What is kernel mode?

原文地址

 

I've talked about this before but I want to really highlight it because I still see people wrestling with it.

In Windows CE 5.0 and earlier, "kernel mode" is an access levelattached to a thread.  If a thread is "in kernel mode" it can accesskernel address space.  You could call SetKMode to put your thread intoor out of kernel mode, whenever you wanted (it required trust, ofcourse).  Most system APIs were not implemented by the kernel (nk.exe),so calling an API didn’t put your thread into kernel mode.  Unless youcalled an API that was implemented by nk.exe, in which case your threadwould temporarily enter kernel mode for the duration of the call.

In Windows CE 6.0 the implementation is actually the same, exceptthat the SetKMode API is no longer supported.  You can't put threadsinto or out of kernel mode at a time of your choice.  However, mostsystem APIs are implemented by modules that are now loaded into thekernel process, so calling an API usually puts your thread into kernelmode.

While the implementation is the same, the result is effectivelydifferent meanings.  In CE 5.0, "kernel mode" was a property a threadcould acquire or release on demand.  In CE 6.0, the rule is fairlysimple: your thread is in kernel mode while executing code inside thekernel process, and not in kernel mode when executing code inside auser process.  We use the term loosely, like talking about "kernel modedrivers," "kernel mode code" and "kernel mode addresses." Wheneverpeople use these phrases they're trying to talk about code andaddresses that are only accessible to the kernel process, that are ataddresses above 0x80000000.  (Side note, you also have to be clearabout whether you're talking about everything inside the kernel processvs. only the kernel module, kernel.dll.)

The one remaining gotcha in the CE 6.0 rule is callbacks.  If auser application passes a function pointer to kernel mode code, and thekernel mode code calls the function pointer directly, then the threadis STILL in kernel mode (remember it is still a property of the thread,just not so obviously) while executing user mode code.  And thatis very bad for security.  Because the user mode code could doanything; it could access kernel addresses or call kernel-only APIs. If you write a driver that takes a function pointer from the caller andlater calls it, make sure your driver only does so by using the newCEDDK function, CeDriverPerformCallback.  That way your thread jumpsback to the user process properly before calling the function, sothat the function call can't do anything that the user process itselfcouldn't do already.  Or even better -- find a different way toimplement what you're doing.  Ask yourself this: if an attacker passedme an evil function pointer, could they get me to do something bad ontheir behalf?  If you don't know the answer, don't take functionpointers from your callers.

You might wonder about function pointers and memory marshalling. "Marshalling" only applies to passing data buffers between processes --not to passing function pointers between processes.  Youcan't "marshal" a function so that you can safely call it from kernelcode.  The CeDriverPerformCallback function is the only way to shed theprivileges that a kernel mode driver has, for the duration of thecall.  I suppose you could consider that a form of "marshalling" but Idon't.

 

UPDATE Jan 31, 2007: Andrew Tuck, one of our supportengineers, pointed out another detail that can lead to confusion. (Thanks, Andrew!)  Often (at least in Windows environments, if not allOS'), the most privileged processor modeis referred to as "kernel mode."  This usage of the term refers to whenthe CPU is operating with additional privileges, such as the ability tocall special instructions that aren't normally legal.  For exampleinterrupt handling often happens in this CPU "kernel mode."  Thisterminology is unrelated to the "kernel mode" concept I've been talkingabout in this article.  When a Windows CE thread is in "kernel mode" itis not running in the most privileged processor mode.  Only veryrestricted parts of the CE kernel and OAL run in that mode.  TheWindows CE "kernel mode" thread property controls whether the pagetables for kernel address space are mapped, and some other things. (Forexample, in CE 5.0 it controlled whether the thread could makefast-path API calls, like I described in the API call post I wrote a while back.)