
Windows CE初探

2022-06-13   來源: Windows系統管理 

  從Platform Builder來看，Windows CE支持相當多CPU，但現在市場上實際銷售的PDA幾乎全部采用ARM芯片。ARM是一個RISC構架的32位微處理器，它一次有16個可見的寄存器r0–r15：其中r0–r7是通用寄存器，可以用於任何目的；r8–r12也是通用寄存器，但在切換到FIQ模式的時候使用它們的影子(shadow)寄存器；最後三個是特殊寄存器：
  
  r13 (sp)    堆棧指針
  r14 (lr)    鏈接寄存器
  r15 (pc/psr)  程序計數器/狀態寄存器
  
  IDA Pro和調試器裡都是用別名表示。和其它RISC指令類似，ARM指令主要有分支(branch)指令、載入和存儲指令和其它指令等。除了載入和存儲指令，其它指令都是不能直接操作內存的，而且載入和存儲指令操作的是4字節類型，那麼內存地址必須要求4字節對齊，這也是RISC指令和CISC指令差異比較大的地方，在操作字符串的時候相對就比較麻煩。ARM指令一個很有趣的地方就是可以直接修改、訪問pc寄存器，這樣如果寫shellcode的話就不必象SPARC或PowerPC一樣需要多條指令來定位自身。
  
  另外，Windows CE默認使用的字節序是little-endian。
  
  Windows CE核心結構
  
  Windows CE是一個32位的操作系統，所以其虛擬內存的大小是4GB(2的32次方)。Windows CE把這4GB虛擬內存空間分為低地址2GB和高地址2GB：應用程序使用的地址空間是低地址2GB，高地址2GB專供Windows CE內核使用。在Windows CE源碼的PRIVATE/WINCEOS/COREOS/NK/INC/nkarm.h頭文件裡有一些有趣的信息：
  
  /* High memory layout
  *
  * This structure is mapped in at the end of the GB virtual
  * address space
  *
  * xFFFD first level page table (uncached) (nd half is r/o)
  * xFFFD disabled for protection
  * xFFFE second level page tables (uncached)
  * xFFFE disabled for protection
  * xFFFF exception vectors
  * xFFFF not used (r/o)
  * xFFFF disabled for protection
  * xFFFF r/o (physical overlaps with vectors)
  * xFFFF Interrupt stack (k)
  * xFFFF r/o (physical overlaps with Abort stack & FIQ stack)
  * xFFFF disabled for protection
  * xFFFF r/o (physical memory overlaps with vectors & intr stack & FIQ stack)
  * xFFFF Abort stack (k bytes)
  * xFFFF disabled for protection
  * xFFFF r/o (physical memory overlaps with vectors & intr stack)
  * xFFFF FIQ stack ( bytes)
  * xFFFF r/o (physical memory overlaps with Abort stack)
  * xFFFF disabled
  * xFFFFC kernel stack
  * xFFFFC KDataStruct
  * xFFFFCC disabled for protection (nd level page table for xFFF)
  */
  
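  /*
   * NOTE(review): this excerpt is quoted from the Windows CE nkarm.h header
   * named in the text above. Every numeric literal (the "x..." address
   * tokens, originally 0x... values, and the array bounds) was dropped when
   * the page was extracted, so the declaration below is a map of the
   * high-memory kernel region, not compilable C. The repeated `reserved`
   * member names are presumably the same artefact (reserved1, reserved2, ...).
   * Consult the original header for the real addresses and sizes.
   *
   * The only textual repair made here: a stray HTML "&nbsp;" fragment that
   * split the `kdata` member and its comment across lines has been removed.
   */
  typedef struct arm_HIGH {
  ulong  firstPT[];    // xFFFD: 1st level page table
  PAGETBL  aPT[];      // xFFFD: 2nd level page tables
  char  reserved[xx*sizeof(PAGETBL)];
  
  char  exVectors[x];  // xFFFF: exception vectors
  char  reserved[xx];
  
  char  intrStack[x];  // xFFFF: interrupt stack
  char  reserved[xx];
  
  char  abortStack[x];  // xFFFF: abort stack
  char  reserved[xx];
  
  char  fiqStack[x];  // xFFFF: FIQ stack
  char  reserved[xCx];
  
  char  kStack[x];    // xFFFFC: kernel stack
  struct KDataStruct kdata;  // xFFFFC: kernel data page (KDataStruct is defined below in the text)
  } arm_HIGH;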
  
  其中KDataStruct的結構非常重要而且有意思，有些類似Win32下的PEB結構，定義了系統各種重要的信息：
  
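  /*
   * NOTE(review): quoted from the Windows CE kernel headers. All numeric
   * literals (the "x..." offset tokens in the field comments, originally
   * 0x... values, and the array bounds) were dropped during extraction, so
   * the declaration is not compilable as printed; the offsets and sizes must
   * be taken from the original header.
   *
   * Textual repairs made here, none of which touch a field declaration:
   * the handle-index list after `ahSys` and the KINX_* index list after
   * `aInfo`, which the author interleaved with the fields as bare lines,
   * are wrapped in comments; a stray HTML "&nbsp;" fragment that split the
   * `bProfileOn` member from its comment is removed; the closing brace
   * gets the missing semicolon.
   */
  struct KDataStruct {
  LPDWORD lpvTls;     /* x Current thread local storage pointer */
  HANDLE ahSys[NUM_SYS_HANDLES]; /* x If this moves change kapi.h */
  /*
   * NUM_SYS_HANDLES (value lost in extraction); see
   * PUBLIC/COMMON/SDK/INC/kfuncs.h. Index -> system handle:
   *   x SH_WIN
   *   x SH_CURTHREAD
   *   xc SH_CURPROC
   *   x SH_KWIN
   *   x SH_GDI
   *   x SH_WMGR
   *   xc SH_WNET
   *   x SH_COMM
   *   x SH_FILESYS_APIS
   *   x SH_SHELL
   *   xc SH_DEVMGR_APIS
   *   x SH_TAPI
   *   x SH_PATCHER
   *   xc SH_SERVICES
   */
  
  char  bResched;    /* x reschedule flag */
  char  cNest;     /* x kernel exception nesting */
  char  bPowerOff;   /* x TRUE during power off processing */
  char  bProfileOn;  /* x TRUE if profiling enabled */
  ulong  unused;     /* x unused */
  ulong  rsvd;     /* xc was DiffMSec */
  PPROCESS pCurPrc;    /* x ptr to current PROCESS struct */
  PTHREAD pCurThd;    /* x ptr to current THREAD struct */
  DWORD  dwKCRes;    /* x */
  ulong  handleBase;   /* xc handle table base address */
  PSECTION aSections[]; /* xa section table for virtual memory */
  LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* xa */
  LPVOID alpvIntrData[SYSINTR_MAX_DEVICES]; /* x */
  ulong  pAPIReturn;   /* xa direct API return address for kernel mode */
  uchar  *pMap;     /* xa ptr to MemoryMap array */
  DWORD  dwInDebugger;  /* xa ! when in debugger */
  PTHREAD pCurFPUOwner;  /* xac current FPU owner */
  PPROCESS pCpuASIDPrc;  /* xb current ASID proc */
  long  nMemForPT;   /* xb Memory used for PageTables */
  
  long  alPad[];   /* xb padding */
  
  DWORD  aInfo[];   /* x misc kernel info */
  /*
   * aInfo[] indices; see PUBLIC/COMMON/OAK/INC/pkfuncs.h:
   *   x KINX_PROCARRAY   address of process array
   *   x KINX_PAGESIZE   system page size
   *   x KINX_PFN_SHIFT   shift for page # in PTE
   *   xc KINX_PFN_MASK   mask for page # in PTE
   *   x KINX_PAGEFREE   # of free physical pages
   *   x KINX_SYSPAGES   # of pages used by kernel
   *   x KINX_KHEAP     ptr to kernel heap array
   *   xc KINX_SECTIONS   ptr to SectionTable array
   *   x KINX_MEMINFO    ptr to system MemoryInfo struct
   *   x KINX_MODULES    ptr to module list
   *   x KINX_DLL_LOW    lower bound of DLL shared space
   *   xc KINX_NUMPAGES   total # of RAM pages
   *   x KINX_PTOC      ptr to ROM table of contents
   *   x KINX_KDATA_ADDR  kernel mode version of KData
   *   x KINX_GWESHEAPINFO Current amount of gwes heap in use
   *   xc KINX_TIMEZONEBIAS Fast timezone bias info
   *   x KINX_PENDEVENTS  bit mask for pending interrupt events
   *   x KINX_KERNRESERVE  number of kernel reserved pages
   *   x KINX_API_MASK   bit mask for registered api sets
   *   xc KINX_NLS_CP    hiword OEM code page loword ANSI code page
   *   x KINX_NLS_SYSLOC  Default System locale
   *   x KINX_NLS_USERLOC  Default User locale
   *   x KINX_HEAP_WASTE  Kernel heap wasted space
   *   xc KINX_DEBUGGER   For use by debugger for protocol communication
   *   x KINX_APISETS    APIset pointers
   *   x KINX_MINPAGEFREE  water mark of the minimum number of free pages
   *   x KINX_CELOGSTATUS  CeLog status flags
   *   xc KINX_NKSECTION   Address of NKSection
   *   x KINX_PWR_EVTS   Events to be set after power on
   *   xc KINX_NKSIG     last entry of KINFO signature when NK is ready
   */
  
  /* x interlocked api code */
  /* x end */
  };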
  
  Win32下可以通過PEB結構定位kernel32.dll的基址，然後通過PE文件結構查找Windows API。在Windows CE下，coredll.dll的作用相當於Win32的kernel32.dll。由於KDataStruct結構開始於xFFFFC，偏移x的aInfo[KINX_MODULES]是一個指向模塊鏈表的指針，通過這個鏈表能否找到coredll.dll模塊呢?讓我們來看一下模塊的結構：
  
  // PRIVATE/WINCEOS/COREOS/NK/INC/kernel.h
  typedef struct Module {