Process Internals



  1. Process Internals

  2. Outline
  • Process Internal
  • Flow of CreateProcess
  • Thread Internal
  • Examining Thread Activity

  3. Process Internal – introduction
  • Every Windows process is represented by an executive process (EPROCESS) block. A process can have several threads, and each thread is represented by an executive thread (ETHREAD) block.
  • The EPROCESS block and its related data structures live in system space. The one exception is the process environment block (PEB) referenced from the EPROCESS block, which is stored in the process address space.

  4. Process Internal – introduction

  5. Process Internal – introduction

  6. Process Internal – Contents of the EPROCESS Block

  7. Process Internal – Contents of the EPROCESS Block

  8. Process Internal – Contents of the EPROCESS Block

  9. Process Internal – Contents of the EPROCESS Block
  • Use the kernel debugger to display the layout of the EPROCESS block:
      lkd> dt _eprocess
      nt!_EPROCESS
         +0x000 Pcb                : _KPROCESS
         +0x06c ProcessLock        : _EX_PUSH_LOCK
         +0x070 CreateTime         : _LARGE_INTEGER
         +0x078 ExitTime           : _LARGE_INTEGER
         +0x080 RundownProtect     : _EX_RUNDOWN_REF
         +0x084 UniqueProcessId    : Ptr32 Void
         +0x088 ActiveProcessLinks : _LIST_ENTRY

  10. Process Internal – Contents of the KPROCESS Block
  • The kernel process (KPROCESS) block (also called the PCB, process control block) has the layout shown in the figure below. It contains much of the basic information the Windows kernel needs to schedule threads.

  11. Process Internal – Contents of the KPROCESS Block
  • Use the kernel debugger to display the layout of the KPROCESS block:
      lkd> dt _kprocess
      nt!_KPROCESS
         +0x000 Header             : _DISPATCHER_HEADER
         +0x010 ProfileListHead    : _LIST_ENTRY
         +0x018 DirectoryTableBase : [2] Uint4B
         +0x020 LdtDescriptor      : _KGDTENTRY
         +0x028 Int21Descriptor    : _KIDTENTRY
         +0x030 IopmOffset         : Uint2B
  • Use the recursive option of dt to expand the KPROCESS block (the Pcb field) inside the EPROCESS display:
      lkd> dt _eprocess -r1

  12. Process Internal – Contents of the PEB Block
  • The PEB lives in the user-mode process address space and holds information needed by the image loader, the heap manager, and the Windows system DLLs. Because it is in user space, it can be modified from user mode.
      lkd> !process
      PROCESS 8575f030  SessionId: 0  Cid: 08d0    Peb: 7ffdf000  ParentCid: 0360
          DirBase: 1a81b000  ObjectTable: e12bd418  HandleCount:  66.
          Image: windbg.exe
      lkd> !peb 7ffdf000

  13. Process Internal – Kernel Variables
  • Kernel global variables used by process management

  14. Process Internal – Kernel Variables
  • Kernel global variables used by process management

  15. Process Internal – Performance Counters
  • Windows maintains a number of counters that let you track how a process is executing.

  16. Process Internal – Performance Counters
  • Windows maintains a number of counters that let you track how a process is executing.

  17. Process Internal – Relevant Functions
  • Some process-related functions are listed below.

  18. Process Internal – Relevant Functions
  • Some process-related functions are listed below.

  19. Process Internal – Relevant Functions
  • Some process-related functions are listed below.

  20. Process Internal – Relevant Functions
  • Some process-related functions are listed below.

  21. Flow of CreateProcess

  22. Stage 1-2 Speaker: 謝宇哲

  23. Flow of CreateProcess
  • How did those processes come into being?
  • How do they exit once they've fulfilled their purpose?
  • How a Windows process comes to life

  24. Process Create
  • A process can be created by calling one of the following functions:
    • CreateProcess
    • CreateProcessAsUser
    • CreateProcessWithTokenW
  • Creating a Windows process consists of several stages carried out in three parts of the operating system:
    • Client-side library Kernel32.dll
    • Windows executive
    • Windows subsystem process (Csrss)

  25. Process Create stages
  • Open the image file
  • Create the Windows executive process object
  • Create the initial thread
  • Notify the Windows subsystem of the new process
  • Start execution
  • In the context of the new process and thread, complete the initialization of the address space (such as loading required DLLs) and begin execution of the program.

  26. Create process stages

  27. Prepare operation1
  • Priority
    • If a priority class is specified in the creation flags, it is used; when more than one class is specified, the lowest one is chosen
    • If no priority class is specified: NORMAL_PRIORITY_CLASS
    • If the creating (calling) process's priority class is Idle or Below Normal (IDLE_PRIORITY_CLASS or BELOW_NORMAL_PRIORITY_CLASS): the new process gets the same priority class as the creating process

  28. Process's priority class value

  29. Prepare operation2
      BOOL CreateProcess(
          LPCTSTR lpApplicationName,
          LPTSTR lpCommandLine,
          LPSECURITY_ATTRIBUTES lpProcessAttributes,
          LPSECURITY_ATTRIBUTES lpThreadAttributes,
          BOOL bInheritHandles,
          DWORD dwCreationFlags,
          LPVOID lpEnvironment,
          LPCTSTR lpCurrentDirectory,
          LPSTARTUPINFO lpStartupInfo,
          LPPROCESS_INFORMATION lpProcessInformation
      );
      DWORD GetPriorityClass(HANDLE hProcess);

  30. Prepare operation3
  • If the Real-time priority class is specified but the caller doesn't have the Increase Scheduling Priority privilege:
    • The High priority class is used instead
    • CreateProcess doesn't fail; the new process simply ends up with High priority
  • All windows are associated with desktops
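The priority-class rules from slides 27 and 30 fit in one small decision function. The block below is an added example written for these notes, not code from the slides or from Windows itself: it models the decision in plain C so it runs anywhere, using the public Win32 values of the priority-class flags so that `windows.h` is not needed. The function name `effective_priority_class` and the argument names are my own; the inputs stand for the `dwCreationFlags` argument, the creator's priority class, and whether the caller holds the Increase Scheduling Priority privilege.

```c
#include <stdbool.h>
#include <stdio.h>

/* Priority-class flags. The numeric values are the public Win32 dwCreationFlags
   values, declared here so the model compiles without windows.h. */
enum {
    IDLE_PRIORITY_CLASS         = 0x00000040,
    BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
    NORMAL_PRIORITY_CLASS       = 0x00000020,
    ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
    HIGH_PRIORITY_CLASS         = 0x00000080,
    REALTIME_PRIORITY_CLASS     = 0x00000100
};

/* Classes ordered from lowest to highest, so the first match below is the
   lowest class present in the creation flags. */
static const unsigned kClassesLowToHigh[] = {
    IDLE_PRIORITY_CLASS, BELOW_NORMAL_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS,
    ABOVE_NORMAL_PRIORITY_CLASS, HIGH_PRIORITY_CLASS, REALTIME_PRIORITY_CLASS
};

/* Model (hypothetical helper, not a Windows API) of the priority-class decision:
   creation_flags   - the dwCreationFlags argument of CreateProcess
   creator_class    - the priority class of the calling (creating) process
   has_inc_priority - caller holds the Increase Scheduling Priority privilege */
unsigned effective_priority_class(unsigned creation_flags, unsigned creator_class,
                                  bool has_inc_priority)
{
    unsigned chosen = 0;
    for (size_t i = 0; i < sizeof kClassesLowToHigh / sizeof kClassesLowToHigh[0]; i++) {
        if (creation_flags & kClassesLowToHigh[i]) { chosen = kClassesLowToHigh[i]; break; }
    }

    if (chosen == 0) {
        /* No class specified: Normal, unless the creator is Idle or Below Normal,
           in which case the new process inherits the creator's class. */
        if (creator_class == IDLE_PRIORITY_CLASS || creator_class == BELOW_NORMAL_PRIORITY_CLASS)
            return creator_class;
        return NORMAL_PRIORITY_CLASS;
    }

    /* Real-time requested without the privilege: the call does not fail,
       the process silently gets High instead. */
    if (chosen == REALTIME_PRIORITY_CLASS && !has_inc_priority)
        return HIGH_PRIORITY_CLASS;

    return chosen;
}

const char *priority_class_name(unsigned cls)
{
    switch (cls) {
    case IDLE_PRIORITY_CLASS:         return "Idle";
    case BELOW_NORMAL_PRIORITY_CLASS: return "Below Normal";
    case NORMAL_PRIORITY_CLASS:       return "Normal";
    case ABOVE_NORMAL_PRIORITY_CLASS: return "Above Normal";
    case HIGH_PRIORITY_CLASS:         return "High";
    case REALTIME_PRIORITY_CLASS:     return "Realtime";
    default:                          return "?";
    }
}

int main(void)
{
    /* Constructed scenarios: (flags, creator class, privilege) */
    struct { unsigned flags, creator; bool priv; } cases[] = {
        {0, NORMAL_PRIORITY_CLASS, false},
        {0, BELOW_NORMAL_PRIORITY_CLASS, false},
        {REALTIME_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS, false},
        {REALTIME_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS, true},
        {HIGH_PRIORITY_CLASS | IDLE_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS, true},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned r = effective_priority_class(cases[i].flags, cases[i].creator, cases[i].priv);
        printf("flags=0x%04x creator=%-12s priv=%d -> %s\n", cases[i].flags,
               priority_class_name(cases[i].creator), cases[i].priv, priority_class_name(r));
    }
    return 0;
}
```

The silent downgrade from Real-time to High is the case worth remembering when reviewing code: a caller that checks only the return value of CreateProcess cannot tell that it did not get the class it asked for, and has to call GetPriorityClass on the new handle to find out.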

  31. Stage 1: Opening the Image to Be Executed1
  • Two things to do:
    • Find the appropriate Windows image to run the executable file specified by the caller
    • Create a section object, to be mapped later into the address space of the new process
  • If no image name is specified, the first token of the command line is used as the image filename

  32. Stage 1: Opening the Image to Be Executed2
  • What kind of file is it?
    • The executable file specified is a Windows .exe: it is used directly
    • MS-DOS, Win16, or POSIX application: find a Windows support image
      • POSIX application – Posix.exe
      • MS-DOS or Win16 executable – Ntvdm.exe

  33. Stage 1:Opening the Image to Be Executed3

  34. Stage 1: Opening the Image to Be Executed4
  • CreateProcess walks a decision tree to pick the image that is actually run
  • MS-DOS application:
    • A message is sent to the Windows subsystem asking whether a support process (Ntvdm.exe) has already been created for this session; its command line comes from HKLM\SYSTEM\CurrentControlSet\Control\WOW\cmdline
    • Already created: it is used to run the MS-DOS application, and CreateProcess returns
    • Not yet created: the image to run changes to Ntvdm.exe, and CreateProcess restarts

  35. Stage 1: Opening the Image to Be Executed5
  • .bat file:
    • The image to be run becomes Cmd.exe, and CreateProcess restarts
    • The name of the batch file is passed as the first parameter
  • Win16 (Windows 3.1) application:
    • The CREATE_SEPARATE_WOW_VDM and CREATE_SHARED_WOW_VDM flags control this decision
    • If neither is specified, HKLM\SYSTEM\CurrentControlSet\Control\WOW\DefaultSeparateVDM decides
    • Result: a new VDM process or the shared VDM process

  36. Stage 1: Opening the Image to Be Executed6
  • New VDM process:
    • Its command line comes from HKLM\SYSTEM\CurrentControlSet\Control\WOW\wowcmdline (Ntvdm.exe)
    • CreateProcess restarts
  • Default session-wide shared VDM process:
    • A message is sent to check whether the shared VDM is running on a different desktop or isn't running under the same security context as the caller; if so, a new VDM process is used
    • If it can be used, a message is sent to it to run the new image, and CreateProcess returns

  37. Stage 1: Opening the Image to Be Executed7
  • If the shared VDM hasn't yet been created or cannot be used, the image to be run changes to the VDM support image, and CreateProcess restarts

  38. Stage 1: Opening the Image to Be Executed8
  • Decision tree for Stage 1 of CreateProcess

  39. Stage 1: Opening the Image to Be Executed9
  • For a valid Windows executable file, a section object is created for it
    • This doesn't mean that the file is a valid Windows image yet: it isn't mapped into memory, but it is open
  • The file may still turn out to be a DLL or a POSIX executable:
    • POSIX: the image changes to Posix.exe, and CreateProcess restarts
    • DLL: CreateProcess fails

  40. Stage 1: Opening the Image to Be Executed10
  • CreateProcess looks in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for a subkey named after the filename and extension of the executable image
  • If such a subkey exists, CreateProcess looks for a value named Debugger under it
  • If that value is present, the image to be run becomes the string in that value, and CreateProcess restarts
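Slides 31 through 40 describe Stage 1 as a loop: inspect the image, possibly substitute a support image (Cmd.exe, Ntvdm.exe, Posix.exe, or the IFEO Debugger string) and restart, until a Windows executable is reached, the request is handed to an existing VDM, or the call fails. The block below is an added example written for these notes, not code from the slides or from Windows: it models that walk in portable C. The file inspection and registry lookups are replaced by a constructed table (`kImages`), the image names other than the real support images are invented, and `stage1_resolve`, `Stage1Env` and the outcome enum are my own names. From a defensive point of view the IFEO branch is the one to note: a Debugger value transparently replaces the requested image, which is why that key is a standard item in configuration audits and monitoring baselines.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What Stage 1 learns about a file when it opens it (modelled, not read from disk). */
typedef enum { KIND_WIN32_EXE, KIND_BATCH, KIND_MSDOS, KIND_WIN16, KIND_POSIX, KIND_DLL } ImageKind;

/* How the Stage 1 walk ends. */
typedef enum {
    OUTCOME_RUN,          /* a Windows image was found; CreateProcess continues to Stage 2 */
    OUTCOME_SENT_TO_VDM,  /* an existing support process runs the image; CreateProcess returns */
    OUTCOME_FAIL          /* CreateProcess fails */
} Outcome;

/* Constructed stand-in for the file open and the Image File Execution Options
   lookup: image name, header type, and the IFEO "Debugger" value if any. */
typedef struct { const char *name; ImageKind kind; const char *ifeo_debugger; } KnownImage;

static const KnownImage kImages[] = {
    {"app.exe",    KIND_WIN32_EXE, NULL},
    {"build.bat",  KIND_BATCH,     NULL},
    {"dos.exe",    KIND_MSDOS,     NULL},
    {"win16.exe",  KIND_WIN16,     NULL},
    {"ptool",      KIND_POSIX,     NULL},
    {"lib.dll",    KIND_DLL,       NULL},
    {"hooked.exe", KIND_WIN32_EXE, "windbg.exe"},  /* constructed: IFEO Debugger value set */
    {"windbg.exe", KIND_WIN32_EXE, NULL},
    {"cmd.exe",    KIND_WIN32_EXE, NULL},
    {"ntvdm.exe",  KIND_WIN32_EXE, NULL},
    {"posix.exe",  KIND_WIN32_EXE, NULL},
};

typedef struct {
    bool separate_wow_vdm;   /* CREATE_SEPARATE_WOW_VDM was passed (Win16 only) */
    bool shared_vdm_usable;  /* a session-wide Ntvdm.exe exists on the caller's desktop and security context */
} Stage1Env;

static const KnownImage *lookup_image(const char *name)
{
    for (size_t i = 0; i < sizeof kImages / sizeof kImages[0]; i++)
        if (strcmp(kImages[i].name, name) == 0) return &kImages[i];
    return NULL;
}

/* With no image name given, the first token of the command line is the image. */
static void first_token(const char *cmdline, char *out, size_t n)
{
    size_t i = 0;
    while (cmdline[i] && cmdline[i] != ' ' && i + 1 < n) { out[i] = cmdline[i]; i++; }
    out[i] = '\0';
}

/* Walks the Stage 1 decision tree. Returns the number of restarts; final_image
   receives the image Stage 1 settled on, *outcome how the walk ended. */
int stage1_resolve(const char *app_name, const char *cmdline, Stage1Env env,
                   char *final_image, size_t n, Outcome *outcome)
{
    char image[64];
    if (app_name) snprintf(image, sizeof image, "%s", app_name);
    else          first_token(cmdline, image, sizeof image);

    int restarts = 0;
    for (;;) {
        snprintf(final_image, n, "%s", image);   /* current image is visible on every exit path */
        const KnownImage *k = lookup_image(image);
        if (!k) { *outcome = OUTCOME_FAIL; return restarts; }

        const char *next = NULL;
        switch (k->kind) {
        case KIND_BATCH: next = "cmd.exe";   break;  /* batch file name becomes Cmd.exe's first parameter */
        case KIND_POSIX: next = "posix.exe"; break;
        case KIND_DLL:   *outcome = OUTCOME_FAIL; return restarts;
        case KIND_MSDOS:
        case KIND_WIN16:
            /* A usable shared VDM takes the image over and CreateProcess returns; a
               separate-VDM request or no usable VDM means Ntvdm.exe itself is started. */
            if (env.shared_vdm_usable && !(k->kind == KIND_WIN16 && env.separate_wow_vdm)) {
                *outcome = OUTCOME_SENT_TO_VDM; return restarts;
            }
            next = "ntvdm.exe"; break;
        default: /* KIND_WIN32_EXE: section object created; IFEO Debugger replaces the image */
            if (k->ifeo_debugger) { next = k->ifeo_debugger; break; }
            *outcome = OUTCOME_RUN; return restarts;
        }
        snprintf(image, sizeof image, "%s", next);
        restarts++;
    }
}

/* Convenience check used for the self-test: true when the walk ends as expected. */
bool stage1_check(const char *app, bool separate, bool usable,
                  const char *want_image, int want_restarts, Outcome want_outcome)
{
    char img[64]; Outcome o;
    Stage1Env env = { separate, usable };
    int r = stage1_resolve(app, NULL, env, img, sizeof img, &o);
    return r == want_restarts && o == want_outcome && strcmp(img, want_image) == 0;
}

int main(void)
{
    const char *names[] = {"app.exe", "build.bat", "dos.exe", "hooked.exe", "lib.dll", "ptool"};
    Stage1Env env = { false, false };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char img[64]; Outcome o;
        int r = stage1_resolve(names[i], NULL, env, img, sizeof img, &o);
        printf("%-10s -> %-10s restarts=%d outcome=%d\n", names[i], img, r, o);
    }
    return 0;
}
```

Running the walk for `hooked.exe` shows the property that matters in audits: the caller asked for one image and Stage 1 settles on another after a single restart, with nothing in the CreateProcess return value to say so.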

  41. Stage 2: Creating the Windows Executive Process Object1
  • What has been done so far: a valid Windows executable file has been found, and a section object created for it
  • Next: create the Windows executive process object, by calling NtCreateProcess

  42. Stage 2: Creating the Windows Executive Process Object2
  • Creating the executive process object has these substages:
    • Setting up the EPROCESS block
    • Creating the initial process address space
    • Initializing the kernel process block (KPROCESS)
    • Concluding the setup of the process address space
    • Completing the setup of the executive process object

  43. Stage 2A: Setting Up the EPROCESS Block1
  • Allocate and initialize the Windows EPROCESS block.
  • Inherit the process affinity mask from the parent process (the setting that ties the process to particular CPUs or cores).
  • Set the minimum and maximum working set size to PsMinimumWorkingSet and PsMaximumWorkingSet.
  • Set the new process's quota block to the address of its parent process's quota block, and increment the reference count for the parent's quota block.

  44. Stage 2A: Setting Up the EPROCESS Block2
  • Inherit the Windows device name space, which holds the definitions of the various device names.
  • Store the parent process's process ID in the InheritedFromUniqueProcessId field of the new process object.

  45. Stage 2A: Setting Up the EPROCESS Block3
  • Create the process's primary access token (the user identity information)
    • By default it is an exact duplicate of the parent process's primary token (inherited by copying)
    • If CreateProcessAsUser was called with a specific access token, the token is replaced at this stage

  46. Stage 2A: Setting Up the EPROCESS Block4
  • The process handle table is initialized
    • If the inherit-handles flag was specified, the parent process's inheritable handles are copied into the new process's handle table
  • Set the new process's exit status to STATUS_PENDING

  47. Stage 2B: Creating the Initial Process Address Space
  • Initial process address space pages:
    • Page directory
    • Hyperspace page
    • Working set list
  • Creation steps:
    • Page table entries are created in the appropriate page tables and point to the initial pages
    • The kernel variable MmTotalCommittedPages is decremented, and the same amount is added to MmProcessCommit
    • The system default minimum process working set size is deducted from MmResidentAvailablePages
    • The page table pages and the system cache are mapped into the process

  48. Stage 2C: Creating the Kernel Process Block
  • Initialization of the KPROCESS block
    • A pointer to a list of kernel threads
    • It also points to:
      • The process's page table directory
      • The total time the process's threads have executed
      • The process's default base-scheduling priority
      • The default processor affinity for the threads in the process
      • The initial value of the process default quantum, taken from the first entry in the systemwide quantum array

  49. Stage 2D: Concluding the Setup of the Process Address Space1
  • Virtual memory manager: sets the process's last trim time to the current time
    • The working set manager uses this value to determine when to initiate working set trimming
  • Memory manager: initializes the process's working set list
    • Page faults can now be taken

  50. Stage 2D: Concluding the Setup of the Process Address Space2
  • The section object is mapped into the new process's address space; the process section base address is set to the base address of the image
  • Ntdll.dll is mapped into the process
  • The systemwide national language support (NLS) tables are mapped into the process's address space
