What is the process of switching c read / write files from user mode to kernel mode?

One ： background

1. A curious question

We are learning C# In the process of , I always hear a word called   Kernel mode  , For example, with C# Read and write files , It will involve code from   User mode   To   Kernel mode   Handoff , use  HttpClient  Get remote data , It will also involve   User mode   To   Kernel mode   Handoff , What kind of interaction process is this ？ After all, our program is unmanageable   Kernel mode  , Today we will explore together .

Two ： Explore the interaction process of two states

1. Where is the junction of the two states

We know the boundary between the world and the underworld   Gate of hell , Same thing   User mode   and   Kernel mode   At the junction of  ntdll.dll  layer , Draw a picture like this ：

The operating system is for protection   Kernel mode   Code for , It is definitely not possible to use a pointer directly in the user mode , After all, one is ring 3, In a ring 0, and cpu Hardware protection is also provided , How do you get in ？ For the convenience of research , Let's start with a small example .

2. A simple file read

We use  File.ReadAllLines()  Realize file reading , The code is as follows ：

    internal class Program
    {
        public static object lockMe = new object();

        static void Main(string[] args)
        {
            var txt= File.ReadAllLines(@"D:\1.txt");

            Console.WriteLine(txt);

            Console.ReadLine();
        }
    }

stay Windows On the platform , The external entry of all kernel functions is  Win32 Api , Between the lines , This file also needs to be used for reading , Can be in WinDbg Use in  bp ntdll!NtReadFile  stay Gate of hell Intercept at .

0:000> bp ntdll!NtReadFile
breakpoint 0 redefined
0:000> g
ModLoad: 00007ffe`fdb20000 00007ffe`fdb50000   C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffe`e2660000 00007ffe`e26bf000   C:\Program Files\dotnet\host\fxr\6.0.5\hostfxr.dll
Breakpoint 0 hit
ntdll!NtReadFile:
00007ffe`fe24c060 4c8bd1          mov     r10,rcx

ha-ha , Successfully intercepted , Next use  uf ntdll!NtReadFile  Display the assembly code of the method body .

0:000> uf ntdll!NtReadFile
ntdll!NtReadFile:
00007ffe`fe24c060  mov     r10,rcx
00007ffe`fe24c063  mov     eax,6
00007ffe`fe24c068  test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffe`fe24c070  jne     ntdll!NtReadFile+0x15 (00007ffe`fe24c075) 
00007ffe`fe24c072  syscall
00007ffe`fe24c074  ret
00007ffe`fe24c075  int     2Eh
00007ffe`fe24c077  ret

From the perspective of assembly code , The logic is very simple , It's just one. if Judge , Decide whether to go  syscall  still  int 2Eh, It is obvious that no matter which way you take, you can enter   Kernel mode , Let's talk about it one by one .

3. int 2Eh Entry method

I believe no one in the debugging world does not know int do , After all, I have seen it countless times  int 3, In essence , In the kernel layer, a   Interrupt vector table , Each number is mapped to a piece of function code , When you turn on the computer and get windows Taking over also relies on   Interrupt vector table  , Okay , Next, let's take a brief look at how to find 3 Corresponding function code .

windbg There is one of them.  !idt  The command is used to find the function code corresponding to the number .

lkd> !idt 3

Dumping IDT: fffff804347e1000

03: fffff80438000f00 nt!KiBreakpointTrap

You can see , It corresponds to the kernel level  nt!KiBreakpointTrap  function , In the same way, let's look at  2E.

lkd> !idt 2E

Dumping IDT: fffff804347e1000

2e: fffff804380065c0 nt!KiSystemService

Now it's finally clear , The first way to enter the kernel state is  KiSystemService, From the name , It is a similar general method , The next step is how to get into the kernel state Read the file In the way ？

To find the answer , You can look back at the assembly code  mov eax,6 , there 6 Is the method number to which the kernel state needs to be routed , ha-ha , Which method does it correspond to ？ because windows Closed source of , We don't know , Fortunately github Someone on the has made a list ：https://j00ru.vexillium.org/syscalls/nt/64/  , Corresponding to my machine is .

As you can see from the picture, it is actually  nt!NtReadFile , Here I think the truth should be revealed , Let's talk about  syscall.

4. syscall How to walk

syscall yes CPU A special feature , be called   The system quickly calls , Between the lines , It relies on a set of  MSR register   Help code quickly from   User mode   Cut to   Kernel mode , Efficiency is far better than walking   Interrupt routing table   It's much faster , This is why the code has if Judge , In fact, it's judgment cpu Is this feature supported .

Just now I said that it has the help of  MSR register , One of the registers  MSR_LSTAR  The address of the kernel state entry function is stored , We can use  rdmsr c0000082  Take a look at .

lkd> rdmsr c0000082
msr[c0000082] = fffff804`38006cc0

lkd> uf fffff804`38006cc0
nt!KiSystemCall64:
fffff804`38006cc0 0f01f8          swapgs
fffff804`38006cc3 654889242510000000 mov   qword ptr gs:[10h],rsp
fffff804`38006ccc 65488b2425a8010000 mov   rsp,qword ptr gs:[1A8h]
...

You can see that in the code , It enters  nt!KiSystemCall64  function , And then execute the following  6  Corresponding  nt!NtReadFile  Complete the business logic , Finally, it is  nt!KiSystemCall64  complete Kernel mode To User mode Handoff .

Knowing these two ways , Next, you can patch up the picture a little , increase  syscall  and  int xxx  Two ways to enter the customs .

3、 ... and ： summary

Through assembly code analysis , We finally know   User mode   To   Kernel mode   Switching principle of , There are two ways , One is  int 2e, One is  syscall , Deepen our understanding of C# Read the file A deeper understanding of .