Kernel Data Structures The operating system must keep a lot of information about the current state of the system. As things happen within the system these data structures must be changed to reflect the current reality. For example, a new process might be spawned when a user logged into the system.
Doubly Linked List nt! The "dl" and "db" commands walk a doubly linked list in the forward or backward direction and Kernel data structures do the "!
Any process may simultaneously belong to multiple sets or groups. For example, a process is always in the list of processes that are active in the system, a process may belong to the set of processes running inside a session and a process may be the part of a job.
This list is traversed by MiReplicatePteChange to update the kernel mode portion of the process's virtual address space. This list is used by ExpUpdateTimerResolution to update the time resolution to the lowest requested value amongst all the processes.
Pcb field, is used by the lower layers of the kernel and contains scheduling related information like threads, quantum, priority and execution times. The field ProfileListHead contains list of profile objects that have been created for this process.
This list is used by the profile interrupt to record the instruction pointer for profiling. The field ReadyListHead is list of threads that are ready to run in this process. This list is non-empty only for processes that are non-resident in memory.
The field ThreadListHead is the list of all threads in the process. This is used by the kernel to find all the threads in the process. The field JobLinks is the list of processes that are part of a job are queued together in a linked list with head of the list at EJOB.
The KeyedWaitChain field is used to maintain the thread in the list of threads that are waiting on a particular keyed event. These are the list of IRPs will have to be cancelled when the thread terminates.
The CallbackListHead field is used to store a linked list of Registry callbacks that would be invoked in order to notify registry filter drivers about registry operations the thread is performing.
This field is valid between the pre and post notification registry callbacks. The ActiveTimerListHead is the head of the list of timers that are set as active will expire after a certain period by the current thread.
Tcb field, is used by the lower layers of the kernel and contains information like thread stacks, scheduling, APCs, system calls, priority, execution times etc. ThreadListHead is the head of this list. This is used by functions like KiCommitThreadWait to activate other threads in a worker queue when the current worker thread associate with the queue waits on something other than a work queue.
The MutantListHead field is used to maintain a list of mutexes that the thread has acquired. The Win32Thread field points to the Win32K. The size of the structure allocate per thread is stored in Win32K. This field is set by the function KiCommitThreadWait right before the thread actually enters into its wait state.
The interrupt vector is the index of a particular slot in the IDT. The field DispatchCode is an array of bytes containing the first few instructions of the interrupt servicing code.
The IDT entry for a particular vector points directly to the DispatchCode array which in turn calls the function pointed to by DispatchAddress. This function is typically KiInterruptDispatch and is responsible for setting up the environment required to call the driver supplied ISR pointed to by the ServiceRoutine field.
This mechanism is used in the implementation of structured exception handling SEH.
A small part of the trap frame is populated by the CPU as a part of its own interrupt and exception handling, the rest of the trap frame is created by the software exception and interrupt handler provided by Windows i.
On the X64 CPU, some fields in the trap frame that contain non-volatile register values are not populated by the exception handlers.
DPCs are also used to notify kernel components about expired timers. These routines are used by drivers to perform actions in the context of a specific process, primarily to get access to the process's user mode virtual address space.
Certain functionality in Windows like attaching and detaching a thread to process and thread suspension are built on top of APCs. APCs are of 3 types - user mode, normal kernel mode, special kernel mode. SpecialApcDisable to a negative value causes special and normal kernel APCs to be disabled for that thread.
The field RundownRoutine points to a function that executes when APC is discarded during thread termination. This allows threads to get temporary access to another processes user mode virtual address space.
Since APCs are thread and process specific, when a thread attaches to a process different from its current process its APC state data needs to be saved. This is required because APC that are currently queued to the thread that need the original process's address cannot be delivered in the new process context to which the thread attaches itself.
Events, semaphores, mutexes, timers, threads, processes, and queues are examples of native kernel objects. This is one of the first 10 values in the enumerated type nt!Within the kernel data structures, this means that two entries in the file descriptor table reference the same file table entry.
As a result, a read and write to either of the file descriptor is the same, as in, they reference the same file. Mostly these data structures exist in physical memory and are accessible only by the kernel and its subsystems. Data structures contain data and pointers; addresses of other data structures or the addresses of routines.
Taken all together, the data structures used .
6. Kernel Data Structures. This chapter introduces several built-in data structures for use in Linux kernel code. As with any large software project, the Linux kernel provides these generic data structures and primitives to encourage code reuse.
Data Structures in the Linux Kernel Linux kernel provides different implementations of data structures like doubly linked list, B+ tree, priority heap and many many more.
This part considers the following data structures and algorithms. Usually you encounter this word when you read about kernel debugging, tracing, or kernel dumps. A kernel dump can copy out only the kernel structures, or the kernel structures as well as the process/user data.
Most of the time you just need the kernel data structures. Within the kernel data structures, this means that two entries in the file descriptor table reference the same file table entry.
As a result, a read and write to either of the file descriptor is the same, as in, they reference the same file.