Book details
Windows Internals, Part 1 (7th edition, English-language edition) / 深入解析Windows操作系统 卷I
Authors: Pavel Yosifovich, Alex Ionescu (Canada), Mark Russinovich (USA), David Solomon (USA)
Publisher: Posts & Telecom Press (人民邮电出版社)
Publication date: 2018-11-01
ISBN: 9787115491800
List price: ¥128.00
Description
Beginning with Windows 8, Microsoft started converging its operating systems. With Windows 10 that convergence is close to complete: the same system runs on desktops and laptops, servers, Xbox One, phones (Windows Mobile 10), HoloLens and a wide range of Internet of Things devices. This book is the 7th edition (Part 1) of the Windows Internals series, and it covers every aspect of Windows as it evolved from Windows 8 to Windows 10. It describes the architecture and core internals of Windows 10 and Windows Server 2016. Readers will learn the Windows system architecture and its general components; how to use tools such as the kernel debugger to explore internal data structures; how Windows uses processes for management and isolation; how thread scheduling works and how CPU resources are managed; the Windows security model in depth, including the latest developments in security measures; how Windows manages virtual and physical memory; and how the I/O system manages physical devices and device drivers. The book is organised into seven parts: concepts and tools, system architecture, processes and jobs, threads, memory management, the I/O system, and security. Rich in content and comprehensive in coverage, it is suitable for Windows platform developers, system administrators and Windows enthusiasts.
About the authors
Pavel Yosifovich is a developer, trainer and author who specialises in Microsoft technologies and tools. He is a Microsoft MVP and a Pluralsight author. Alex Ionescu is Vice President of EDR Strategy at CrowdStrike and an internationally recognised expert in low-level system software, operating system research and kernel development, security training and reverse engineering. Mark Russinovich is Chief Technology Officer of Microsoft Azure, Microsoft's global enterprise cloud platform, and a recognised expert in distributed systems and operating systems. He is a co-founder of Winternals Software and the primary author of the Sysinternals tools and website. David Solomon has taught Windows kernel internals to developers and IT professionals around the world for 20 years. He has contributed to every edition of this book. David received the Microsoft Support Most Valuable Professional (MVP) award in 1993 and 2005.
Contents
Introduction  i
1 Concepts and tools  1
1.1 Windows operating system versions  1
1.1.1 Windows 10 and future Windows versions  3
1.1.2 Windows 10 and OneCore  3
1.2 Foundation concepts and terms  4
1.2.1 Windows API  4
1.2.2 Services, functions, and routines  7
1.2.3 Processes  8
1.2.4 Threads  18
1.2.5 Jobs  20
1.2.6 Virtual memory  21
1.2.7 Kernel mode vs. user mode  23
1.2.8 Hypervisor  27
1.2.9 Firmware  29
1.2.10 Terminal Services and multiple sessions  29
1.2.11 Objects and handles  30
1.2.12 Security  31
1.2.13 Registry  32
1.2.14 Unicode  33
1.3 Digging into Windows internals  35
1.3.1 Performance Monitor and Resource Monitor  36
1.3.2 Kernel debugging  38
1.3.3 Windows Software Development Kit  43
1.3.4 Windows Driver Kit  43
1.3.5 Sysinternals tools  44
1.4 Conclusion  44
2 System architecture  45
2.1 Requirements and design goals  45
2.2 Operating system model  46
2.3 Architecture overview  47
2.3.1 Portability  50
2.3.2 Symmetric multiprocessing  51
2.3.3 Scalability  53
2.3.4 Differences between client and server versions  54
2.3.5 Checked build  57
2.4 Virtualization-based security architecture overview  59
2.5 Key system components  61
2.5.1 Environment subsystems and subsystem DLLs  62
2.5.2 Other subsystems  68
2.5.3 Executive  72
2.5.4 Kernel  75
2.5.5 Hardware abstraction layer  79
2.5.6 Device drivers  82
2.5.7 System processes  88
2.6 Conclusion  99
3 Processes and jobs  101
3.1 Creating a process  101
3.1.1 CreateProcess* functions arguments  102
3.1.2 Creating Windows modern processes  103
3.1.3 Creating other kinds of processes  104
3.2 Process internals  105
3.3 Protected processes  113
3.3.1 Protected Process Light (PPL)  115
3.3.2 Third-party PPL support  119
3.4 Minimal and Pico processes  120
3.4.1 Minimal processes  120
3.4.2 Pico processes  121
3.5 Trustlets (secure processes)  123
3.5.1 Trustlet structure  123
