Process Knowledge
____________________________________________________________________________________
When a process (program) is executed in Windows,
Windows creates a structure named EPROCESS in kernel memory to manage it,
and one ETHREAD structure for each thread the process uses.
Each of these contains a substructure, named PCB and TCB respectively.
EPROCESS - PCB (Process Control Block)
ETHREAD - TCB (Thread Control Block)
Since the above structures exist in the kernel area, they can only be accessed in kernel mode.
Structures called PEB and TEB are also created in user memory so that this information can be
obtained easily in user mode (by the user program).
PEB: Process Environment Block
TEB: Thread Environment Block
PEB TEB (user memory)
---------------------------------------------------
EPROCESS|PCB ETHREAD|TCB (kernel memory)
You can use WinDbg's dt command to view the contents of the EPROCESS structure.
dt _eprocess
0x000 Pcb : _KPROCESS
0x0?? ProcessLock : _EX_PUSH_LOCK
.
.
.
The first member of the EPROCESS structure, named 'Pcb', is the KPROCESS (Kernel Process)
structure; this is the PCB.
KPROCESS = PCB
KPROCESS Structure (PCB)
The Peb member variable is a pointer to a PEB (Process Environment Block) structure.
0x1b0 Peb : Ptr32 _PEB
A structure containing information modified in user mode.
------------------------------------------------
Each process has its own handle table.
A handle is the value returned by functions such as CreateXXX() and OpenXXX().
ex) CreateFile(), OpenFile(), CreateProcess(), ...
(the value returned after creating or opening a kernel object)
Therefore, threads within the same process access the same kernel object with the corresponding
Handle value.
(Handle is the index value of the Handle table)
------------------------------------------------
Kernel Objects & the Handle given to user mode
Kernel objects are blocks of memory in kernel space.
Therefore they cannot be accessed from the user area; the corresponding Handle value, not the
kernel object pointer, is what is given to the user area.
In the user area, the kernel object is referenced and controlled through the Handle value.
Kernel objects are defined with a common header and their own individual body.
Major members of the common header:
Kernel Object Name, Security Descriptor, Usage Count, ...
------------------------------------------------
API for kernel object control
Create
APIs for creating kernel objects are usually in the form of CreateXXX().
ex) CreateThread() CreateProcess() CreateFile() CreateEvent() ...
Open
OpenXXX()
Each time OpenXXX() call succeeds, the usage count of the object increases by 1.
Close
CloseHandle()
Whenever CloseHandle() is called successfully, the object's usage count is reduced by 1, and the
object is discarded when the count reaches 0.
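As an added worked example (not from these notes and not Windows code), the following C program is a simplified model of the mechanism described in the handle-table and API sections above: a handle is only an index into the owning process's table, OpenXXX() adds 1 to the object's usage count, CloseHandle() subtracts 1 and discards the object at 0, and closing a stale or invalid handle fails instead of reaching a freed object. The object name "MyEvent", TABLE_SIZE and all function names are constructed for this model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef void *HANDLE;   /* the redefinition the notes quote: user mode only ever receives this opaque value */
#define TABLE_SIZE 8
typedef struct { char name[16]; int usage_count; } KernelObject;  /* common header only; the body is omitted */
typedef struct { KernelObject *table[TABLE_SIZE]; } Process;      /* per-process handle table */
static KernelObject *directory[TABLE_SIZE];                       /* kernel namespace, searched by name */
/* A HANDLE is just an index into the owning process's table (+1 so that 0 means "invalid"), never the
 * object's kernel address. insert_handle stores obj in a free slot and adds 1 to its usage count. */
static HANDLE insert_handle(Process *p, KernelObject *obj) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (p->table[i] == NULL) { p->table[i] = obj; obj->usage_count++; return (HANDLE)(uintptr_t)(i + 1); }
    return NULL;        /* handle table full */
}
static KernelObject *find_object(const char *name) {              /* name lookup in the kernel namespace */
    for (int i = 0; i < TABLE_SIZE; i++)
        if (directory[i] && strcmp(directory[i]->name, name) == 0) return directory[i];
    return NULL;
}
/* CreateXXX(): allocate the object in "kernel memory", register its name, hand back a handle. */
HANDLE create_object(Process *p, const char *name) {
    int d = 0;
    while (d < TABLE_SIZE && directory[d] != NULL) d++;
    if (d == TABLE_SIZE || find_object(name)) return NULL;        /* namespace full or name already in use */
    KernelObject *obj = calloc(1, sizeof *obj);
    strncpy(obj->name, name, sizeof obj->name - 1);
    HANDLE h = insert_handle(p, obj);
    if (h) directory[d] = obj; else free(obj);                    /* handle table full: nothing was created */
    return h;
}
HANDLE open_object(Process *p, const char *name) {                /* OpenXXX(): success adds 1 to usage count */
    KernelObject *obj = find_object(name);
    return obj ? insert_handle(p, obj) : NULL;
}
/* CloseHandle(): clear the slot, drop the usage count by 1, discard the object when it reaches 0.
 * An invalid or already-closed handle returns 0 instead of touching a freed object. */
int close_handle(Process *p, HANDLE h) {
    int i = (int)(uintptr_t)h - 1;
    if (i < 0 || i >= TABLE_SIZE || p->table[i] == NULL) return 0;
    KernelObject *obj = p->table[i]; p->table[i] = NULL;
    if (--obj->usage_count > 0) return 1;
    for (int j = 0; j < TABLE_SIZE; j++) if (directory[j] == obj) directory[j] = NULL;
    free(obj);
    return 1;
}
int object_usage(const char *name) {   /* usage count as the kernel sees it, or -1 once the object is discarded */
    KernelObject *obj = find_object(name);
    return obj ? obj->usage_count : -1;
}
```

Two handles in the same process table refer to the same object, so the count only reaches 0 once both are closed; the second close of an already-closed handle is rejected, which is the behaviour a double-CloseHandle() bug relies on the real kernel to catch.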
------------------------------------------------
The HANDLE type is defined as follows.
typedef void* HANDLE;
That is, HANDLE is a void*.
_____________________________________________________________________________________
easy explanation
Multiple programs run on the computer at the same time, and they must be managed by the operating
system. Managing these processes, along with memory management, is one of the main tasks an operating
system must perform.
In order to manage processes, the operating system must create, store, and handle a great deal of
information needed for that management.
Each process has various information associated with it, and the operating system keeps a block
that records the detailed information for each process in kernel memory
(the kernel object).
One process has one or more execution units (execution blocks, execution routines, ...), called threads.
It can also be understood the other way round: several threads contained in a program are grouped
together and called a 'process'.
______________________________________________________________________________
System Internals (developer edition)