException(), otherwise bugcheck
  - User-mode: try DebugPort, else copy exception to user stack, set
    TrapFrame->Eip = (ULONG)KeUserExceptionDispatcher
    and return
PspLookupKernelUserEntryPoints()

```c
// Lookup the user mode "trampoline" code for exception dispatching
PspLookupSystemDllEntryPoint("KiUserExceptionDispatcher", &KeUserExceptionDispatcher);
// Lookup the user mode "trampoline" code for APC dispatching
PspLookupSystemDllEntryPoint("KiUserApcDispatcher", &KeUserApcDispatcher);
// Lookup the user mode "trampoline" code for callback dispatching
PspLookupSystemDllEntryPoint("KiUserCallbackDispatcher", &KeUserCallbackDispatcher);
// Lookup the user mode "trampoline" code for raising user-mode exceptions
PspLookupSystemDllEntryPoint("KiRaiseUserExceptionDispatcher", &KeRaiseUserExceptionDispatcher);
```
KeUserExceptionDispatcher

ntdll: KiUserExceptionDispatcher()
// Entered on return from kernel mode to dispatch user mode exception
// If a frame based handler handles the exception
// then the execution is continued
// else last chance processing is performed

Basically this just wraps RtlDispatchException().
RtlDispatchException()

RtlDispatchException(ExceptionRecord, ContextRecord)
// attempts to dispatch an exception to a call frame based handler
// searches backwards through the stack based call frames
// search begins with the frame specified in the context record
// search ends when handler found, stack is invalid, or end of call chain

```c
for (RegistrationPointer = RtlpGetRegistrationHead();
     RegistrationPointer != EXCEPTION_CHAIN_END;
     RegistrationPointer = RegistrationPointer->Next)
{
    // check for valid record (#if ntos: check DPC stack too)
    switch (RtlpExecuteHandlerForException(...)) {
    case ExceptionContinueExecution: return TRUE;
    case ExceptionContinueSearch:    continue;
    case ExceptionNestedException:   …
    default:                         return FALSE;
    }
}
```
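To show the walk end to end, here is an added example (not the slide's pseudocode and not ntdll's code) that models the x86 frame-based registration chain on a simulated thread stack and runs three cases: a chain where the second frame accepts an access violation, a chain head that lies outside the stack bounds, and an exception no frame accepts so the search reaches EXCEPTION_CHAIN_END. The stack-bounds and alignment test stands in for the "check for valid record" step; the TEB stand-in, the sample handlers, the status codes used and the two-byte resume skip are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _EXCEPTION_REGISTRATION_RECORD EXCEPTION_REGISTRATION_RECORD;
#define EXCEPTION_CHAIN_END ((EXCEPTION_REGISTRATION_RECORD *)(uintptr_t)-1)
typedef enum { ExceptionContinueExecution, ExceptionContinueSearch,
               ExceptionNestedException, ExceptionCollidedUnwind } EXCEPTION_DISPOSITION;

/* Trimmed to the fields this walk touches. */
typedef struct { uint32_t ExceptionCode; uint32_t ExceptionAddress; } EXCEPTION_RECORD;
typedef struct { uint32_t Eip; } CONTEXT;
typedef EXCEPTION_DISPOSITION (*EXCEPTION_ROUTINE)(EXCEPTION_RECORD *, EXCEPTION_REGISTRATION_RECORD *, CONTEXT *);
/* x86 frame-based registration record; each __try pushes one of these on the stack. */
struct _EXCEPTION_REGISTRATION_RECORD { EXCEPTION_REGISTRATION_RECORD *Next; EXCEPTION_ROUTINE Handler; };
/* Stand-in for the TEB fields the real walk reads (ExceptionList, StackBase, StackLimit). */
typedef struct { uintptr_t StackBase; uintptr_t StackLimit; EXCEPTION_REGISTRATION_RECORD *ExceptionList; } thread_state;

int g_handler_calls;   /* how many handlers the last walk invoked */

/* "check for valid record": the record must lie inside the thread's stack and be pointer
 * aligned. Only the record's location is checked, not the address Handler points to. */
static bool valid_registration(const thread_state *t, const EXCEPTION_REGISTRATION_RECORD *r)
{
    uintptr_t lo = (uintptr_t)r, hi = lo + sizeof *r;
    return hi > lo && lo % sizeof(void *) == 0 && lo >= t->StackLimit && hi <= t->StackBase;
}

/* The loop on the slide: follow Next until a handler accepts, the chain proves corrupt,
 * or EXCEPTION_CHAIN_END is reached (unhandled; last chance processing follows). */
bool rtl_dispatch_exception(thread_state *t, EXCEPTION_RECORD *rec, CONTEXT *ctx)
{
    for (EXCEPTION_REGISTRATION_RECORD *reg = t->ExceptionList; reg != EXCEPTION_CHAIN_END; reg = reg->Next) {
        if (!valid_registration(t, reg))
            return false;                          /* stack is invalid: stop the search */
        switch (reg->Handler(rec, reg, ctx)) {
        case ExceptionContinueExecution: return true;
        case ExceptionContinueSearch:    continue;
        case ExceptionNestedException:             /* real code raises a nested-exception status */
        default:                         return false;
        }
    }
    return false;
}

/* Constructed sample handlers. */
static EXCEPTION_DISPOSITION search_handler(EXCEPTION_RECORD *r, EXCEPTION_REGISTRATION_RECORD *f, CONTEXT *c)
{ (void)r; (void)f; (void)c; g_handler_calls++; return ExceptionContinueSearch; }
static EXCEPTION_DISPOSITION av_handler(EXCEPTION_RECORD *r, EXCEPTION_REGISTRATION_RECORD *f, CONTEXT *c)
{
    (void)f; g_handler_calls++;
    if (r->ExceptionCode != 0xC0000005u) return ExceptionContinueSearch;  /* STATUS_ACCESS_VIOLATION only */
    c->Eip += 2;                     /* resume after the faulting instruction (2-byte length assumed) */
    return ExceptionContinueExecution;
}

/* 1 KiB constructed stand-in for the thread stack; records go at pointer-aligned offsets. */
static uint64_t g_stack[128];
static EXCEPTION_REGISTRATION_RECORD *frame_at(size_t off) { return (EXCEPTION_REGISTRATION_RECORD *)((uint8_t *)g_stack + off); }
static bool dispatch(EXCEPTION_REGISTRATION_RECORD *head, uint32_t code, uint32_t *eip)
{
    thread_state t = { (uintptr_t)g_stack + sizeof g_stack, (uintptr_t)g_stack, head };
    EXCEPTION_RECORD rec = { code, *eip };
    CONTEXT ctx = { *eip };
    g_handler_calls = 0;
    bool handled = rtl_dispatch_exception(&t, &rec, &ctx);
    *eip = ctx.Eip;
    return handled;
}

/* Case 1: inner frame only searches, outer frame handles the access violation. */
bool run_chain_handles_av(uint32_t *eip)
{
    EXCEPTION_REGISTRATION_RECORD *outer = frame_at(896), *inner = frame_at(608);
    outer->Next = EXCEPTION_CHAIN_END; outer->Handler = av_handler;
    inner->Next = outer;               inner->Handler = search_handler;
    return dispatch(inner, 0xC0000005u, eip);
}
/* Case 2: ExceptionList points outside the stack (corrupt TEB or record): no handler runs. */
bool run_chain_with_corrupt_head(void)
{
    static EXCEPTION_REGISTRATION_RECORD rogue;    /* lives outside g_stack */
    rogue.Next = EXCEPTION_CHAIN_END; rogue.Handler = av_handler;
    uint32_t eip = 0x00401000u;
    return dispatch(&rogue, 0xC0000005u, &eip);
}
/* Case 3: no frame accepts STATUS_BREAKPOINT, so the walk runs out at EXCEPTION_CHAIN_END. */
bool run_chain_unhandled(void)
{
    EXCEPTION_REGISTRATION_RECORD *only = frame_at(896);
    only->Next = EXCEPTION_CHAIN_END; only->Handler = av_handler;
    uint32_t eip = 0x00401000u;
    return dispatch(only, 0x80000003u, &eip);
}

int main(void)
{
    uint32_t eip = 0x00401000u;
    bool handled = run_chain_handles_av(&eip);
    printf("AV: handled=%d resume eip=%08x handlers called=%d\n", handled, (unsigned)eip, g_handler_calls);
    printf("corrupt head: handled=%d\n", run_chain_with_corrupt_head());
    printf("breakpoint: handled=%d\n", run_chain_unhandled());
    return 0;
}
```

The caveat a practitioner should take from case 2 is what the check does and does not cover: a record outside the stack bounds stops the search, but a record that is inside the bounds is trusted, and its Handler pointer is called wherever it points. That is exactly why a stack buffer overflow that reaches a registration record is able to redirect execution, and why later hardening such as handler-table validation was needed on top of this walk.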
Discussion