13 Oct
2005
13 Oct
'05
11:25 p.m.
Alex Ionescu wrote:
It is funny to note now that what you say here is a thought that spinned
around in my mind for years in the past. My personal answer was exactly
yours.
If we clone Windows NT, this is correct. But dumping is illegal.
The pieces of code MS sold us match this definition. I ask myself: is
this a technical limitation, or imposed by market staff?
As Gunnar saw, probably there is a common set of facilities you need
every time you write a personality server. I would like to write it once
for them all (If I could, but you showed you are much more skilled than
me!). Casper, as already noted, pointed out it is a complex piece of
code to write. You are required to write the equivalent of the abstract
NtCreateProcess, to be called by the Windows personality server and by
the POSIX personality server and by the OS/2 server and by the...
My question is: is it worth writing such a live run-time code? (DLLs are
"dead code", because they live un the context of the process that loads
them; vice versa, a subsystem is a "live DLL", because it lives before
the process that will use it; if you like biology, there is the same
difference between a virus and a bacterium).
Well, Alex, I repeatedly used the adjective "polluted", which does not
mean "connected". I meant they put helper pieces of code, here and
there, to make the Win32 server's life easier. If you want a more
technical equivalent of "polluted", read it "less general, less
abstract". Casper is definitely right!
I view this as a "misunderstanding with some
design choices", if not
even a "misunderstanding of NT Subsystem design".
Subsystem design is subtle. Cutler is not an ordinary person. Also the
subsystem design was conceived in another era, in CS terms. Cutler and
his group designed it when the OS (beginning-to-ruin) myth was CM Mach
(at the same time, RMS invented Hurd; recently Apple could sell it
rebranded as Mac OS X...).
The design choice, in short, is the rôle of the "Client/Server
Runtime SubSystem" (CSR=CSRSS.EXE+CSRSRV.DLL) in the design of the
"O.S. Personality" code, that is the emulation code that manages
processes of the same operating system in user mode, making them
belive to run on the emulated O.S.
The Client/Server Runtime SubSystem, which is unfortunately
incorrectly named by Microsoft, is actually the Win32 Personality.
Later I discovered a theologian and philosopher - W. Ockam
(1295/1300-1349) - that today most of us (don't) know is the father of
the KIS(S) principle. Do not invent an hypothesis if it *not needed*. I
used to say "Those developers at MS are really eccentric! Why did they
call the Win32 subsystem server CSRSS.EXE? They are really dumb!".
The unnecessary assumption is, of course, that they *incorrectly named* it.
It manages Win32 processes in user-mode, and allows
them to access
kernel features which would pollute the native-mode ntdll.dll, would
they have been included there. Only Win32 processes use csrss and
registration is done in kernel32. Console windows, another Win32-ism
also use csrss.
This is what we observe today in a live system of the NT family. But, if
you see a man that wears a black suit, are you sure he's a priest? It
could be a MiB, or a punk, or simply an old fashioned gentleman.
For instance, everybody here knows that the dynamic library NTDLL.DLL
exposes the so called "native API", the NT real API. But even you are
diverted by that sweet assonance and commit the mistake of saying it has
the native-mode mark. Indeed its subsystem ID is 3.
When I discovered it, I had a shock, a few years ago.
Does it fit in you picture?
Because NT was designed with a set of universal native
APIs, this was
necessary so that routines useful to only one personality wouldn't be
exported as native APIs. For example, fork() is a POSIX-only API, not
Windows 32. Therefore, it was not included in ntdll.dll, even though
the kernel supports it. Instead, it's used by the POSIX subsystem. The
same goes for Console windows and their APIs, which are usable only in
Win32. Access to the video hardware is done in kernel-mode, but the
functions are called through CSRSS.
A very good example, but a less precise description. NtCreateProcess is
an API that is more abstract than Win32 CreateProcess and than POSIX
fork/exec. As it is more abstract, the respective less general semantics
can be implemented using it. As Casper pointed out, more general, more
abstract, means more complex.
Now, CSRSS is in a way a Client/Server Subsystem,
because it's merely
a 4KB host to CSR Servers, which implement parts of the Win32
behaviour. The 3 servers currently used are: basesrv.dll, which
handles SxS (Side by Side assemblies, a Windows XP feature), VDM
(16-bit emulation) and stuff like Process/Thread creation, winsrv.dll,
which handles some graphical things and windowmessage-related
functionality (such as hardware event dispatching) plus all the
Console code (winsrv is internally split into 2 CSR Servers). I think
a big problem here is that ea believes that CSRSS is the place where
you would add a POSIX subsystem. This isn't the case. CSRSS is
reserved for Win32 CSR Servers.
Of course, not in the instance where basesrv.dll and winsrv.dll are
loaded. I think the csrss.exe + csrsrv.dll (the core) were the original
CSR. Of course the os2ss and psxss MS sold us don't use it. They
couldn't, because the current CSR core was intentionally "polluted" to
support only basesrv.dll and winsrv.dll. But it is not our fault.
Also I dont think the Win32 server should run in more than one instance.
