Presentation topics: 1. Process internals  2. Thread internals  3. CreateProcess flow  4. Examining thread activity
Simplified Windows Architecture
- Executive: the base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication.
- Kernel: low-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization.
- Ntoskrnl.exe = Executive + Kernel
Windows Architecture
- Environment subsystems: originally three were provided: OS/2 (removed in Windows 2000), POSIX (removed in Windows XP), and Windows.
- Windows cannot run without the Windows subsystem (keyboard, mouse, display, ...).
- Subsystem DLLs: user applications cannot call Windows system services directly; they go through subsystem DLLs such as Kernel32.dll, Advapi32.dll, User32.dll, and Gdi32.dll.
Process internals
- Process-related data structures: a process is represented by an EPROCESS (executive process) block, together with pointers to various other process-related information.
- The Windows subsystem process (Csrss) maintains a parallel structure for each process that is executing a Windows program.
- The kernel-mode part of the Windows subsystem (Win32k.sys) has a per-process data structure.
- The EPROCESS block lives in the system address space. Exception: the PEB (Process Environment Block) referenced from EPROCESS lives in the process address space.
- The KPROCESS block stores the information the kernel needs for thread scheduling.
Process internals (cont'd)
[Figure: EPROCESS block and KPROCESS block]
Process internals (cont'd)
- PEB (Process Environment Block): stores additional information about the process object.
- Lives in the process address space.
- Holds the information that the image loader, the heap manager, and other Windows system DLLs need to modify from user mode.
- Cf. EPROCESS and KPROCESS are modified only in kernel mode.
Process internals (cont'd)
- Lab: Displaying the Format of an EPROCESS Block
- Lab: Using the Kernel Debugger !process Command
- Lab: Examining the PEB
Thread internals
- Thread-related data structures: a thread is represented by an ETHREAD (executive thread) block.
- The Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process.
- The kernel-mode part of the Windows subsystem (Win32k.sys) maintains a per-thread data structure.
- The ETHREAD block lives in the system address space. Exception: the TEB (Thread Environment Block) referenced from ETHREAD lives in the process address space.
Thread internals (cont'd)
- ETHREAD block (executive)
- KTHREAD block (kernel): information for scheduling and synchronization
Thread internals (cont'd)
- TEB (Thread Environment Block): stores context information for the image loader and various Windows DLLs (used in user mode).
Thread internals (cont'd)
- Lab: Displaying ETHREAD and KTHREAD Structures
- Lab: Using the Kernel Debugger !thread Command
- Lab: Examining the TEB
CreateProcess flow
- Windows process creation functions: CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW, or CreateProcessWithLogonW.
- A process is created in several stages across three parts of the OS: the Windows client-side library Kernel32.dll, the Windows executive, and the Windows subsystem process (Csrss).
- Many of the steps inside CreateProcess are concerned with setting up the virtual address space.
CreateProcess flow (cont'd)
1. Open the image file (.exe).
2. Create the Windows executive process object.
3. Create the initial thread (stack, context, and Windows executive thread object).
4. Notify the Windows subsystem about the new process.
5. Start execution of the initial thread.
6. Complete the initialization of the address space and begin execution of the program.
CreateProcess flow (cont'd)
Stage 1: Open the image file (.exe)
- If the given file is a Windows .exe, it is loaded and used directly.
- If it is not a Windows .exe, the Windows support image for it is located; the name is replaced with that image, and that image is opened.
- At the end of this stage, CreateProcess has opened a valid Windows executable file and created a section object to map it into the new process address space.
CreateProcess flow (cont'd)
Stage 2: Create the Windows executive process object
- The process object is created to run the image opened in stage 1.
- Steps inside the NtCreateProcess call:
  1. Setting up the EPROCESS block
  2. Creating the initial process address space
  3. Initializing the kernel process block (KPROCESS)
  4. Concluding the setup of the process address space
  5. Setting up the PEB
  6. Completing the setup of the executive process object
CreateProcess flow (cont'd)
Stage 3: Create the initial thread (stack, context, and Windows executive thread object)
- The thread needs a stack and a context in order to run. The stack size for the initial thread is taken from the image.
- NtCreateThread is called; its parameter is the PEB address. (This parameter will be used by the initialization code that runs in the context of this new thread, as described in stage 6.)
- The thread is created but left in a suspended state. (It is not resumed until the process initialization is complete, in stage 5.)
CreateProcess flow (cont'd)
Stage 4: Notify the Windows subsystem about the new process
- At this point, all the necessary executive process and thread objects have been created. Kernel32.dll next sends a message to the Windows subsystem containing:
  - Process and thread handles
  - Entries in the creation flags
  - ID of the process's creator
  - Flag indicating whether the process belongs to a Windows application (so that Csrss can determine whether or not to show the startup cursor)
CreateProcess flow (cont'd)
Stage 4: Notify the Windows subsystem about the new process (cont'd)
The Windows subsystem performs the following steps when it receives this message:
- CreateProcess duplicates a handle for the process and thread.
- The Csrss process block is allocated.
- The Csrss thread block is allocated and initialized.
- CreateProcess inserts the thread in the list of threads for the process.
- The count of processes in this session is incremented.
- The new process block is inserted into the list of Windows subsystem-wide processes.
- The per-process data structure used by the kernel-mode part of the Windows subsystem (W32PROCESS structure) is allocated and initialized.
- The application start cursor is displayed.
CreateProcess flow (cont'd)
Stage 5: Start execution of the initial thread
- At this point:
  - the process environment has been determined (stage 1);
  - resources for its threads to use have been allocated (stage 2);
  - the process has a thread (stage 3);
  - the Windows subsystem knows about the new process (stage 4).
- The initial thread is now resumed so that it can start running and perform the remainder of the process initialization work.
CreateProcess flow (cont'd)
Stage 6: Complete the initialization of the address space and begin execution of the program
- The new thread begins life running the kernel-mode thread startup routine (KiThreadStartup).
- It loads any required DLLs and calls the DLL entry points with the DLL_PROCESS_ATTACH function code.
- Finally, the image begins execution in user mode when the loader initialization returns to the user-mode APC dispatcher, which then calls the thread's start function that was pushed on the user stack.
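The state between stages 3 and 5 can be observed from user mode: creating a process with CREATE_SUSPENDED stops it exactly where stage 3 leaves it, with the executive process and thread objects built and the initial thread suspended, and ResumeThread is the stage 5 step. The script below is an added example, not from the slides or from any Windows component; it also illustrates the PEB slide, since the PEB (set up in stage 2, handed to the initial thread in stage 3) sits in the new process's own address space and its base can be queried with the documented NtQueryInformationProcess. Assumptions: Windows PowerShell 5.1 or later, notepad.exe on PATH as a harmless image to create, and the Win32 wrapper class name, which is my choice.

```powershell
# Added example, not part of the slides. Walks stages 3 and 5 of CreateProcess by hand.
# Assumes notepad.exe on PATH; the Win32 wrapper class and its member names are ours.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Win32 {
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO {
    public uint cb; public string lpReserved, lpDesktop, lpTitle;
    public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public ushort wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
  [StructLayout(LayoutKind.Sequential)]   // all fields IntPtr so the layout is right on x86 and x64
  public struct PROCESS_BASIC_INFORMATION {
    public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, InheritedFromUniqueProcessId; }
  [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
  public static extern bool CreateProcess(string app, System.Text.StringBuilder cmd, IntPtr pa, IntPtr ta,
    bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
  [DllImport("ntdll.dll")]
  public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref PROCESS_BASIC_INFORMATION pbi, int len, out int ret);
  [DllImport("kernel32.dll")] public static extern uint ResumeThread(IntPtr hThread);
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $sig
$si = New-Object 'Win32+STARTUPINFO'; $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object 'Win32+PROCESS_INFORMATION'
$CREATE_SUSPENDED = 0x4                                      # initial thread stays where stage 3 leaves it
$cmd = New-Object System.Text.StringBuilder 'notepad.exe'   # writable buffer: CreateProcessW may edit it
$ok = [Win32]::CreateProcess($null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, $CREATE_SUSPENDED,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) { throw "CreateProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
# Stage 3 state seen from user mode: the executive thread object exists, in Wait state, reason Suspended
$t = (Get-Process -Id $pi.dwProcessId).Threads | Where-Object { $_.Id -eq $pi.dwThreadId }
'PID {0} TID {1}: state={2} reason={3}' -f $pi.dwProcessId, $pi.dwThreadId, $t.ThreadState, $t.WaitReason
# The PEB built in stage 2 lives in the new process's own address space; ProcessBasicInformation
# (class 0) returns its base, the address NtCreateThread handed to the initial thread
$pbi = New-Object 'Win32+PROCESS_BASIC_INFORMATION'; $len = 0
$status = [Win32]::NtQueryInformationProcess($pi.hProcess, 0, [ref]$pbi,
        [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
'PEB base address: 0x{0:X}' -f $pbi.PebBaseAddress.ToInt64()
# Stage 5: resume the initial thread; ResumeThread returns the previous suspend count (1 here)
'ResumeThread previous suspend count: {0}' -f [Win32]::ResumeThread($pi.hThread)
[void][Win32]::CloseHandle($pi.hThread); [void][Win32]::CloseHandle($pi.hProcess)
```

Until ResumeThread runs, the process shows up in Process Explorer with a single thread in the Suspended wait reason, which is the same picture a monitoring tool or debugger sees for any process paused at this point of creation.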
Examining thread activity
- Examined with Process Explorer.
- What does it show? How many times each thread started executing during the refresh interval set in Process Explorer, and the thread stack.
- Lab: Using Process Explorer
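The same per-refresh view can be reproduced with a script: sample a process's threads twice, one refresh interval apart, and report which threads consumed CPU in between, which threads appeared during the interval, and each thread's current state and wait reason. This is an added example, not from the slides or from Process Explorer; the defaults (the current PowerShell process, a 1 s interval) and the function name are my choices. It uses the thread's accumulated kernel plus user time, because ProcessThread does not expose the context-switch count Process Explorer reads.

```powershell
# Added example, not part of the slides: a two-sample thread activity report in the spirit of
# Process Explorer's Threads tab. Defaults (this PowerShell process, 1000 ms) are constructed.
param([int]$ProcessId = $PID, [int]$RefreshMs = 1000)

function Get-ThreadSample([int]$Id) {
    $sample = @{}
    foreach ($t in [System.Diagnostics.Process]::GetProcessById($Id).Threads) {
        # WaitReason is only meaningful, and only readable, while the thread is in the Wait state
        $reason = if ($t.ThreadState -eq 'Wait') { $t.WaitReason } else { '-' }
        $sample[$t.Id] = [pscustomobject]@{
            Id           = $t.Id
            Cpu          = $t.TotalProcessorTime        # kernel + user time consumed so far
            State        = $t.ThreadState
            WaitReason   = $reason
            StartAddress = '0x{0:X}' -f $t.StartAddress.ToInt64()
        }
    }
    return $sample
}

$before = Get-ThreadSample $ProcessId
Start-Sleep -Milliseconds $RefreshMs
$after = Get-ThreadSample $ProcessId

# A thread present now but absent from the first sample was created during the interval;
# a thread that ran shows a positive CPU delta, an idle one shows 0
$rows = foreach ($id in $after.Keys) {
    $cur = $after[$id]
    $isNew = -not $before.ContainsKey($id)
    $prevCpu = if ($isNew) { [TimeSpan]::Zero } else { $before[$id].Cpu }
    [pscustomobject]@{
        TID          = $id
        StartAddress = $cur.StartAddress
        State        = $cur.State
        WaitReason   = $cur.WaitReason
        DeltaMs      = [math]::Round(($cur.Cpu - $prevCpu).TotalMilliseconds, 1)
        New          = $isNew
    }
}
$rows | Sort-Object DeltaMs -Descending | Format-Table -AutoSize
```

Threads that exited during the interval are simply absent from the second sample, so the report lists only threads that still exist at the end of the refresh.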
Glossary
- Process Working Set: The subset of a process's virtual address space that is resident and owned by the running process.
- System Working Set: The physical memory being used by the system cache, paged pool, pageable code in Ntoskrnl.exe, and pageable code in device drivers.
- Process: The virtual address space and control information necessary for the execution of a set of thread objects.
- Thread: An entity within a process that Windows schedules for execution. A thread includes the contents of a set of volatile registers representing the state of the processor; two stacks, one for the thread to use while executing in kernel mode and one for executing in user mode; a private storage area for use by subsystems, run-time libraries, and DLLs; and a unique identifier called a thread ID (also internally called a client ID).
- Process Affinity: The set of processors a thread is permitted to run on.
Glossary (cont'd)
- Section Object: An object that represents a block of memory that two or more processes can share. A section object can be mapped to the paging file or to another file on disk. The executive uses section objects to load executable images into memory, and the cache manager uses them to access data in a cached file. In the Windows subsystem, a section object is called a file-mapping object.
- Page Table Entry (PTE): An entry in a process's page table that contains the address to which the virtual address is mapped. The page can be in physical memory or it can be on disk.
- Page Table: A page of mapping information (made up of an array of page table entries) the operating system constructs that describes the location of the virtual pages in a process address space. Because Windows provides a private address space for each process, each process has its own set of process page tables to map that private address space, because the mappings will be different for each process. The page tables that describe system space are shared among all processes.
- Page Directory: A page the memory manager creates to map the location of all page tables for that process. Each process has a single page directory.
Glossary (cont'd)
- Hyperspace: A special region used to map the process working set list and to temporarily map other physical pages for such operations as zeroing a page on the free list (when the zero list is empty and a zero page is needed), invalidating page table entries in other page tables (such as when a page is removed from the standby list), and, on process creation, setting up a new process's address space.