38 lines
961 B
Markdown
38 lines
961 B
Markdown
---
|
|
name: Windows内核基础
|
|
description: IRQL、内存池、同步机制
|
|
version: 1.0.0
|
|
---
|
|
|
|
# Windows Kernel Development Basics
|
|
|
|
## IRQL Levels
|
|
- PASSIVE_LEVEL (0): Normal execution
|
|
- APC_LEVEL (1): Asynchronous Procedure Calls
|
|
- DISPATCH_LEVEL (2): DPC and scheduler
|
|
- DEVICE_IRQL (3+): Hardware interrupts
|
|
|
|
## Memory Pools
|
|
```c
|
|
// NonPagedPool: Always resident, use at DISPATCH_LEVEL
|
|
PVOID buffer = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, 'Tag1');
|
|
|
|
// PagedPool: Can be paged out, use at PASSIVE_LEVEL
|
|
PVOID buffer = ExAllocatePool2(POOL_FLAG_PAGED, size, 'Tag2');
|
|
|
|
// Don't forget to free
|
|
ExFreePoolWithTag(buffer, 'Tag1');
|
|
```
|
|
|
|
## Synchronization
|
|
- Spin Lock: High IRQL, short duration
|
|
- Mutex: PASSIVE_LEVEL only
|
|
- Fast Mutex: Similar to kernel mutex
|
|
- Event: Signal/Wait mechanism
|
|
|
|
## Common Pitfalls
|
|
- Accessing paged memory at DISPATCH_LEVEL
|
|
- Forgetting to dereference objects
|
|
- Not handling IRP cancellation
|
|
- Memory leaks (use Driver Verifier)
|