Windows Internals covering windows server 2008 and windows vista- P8

Windows Internals covering windows server 2008 and windows vista- P8: In this chapter, we’ll introduce the key Microsoft Windows operating system concepts andterms we’ll be using throughout this book, such as the Windows API, processes, threads, virtualmemory, kernel mode and user mode, objects, handles, security, and the registry.
Nội dung trích xuất từ tài liệu:
Windows Internals covering windows server 2008 and windows vista- P8 NtCreateUserProcess calls MmCreatePeb, which first maps the systemwide national language support (NLS) tables into the process’s address space. It next calls MiCreatePebOrTeb to allocate a page for the PEB and then initializes a number of fields, which are described in Table 5-7. However, if the image fi le specifi es explicit Windows version or affi nity values, this information replaces the initial values shown in Table 5-7. The mapping from image information fi elds to PEB fi elds is described in Table 5-8. If the image header characteristics IMAGE_FILE_UP_SYSTEM_ONLY fl ag is set (indicating that the image can run only on a uniprocessor system), a single CPU is chosen for all the threads in this new process to run on. The selection process is performed by simply cycling through the available processors—each time this type of image is run, the next processor is used. In this way, these types of images are spread evenly across the processors. 340Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. If the image specifi es an explicit processor affi nity mask (for example, a fi eld in the confi guration header), this value is copied to the PEB and later set as the default process affi nity mask . Stage 3F: Completing the Setup of the Executive Process Object (PspInsertProcess) Before the handle to the new process can be returned, a few final setup steps must be completed, which are performed by PspInsertProcess and its helper functions: 1. If systemwide auditing of processes is enabled (either as a result of local policy settings or group policy settings from a domain controller), the process’s creation is written to the Security event log. 2. If the parent process was contained in a job, the job is recovered from the job level set of the parent and then bound to the session of the newly created process. Finally, the new process is added to the job. 3. PspInsertProcess inserts the new process block at the end of the Windows list of active processes (PsActiveProcessHead). 4. The process debug port of the parent process is copied to the new child process, unless the NoDebugInherit flag is set (which can be requested when creating the process). If a debug port was specified, it is attached to the new process at this time. 5. Finally, PspInsertProcess notifies any registered callback routines, creates a handle for the new process by calling ObOpenObjectByPointer, and then returns this handle to the caller. 5.3.4 Stage 4: Creating the Initial Thread and Its Stack and Context At this point, the Windows executive process object is completely set up. It still has no thread, however, so it can’t do anything yet. It’s now time to start that work. Normally, the PspCreateThread routine is responsible for all aspects of thread creation and is called by NtCreateThread when a new thread is being created. However, because the initial thread is created internally by the kernel without user-mode input, the two helper routines that PspCreateThread relies on are used instead: PspAllocateThread and PspInsertThread. PspAllocateThread handles the actual creation and initialization of the executive thread object itself, while PspInsertThread handles the creation of the thread handle and security attributes and the call to KeStartThread to turn the executive object into a schedulable thread on the system. However, the thread won’t do anything yet—it is created in a suspended state and isn’t resumed until the process is completely initialized (as described in Stage 5). Note The thread parameter (which can’t be specified in CreateProcess but can be specified in CreateThread) is the address of the PEB. This parameter will be used by the initialization code that runs in the context of this new thread (as described in Stage 6). PspAllocateThread performs the following steps: 341Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 1 ...