Process Internals
Outline • Process Internal • Flow of CreateProcess • Thread Internal • Examining Thread Activity
Process Internal – introduction • Every Windows process is represented by an executive process (EPROCESS) block. A process may own several threads, and each thread is represented by an executive thread (ETHREAD) block. • The EPROCESS block and its related data structures live in system space. The one exception is the process environment block (PEB), which the EPROCESS block points to but which lives in the process's own address space.
Process Internal – Contents of the EPROCESS Block • Use the kernel debugger's dt command to display the layout of the EPROCESS block:
lkd> dt _eprocess
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
Process Internal – Contents of the KPROCESS Block • The layout of the kernel process (KPROCESS) block (also called the PCB, process control block) is shown in the following figure. It holds the basic information the Windows kernel needs in order to schedule threads.
Process Internal – Contents of the KPROCESS Block • Use the debugger to display the layout of the KPROCESS block:
lkd> dt _kprocess
nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY
   +0x018 DirectoryTableBase : [2] Uint4B
   +0x020 LdtDescriptor    : _KGDTENTRY
   +0x028 Int21Descriptor  : _KIDTENTRY
   +0x030 IopmOffset       : Uint2B
• To see the KPROCESS block expanded in place inside the EPROCESS block, display the EPROCESS recursively, one level deep:
lkd> dt _eprocess -r1
Process Internal – Contents of the PEB Block • The PEB lives in the user-mode process address space and holds information needed by the image loader, the heap manager, and the Windows system DLLs. Because it is in user space, it can be modified from user mode. • !process with no arguments shows the current process; take the Peb address from its output and pass it to !peb:
lkd> !process
PROCESS 8575f030  SessionId: 0  Cid: 08d0    Peb: 7ffdf000  ParentCid: 0360
    DirBase: 1a81b000  ObjectTable: e12bd418  HandleCount:  66.
    Image: windbg.exe
lkd> !peb 7ffdf000
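The dt output above gives exactly what a memory-forensics tool needs to read EPROCESS blocks out of a raw memory image: field offsets. The following added example (not code from the original slides) parses that dt listing, then builds a constructed 32-bit "dump" containing PsActiveProcessHead and a few EPROCESS blocks, walks ActiveProcessLinks the way !process does, and cross-checks the list against a scan of the image so that a block unlinked from the list (the classic DKOM process-hiding trick) is still reported. The base address, the block spacing, the PIDs and the list head location are all constructed; the Blink-consistency check and the CONTAINING_RECORD arithmetic (LIST_ENTRY address minus the ActiveProcessLinks offset) are the real technique. The scan heuristic (two in-image pointers at the ActiveProcessLinks offset plus a non-zero PID) is sufficient only for this constructed image; a real tool would use pool-tag scanning.

```python
import re
import struct

# Constructed copy of the "dt _eprocess" listing shown on the slide.
DT_EPROCESS = """nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
"""

DT_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")


def parse_dt(text):
    """Turn a WinDbg 'dt' listing into {field: (offset, type_string)}."""
    fields = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields


BASE = 0x80000000   # constructed: virtual address where the fake dump starts
SIZE = 0x1000       # constructed: size of the fake dump
EPROC_SIZE = 0x100  # constructed: we only model the first 0x90 bytes dt showed


class Image:
    """A flat little-endian 32-bit 'memory dump' addressed by virtual address."""

    def __init__(self):
        self.buf = bytearray(SIZE)

    def contains(self, addr):
        return BASE <= addr < BASE + SIZE - 8

    def read32(self, addr):
        return struct.unpack_from("<I", self.buf, addr - BASE)[0]

    def write32(self, addr, value):
        struct.pack_into("<I", self.buf, addr - BASE, value)


def build_image(fields, pids, unlink_pid=None):
    """Lay out PsActiveProcessHead plus one EPROCESS per PID, link them into the
    circular doubly linked list, and optionally unlink one block exactly the way
    DKOM does: only the neighbours' pointers change, the block stays in memory."""
    img = Image()
    head = BASE + 0x10                      # constructed PsActiveProcessHead
    links_off = fields["ActiveProcessLinks"][0]
    pid_off = fields["UniqueProcessId"][0]
    bases = [BASE + 0x100 + i * EPROC_SIZE for i in range(len(pids))]
    for base, pid in zip(bases, pids):
        img.write32(base + pid_off, pid)
    entries = [head] + [b + links_off for b in bases]
    n = len(entries)
    for i, e in enumerate(entries):
        img.write32(e, entries[(i + 1) % n])   # Flink
        img.write32(e + 4, entries[i - 1])     # Blink
    if unlink_pid is not None:
        e = bases[pids.index(unlink_pid)] + links_off
        nxt, prv = img.read32(e), img.read32(e + 4)
        img.write32(prv, nxt)        # prev->Flink = next
        img.write32(nxt + 4, prv)    # next->Blink = prev
    return img, head


def walk_active_process_list(img, head, fields):
    """Follow Flink from the list head, convert each LIST_ENTRY address back to its
    EPROCESS (CONTAINING_RECORD), and insist that Flink->Blink points back at us."""
    links_off = fields["ActiveProcessLinks"][0]
    pid_off = fields["UniqueProcessId"][0]
    pids, entry, steps = [], img.read32(head), 0
    while entry != head:
        if not img.contains(entry) or steps > SIZE:
            raise ValueError(f"bad Flink 0x{entry:08x}")
        if img.read32(img.read32(entry) + 4) != entry:
            raise ValueError(f"Blink mismatch at 0x{entry:08x}")
        pids.append(img.read32(entry - links_off + pid_off))
        entry, steps = img.read32(entry), steps + 1
    return pids


def scan_for_eprocess(img, fields):
    """List-independent scan: any aligned spot whose ActiveProcessLinks holds two
    in-image pointers and whose UniqueProcessId is non-zero (good enough here)."""
    links_off = fields["ActiveProcessLinks"][0]
    pid_off = fields["UniqueProcessId"][0]
    found = []
    for base in range(BASE, BASE + SIZE - EPROC_SIZE, 4):
        flink, blink = img.read32(base + links_off), img.read32(base + links_off + 4)
        if img.contains(flink) and img.contains(blink) and img.read32(base + pid_off):
            found.append(base)
    return found


def find_hidden(img, head, fields):
    """PIDs present in memory but absent from the active process list."""
    listed = set(walk_active_process_list(img, head, fields))
    pid_off = fields["UniqueProcessId"][0]
    return sorted(img.read32(b + pid_off) for b in scan_for_eprocess(img, fields)
                  if img.read32(b + pid_off) not in listed)


if __name__ == "__main__":
    f = parse_dt(DT_EPROCESS)
    img, head = build_image(f, [4, 0x2E4, 0x8D0], unlink_pid=0x2E4)
    print("listed:", walk_active_process_list(img, head, f))
    print("hidden:", find_hidden(img, head, f))
```

The same two routines, list walk versus independent scan, are what a memory-forensics tool compares to flag a hidden process; the Blink check additionally catches a list whose forward pointers were patched without repairing the back pointers.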
Process Internal – Kernel Variables • Kernel global variables used in process management
Process Internal – Performance Counters • Windows maintains a number of counters that can be used to track how a process is executing.
Process Internal – Relevant Functions • Some process-related functions are listed below.
Stages 1-2, presented by 謝宇哲
Flow of CreateProcess • How did those processes come into being? • How do they exit once they've fulfilled their purpose? • How a Windows process comes to life
Process Create • A process is created by calling one of these functions: • CreateProcess • CreateProcessAsUser • CreateProcessWithTokenW • Creating a Windows process consists of several stages carried out in three parts of the operating system: • The client-side library (Kernel32.dll) • The Windows executive • The Windows subsystem process (Csrss)
Process Create stages • Open the image file • Create Windows executive process object • Create the initial thread • Notify the Windows subsystem of the new process • Start execution • In the context of the new process and thread, complete the initialization of the address space (such as load required DLLs) and begin execution of the program.
Prepare operation (1) • Priority class selection • If more than one priority class is specified in the creation flags, the lowest one is used • If no priority class is specified, NORMAL_PRIORITY_CLASS is used, unless the creating (calling) process's priority class is Idle or Below Normal (IDLE_PRIORITY_CLASS or BELOW_NORMAL_PRIORITY_CLASS), in which case the new process gets the same priority class as the creating process
Prepare operation (2)
BOOL CreateProcess(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);
DWORD GetPriorityClass(
    HANDLE hProcess
);
Prepare operation (3) • If the Real-time priority class is specified but the caller doesn't hold the Increase Scheduling Priority privilege, the High priority class is used instead • CreateProcess doesn't fail; the new process simply gets the High priority class • All windows are associated with desktops
Stage 1: Opening the Image to Be Executed (1) • Two things to do: • Find the appropriate Windows image to run the executable file specified by the caller • Create a section object, to be mapped later into the address space of the new process • If no image name is specified, the first token of the command line is used as the image filename
Stage 1: Opening the Image to Be Executed (2) • What kind of file is it? • If the executable file specified is a Windows .exe, it is used directly • If it is an MS-DOS, Win16, or POSIX application, find the Windows support image: • POSIX application: Posix.exe • MS-DOS or Win16 executable: Ntvdm.exe
Stage 1: Opening the Image to Be Executed (4) • CreateProcess runs an image decision tree • MS-DOS application: a message is sent to the Windows subsystem asking whether a support process (Ntvdm.exe, named by HKLM\SYSTEM\CurrentControlSet\Control\WOW\cmdline) has already been created for this session • If it has, it is used to run the MS-DOS application and CreateProcess returns • If it hasn't, the image to be run changes to Ntvdm.exe and CreateProcess restarts
Stage 1: Opening the Image to Be Executed (5) • .bat file: the image to be run becomes Cmd.exe and CreateProcess restarts, with the name of the batch file passed as the first parameter • Win16 (Windows 3.1) application: the flags CREATE_SEPARATE_WOW_VDM and CREATE_SHARED_WOW_VDM control whether a new VDM process or the shared VDM process is used • If neither flag is specified, HKLM\SYSTEM\CurrentControlSet\Control\WOW\DefaultSeparateVDM decides
Stage 1: Opening the Image to Be Executed (6) • New VDM process: the image to be run becomes the one named by HKLM\SYSTEM\CurrentControlSet\Control\WOW\wowcmdline (Ntvdm.exe) and CreateProcess restarts • Default sessionwide shared VDM process: CreateProcess sends a message to check whether the shared process is running on a different desktop or under a different security context than the caller; if so, a new VDM process is used instead • If the shared VDM process can be used, CreateProcess sends it a message to run the new image and returns
Stage 1: Opening the Image to Be Executed (7) • If the shared VDM process hasn't yet been created or can't be used, the image to be run changes to the VDM support image and CreateProcess restarts
Stage 1: Opening the Image to Be Executed (8) • Decision Tree for Stage 1 of CreateProcess
Stage 1: Opening the Image to Be Executed (9) • If the file is a valid Windows executable, a section object has been created for it • That doesn't yet mean the file is a valid Windows image: it isn't mapped into memory yet, but it is open • It might be a DLL or a POSIX executable • POSIX: the image changes to Posix.exe and CreateProcess restarts • DLL: CreateProcess fails
Stage 1: Opening the Image to Be Executed (10) • CreateProcess looks under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for a subkey named with the filename and extension of the executable image • If such a subkey exists, CreateProcess looks for a value named Debugger under it • If that value is present, the image to be run becomes the string in that value, and CreateProcess restarts
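The priority-class rules from the Prepare slides and the Stage 1 image decision tree are both small state machines, and writing them out makes the "restart" loop and the silent Real-time-to-High downgrade concrete. The following is an added model written for this page, not code from the slides or from Windows itself. The priority-class and WOW flag values are the real winbase.h constants; the registry is a plain dictionary keyed by the paths the slides name; the file-type classifier (`kinds`) and the session state (`session`) are constructed stand-ins for what CreateProcess learns from the image header and from the Windows subsystem. Going a little beyond the slides, `resolve_image` also refuses to loop forever when two Image File Execution Options entries redirect to each other.

```python
# Real winbase.h constants for the flags the slides talk about.
NORMAL_PRIORITY_CLASS       = 0x00000020
IDLE_PRIORITY_CLASS         = 0x00000040
HIGH_PRIORITY_CLASS         = 0x00000080
REALTIME_PRIORITY_CLASS     = 0x00000100
BELOW_NORMAL_PRIORITY_CLASS = 0x00004000
ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000
CREATE_SEPARATE_WOW_VDM     = 0x00000800
CREATE_SHARED_WOW_VDM       = 0x00001000

# Priority classes from lowest to highest.
PRIORITY_ORDER = [IDLE_PRIORITY_CLASS, BELOW_NORMAL_PRIORITY_CLASS,
                  NORMAL_PRIORITY_CLASS, ABOVE_NORMAL_PRIORITY_CLASS,
                  HIGH_PRIORITY_CLASS, REALTIME_PRIORITY_CLASS]

# Registry paths named on the slides (keys of the constructed registry dict).
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WOW = r"HKLM\SYSTEM\CurrentControlSet\Control\WOW"


def select_priority_class(creation_flags, caller_class, has_increase_priority_priv):
    """Model of the priority-class selection done before Stage 1."""
    requested = [c for c in PRIORITY_ORDER if creation_flags & c]
    if requested:
        cls = requested[0]                       # several specified: lowest wins
    elif caller_class in (IDLE_PRIORITY_CLASS, BELOW_NORMAL_PRIORITY_CLASS):
        cls = caller_class                       # inherit Idle / Below Normal
    else:
        cls = NORMAL_PRIORITY_CLASS
    if cls == REALTIME_PRIORITY_CLASS and not has_increase_priority_priv:
        cls = HIGH_PRIORITY_CLASS                # downgraded, call does not fail
    return cls


def resolve_image(image_name, command_line, registry, kinds, flags=0, session=None):
    """Replay the Stage 1 decision tree for one CreateProcess call.

    kinds   : constructed map basename -> 'msdos' | 'win16' | 'posix' | 'dll'
              (anything else is treated as a Windows .exe; '.bat' is by extension)
    session : constructed subsystem state, e.g. {'ntvdm_running': True,
              'shared_wow_usable': True}
    Returns (final_image, final_command_line, outcome) with outcome one of
    'run' (section created, Stage 2 follows), 'existing-vdm' (handed to an
    already running support process) or 'fail'.
    """
    session = session or {}
    wow = registry.get(WOW, {})
    if image_name is None:                       # no name: first command-line token
        image_name = command_line.split()[0]
    seen = set()
    while True:                                  # each 'continue' is a restart
        basename = image_name.lower().rsplit("\\", 1)[-1]
        if basename in seen:
            raise RuntimeError(f"restart loop on {basename}")
        seen.add(basename)
        kind = "batch" if basename.endswith(".bat") else kinds.get(basename, "win32")
        if kind == "batch":                      # Cmd.exe, batch file as first parameter
            image_name, command_line = "cmd.exe", f"cmd.exe {command_line}"
            continue
        if kind == "msdos":
            if session.get("ntvdm_running"):
                return "ntvdm.exe", command_line, "existing-vdm"
            image_name = wow.get("cmdline", "ntvdm.exe")
            continue
        if kind == "win16":
            if flags & (CREATE_SEPARATE_WOW_VDM | CREATE_SHARED_WOW_VDM):
                separate = bool(flags & CREATE_SEPARATE_WOW_VDM)
            else:
                separate = bool(wow.get("DefaultSeparateVDM", 0))
            if not separate and session.get("shared_wow_usable"):
                return "ntvdm.exe", command_line, "existing-vdm"
            image_name = wow.get("wowcmdline", "ntvdm.exe")
            continue
        if kind == "posix":
            image_name = "posix.exe"
            continue
        if kind == "dll":
            return image_name, command_line, "fail"
        # A valid Windows image: an IFEO Debugger value replaces what actually runs.
        debugger = registry.get(IFEO + "\\" + basename, {}).get("Debugger")
        if debugger:
            image_name = debugger.split()[0]
            command_line = f"{debugger} {command_line}"
            continue
        return image_name, command_line, "run"


if __name__ == "__main__":
    reg = {WOW: {"cmdline": "ntvdm.exe", "wowcmdline": "ntvdm.exe", "DefaultSeparateVDM": 0},
           IFEO + r"\notepad.exe": {"Debugger": r"C:\tools\dbg.exe -g"}}   # constructed
    kinds = {"edit.com": "msdos", "calc16.exe": "win16", "sh.exe": "posix", "user32.dll": "dll"}
    print(resolve_image(None, "notepad.exe notes.txt", reg, kinds))
    print(hex(select_priority_class(REALTIME_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS, False)))
```

Two things the model makes visible for a defender: a Debugger value under the IFEO key silently changes which binary executes for a given image name, so that key belongs on the list of registry locations to audit and monitor; and a Real-time request from a caller without the privilege succeeds with High instead of failing, so a process's actual class should be read back with GetPriorityClass rather than inferred from the flags passed in.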
Stage 2: Creating the Windows Executive Process Object (1) • What has been done so far: a valid Windows executable file has been found and a section object created for it • Now the Windows executive process object is created by calling NtCreateProcess
Stage 2: Creating the Windows Executive Process Object (2) • Creating the executive process object consists of these substages: • Setting up the EPROCESS block • Creating the initial process address space • Initializing the kernel process block (KPROCESS) • Concluding the setup of the process address space • Completing the setup of the executive process object
Stage 2A: Setting Up the EPROCESS Block (1) • Allocate and initialize the Windows EPROCESS block • Inherit the process affinity mask from the parent process (the setting that matters on multiprocessor and multicore systems) • Set the minimum and maximum working set size to PsMinimumWorkingSet and PsMaximumWorkingSet • Set the new process's quota block to the address of its parent process's quota block, and increment the reference count for the parent's quota block
Stage 2A: Setting Up the EPROCESS Block (2) • Inherit the Windows device name space (the namespace in which the various device names are defined) • Store the parent process's process ID in the InheritedFromUniqueProcessId field of the new process object
Stage 2A: Setting Up the EPROCESS Block (3) • Create the process's primary access token (the user's identity information) • By default it is an exact duplicate of the parent process's primary token (inherited by copying) • If CreateProcessAsUser was called with a specific access token, the access token is replaced at this stage
Stage 2A: Setting Up the EPROCESS Block (4) • The new process's handle table is initialized • If the inherit-handles flag was specified, the parent process's inheritable handles are copied into the new process's handle table • Set the new process's exit status to STATUS_PENDING
Stage 2B: Creating the Initial Process Address Space • The initial process address space consists of these pages: • Page directory • Hyperspace page • Working set list • Creation steps: • Page table entries for the initial pages are created in the appropriate page tables • The pages are deducted from the kernel variable MmTotalCommittedPages and added to MmProcessCommit • The systemwide default minimum process working set size is deducted from MmResidentAvailablePages • The page table pages and the system cache are mapped into the process
Stage 2C: Creating the Kernel Process Block • Initialization of the KPROCESS block, which contains: • A pointer to the list of kernel threads • A pointer to the process's page table directory • The total time the process's threads have executed • The process's default base scheduling priority • The default processor affinity for the threads in the process • The initial value of the process default quantum, taken from the first entry in the systemwide quantum array
Stage 2D: Concluding the Setup of the Process Address Space (1) • The virtual memory manager sets the process's last trim time to the current time • The working set manager uses this value to decide when to initiate working set trimming • The memory manager initializes the process's working set list • From this point on, page faults can be taken
Stage 2D: Concluding the Setup of the Process Address Space (2) • The section object is mapped into the new process's address space • The process's section base address is set to the base address of the image • Ntdll.dll is mapped into the process • The systemwide national language support (NLS) tables are mapped into the process's address space