execution. Also, every system call carries the IDs of the process (PID) and the thread
(TID) from which the call originated. The structure of a system call record is
depicted below:
System call record (figure not reproduced): PID, TID, CID, Input Arguments, Output Arguments, Result.
Input arguments, as well as output arguments, may include any data structures
allowed by the system, such as numerical values, flags, object handles, and data
strings. Some of these arguments indicate direct relations among different system
calls, and these relations can be used to bind system calls together when defining the GSR. The
following is an example of binding two system calls together by their arguments to
form a single building block of the GSR:
Fig. 2. GSR Building Block Internal Structure (figure not reproduced). The "Data Write Block" consists of ZwCreateFile, which takes the object name [C:\Dir\Filename] and Access Flags as IN arguments and produces Handle [File] and Status as OUT arguments, followed by ZwWriteFile, which takes Handle [File] and Access Flags as IN arguments and produces Status and Result as OUT arguments.
In this case, the “Data Write Block” is derived from two basic system calls,
ZwCreateFile and ZwWriteFile. The unit is responsible for writing specific data into a
newly created file. The system calls inside the block are linked together by several key
parameters. For this particular block we consider the following three parameters to
play the key role in identifying the correct pair of the block's internals:
Object Name / Path
Object Access Flags
Object Handle
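As an added illustration (not code from the paper), the following Python script binds records of a constructed system call trace into Data Write Blocks using the three key parameters above: a ZwWriteFile is attached to the ZwCreateFile whose returned handle it uses, in the same process, provided the create requested write access. The record fields, the GENERIC_WRITE bit and the sample trace are assumptions made here to keep the example runnable.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Win32 access-right bits, used here as the "Object Access Flags" key (assumed values).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000

@dataclass
class SysCall:
    """One trace record with the fields named in the paper: PID, TID, CID, args, result."""
    pid: int
    tid: int
    cid: str                                    # call identifier, e.g. "ZwCreateFile"
    in_args: Dict[str, Any] = field(default_factory=dict)
    out_args: Dict[str, Any] = field(default_factory=dict)
    result: int = 0                             # 0 models STATUS_SUCCESS

def bind_data_write_blocks(trace: List[SysCall]) -> List[dict]:
    """Link ZwCreateFile and ZwWriteFile records into Data Write Blocks.

    Binding keys: the handle returned by ZwCreateFile must equal the handle passed to
    ZwWriteFile within the same process, and the create must have requested write
    access. Failed calls never open or extend a block.
    """
    blocks: List[dict] = []
    live: Dict[tuple, dict] = {}                # (pid, handle) -> block being built
    for call in trace:
        if call.result != 0:
            continue                            # failed call: no usable handle, nothing written
        if call.cid == "ZwCreateFile":
            handle = call.out_args["handle"]
            live.pop((call.pid, handle), None)  # handle value reused: stale binding is dropped
            if call.in_args.get("access", 0) & GENERIC_WRITE:
                block = {"pid": call.pid, "path": call.in_args["path"],
                         "handle": handle, "writes": []}
                live[(call.pid, handle)] = block
                blocks.append(block)
        elif call.cid == "ZwWriteFile":
            block = live.get((call.pid, call.in_args["handle"]))
            if block is not None:               # orphan writes (no matching create) stay unbound
                block["writes"].append(call.in_args["data"])
    return [b for b in blocks if b["writes"]]   # a block needs at least one bound write

# Constructed sample trace (not taken from the paper).
SAMPLE_TRACE = [
    SysCall(1234, 5, "ZwCreateFile", {"path": r"C:\Dir\Filename", "access": GENERIC_WRITE}, {"handle": 0x1C}),
    SysCall(1234, 5, "ZwWriteFile", {"handle": 0x1C, "data": b"hello"}, {"status": 0}),
    SysCall(1234, 5, "ZwCreateFile", {"path": r"C:\Dir\ReadOnly", "access": GENERIC_READ}, {"handle": 0x20}),
    SysCall(1234, 5, "ZwWriteFile", {"handle": 0x20, "data": b"denied"}, {}, result=0xC0000022),
    SysCall(1234, 5, "ZwWriteFile", {"handle": 0x99, "data": b"orphan"}, {}),
    SysCall(1234, 5, "ZwCreateFile", {"path": r"C:\Dir\Missing", "access": GENERIC_WRITE}, {}, result=0xC0000034),
]
```

Running `bind_data_write_blocks(SAMPLE_TRACE)` yields a single block for C:\Dir\Filename carrying the bytes b"hello"; the read-only create, the failed calls and the orphan write produce no block.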
The file system operates on files in a number of different ways, but with only a few
system calls. Therefore, strict rules must be defined for every key system call,
specifying exactly what that system call is expected to do with the file. A number of
flags are supported by almost every system call; most of these flags are designed to
specify the Access Rights that the system call applies to the target object, the file
in this particular case. For example, in order to create a file for writing, the “Generic