Windows内核--WRK和真实的Windows内核源代码差多少?(1.3)

        前面有提到WRK是微软官方公布的XP/Server 2003供学习和研究的内核源代码。WRK介绍关于source code如下：

WRK源代码已经很完备

WRK v1.2 includes most of the NTOS kernel sources from the latest released
version of Windows, which supports the AMD64 architecture on the Desktop.
The kernel sources excluded from the kit are primarily in the areas of
plug-and-play, power management, the device verifier, kernel debugger
interface, and virtual dos machine.  The primary modifications to WRK
from the released kernel are related to cleanup and removal of server
support, such as code related to the Intel IA64.

        由上可见，WRK1.2包含了绝大部分NTOS内核源代码，移除了PNP、电源管理、设备验证器、内核调试接口和虚拟DOS模拟器这些代码，另外关于服务器端相关的内核代码也有移除。

(移除的代码对我们分析Windows Kernel已经无关紧要!)

WRK Prebuilt Binary文件

•     WS03SP1HALS\x86\...\halxxxx.dll
•      bootvid.lib/hal.lib/kdcom.lib/ntosarch.lib/ntoswrk.lib/sdbapint.lib   

Prebuilt Binary Makefile 

  最终会link如上这些binary(部分lib当作map文件).      

WRK-v1.2\base\ntos\build\makefile:
 
linklibpath = -LIBPATH:$(topobj) -LIBPATH:PREBUILT\$(targ)
ntoswrklib  = ntoswrk.lib
ntosarchlib = ntosarch.lib
bootlibs = bootvid.lib sdbapint.lib kdcom.lib 
 
fullkernel	  = EXE\$(kernel)
 
# kernel link definitions
LINKFLAGS = -IGNORE:4087,4001,4010,4037,4039,4065,4070,4078,4087,4089,4221,4198 -WX -NODEFAULTLIB -machine:$(machine) $(linklibpath)
LINK 	  = link.exe -nologo
LINKEDIT  = link.exe -edit -nologo
 
LIB  = $(LIB) $(linklibpath)
 
!if "$(targ)" == "i386"
archlinkopts = -safeseh -functionpadmin:5 -debugtype:cv,fixup       -STACK:0x40000,0x2000 -align:0x1000 
hotpatch 	 = -stub:PREBUILT\i386\stub512.com
entrypoint	 = KiSystemStartup@4 
!else
archlinkopts = -functionpadmin:6 -debugtype:cv,fixup,pdata -STACK:0x80000,0x2000 
hotpatch 	 = PREBUILT\amd64\hotpatch.obj
LINKFLAGS    = -IGNORE:4108,4088,4218,4218,4235 $(LINKFLAGS)
LIBFLAGS     = -IGNORE:4108,4088,4218,4218,4235 $(LIBFLAGS)
entrypoint	 = KiSystemStartup
!endif
 
ntosmerge    = -merge:PAGECONST=PAGE -merge:INITCONST=INIT -merge:INITDATA=INIT -merge:PAGELKCONST=PAGELK \
 -merge:PAGEVRFY_CONST=PAGEVRFY -MERGE:_PAGE=PAGE -MERGE:_TEXT=.text -merge:.rdata=.text 
 
ntosversion  = -release -version:5.2 -osversion:5.2 -subsystem:native,5.02 
 
ntoslinkopts = $(ntosversion) $(ntosmerge) -SECTION:INIT,d -OPT:REF -OPT:ICF -INCREMENTAL:NO \
 -FULLBUILD -debug $(archlinkopts) -opt:nowin98 -pdbcompress -driver
 
kernelexp:
	copy ..\init\ntoskrnl.src+..\init\$(targ)def.src $(OBJ)\$(kernel).pp
	$(CC) $(CFLAGS0) -EP $(OBJ)\$(kernel).pp > $(fullkernel).def
	-del $(OBJ)\$(kernel).pp
	$(LIB) $(LIBFLAGS) -IGNORE:4001 $(OBJ)\*.lib $(ntoswrklib) -def:$(fullkernel).def -out:$(fullkernel).lib
 
kernellib:
	$(LIB) $(fullkernel).lib $(ntosarchlib) -out:$(fullkernel).lib
 
kernelexe:
	$(LINK) $(LINKFLAGS) $(ntoslinkopts) -out:$(fullkernel).exe -map:$(fullkernel).map -pdb:$(fullkernel).pdb -entry:$(entrypoint) \
		$(hotpatch) PREBUILT\$(targ)\ntoskrnl.res $(OBJ)\ntkrnlmp.obj $(OBJ)\*.lib $(ntoswrklib) hal.lib $(fullkernel).exp $(bootlibs)
	$(LINKEDIT) -section:.rsrc,!d $(fullkernel).exe 

WRK Source Code

WRK目录介绍

cache\  - cache manager （缓存管理器）
config\ - registry implementation (注册表)
dbgk\   - user-mode debugger support
ex\     - executive functions (kernel heap, synchronization, time) （和rtl都是支援函数）
fsrtl\  - file system run-time support
io\     - I/O manager （驱动程序IO相关）
ke\     - scheduler, CPU management, low-level synchronization (核心调度/同步机制)
lpc\    - local procedure call implementation
mm\     - virtual memory manager （申请/释放虚拟内存和物理内存等）
ob\     - kernel object manager (创建/删除内核对象等，比如进程/线程对象)
ps\     - process/thread support （进程/线程 创建/终止等）
se\     - security functions  （安全相关）
wmi\    - Windows Management Instrumentation

inc\    - NTOS-only include files
rtl\    - kernel run-time support （Runtime Library, 有点像kernel的"libc"）
init\   - kernel startup  (开机初始化)

HAL

        微软没有提供HAL源代码，有提供DLL和PDB供使用和调试。

           以halmacpi为例:   

        HAL可以实现隔离掉硬件的差异，主要是硬件结构强相关部分，比如中断、Clock和处理器切换等.

ntoskrnl和HAL

         wrkamd64.exe Imports依赖的函数如上，可以看到有HAL/KDCOM/BOOTVID等。以后会详细介绍。