When you look at the process list, in a TS machine, those many csrss.exe
you see are (but one) μSessions of the Win32 server (the mother is the
one with lowest PID). Imagine Linus' face if you propose to load a new
instance of the Linux kernel each time you login... well it is exactly
what happens when you connect from a TS client (win32k.sys is loaded
again). I don't know how you define that way of programming: perhaps, in
a sentence, "Does it compile? Let's sell it!". Well, two.
Now, let's move on...what actually loads CSRSS? This is called SMSS,
the Session Manager SubSystem. The Session Manager handles all the
subsystems that are installed on an NT Machine. By default, this means
CSRSS, the Win32 subsystem. If you install SFU 3.5, or are using
Windows Server 2003 R2, you will also get psxss.exe.
The original PSXSS.EXE was, as you know, a nice trick. MS had to show
that NT was POSIX 1003.1 compliant, to get DOD contracts. But, of
course, it should do it fast and could not show "too much". This decency
shows how they got two prizes with one shot. PSX is not a vertical
subsystem, but a side subsystem, or a second-level personality. In fact
it requires the Win32 subsystem running to work. The first prize is that
you show NT is a POSIX system. The second prize is that you can not drop
Win32 to run your POSIX system. Market and market, not computer science.
This recalls me that recently MS was sentenced, because it is impossible
to remove IE from Windows. A recurring trick.
On older Windows, you can also have os2ss.exe. These
are the POSIX and
OS/2 subsystems.
Once again, let's look back. OS/2 was the original user mode API Cutler
was sked by MS to make available on top of the NT core. As Windows 3.0
was a worldwide success and the alliance with IBM broke, they had to
switch to Win32. As there was a common ancestor, do you think they
rewrote the CSR from ground up? It is more likely that they freezed the
CSR used by OS/2 and, after a lazy copy & paste, extended it ("polluted
it") to build what we today say it should be named w32ss.exe.
They have nothing to do with CSR at all, and they are
actually, in
themselves, CSRSSes for their own subsystems.
This is by design, an evil design... ;) Would have MS shown how easy is
writing your own subsystem in a moment when they had to face IBM OS/2
rival API? My friends, close every gate, every window, every hole and
harmour the Win32 server!
This is the naming mistake I was talking about;
Microsoft should have
named csrss as w32ss.exe.
Ockam! ;)
So, SMSS is the first process that will load, and it will then load
the subsystems, say csrss psxss and os2ss. These subsystems will then
load server dlls which expose functionality that can be called from
user-mode processes.
SM is a super server. But then, if it is so super, why does it humble
itself in defining DOS devices, in loading a process of one of its
controlled children (I refer to WINLOGON.EXE)... If that is not
"pollution", maybe a nuclear bomb exploded somewhere in the vicinity. :(
As I'm writing this, my Win2K3 machine is running
posix grep and
working perfectly. It's not touchign CSRSS at all, nor should it have
to. CSRSS is a win32 subsystem.
CSRSS.EXE+CSRSRV.DLL, as they load BASESRV.DLL and WINSRV.DLL, *are* the
Win32 personality subsystem server.
Think about it like the program run by the Architect in Matrix: when
you double click on Microsoft Word's icon and the process is created,
it happily belives to run under Windows, it can see the familiar
libraries, it can call CreateFile and get back a reasonable file. In
fact, CreateFile calls NtCreateFile and so on. Microsoft Word lives
in a fake World. ;)
The two opposite directions the CSR can turn for are:
- be a process totally bound to the Windows personality
Which it's -supposed- to be. CSR is W32SS. - be a general purpose process, a facility for
any kind of personality
Other personalities don't need CSR! They have PSX and OS2 and VMS and
etc...
More on demand.
Another issue which ea has brought up is that NT is somehow to
"connected" to Win32. I beg to differ. I've spent a week working on a
sample native
application. It currently can display running processes, drivers,
create a new process and create/delete/list files. Here are some
screenshots:
http://members.tripod.com/WinAlOS/rtlcli.png
http://members.tripod.com/WinAlOS/rtlcli2.png
http://members.tripod.com/WinAlOS/rtlcli3.png
Note that there is no CSR, no win32k.sys loaded. NT is running in its
rawest form. You need less then 16MB of memory (notice that the
processes are using <1MB, the rest is up to the drivers, which you can
disable) and about the same amount of diskspace. This works perfectly
in Windows 2003 without any need to "separate win32".
I actually didn't understand if Russinovich was paid by MS to show that,
or if he actually could get there alone, the real NT hacker! Because, if
you look at what that really means, you get a strange feeling.
First, the rumors that pollution (Win32/Win64 infiltration) is gone to a
point where the old NT-designed core is less stable, are immediatley
silenced. Russinovich, indipendently (and with the naive "Oooh" by some
MS engineers...), showed it!
Second, in a hidden and really smart way, you promote the equivalence
CSR=Windows: "Note that there is no CSR, no win32k.sys loaded.". Bill is
a genius! I love him.
With best regards,
--
:Emanuele Aliberti
