Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows workshop 2010 Understanding Software Dependencies in Windows Roland Yap School of Computing National University of Singapore Singapore

Published byCornelia Kennedy Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows workshop 2010 Understanding Software Dependencies in Windows Roland Yap School of Computing National University of Singapore Singapore"— Presentation transcript:

1 Windows workshop 2010 Understanding Software Dependencies in Windows Roland Yap School of Computing National University of Singapore Singapore ryap@comp.nus.edu.sg

2 Motivation Software is complex with a ecosystem of dependencies –Installation can cause other S/W to fail (e.g overwriting old library versions) –Uninstallation can cause S/W to fail (e.g removing critical shared libraries) Interactions and dependencies between software are difficult to understand We explore visualization as a tool for understanding software dependencies –See Y. Wu, R.H.C. Yap and R. Ramnath, Comprehending Module Dependencies and Sharing, ICSE 2010, to appear Note: Dave’s talk – what is an application?

3 Examples of dependencies (1) Binaries used by notepad –c:\windows\apppatch\acgenral.dll –c:\windows\system32\avgrsstx.dll –c:\windows\system32\imm32.dll –c:\windows\system32\lpk.dll –c:\windows\system32\msacm32.dll –c:\windows\system32\msctf.dll –c:\windows\system32\msctfime.ime –c:\windows\system32\shimeng.dll –c:\windows\system32\usp10.dll –c:\windows\system32\uxtheme.dll –c:\windows\system32\winmm.dll –c:\windows\system32\winspool.drv –c:\windows\winsxs\x86_microsoft.windows.common- controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

4 Examples of dependencies (2) Simple boot (only Windows installed) –DLLs: 154 –EXEs: 10 –Drivers: 1 –Ime: 1 Typical boot (Windows + applications) –DLLs: 274 –EXEs: 15 –Telephony/Modem: 6 –Drivers: 3 –ActiveX: 2 –Ime: 1

5 What are binaries? EXE (executables) are considered binaries Other binary types are DLL (dynamic linked libraries), OCX (ActiveX controls), SYS (drivers) and CPL (control panel applets), …

6 Visualization Objectives Visualizing binaries used by a particular executable Visualize any commonalities between binaries Visualize dependencies between binaries

7 Visualization (1) Basic dependency graph Graph is too dense

8 Revisiting processes (1) Process creation: Broken into many native calls. Very different from UNIX’s fork+execve The user space Win32 API CreateProcess() 1.Open the EXE file (ZwCreateFile) 2.Create process object (ZwCreateProcess) 3.Create thread object (ZwCreateThread) 4.Notify Windows subsystem (csrss) 5.Start the initial thread (ZwResumeThread) Note: Recall Dave’s talk – NT native system calls

9 Revisiting processes (2) Binary loading: broken into many native calls Similar to UNIX: dlopen = open + mmap +… The user space Win32 API LoadLibrary() 1.Open the binary (ZwCreateFile) 2.Create a Section object (ZwCreateSection) 3.Map the binary to VM (ZwMapViewOfSection) 4.Dynamic linking, relocation…

10 Binary Dependency Visualization Two types of nodes: EXE, DLL + etc Three types of directed edges 1.EXE X launches another EXE Y 2.EXE X load a DLL Y 3.A function in binary X calls a function in binary Y How are binaries shared among programs? –EXE Dependency Graph –Only Type 1 and 2 edge –Group DLLs by loader How binaries interact? –DLL Dependency Graph –Only Type 2 and 3 edge –Group DLLs manually by functionality or software vendor

11 Visualization (1) Basic dependency graph Graph is too dense

12 A more usable Visualization: EXE Dependency Graph Grouped dependency graph 1 1 1 2 2

13 Collecting binary dependency information EXE X launches another EXE Y –Use the kernel PsSetCreateProcessNotifyRoutine() API EXE X load a DLL Y –Use the kernel PsSetLoadImageNotifyRoutine() API A function in binary X calls a function in binary Y –Instrument code execution

