
A First Look at Windows CE


Published: 2018/8/22

Judging from Platform Builder, Windows CE supports a large number of CPUs, but almost all PDAs actually on sale today use ARM chips. ARM is a 32-bit RISC microprocessor with 16 registers visible at any one time, r0 through r15. r0 through r12 are general-purpose registers that can be used for any purpose; r8 through r12 are also general purpose, but when the processor switches into FIQ mode their shadow (banked) copies are used instead. The last three are special registers:

r13 (sp)  stack pointer

r14 (lr)  link register

r15 (pc/psr)  program counter / status register

IDA Pro and the debuggers all display them by these aliases. As in other RISC instruction sets, ARM instructions fall mainly into branch instructions, load and store instructions, and everything else. Apart from loads and stores, no instruction can operate on memory directly, and loads and stores work on fixed-width units whose memory address must be aligned to that width. This is one of the larger differences between RISC and CISC instruction sets, and it makes string handling comparatively awkward. One interesting property of ARM is that the pc register can be read and modified directly, so shellcode does not need a sequence of several instructions to locate itself, as it does on SPARC or PowerPC.

In addition, Windows CE uses little-endian byte order by default.

Windows CE kernel structure

Windows CE is a 32-bit operating system, so its virtual address space is 4 GB (2 to the power 32). Windows CE divides this 4 GB virtual space into a low 2 GB and a high 2 GB: applications use the low 2 GB, and the high 2 GB is reserved for the Windows CE kernel. The header file PRIVATE/WINCEOS/COREOS/NK/INC/nkarm.h in the Windows CE source contains some interesting information:

/* High memory layout
 *
 * This structure is mapped in at the end of the GB virtual
 * address space
 *
 * xFFFD   first level page table (uncached) (2nd half is r/o)
 * xFFFD   disabled for protection
 * xFFFE   second level page tables (uncached)
 * xFFFE   disabled for protection
 * xFFFF   exception vectors
 * xFFFF   not used (r/o)
 * xFFFF   disabled for protection
 * xFFFF   r/o (physical overlaps with vectors)
 * xFFFF   Interrupt stack (k)
 * xFFFF   r/o (physical overlaps with Abort stack & FIQ stack)
 * xFFFF   disabled for protection
 * xFFFF   r/o (physical memory overlaps with vectors & intr stack & FIQ stack)
 * xFFFF   Abort stack (k bytes)
 * xFFFF   disabled for protection
 * xFFFF   r/o (physical memory overlaps with vectors & intr stack)
 * xFFFF   FIQ stack ( bytes)
 * xFFFF   r/o (physical memory overlaps with Abort stack)
 * xFFFF   disabled
 * xFFFFC  kernel stack
 * xFFFFC  KDataStruct
 * xFFFFCC disabled for protection (2nd level page table for xFFF)
 */

typedef struct arm_HIGH {
    ulong   firstPT[];                      // xFFFD: 1st level page table
    PAGETBL aPT[];                          // xFFFD: 2nd level page tables
    char    reserved[xx*sizeof(PAGETBL)];
    char    exVectors[x];                   // xFFFF: exception vectors
    char    reserved[xx];
    char    intrStack[x];                   // xFFFF: interrupt stack
    char    reserved[xx];
    char    abortStack[x];                  // xFFFF: abort stack
    char    reserved[xx];
    char    fiqStack[x];                    // xFFFF: FIQ stack
    char    reserved[xCx];
    char    kStack[x];                      // xFFFFC: kernel stack
    struct KDataStruct kdata;               // xFFFFC: kernel data page
} arm_HIGH;

The KDataStruct structure is particularly important and interesting. Somewhat like the PEB under Win32, it records all kinds of vital system information:

struct KDataStruct {
    LPDWORD  lpvTls;                    /* x  Current thread local storage pointer */
    HANDLE   ahSys[NUM_SYS_HANDLES];    /* x  If this moves change kapi.h */
        // NUM_SYS_HANDLES == : PUBLIC/COMMON/SDK/INC/kfuncs.h
        //   x   SH_WIN
        //   x   SH_CURTHREAD
        //   xc  SH_CURPROC
        //   x   SH_KWIN
        //   x   SH_GDI
        //   x   SH_WMGR
        //   xc  SH_WNET
        //   x   SH_COMM
        //   x   SH_FILESYS_APIS
        //   x   SH_SHELL
        //   xc  SH_DEVMGR_APIS
        //   x   SH_TAPI
        //   x   SH_PATCHER
        //   xc  SH_SERVICES
    char     bResched;                  /* x  reschedule flag */
    char     cNest;                     /* x  kernel exception nesting */
    char     bPowerOff;                 /* x  TRUE during power off processing */
    char     bProfileOn;                /* x  TRUE if profiling enabled */
    ulong    unused;                    /* x  unused */
    ulong    rsvd;                      /* xc was DiffMSec */
    PPROCESS pCurPrc;                   /* x  ptr to current PROCESS struct */
    PTHREAD  pCurThd;                   /* x  ptr to current THREAD struct */
    DWORD    dwKCRes;                   /* x */
    ulong    handleBase;                /* xc handle table base address */
    PSECTION aSections[];               /* xa section table for virtual memory */
    LPEVENT  alpeIntrEvents[SYSINTR_MAX_DEVICES];   /* xa */
    LPVOID   alpvIntrData[SYSINTR_MAX_DEVICES];     /* x */
    ulong    pAPIReturn;                /* xa direct API return address for kernel mode */
    uchar   *pMap;                      /* xa ptr to MemoryMap array */
    DWORD    dwInDebugger;              /* xa ! when in debugger */
    PTHREAD  pCurFPUOwner;              /* xac current FPU owner */
    PPROCESS pCpuASIDPrc;               /* xb current ASID proc */
    long     nMemForPT;                 /* xb Memory used for PageTables */
    long     alPad[];                   /* xb padding */
    DWORD    aInfo[];                   /* x  misc kernel info */
        // PUBLIC/COMMON/OAK/INC/pkfuncs.h
        //   x   KINX_PROCARRAY      address of process array
        //   x   KINX_PAGESIZE       system page size
        //   x   KINX_PFN_SHIFT      shift for page # in PTE
        //   xc  KINX_PFN_MASK       mask for page # in PTE
        //   x   KINX_PAGEFREE       # of free physical pages
        //   x   KINX_SYSPAGES       # of pages used by kernel
        //   x   KINX_KHEAP          ptr to kernel heap array
        //   xc  KINX_SECTIONS       ptr to SectionTable array
        //   x   KINX_MEMINFO        ptr to system MemoryInfo struct
        //   x   KINX_MODULES        ptr to module list
        //   x   KINX_DLL_LOW        lower bound of DLL shared space
        //   xc  KINX_NUMPAGES       total # of RAM pages
        //   x   KINX_PTOC           ptr to ROM table of contents
        //   x   KINX_KDATA_ADDR     kernel mode version of KData
        //   x   KINX_GWESHEAPINFO   Current amount of gwes heap in use
        //   xc  KINX_TIMEZONEBIAS   Fast timezone bias info
        //   x   KINX_PENDEVENTS     bit mask for pending interrupt events
        //   x   KINX_KERNRESERVE    number of kernel reserved pages
        //   x   KINX_API_MASK       bit mask for registered api sets
        //   xc  KINX_NLS_CP         hiword OEM code page, loword ANSI code page
        //   x   KINX_NLS_SYSLOC     Default System locale
        //   x   KINX_NLS_USERLOC    Default User locale
        //   x   KINX_HEAP_WASTE     Kernel heap wasted space
        //   xc  KINX_DEBUGGER       For use by debugger for protocol communication
        //   x   KINX_APISETS        APIset pointers
        //   x   KINX_MINPAGEFREE    water mark of the minimum number of free pages
        //   x   KINX_CELOGSTATUS    CeLog status flags
        //   xc  KINX_NKSECTION      Address of NKSection
        //   x   KINX_PWR_EVTS       Events to be set after power on
        //   xc  KINX_NKSIG          last entry of KINFO, signature when NK is ready
    /* x  interlocked api code */
    /* x  end */
}

Under Win32 one can locate the base address of kernel32.dll through the PEB and then walk the PE file structure to find Windows API entry points. Under Windows CE, coredll.dll plays the role that kernel32.dll plays on Win32. Since KDataStruct begins at the fixed address xFFFFC shown above, and aInfo[KINX_MODULES], at offset x within it, is a pointer to the module linked list, can that list be followed to find the coredll.dll module? Let us look at the module structure:
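The lookup described above, a fixed kernel data page that points to a linked list of loaded modules, is the same walk a memory-forensics tool or debugger performs over a captured image. The following Python is an added example, not code from the article or from Windows CE. The field offsets (KDATA_MODULES_OFF, MOD_NEXT_OFF, MOD_NAME_OFF, MOD_BASE_OFF, MOD_SIZE), the image base and the module names and base addresses are all constructed for the example; the real KDataStruct and Module layouts are not fully reproduced on this page. What the example adds is the defensive handling a parser needs on a damaged or tampered image: bounds-checked pointer reads, an upper bound on list length, and cycle detection.

```python
"""Walk a kernel module list in a little-endian memory image (constructed layout)."""
import struct

# --- Hypothetical layout: assumptions for this example, not Windows CE's real offsets ---
IMAGE_BASE = 0xFFFF0000       # virtual address of image[0]; kernel data page sits here
KDATA_MODULES_OFF = 0x08      # offset of the module-list pointer inside the kernel data page
MOD_NEXT_OFF, MOD_NAME_OFF, MOD_BASE_OFF, MOD_SIZE = 0x00, 0x04, 0x08, 0x0C
MAX_MODULES = 256             # hard stop so a corrupted list can never run away


def put_u32(image, vaddr, value):
    """Write a little-endian DWORD at a virtual address (used to build the sample image)."""
    struct.pack_into("<I", image, vaddr - IMAGE_BASE, value)


def put_cstr(image, vaddr, text):
    """Write a NUL-terminated ASCII string at a virtual address."""
    off = vaddr - IMAGE_BASE
    data = text.encode("ascii") + b"\0"
    image[off:off + len(data)] = data


def build_image():
    """Constructed 256-byte image: kernel data page at +0, three modules, name strings at +0x80."""
    image = bytearray(0x100)
    mods = [  # (module record address, name-string address, name, module base) -- sample values
        (IMAGE_BASE + 0x40, IMAGE_BASE + 0x80, "nk.exe",      0x80000000),
        (IMAGE_BASE + 0x4C, IMAGE_BASE + 0x90, "coredll.dll", 0x03F30000),
        (IMAGE_BASE + 0x58, IMAGE_BASE + 0xA0, "ws2.dll",     0x03E00000),
    ]
    put_u32(image, IMAGE_BASE + KDATA_MODULES_OFF, mods[0][0])   # KData -> first module
    for i, (addr, name_ptr, name, base) in enumerate(mods):
        next_ptr = mods[i + 1][0] if i + 1 < len(mods) else 0    # 0 terminates the list
        put_u32(image, addr + MOD_NEXT_OFF, next_ptr)
        put_u32(image, addr + MOD_NAME_OFF, name_ptr)
        put_u32(image, addr + MOD_BASE_OFF, base)
        put_cstr(image, name_ptr, name)
    return image


def read_u32(image, vaddr):
    """Bounds-checked little-endian DWORD read; a pointer outside the image is an error."""
    off = vaddr - IMAGE_BASE
    if off < 0 or off + 4 > len(image):
        raise ValueError(f"pointer 0x{vaddr:08X} lies outside the image")
    return struct.unpack_from("<I", image, off)[0]


def read_cstr(image, vaddr, maxlen=64):
    """Bounds-checked read of a NUL-terminated string of at most maxlen bytes."""
    off = vaddr - IMAGE_BASE
    if off < 0 or off >= len(image):
        raise ValueError(f"string pointer 0x{vaddr:08X} lies outside the image")
    end = image.find(b"\0", off, off + maxlen)
    if end < 0:
        raise ValueError(f"string at 0x{vaddr:08X} is not terminated within {maxlen} bytes")
    return image[off:end].decode("ascii", errors="replace")


def walk_modules(image, kdata_addr=IMAGE_BASE):
    """Follow the module list from the kernel data page; returns [(name, base), ...].

    Stops, instead of failing or looping forever, on a dangling pointer or a cycle,
    returning whatever was parsed before the corruption was hit.
    """
    modules, seen = [], set()
    try:
        cur = read_u32(image, kdata_addr + KDATA_MODULES_OFF)
        while cur != 0 and len(modules) < MAX_MODULES:
            if cur in seen:           # cycle: list was corrupted or deliberately tampered with
                break
            seen.add(cur)
            name = read_cstr(image, read_u32(image, cur + MOD_NAME_OFF))
            base = read_u32(image, cur + MOD_BASE_OFF)
            modules.append((name, base))
            cur = read_u32(image, cur + MOD_NEXT_OFF)
    except ValueError:
        pass                          # dangling pointer: keep the entries already recovered
    return modules


def find_module_base(image, name, kdata_addr=IMAGE_BASE):
    """Case-insensitive lookup of a module's base address, or None if it is not listed."""
    want = name.lower()
    for mod_name, base in walk_modules(image, kdata_addr):
        if mod_name.lower() == want:
            return base
    return None


if __name__ == "__main__":
    img = build_image()
    for mod_name, base in walk_modules(img):
        print(f"{mod_name:<12} base=0x{base:08X}")
    print("coredll.dll ->", hex(find_module_base(img, "coredll.dll")))
```

Every pointer dereference goes through read_u32 / read_cstr so a bad next, name or base pointer raises rather than reading outside the buffer, and the seen set plus MAX_MODULES bound the walk even if an attacker has spliced the list into a loop.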

// PRIVATE/WINCEOS/COREOS/NK/INC/kernel.h

typedef struct Module {
