Process Internals
DESCRIPTION
Process Internals. Outline: Process Internals; Flow of CreateProcess; Thread Internals; Examining Thread Activity. Every Windows process is represented by an executive process (EPROCESS) block. A process may contain several threads, and each thread is represented by an executive thread (ETHREAD) block.
TRANSCRIPT
Process Internals
Flow of CreateProcess
Thread Internals
Examining Thread Activity
Every Windows process is represented by an executive process (EPROCESS) block. A process may have several threads, and each thread is represented by an executive thread (ETHREAD) block.
The EPROCESS block and the data structures it points to live in system space. The one exception is the process environment block (PEB), which the EPROCESS block points to but which is stored in the process's own address space.
Element: Purpose
Kernel process (KPROCESS) block: Contains a pointer to the process's page directory, the list of kernel threads belonging to the process, the process's default priority, and the process's total kernel time and user time.
Process identification: Unique process ID.
Quota block: Records the limits and current usage of nonpaged and paged pool memory. Several processes can share one quota block.
Virtual address descriptors (VADs): Data structure describing the virtual memory allocations of the process.
Element: Purpose
Working set information: Data structure describing the working set list; the working set records which virtual pages are currently mapped to physical memory.
Virtual memory information: Records the virtual memory size, page file usage, and the page tables.
Exception local procedure call (LPC) port: Inter-process communication channel used to send a message when a thread of the process raises an exception.
Debugging LPC port: Inter-process communication channel used to send a message when a thread of the process raises a debug event.
Element: Purpose
Access token (ACCESS_TOKEN): Describes the security profile of the process.
Handle table: Address of the process's handle table.
Device map: Used to resolve device names.
Process environment block (PEB): Contains image information (base address, version numbers, module list), process heap information, and thread-local storage utilization.
Windows subsystem process block (W32PROCESS): Data needed by the kernel-mode part of the Windows subsystem.
Viewing the layout of the EPROCESS block with the kernel debugger:
lkd> dt _eprocess
nt!_EPROCESS
   +0x000 Pcb                : _KPROCESS
   +0x06c ProcessLock        : _EX_PUSH_LOCK
   +0x070 CreateTime         : _LARGE_INTEGER
   +0x078 ExitTime           : _LARGE_INTEGER
   +0x080 RundownProtect     : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId    : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
The structure of the kernel process (KPROCESS) block (also called the PCB, process control block) is shown in the figure below; it holds the basic information the Windows kernel needs to schedule threads.
Viewing the layout of the KPROCESS block with the kernel debugger:
lkd> dt _kprocess
nt!_KPROCESS
   +0x000 Header             : _DISPATCHER_HEADER
   +0x010 ProfileListHead    : _LIST_ENTRY
   +0x018 DirectoryTableBase : [2] Uint4B
   +0x020 LdtDescriptor      : _KGDTENTRY
   +0x028 Int21Descriptor    : _KIDTENTRY
   +0x030 IopmOffset         : Uint2B
To display the embedded KPROCESS block recursively (one level deep) from the EPROCESS block:
lkd> dt _eprocess -r1
The PEB lives in the user-mode process address space and holds information needed by the image loader, the heap manager, and the Windows system DLLs. Because it is in user space, it can be modified from user mode. To find a process's PEB address and then dump it:
lkd> !process
PROCESS 8575f030 SessionId: 0 Cid: 08d0 Peb: 7ffdf000 ParentCid: 0360 DirBase: 1a81b000 ObjectTable: e12bd418 HandleCount: 66. Image: windbg.exe
lkd> !peb 7ffdf000
Kernel global variables related to processes
Variable: Type: Description
PsActiveProcessHead: Queue header: List head of the process blocks.
PsIdleProcess: EPROCESS: The idle process block.
PsInitialSystemProcess: Pointer to EPROCESS: The initial system process, which contains the system threads.
PspCreateProcessNotifyRoutine: Array of pointers: Pointers to the routines called when a process is created or deleted; up to eight can be stored.
PspCreateProcessNotifyRoutineCount: DWORD: Number of routines registered in PspCreateProcessNotifyRoutine.
PspLoadImageNotifyRoutine: Array of pointers: Pointers to the routines called when an image is loaded.
PspLoadImageNotifyRoutineCount: DWORD: Number of routines registered in PspLoadImageNotifyRoutine.
PspCidTable: Pointer to HANDLE_TABLE: Handle table for process and thread client IDs.
Windows maintains a number of performance counters that can be used to track the execution of a process.
Object: Counter: Function
Process: % Privileged Time: Percentage of the time during a given interval that the process's threads ran in kernel mode.
Process: % Processor Time: Percentage of CPU time used by the process's threads during a given interval; this is the sum of % Privileged Time and % User Time.
Process: % User Time: Percentage of the time during a given interval that the process's threads ran in user mode.
Process: Elapsed Time: Time in seconds since the process was created.
Process: ID Process: Returns the process ID while the process exists.
Process: Creating Process ID: Returns the ID of the creating process; this value does not change while the creating process exists.
Process: Thread Count: Returns the number of threads in the process.
Process: Handle Count: Returns the total number of handles open in the process.
Some process-related functions:
Function: Description
CreateProcess: Creates a new process and thread.
CreateProcessAsUser: Creates a new process and thread with the specified security token.
CreateProcessWithLogonW: Creates a new process and thread with the specified user name and password.
CreateProcessWithTokenW: Creates a new process and thread with the specified security token.
OpenProcess: Returns a handle to a process object.
ExitProcess: Terminates the process and notifies all attached DLLs.
TerminateProcess: Terminates the process without notifying the DLLs.
FlushInstructionCache: Flushes the process's instruction cache.
GetProcessTimes: Retrieves the process's timing information, mainly the time it has executed in user mode and in kernel mode.
GetExitCodeProcess: Returns the process's exit code, which indicates why the process terminated.
GetCommandLine: Returns the command-line string passed to the current process.
GetCurrentProcess: Returns a pseudo handle for the current process.
GetCurrentProcessId: Returns the ID of the current process.
GetProcessVersion: Returns the major and minor Windows version numbers.
GetStartupInfo: Returns the STARTUPINFO structure that was initialized when the process was created.
GetEnvironmentStrings: Returns the address of the environment block.
GetEnvironmentVariable: Returns the value of the specified environment variable.
Get/SetProcessShutdownParameters: Defines the shutdown priority and number for the current process.
GetGuiResources: Returns the number of USER and GDI handles.
Speaker: 謝宇哲
How did those processes come into being? How do they exit once they've fulfilled their purpose? How a Windows process comes to life.
A process can be created by calling CreateProcess, CreateProcessAsUser, or CreateProcessWithTokenW.
Creating a Windows process consists of several stages carried out in three parts of the operating system: the client-side library Kernel32.dll, the Windows executive, and the Windows subsystem process (Csrss).
1. Open the image file.
2. Create the Windows executive process object.
3. Create the initial thread.
4. Notify the Windows subsystem of the new process.
5. Start execution.
6. In the context of the new process and thread, complete the initialization of the address space (such as loading required DLLs) and begin execution of the program.
Priority: specifying the priority class
When no priority class is specified, the lower priority wins: the default is NORMAL_PRIORITY_CLASS, but if the creating (calling) process is Idle or Below Normal, the new process gets the same class as its creator (IDLE_PRIORITY_CLASS or BELOW_NORMAL_PRIORITY_CLASS).
Code: Value
ABOVE_NORMAL_PRIORITY_CLASS: 0x00008000
BELOW_NORMAL_PRIORITY_CLASS: 0x00004000
HIGH_PRIORITY_CLASS: 0x00000080
IDLE_PRIORITY_CLASS: 0x00000040
NORMAL_PRIORITY_CLASS: 0x00000020
REALTIME_PRIORITY_CLASS: 0x00000100
BOOL CreateProcess(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);
DWORD GetPriorityClass(HANDLE hProcess);
If the real-time priority class is specified but the caller doesn't have the Increase Scheduling Priority privilege, the high priority class is used instead. CreateProcess doesn't fail; the process simply gets High priority.
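The following C function is an added example (not code from the slides or from Windows) that models the priority-class rule just described so both cases can be exercised: no class specified, and REALTIME requested without the Increase Scheduling Priority privilege. The class constants are the values from the table above; the caller's privilege state is passed in as a boolean because this model does not query an access token.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Priority-class bits of dwCreationFlags, values from the table on the slide. */
#define IDLE_PRIORITY_CLASS         0x00000040u
#define BELOW_NORMAL_PRIORITY_CLASS 0x00004000u
#define NORMAL_PRIORITY_CLASS       0x00000020u
#define ABOVE_NORMAL_PRIORITY_CLASS 0x00008000u
#define HIGH_PRIORITY_CLASS         0x00000080u
#define REALTIME_PRIORITY_CLASS     0x00000100u

#define PRIORITY_CLASS_MASK (IDLE_PRIORITY_CLASS | BELOW_NORMAL_PRIORITY_CLASS | \
                             NORMAL_PRIORITY_CLASS | ABOVE_NORMAL_PRIORITY_CLASS | \
                             HIGH_PRIORITY_CLASS | REALTIME_PRIORITY_CLASS)

/* Model of the rule CreateProcess applies (this is not the kernel's code).
 *   dwCreationFlags   : the flags the caller passed; only the class bits matter here
 *   creator_class     : the calling process's class (what GetPriorityClass would report)
 *   has_increase_priv : whether the caller holds the Increase Scheduling Priority privilege
 * Returns the class the new process ends up with. The caller is expected to set at most
 * one class bit, as the real API requires. */
uint32_t resolve_priority_class(uint32_t dwCreationFlags, uint32_t creator_class,
                                bool has_increase_priv)
{
    uint32_t requested = dwCreationFlags & PRIORITY_CLASS_MASK;

    if (requested == 0) {
        /* No class specified: a creator running at Idle or Below Normal passes its own
         * class on; any other creator yields Normal. */
        if (creator_class == IDLE_PRIORITY_CLASS ||
            creator_class == BELOW_NORMAL_PRIORITY_CLASS)
            return creator_class;
        return NORMAL_PRIORITY_CLASS;
    }
    if (requested == REALTIME_PRIORITY_CLASS && !has_increase_priv) {
        /* Real-time without the privilege is silently downgraded to High;
         * CreateProcess still succeeds, so a caller that cares must check afterwards. */
        return HIGH_PRIORITY_CLASS;
    }
    return requested;
}

static const char *class_name(uint32_t c)
{
    switch (c) {
    case IDLE_PRIORITY_CLASS:         return "IDLE";
    case BELOW_NORMAL_PRIORITY_CLASS: return "BELOW_NORMAL";
    case NORMAL_PRIORITY_CLASS:       return "NORMAL";
    case ABOVE_NORMAL_PRIORITY_CLASS: return "ABOVE_NORMAL";
    case HIGH_PRIORITY_CLASS:         return "HIGH";
    case REALTIME_PRIORITY_CLASS:     return "REALTIME";
    default:                          return "?";
    }
}

int main(void)
{
    /* Unprivileged caller asks for real-time: gets High, and the call does not fail. */
    printf("REALTIME requested, no privilege -> %s\n",
           class_name(resolve_priority_class(REALTIME_PRIORITY_CLASS,
                                             NORMAL_PRIORITY_CLASS, false)));
    /* Idle creator, no class given: the child inherits Idle. */
    printf("no class, creator IDLE           -> %s\n",
           class_name(resolve_priority_class(0, IDLE_PRIORITY_CLASS, false)));
    return 0;
}
```

Because the downgrade is silent, code that depends on real-time scheduling should confirm the outcome with GetPriorityClass on the new process handle rather than trusting the creation flags it passed.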
All windows are associated with desktops
Stage 1 has two things to do: find the appropriate Windows image to run the executable file specified by the caller, and create a section object that is later mapped into the address space of the new process.
If no image name is specified, the first token of the command line is used as the image filename.
What kind of file is it? If the executable file specified is a Windows .exe, it is used directly. If it is an MS-DOS, Win16, or POSIX application, CreateProcess finds a Windows support image: Posix.exe for a POSIX application, Ntvdm.exe for an MS-DOS or Win16 executable.
CreateProcess decision tree for running an image:
MS-DOS application: a message is sent to the Windows subsystem asking whether a support process (Ntvdm.exe, whose command line comes from HKLM\SYSTEM\CurrentControlSet\Control\WOW\cmdline) has already been created for this session. If it has, it is used to run the MS-DOS application and CreateProcess returns. If it hasn't, the image to run changes to Ntvdm.exe and Stage 1 restarts.
.bat: the image to be run becomes Cmd.exe and Stage 1 restarts, with the name of the batch file passed as the first parameter.
Win16 (Windows 3.1): the CREATE_SEPARATE_WOW_VDM and CREATE_SHARED_WOW_VDM creation flags control whether a new VDM process or the shared VDM process is used; if neither is specified, HKLM\SYSTEM\CurrentControlSet\Control\WOW\DefaultSeparateVDM decides. For a new VDM process, the command line comes from HKLM\SYSTEM\CurrentControlSet\Control\WOW\wowcmdline (Ntvdm.exe) and Stage 1 restarts. To use the default session-wide shared VDM process, CreateProcess sends a message to the subsystem to see whether it is running; if it is running on a different desktop or not under the same security as the caller, a new VDM process is used. If the shared VDM can be used, a message is sent to it to run the new image and CreateProcess returns. If it hasn't yet been created or can't be used, the image to run changes to the VDM support image and Stage 1 restarts.
Decision Tree for Stage 1 of CreateProcess
If the image is a/an: This image will run: And this will happen
POSIX executable file: Posix.exe: restarts Stage 1.
MS-DOS application with an .exe, a .com, or a .pif extension: Ntvdm.exe: restarts Stage 1.
Win16 application: Ntvdm.exe: restarts Stage 1.
Command procedure (application with a .bat or a .cmd extension): Cmd.exe: restarts Stage 1.
If the file is a valid Windows executable, a section object is created for it. This doesn't yet mean the file is a valid Windows image: it isn't mapped into memory yet, but it is open.
If the file turns out to be a DLL or a POSIX executable: for POSIX, the image changes to Posix.exe and CreateProcess restarts; for a DLL, CreateProcess fails.
CreateProcess then looks under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for a subkey named after the filename and extension of the executable image. If the subkey exists, CreateProcess looks for a value named Debugger under it; if that value is present, the image to be run becomes the string in that value and CreateProcess restarts.
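As an added example (not Windows' own code and not from the slides), the C model below follows Stage 1 through its restarts: the support-image substitutions from the decision table, the DLL failure case, and the Image File Execution Options Debugger override. The image catalogue and the IFEO entry are constructed example data standing in for what CreateProcess learns by opening each file and reading the registry; the loop is bounded because a Debugger value naming its own image would otherwise restart without end.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Image kinds Stage 1 distinguishes after opening the file. */
enum image_kind { KIND_WINDOWS, KIND_MSDOS, KIND_WIN16, KIND_POSIX, KIND_BATCH, KIND_DLL };

/* Constructed catalogue (example data) standing in for what CreateProcess learns by
 * opening each file and inspecting its extension and headers. */
struct image_info { const char *name; enum image_kind kind; };
static const struct image_info g_images[] = {
    { "app.exe", KIND_WINDOWS },   { "legacy.exe", KIND_WINDOWS }, { "old.com", KIND_MSDOS },
    { "win31.exe", KIND_WIN16 },   { "sh", KIND_POSIX },           { "build.bat", KIND_BATCH },
    { "helper.dll", KIND_DLL },    { "Cmd.exe", KIND_WINDOWS },    { "Ntvdm.exe", KIND_WINDOWS },
    { "Posix.exe", KIND_WINDOWS }, { "ntsd.exe", KIND_WINDOWS },
};

/* Constructed stand-in for the Image File Execution Options key: image file names that
 * carry a Debugger value (example data; the real value is a full command line). */
struct ifeo_entry { const char *image; const char *debugger; };
static const struct ifeo_entry g_ifeo[] = { { "legacy.exe", "ntsd.exe" } };

/* Windows file names compare case-insensitively. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const struct image_info *lookup_image(const char *name)
{
    for (size_t i = 0; i < sizeof g_images / sizeof g_images[0]; i++)
        if (ieq(g_images[i].name, name)) return &g_images[i];
    return NULL;
}

static const char *ifeo_debugger(const char *name)
{
    for (size_t i = 0; i < sizeof g_ifeo / sizeof g_ifeo[0]; i++)
        if (ieq(g_ifeo[i].image, name)) return g_ifeo[i].debugger;
    return NULL;
}

/* Model of Stage 1 (not Windows' own code): follow the restarts until a Windows
 * executable with no Debugger override is reached. Writes the final image name to
 * `out` and the restart count to *restarts; returns 1 on success, 0 where CreateProcess
 * would fail. */
int stage1_resolve(const char *requested, char *out, size_t out_len, int *restarts)
{
    char current[128];
    snprintf(current, sizeof current, "%s", requested);
    *restarts = 0;
    for (int guard = 0; guard < 8; guard++) {       /* bound against a self-referencing Debugger value */
        const struct image_info *info = lookup_image(current);
        const char *next = NULL;
        if (info == NULL) return 0;                  /* image file cannot be opened */
        switch (info->kind) {
        case KIND_POSIX:   next = "Posix.exe"; break;        /* POSIX support image */
        case KIND_MSDOS:
        case KIND_WIN16:   next = "Ntvdm.exe"; break;        /* VDM support image */
        case KIND_BATCH:   next = "Cmd.exe";   break;        /* batch name becomes the first parameter */
        case KIND_DLL:     return 0;                         /* a DLL cannot be run: CreateProcess fails */
        case KIND_WINDOWS: next = ifeo_debugger(current); break; /* Debugger value replaces the image */
        }
        if (next == NULL) { snprintf(out, out_len, "%s", current); return 1; }
        snprintf(current, sizeof current, "%s", next);
        (*restarts)++;
    }
    return 0;
}

/* 1 if `requested` ends up running `expected`, else 0. */
int resolves_to(const char *requested, const char *expected)
{
    char out[128]; int restarts;
    return stage1_resolve(requested, out, sizeof out, &restarts) && ieq(out, expected);
}

/* Number of Stage 1 restarts for `requested`, or -1 where CreateProcess would fail. */
int restart_count(const char *requested)
{
    char out[128]; int restarts;
    return stage1_resolve(requested, out, sizeof out, &restarts) ? restarts : -1;
}
```

The model keeps only the image name; the real restart also carries the original command line along (as Cmd.exe's first parameter, or appended to the Debugger string). Because the Debugger value replaces the image without any indication to the caller, Debugger values under that key are a standard item to inventory when auditing a host.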
Once Stage 1 is done, there is a valid Windows executable file and a section object for it.
Stage 2: create the Windows executive process object by calling NtCreateProcess.
Creating the executive process object has these substages: setting up the EPROCESS block; creating the initial process address space; initializing the kernel process block (KPROCESS); concluding the setup of the process address space; completing the setup of the executive process object.
1. Allocate and initialize the Windows EPROCESS block.
2. Inherit the process affinity mask from the parent process (the setting related to multiple CPUs or cores).
3. Set the minimum and maximum working set size to PsMinimumWorkingSet and PsMaximumWorkingSet.
4. Set the new process's quota block to the address of its parent process's quota block, and increment the reference count for the parent's quota block.
5. Inherit the Windows device name space, which holds the definitions of the various device names.
6. Store the parent process's process ID in the InheritedFromUniqueProcessId field in the new process object.
7. Create the process's primary access token (carrying the user's security information). By default it is an exact duplicate of the parent process's primary token; if CreateProcessAsUser was called with a specific access token, the token is changed at this stage.
8. Initialize the process handle table. If the inherit-handles flag was specified, the parent process's inheritable handles are copied into the new process's table.
9. Set the new process's exit status to STATUS_PENDING.
Initial process address space pages: page directory, hyperspace page, working set list.
Creation steps: page table entries are created in the appropriate page tables to map the initial pages. The kernel variable MmTotalCommittedPages is decremented and MmProcessCommit is incremented. The system's default minimum process working set size is deducted from MmResidentAvailablePages. The page table pages and the system cache are mapped into the process.
Initialization of the KPROCESS block: it holds a pointer to the list of kernel threads and also points to the process's page table directory, the total time the process's threads have executed, the process's default base scheduling priority, the default processor affinity for the threads in the process, and the initial value of the process default quantum (taken from the first entry in the systemwide quantum array).
Concluding the setup of the process address space:
The virtual memory manager sets the process's last trim time to the current time; the working set manager uses this value to determine when to initiate working set trimming.
The memory manager initializes the process's working set list; page faults can now be taken.
The section object is mapped into the new process's address space, and the process section base address is set to the base address of the image.
Ntdll.dll is mapped into the process.
The systemwide national language support (NLS) tables are mapped into the process's address space.
Initial Values of the Fields of the PEB
Field: Initial Value
ImageBaseAddress: Base address of section
NumberOfProcessors: KeNumberProcessors kernel variable
NtGlobalFlag: NtGlobalFlag kernel variable
CriticalSectionTimeout: MmCriticalSectionTimeout kernel variable
HeapSegmentReserve: MmHeapSegmentReserve kernel variable
HeapSegmentCommit: MmHeapSegmentCommit kernel variable
HeapDeCommitTotalFreeThreshold: MmHeapDeCommitTotalFreeThreshold kernel variable
HeapDeCommitFreeBlockThreshold: MmHeapDeCommitFreeBlockThreshold kernel variable
NumberOfHeaps: 0
MaximumNumberOfHeaps: (Size of a page - size of a PEB) / 4
ProcessHeaps: First byte after PEB
OSMajorVersion: NtMajorVersion kernel variable
OSMinorVersion: NtMinorVersion kernel variable
OSBuildNumber: NtBuildNumber kernel variable & 0x3FFF
OSPlatformId: 2
Windows Replacements for Initial PEB Values
Field Name: Value Taken from Image Header
OSMajorVersion: OptionalHeader.Win32VersionValue & 0xFF
OSMinorVersion: (OptionalHeader.Win32VersionValue >> 8) & 0xFF
OSBuildNumber: (OptionalHeader.Win32VersionValue >> 16) & 0x3FFF
OSPlatformId: (OptionalHeader.Win32VersionValue >> 30) ^ 0x2
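The two tables above can be checked against each other with the added C example below (not code from the slides or from Windows). It computes the kernel defaults and the image-header replacements with exactly the masks and shifts listed, and adds the inverse encoding so a header value can be built and decoded in a round trip. One assumption is not stated on the slides and is labelled in the code: the header values are taken to replace the kernel defaults only when Win32VersionValue is nonzero. The kernel variables are passed in as parameters because this runs outside the kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* The four version-related PEB fields from the two tables above. */
struct peb_version {
    uint32_t OSMajorVersion;
    uint32_t OSMinorVersion;
    uint32_t OSBuildNumber;
    uint32_t OSPlatformId;
};

/* Defaults the kernel writes into a new PEB ("Initial Values of the Fields of the PEB"). */
struct peb_version peb_version_from_kernel(uint32_t NtMajorVersion, uint32_t NtMinorVersion,
                                           uint32_t NtBuildNumber)
{
    struct peb_version v;
    v.OSMajorVersion = NtMajorVersion;
    v.OSMinorVersion = NtMinorVersion;
    v.OSBuildNumber  = NtBuildNumber & 0x3FFF;   /* only the low 14 bits are the build number */
    v.OSPlatformId   = 2;                        /* VER_PLATFORM_WIN32_NT */
    return v;
}

/* Values taken from OptionalHeader.Win32VersionValue ("Windows Replacements ..."). */
struct peb_version peb_version_from_image(uint32_t Win32VersionValue)
{
    struct peb_version v;
    v.OSMajorVersion = Win32VersionValue & 0xFF;
    v.OSMinorVersion = (Win32VersionValue >> 8) & 0xFF;
    v.OSBuildNumber  = (Win32VersionValue >> 16) & 0x3FFF;
    v.OSPlatformId   = (Win32VersionValue >> 30) ^ 0x2;   /* bits 30-31, XORed with 2 */
    return v;
}

/* Inverse of peb_version_from_image: the header field that decodes to the given version.
 * Handy for checking the decode and for seeing what a build tool would have to store. */
uint32_t make_win32_version_value(uint32_t major, uint32_t minor, uint32_t build,
                                  uint32_t platform)
{
    return (major & 0xFF) | ((minor & 0xFF) << 8) | ((build & 0x3FFF) << 16)
         | (((platform ^ 0x2) & 0x3) << 30);
}

/* What the new process's PEB ends up with. Assumption (not stated on the slides): the
 * image header replaces the kernel defaults only when Win32VersionValue is nonzero. */
struct peb_version initial_peb_version(uint32_t Win32VersionValue, uint32_t NtMajorVersion,
                                       uint32_t NtMinorVersion, uint32_t NtBuildNumber)
{
    if (Win32VersionValue != 0)
        return peb_version_from_image(Win32VersionValue);
    return peb_version_from_kernel(NtMajorVersion, NtMinorVersion, NtBuildNumber);
}

int main(void)
{
    /* Constructed kernel values: a 5.2 kernel whose NtBuildNumber has bits set above
     * the build number, which is exactly why the PEB masks it with 0x3FFF. */
    struct peb_version k = initial_peb_version(0, 5, 2, 0xF0000ECEu);
    printf("kernel defaults: %u.%u build %u platform %u\n",
           k.OSMajorVersion, k.OSMinorVersion, k.OSBuildNumber, k.OSPlatformId);

    /* Constructed image header that asks for 5.1 build 2600 to be reported. */
    uint32_t hdr = make_win32_version_value(5, 1, 2600, 2);
    struct peb_version i = initial_peb_version(hdr, 5, 2, 0xF0000ECEu);
    printf("image override 0x%08x: %u.%u build %u platform %u\n",
           hdr, i.OSMajorVersion, i.OSMinorVersion, i.OSBuildNumber, i.OSPlatformId);
    return 0;
}
```

The point worth remembering from the round trip is that the version an image reads back from its own PEB is not necessarily the running kernel's version: a header field can decide it, which matters when a program's behaviour or a version check is being reasoned about from a memory dump.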
Completing the setup of the executive process object:
If systemwide auditing of processes is enabled, the process's creation is written to the Security event log.
If the parent process was contained in a job, the new process is added to the job.
If the IMAGE_FILE_UP_SYSTEM_ONLY flag is set in the image header, a single CPU is chosen for all the threads in this new process.
If the image specifies an explicit processor affinity mask, the value is copied to the PEB and set as the default process affinity mask.
CreateProcess inserts the new process block at the end of the Windows list of active processes (PsActiveProcessHead).
The process's creation time is set, and the handle to the new process is returned to the caller (CreateProcess in Kernel32.dll).
Presenter: 彭冠儒
Creating the Initial Thread and Its Stack and Context
CreateProcess sets up the initial thread's context and stack. The stack size for the initial thread is taken from the image; there's no way to specify another size.
Initializing the thread: 1. NtCreateThread 2. PspCreateThread
Reference: http://undocumented.ntinternals.net/
PspCreateThread creates and initializes the ETHREAD (executive thread block) and updates the EPROCESS, for example incrementing the thread count and generating the thread ID.
It creates and initializes the TEB in the user-mode address space and sets the user-mode thread start address in the ETHREAD structure. That address is the system-supplied thread startup function in Kernel32.dll: BaseProcessStart or BaseThreadStart.
It calls KeInitThread to set up the KTHREAD, which for example allocates a kernel stack and initializes the machine-dependent hardware context, and then calls the registered notification routines.
Notifying the Windows Subsystem about the New Process
The goal of the subsystem design was to let user mode run the system APIs of other operating systems. Underneath, kernel mode provides the Windows (NT) system API; NT introduced the subsystem concept as a set of wrappers over the native system API, and different wrappers give the illusion of different operating systems' APIs.
With the success of Windows there was no longer a need to support other operating systems' system APIs, so Windows now has only one subsystem: its own.
The subsystem normally exists as a process that, like a server, waits for requests from user-mode programs (sent via local procedure call). The Win32 PE file format provides a "SUBSYSTEM" field that tells the operating system how to run the file; Depends.exe shows it.
Subsystem process csrss.exe (Client/Server Run-time Subsystem): window operations (maximize, minimize), process and thread management, running DOS and 16-bit/32-bit Windows programs.
Graphics device driver Win32k.sys: window management, input from devices (keyboard, mouse).
System DLLs: Kernel32.dll, Advapi32.dll, User32.dll, and Gdi32.dll.
Services.exe: Service Controller Process; Winlogon.exe: Logon Process; Smss.exe: Session Manager Process; Psxss.exe: POSIX Subsystem Process; OS2ss.exe: OS/2 Subsystem Process; Csrss.exe: Win32 Subsystem Process.
Ntdll.dll: internal support functions and system service dispatch stubs to executive functions; Kernel32.dll, User32.dll, GDI32.dll: Win32 subsystem DLLs; Psxdll.dll: POSIX subsystem DLL; NTOSKRNL.EXE: executive and kernel; Hal.dll: hardware abstraction layer; Win32k.sys: Win32 USER and GDI kernel-mode components.
Kernel32.dll sends a message to the Windows subsystem. The message contains the process and thread handles, entries in the creation flags, the parent process's ID, and a flag to indicate whether the process belongs to a Windows application.
Csrss then:
1. Duplicates the process and thread handles.
2. Increments the process and thread counts.
3. Sets the process's priority class (if none was specified).
4. Creates a process block in Csrss.
5. Sets the ports (exception port, debug port).
6. Creates a thread block in Csrss.
7. Adds the thread to the process's thread list.
8. Sets the shutdown level to 0x280 (SetProcessShutdownParameters).
10. Adds the process to the subsystem's process list.
11. Creates and initializes the W32PROCESS structure (used by the kernel-mode part of the subsystem when running the process).
12. Shows the cursor.
Starting Execution of the Initial Thread
If the caller did not specify the CREATE_SUSPENDED flag, the initial thread starts running and performs the remainder of the process initialization work.
Performing Process Initialization in the Context of the New Process
IRQL (interrupt request level) is the execution priority of an interrupt. A higher-priority interrupt preempts a lower-priority one; while it runs, all other interrupts at or below that IRQL are kept pending.
IRQLnew <= IRQLcurrent: the currently executing code is not affected.
IRQLnew > IRQLcurrent: the current work is interrupted and the interrupt's work runs. A larger value means a higher IRQL priority. The current processor's IRQL can be obtained with the KeGetCurrentIRQL() system routine.
KiThreadStartup lowers the IRQL from DPC level to APC level.
PspUserThreadStartup queues a user-mode APC that runs LdrInitializeThunk() in ntdll.dll, which initializes the loader, heap manager, NLS tables, thread-local storage (TLS) array, and critical section structures, and links in the DLLs.
DLL hell: you install an application that replaces one or more core system DLLs, creating incompatibilities with other already-installed applications.
Windows 2000 allows applications to use private copies of DLLs: place a file named Application.exe.local next to the executable.
Problem: shared KnownDLLs cannot be redirected using this mechanism. 16-bit DLLs are listed under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Wow; 32-bit DLLs under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.
Windows XP shared assemblies: a group of resources (DLLs + XML manifest). application.exe.manifest describes the application and its dependence on assemblies. Assemblies are either private or shared; shared assemblies are digitally signed.
References:
http://loda.zhupiter.com/WindowsNTSubSystem.htm
http://bbs.pediy.com/showthread.php?t=56230
http://support.microsoft.com/kb/164501/zh-tw
http://linux.insigma.com.cn/jszl.asp?docid=136564375
http://www.mbs3.org/wdmproject/intspri.html
Speaker: 姜怡楷
Data structures: ETHREAD, KTHREAD, TEB
Kernel variables; performance counters; relevant functions; birth of a thread
What is an ETHREAD? A Windows thread is represented by an executive thread (ETHREAD) block.
Where is the ETHREAD (and KTHREAD)? The ETHREAD block and the structures it points to exist in the system address space.
Where is the thread environment block (TEB)? The TEB exists in the process address space.
The Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process.
The kernel-mode portion of the Windows subsystem (Win32k.sys) maintains a per-thread data structure (the W32THREAD structure).
Displaying the ETHREAD and KTHREAD structures:
lkd> dt nt!_ethread
lkd> dt nt!_kthread
Using the kernel debugger !thread command:
lkd> !thread
Viewing Thread Information
Examining the TEB
lkd> !process 0 0
lkd> !process 8590f020 3
Thread information shown:
Address of ETHREAD
Address of TEB
Thread ID
Address of EPROCESS for the owning process
Address of user thread function
Actual thread start address
Using Tlist
The TEB stores context information for the image loader and various Windows DLLs (for user mode).
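When working through !process and !thread output by hand, the first thing to pull out of each process entry is the set of addresses and IDs. As an added example (not from the slides), here is a small C parser for the PROCESS header line that !process prints, applied to the windbg.exe line shown earlier on this page, together with the two checks the slides' layout rules imply: the EPROCESS address must lie in system space and the PEB address in the process's user space. The 0x80000000 boundary is an assumption for a 32-bit system with the default 2 GB/2 GB split, as in the sample; the sample line and its values are the page's own.

```c
#include <stdio.h>
#include <string.h>

/* Fields of one "PROCESS ..." header line as printed by !process. */
struct process_summary {
    unsigned long long eprocess;     /* address of the EPROCESS block */
    unsigned int       session_id;
    unsigned int       cid;          /* process ID (client ID) */
    unsigned long long peb;          /* address of the PEB */
    unsigned int       parent_cid;
    unsigned long long dir_base;     /* page directory base */
    unsigned long long object_table;
    unsigned int       handle_count;
    char               image[64];
};

/* The header line from the !process output shown earlier on this page. */
static const char SAMPLE_LINE[] =
    "PROCESS 8575f030 SessionId: 0 Cid: 08d0 Peb: 7ffdf000 ParentCid: 0360 "
    "DirBase: 1a81b000 ObjectTable: e12bd418 HandleCount: 66. Image: windbg.exe";

/* Parse one header line. Returns 1 on success, 0 if the line does not have that shape.
 * The blanks in the format string match any run of whitespace, which covers the
 * column padding WinDbg adds. */
int parse_process_header(const char *line, struct process_summary *out)
{
    int n = sscanf(line,
        "PROCESS %llx SessionId: %u Cid: %x Peb: %llx ParentCid: %x "
        "DirBase: %llx ObjectTable: %llx HandleCount: %u. Image: %63s",
        &out->eprocess, &out->session_id, &out->cid, &out->peb, &out->parent_cid,
        &out->dir_base, &out->object_table, &out->handle_count, out->image);
    return n == 9;
}

/* Address-space checks matching the slides: the EPROCESS block lives in system space and
 * the PEB in the process's user space. Assumption: 32-bit, default 2 GB/2 GB split. */
#define USER_SPACE_LIMIT_32 0x80000000ull

int eprocess_in_system_space(const struct process_summary *p) { return p->eprocess >= USER_SPACE_LIMIT_32; }
int peb_in_user_space(const struct process_summary *p)        { return p->peb < USER_SPACE_LIMIT_32; }

/* Parse a line and return its PID, or 0 if it does not parse. */
unsigned int pid_from_header(const char *line)
{
    struct process_summary p;
    return parse_process_header(line, &p) ? p.cid : 0;
}

/* Parse SAMPLE_LINE and confirm the layout claims hold for it. */
int sample_is_consistent(void)
{
    struct process_summary p;
    return parse_process_header(SAMPLE_LINE, &p)
        && eprocess_in_system_space(&p) && peb_in_user_space(&p)
        && p.handle_count == 66 && strcmp(p.image, "windbg.exe") == 0;
}

int main(void)
{
    struct process_summary p;
    if (!parse_process_header(SAMPLE_LINE, &p)) { puts("unexpected !process format"); return 1; }
    printf("%s: pid %u (0x%x), parent 0x%x, EPROCESS %llx (%s), PEB %llx (%s), %u handles\n",
           p.image, p.cid, p.cid, p.parent_cid,
           p.eprocess, eprocess_in_system_space(&p) ? "system space" : "not system space?",
           p.peb, peb_in_user_space(&p) ? "user space" : "not user space?",
           p.handle_count);
    return 0;
}
```

The Cid and ParentCid values are printed in hexadecimal by the debugger, so the parser keeps them as numbers; when comparing against Task Manager or Tlist, which show decimal PIDs, convert first (0x08d0 is 2256).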
References:
Introduction to NT Internals: http://www.alex-ionescu.com/part1.pdf
TIB: http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
TLS (Thread Local Storage): http://en.wikipedia.org/wiki/Thread-local_storage