14 Comparing Microsoft Word and Open Office Writer

15 DLL Dependency Graph: actual binary usage Some definitions: –An EXE-DLL dependency in a DLL Dependency Graph is when there is has a control transfer from code in executable x to code in DLL y. We say that x has an EXE-DLL dependency on y. –A DLL-DLL dependency in a DLL Dependency Graph is when there is has a control transfer from code in DLL x to code in DLL y. We say that x has a DLL-DLL dependency on y

16 Visualizing binaries executed (1) Generate call tree, call graph, DLL dependency graph PIN tool to collect execution trace –Trace include call, return, thread, context, system call events –Call and return records stack pointer, PC and target address. Not trivial to maintain call stack by tracking call and return –Non-return function (long jump) –Thread, fiber –Context –Kernel callback

17 Visualizing binaries executed Call graph is large. Group functions to images => DLL dependency graph. DLL dependency graph is still large. Group DLLs by properties: –By functionality: graphics, audio, network… –By vendor: microsoft, adobe… –By path: C:\windows\system32\*.dll, D:\vmware\*.dll…

18 Grouping by functionality wget: DLL dependency without grouping

19 Grouping by functionality wget: DLL dependency with grouping

20 Examples of grouping By functionality (GIMP)

21 Examples of grouping By software vendor (GIMP)

22 Boot trace Most common dlls e.g kernel32, gdi32 Svchost using a lot of dlls

23 Conclusion Actual software dependencies quite complex in Windows 2 effective visualizations: –EXE Dependency Graphs: commonality between binaries –DLL Dependency Graphs: actual binary usage

Download ppt "Windows workshop 2010 Understanding Software Dependencies in Windows Roland Yap School of Computing National University of Singapore Singapore"

Similar presentations

Introduction to the Windows XP Architecture

Introduction to the Windows XP Architecture
Device Drivers Witawas Srisa-an Embedded Systems Design and Implementation.

Device Drivers Witawas Srisa-an Embedded Systems Design and Implementation.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Windows 2000 System Architecture (continued) Computing Department, Lancaster University, UK.

Windows 2000 System Architecture (continued) Computing Department, Lancaster University, UK.
LINUX-WINDOWS INTERACTION. One software allowing interaction between Linux and Windows is WINE. Wine allows Linux users to load Windows programs while.

LINUX-WINDOWS INTERACTION. One software allowing interaction between Linux and Windows is WINE. Wine allows Linux users to load Windows programs while.
计算机系 信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.

计算机系 信息处理实验室 Leture1 concepts and tools 2005 Spring 陈香兰.
The Path to Multi-core Tools Paul Petersen. Multi-coreToolsThePathTo 2 Outline Motivation Where are we now What is easy to do next What is missing.

The Path to Multi-core Tools Paul Petersen. Multi-coreToolsThePathTo 2 Outline Motivation Where are we now What is easy to do next What is missing.
CMPT 300: Final Review Chapters 8 – 12. 2 Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

CMPT 300: Final Review Chapters 8 – Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.

Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
Process Management. External View of the OS Hardware fork() CreateProcess() CreateThread() close() CloseHandle() sleep() semctl() signal() SetWaitableTimer()

Process Management. External View of the OS Hardware fork() CreateProcess() CreateThread() close() CloseHandle() sleep() semctl() signal() SetWaitableTimer()
Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE

Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE
1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.

1 CE6130 現代作業系統核心 Modern Operating System Kernels 許 富 皓.
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
LabVIEW: Tips & Tricks Ihor Korolov March 2011.

LabVIEW: Tips & Tricks Ihor Korolov March 2011.
Ch 11 Managing System Reliability and Availability 1.

Ch 11 Managing System Reliability and Availability 1.
Chapter 8 Windows 2000. 2 Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.

Chapter 8 Windows Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.
Input/Output Controller (IOC) Overview Andrew Johnson Computer Scientist, AES Controls Group.

Input/Output Controller (IOC) Overview Andrew Johnson Computer Scientist, AES Controls Group.

Similar presentations

Ads by Google