3.5.2 Trustlet policy metadata  124
3.5.3 Trustlet attributes  125
3.5.4 System built-in Trustlets  125
3.5.5 Trustlet identity  126
3.5.6 Isolated user-mode services  127
3.5.7 Trustlet-accessible system calls  128
3.6 Flow of CreateProcess  129
3.6.1 Stage 1: Converting and validating parameters and flags  131
3.6.2 Stage 2: Opening the image to be executed  135
3.6.3 Stage 3: Creating the Windows executive process object  138
3.6.4 Stage 4: Creating the initial thread and its stack and context  144
3.6.5 Stage 5: Performing Windows subsystem-specific initialization  146
3.6.6 Stage 6: Starting execution of the initial thread  148
3.6.7 Stage 7: Performing process initialization in the context of the new process  148
3.7 Terminating a process  154
3.8 Image loader  155
3.8.1 Early process initialization  157
3.8.2 DLL name resolution and redirection  160
3.8.3 Loaded module database  164
3.8.4 Import parsing  168
3.8.5 Post-import process initialization  170
3.8.6 SwitchBack  171
3.8.7 API Sets  173
3.9 Jobs  176
3.9.1 Job limits  177
3.9.2 Working with a job  178
3.9.3 Nested jobs  179
3.9.4 Windows containers (server silos)  183
3.10 Conclusion  191
4 Threads  193
4.1 Creating threads  193
4.2 Thread internals  194
4.2.1 Data structures  194
4.2.2 Birth of a thread  206
4.3 Examining thread activity  207
4.3.1 Limitations on protected process threads  212
4.4 Thread scheduling  214
4.4.1 Overview of Windows scheduling  214
4.4.2 Priority levels  215
4.4.3 Thread states  223
4.4.4 Dispatcher database  228
4.4.5 Quantum  231
4.4.6 Priority boosts  238
4.4.7 Context switching  255
4.4.8 Scheduling scenarios  256
4.4.9 Idle threads  260
4.4.10 Thread suspension  264
4.4.11 (Deep) freeze  264
4.4.12 Thread selection  266
4.4.13 Multiprocessor systems  268
4.4.14 Thread selection on multiprocessor systems  283
4.4.15 Processor selection  284
4.4.16 Heterogeneous scheduling (big.LITTLE)  286
4.5 Group-based scheduling  287
4.5.1 Dynamic fair share scheduling  289
4.5.2 CPU rate limits  292
4.5.3 Dynamic processor addition and replacement  295
4.6 Worker factories (thread pools)  297
4.6.1 Worker factory creation  298
4.7 Conclusion  300
5 Memory management  301
5.1 Introduction to the memory manager  301
5.1.1 Memory manager components  302
5.1.2 Large and small pages  303
5.1.3 Examining memory usage  305
5.1.4 Internal synchronization  308
5.2 Services provided by the memory manager  309
5.2.1 Page states and memory allocations  310
5.2.2 Commit charge and commit limit  313
5.2.3 Locking memory  314
5.2.4 Allocation granularity  314
5.2.5 Shared memory and mapped files  315
5.2.6 Protecting memory  317
5.2.7 Data Execution Prevention  319
5.2.8 Copy-on-write  321
5.2.9 Address Windowing Extensions  232
5.3 Kernel-mode heaps (system memory pools)  324
5.3.1 Pool sizes  325
5.3.2 Monitoring pool usage  327
5.3.3 Look-aside lists  331
5.4 Heap manager  332
5.4.1 Process heaps  333
5.4.2 Heap types  334
5.4.3 The NT heap  334
5.4.4 Heap synchronization  334
5.4.5 The low-fragmentation heap  335
5.4.6 The segment heap  336
5.4.7 Heap security features  341
5.4.8 Heap debugging features  342
5.4.9 Pageheap  343
5.4.10 Fault-tolerant heap  347
5.5 Virtual address space layouts  348
5.5.1 x86 address space layouts  349
5.5.2 x86 system address space layout  352
5.5.3 x86 session space  353
5.5.4 System page table entries  355
5.5.5 ARM address space layout  356
5.5.6 64-bit address space layout  357
5.5.7 x64 virtual addressing limitations  359
5.5.8 Dynamic system virtual address space management  359
5.5.9 System virtual address space quotas  364
5.5.10 User address space layout  365
5.6 Address translation  371
5.6.1 x86 virtual address translation  371
5.6.2 Translation look-aside buffer  377
5.6.3 x64 virtual address translation  380
5.6.4 ARM virtual address translation  381
5.7 Page fault handling  383
5.7.1 Invalid PTEs  384
5.7.2 Prototype PTEs  385
5.7.3 In-paging I/O  386
5.7.4 Collided page faults  387
5.7.5 Clustered page faults  387
5.7.6 Page files  389
5.7.7 Commit charge and the system commit limit  394
5.7.8 Commit charge and page file size  397
5.8 Stacks  398
5.8.1 User stacks  399
5.8.2 Kernel stacks  400
5.8.3 DPC stack  401
5.9 Virtual address descriptors  401
5.9.1 Process VADs  402
5.9.2 Rotate VADs  403
5.10 NUMA  404
5.11 Section objects  405
5.12 Working sets  412
5.12.1 Demand paging  413
5.12.2 Logical prefetcher and ReadyBoot  413
