Process Knowledge

-

____________________________________________________________________________________

 

When a process (program) is executed in Windows,

 

Windows creates a structure named EPROCESS in the kernel memory space to manage it,

 

and the ETHREAD structure is created together as many threads as the process uses.

 

 

And create substructures named PCB and TCB, respectively.

 

 

EPROCESS - PCB (Process Control Block)

ETHREAD  - TCB (Thread Control Block)

 

 

Since the above structures exist in the kernel area, they can only be accessed in kernel mode.

 

 

A structure called PEB TEB is also created in the user memory space for the purpose of obtaining

information easily in user mode (user program).

 

 

PEB: Process Environment Block

TEB: Thread Environment Block

 

 

 

PEB           TEB               (user memory)

---------------------------------------------------

EPROCESS|PCB  ETHREAD|TCB       (kernel memory)

 

 

 

 

 

You can use WinDbg's dt command to view the contents of the EPROCESS structure.

 

dt _eprocess

 

0x000 Pcb                        : _KPROCESS

0x0?? ProcessLock                : _EX_PUSH_LOCK

.

.

.

 

 

 

The first member variable named 'Pcb' of the EPROCESS structure is the KPROCESS (Kernel Process)

structure. (PCB)

 

KPROCESS = PCB

 

 

 

 

KPROCESS Structure (PCB)

 

The Peb member variable is a pointer to a PEB (Process Environment Block) structure.

 

0x1b0 Peb                    : Ptr32 _PEB

 

 

A structure containing information modified in user mode.

 

 

 

 

------------------------------------------------

 

Each Process has its own Handle Table.

 

Handle is the value returned by the CreateXXX(), OpenXXX()... functions.

 ex) CreateFile(), OpenFile(), CreateProcess(), ...

(value returned after creating or open kernel object)

 

Therefore, threads within the same process access the same kernel object with the corresponding

Handle value.

 

(Handle is the index value of the Handle table)

 

 

 

 

------------------------------------------------

 

Kernal Object & Handle given to usermode

 

Kernel object are block of memory in kernel space.

 

Therefore, it cannot be accessed from the user area, and the corresponding Handle value is given

to the user area, not the kernel object pointer.

 

In the user area, the kernel object is referred to and controlled through the Handle value.

 

Kernel objects are defined with a common header and their own individual body,

 

Major members of the common header

Kernel Object Name, Security Descriptor, Usage Count, ...

 

 

 

 

------------------------------------------------

 

API for kernel object control

 

 

Create

 

APIs for creating kernel objects are usually in the form of CreateXXX().

 

  ex) CreateThread()  CreateProcess()  CreateFile()  CreateEvent() ...

 

 

Open

 

OpenXXX()

 

Each time OpenXXX() call succeeds, the usage count of the object increases by 1.

 

 

Close

 

CloseHandle()

 

Whenever CloseHandle() is called successfully, the object's usage count is reduced by 1, and

discarded when it reaches 0.

 

 

 

 

------------------------------------------------

 

HANDLE Type is redefined as follows.

 

typedef void* HANDLE;

 

That is, HANDLE is void*

 

 

 

 

 

 

 

_____________________________________________________________________________________

easy explanation

 

 

Multiple programs are running on the computer at the same time. It must be managed by the operating

system. Managing this process, along with memory management, is one of the main tasks an operating

system must perform.

 

In order for the operating system to manage processes, it must create, store, and handle a lot of

information necessary for management.

 

A process has various information related to the process, and the operating system maintains

information blocks that record detailed information for each process in the kernel memory.

(kernel object).

 

One process has one or more execution blocks (or execution routines, execution units..) (Thread).

 

It can also be understood that several threads included in a program are grouped together and called

a 'process'.

 

 

 

 

 

 

______________________________________________________________________________

 

System Internals

System Internals (developer edition)

 

 

 

 

🢝🢝

 

 

Popular posts from this blog

CPU Architecture & Authority Control

-
Image
  General register designations.       ______________________________________________________________________________________________ Till physical address & authority control   ___________________________________________________________________________________________________   Segment Descriptor : 8 Byte size       Content      ___________________________________________________________________________________________________ Segment Descriptor Table       _asm  lgdt  [GDT]       GDTR       __________________________________________________________________________________________ x64    __________________________________________________________________________________________                     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ explains     Till RAM  & Authority control (of Intel Processor)             --------------------------------------------------------------------------------------------    Process  →   Segment Descriptor   →   Paging   →   RAM (physical address)          
Read more

Known DLLs

-
Image
Certain operating system-supplied DLLs get special treatment. These are called Known DLLs. Operating system always looks for them in the same directory HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs _____________________________________________________________________ LoadLibrary(“abc”)      : search “abc.dll” (normal search rules) LoadLibrary(“abc.dll”)  : search KnownDLLs Registry, ValueName “abc”     LoadLibrary() and LoadLibraryEx(), If you are passing a DLL name that includes the .dll extension like "abc.dll", search KnownDLLS Registry ValueName "abc" If you are passing a DLL name without the .dll extension like "abc", search "abc.dll" using the normal search rule. Known DLLs     Shows the values in the registry key below   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ KnownDLLs     __________________________________________________________________________________________________________
Read more

lua command (EnableLUA)

-
Image
Windows actually only grants limited privileges to administrator permission accounts.  You can remove these restrictions by opening the registry editor and specifying the EnableLUA value to 0. Even so, it doesn't seem like you're getting all the privileges  like a  Linux root account, but you can still use most of them. EnableLUA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System       If you type 'lua' in the System Internals command line, it shows the current value, If the current value is 1, you can enter 'lua off' to change it to 0. System Internals must be run with administrator privileges, and if the value changes, a reboot is requested. _____________________________________________________________________ lua off (0, false) :  set EnableLUA value to 0 lua on (1, true) :  set EnableLUA value to 1 lua code  :    code used lua kn  :    knowledge _____________________________________________________________________ cf) User Account C
Read more