5.12.3 Placement policy  416
5.12.4 Working set management  417
5.12.5 Balance set manager and swapper  421
5.12.6 System working sets  422
5.12.7 Memory notification events  423
5.13 Page frame number database  425
5.13.1 Page list dynamics  428
5.13.2 Page priority  436
5.13.3 Modified page writer and mapped page writer  438
5.13.4 PFN data structures  440
5.13.5 Page file reservation  443
5.14 Physical memory limits  446
5.14.1 Windows client memory limits  447
5.15 Memory compression  449
5.15.1 Compression illustration  450
5.15.2 Compression architecture  453
5.16 Memory partitions  456
5.17 Memory combining  459
5.17.1 The search phase  460
5.17.2 The classification phase  461
5.17.3 The page combining phase  462
5.17.4 From private to shared PTE  462
5.17.5 Combined pages release  464
5.18 Memory enclaves  467
5.18.1 Programmatic interface  468
5.18.2 Memory enclave initializations  469
5.18.3 Enclave construction  469
5.18.4 Loading data into an enclave  471
5.18.5 Initializing an enclave  472
5.19 Proactive memory management (SuperFetch)  472
5.19.1 Components  473
5.19.2 Tracing and logging  474
5.19.3 Scenarios  475
5.19.4 Page priority and rebalancing  476
5.19.5 Robust performance  478
5.19.6 ReadyBoost  479
5.19.7 ReadyDrive  480
5.19.8 Process reflection  480
5.20 Conclusion  482
6 I/O system  483
6.1 I/O system components  483
6.1.1 The I/O manager  485
6.1.2 Typical I/O processing  486
6.2 Interrupt Request Levels and Deferred Procedure Calls  488
6.2.1 Interrupt Request Levels  488
6.2.2 Deferred Procedure Calls  490
6.3 Device drivers  492
6.3.1 Types of device drivers  492
6.3.2 Structure of a driver  498
6.3.3 Driver objects and device objects  500
6.3.4 Opening devices  507
6.4 I/O processing  510
6.4.1 Types of I/O  511
6.4.2 I/O request packets  513
6.4.3 I/O request to a single-layered hardware-based driver  525
6.4.4 I/O requests to layered drivers  533
6.4.5 Thread-agnostic I/O  536
6.4.6 I/O cancellation  537
6.4.7 I/O completion ports  541
6.4.8 I/O prioritization  546
6.4.9 Container notifications  552
6.5 Driver Verifier  552
6.5.1 I/O-related verification options  554
6.5.2 Memory-related verification options  555
6.6 The Plug and Play manager  559
6.6.1 Level of Plug and Play support  560
6.6.2 Device enumeration  561
6.6.3 Device stacks  563
6.6.4 Driver support for Plug and Play  569
6.6.5 Plug-and-play driver installation  571
6.7 General driver loading and installation  575
6.7.1 Driver loading  575
6.7.2 Driver installation  577
6.8 The Windows Driver Foundation  578
6.8.1 Kernel-Mode Driver Framework  579
6.8.2 User-Mode Driver Framework  587
6.9 The power manager  590
6.9.1 Connected Standby and Modern Standby  594
6.9.2 Power manager operation  595
6.9.3 Driver power operation  596
6.9.4 Driver and application control of device power  599
6.9.5 Power management framework  600
6.9.6 Power availability requests  602
6.10 Conclusion  603
7 Security  605
7.1 Security ratings  605
7.1.1 Trusted Computer System Evaluation Criteria  605
7.1.2 The Common Criteria  607
7.2 Security system components  608
7.3 Virtualization-based security  611
7.3.1 Credential Guard  612
7.3.2 Device Guard  617
7.4 Protecting objects  619
7.4.1 Access checks  621
7.4.2 Security identifiers  625
7.4.3 Virtual service accounts  646
7.4.4 Security descriptors and access control  650
7.4.5 Dynamic Access Control  666
7.5 The AuthZ API  666
7.5.1 Conditional ACEs  667
7.6 Account rights and privileges  668
7.6.1 Account rights  669
7.6.2 Privileges  670
7.6.3 Super privileges  675
7.7 Access tokens of processes and threads  677
7.8 Security auditing  677
7.8.1 Object access auditing  679
7.8.2 Global audit policy  682
7.8.3 Advanced Audit Policy settings  683
7.9 AppContainers  684
7.9.1 Overview of UWP apps  685
7.9.2 The AppContainer  687
7.10 Logon  710
7.10.1 Winlogon initialization  711
7.10.2 User logon steps  713
7.10.3 Assured authentication  718
7.10.4 Windows Biometric Framework  719
7.10.5 Windows Hello  721
7.11 User Account Control and virtualization  722
7.11.1 File system and registry virtualization  722
7.11.2 Elevation  729
7.12 Exploit mitigations  735
7.12.1 Process-mitigation policies  735
7.12.2 Control Flow Integrity  740
7.12.3 Security assertions  752
7.13 Application Identification  756
7.14 AppLocker  757
7.15 Software Restriction Policies  762
7.16 Kernel Patch Protection  764
7.17 PatchGuard  765
7.18 HyperGuard  768
7.19 Conclusion  770
Index  771