6 장 process, thread ( 앞부분 ) 발표자 : 김미선. 발표주제 1.process 내부 2.thread...

6 장 Process, Thread ( 앞부분 )6 장 Process, Thread ( 앞부분 )

발표자 : 김미선

발표주제발표주제

1. Process 내부2. Thread 내부3. CreateProcess 흐름4. Thread Activity 검사

Simplified Windows ArchetectureSimplified Windows Archetecture

ExecutiveThe base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication.

Kernellow-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization.

Ntoskrnl.exe (Executive + Kernel)

Windows ArchetectureWindows Archetecture

Environment Subsystems원래 3 가지 제공

OS/2 (Windows2000 에서 삭제 )POSIX (Windows XP 에서 삭제 )Windows

Windows Subsystem 없이는 실행이 안됨 . (keyboard, mouse, display..)

Subsystem DLLsUser application 은 직접적으로 Windows system service 를 호출 할 수 없다 . Such as

Kernel32.dllAdvanapi32.dllUser32.dllGdi32.dll

Process 내부Process 내부

Process 관련 자료 구조EPROCESS(executive process) block 으로 표현그 외 process 와 연관된 여러가지 정보들의 포인터들로 구성 .the Windows subsystem process (Csrss) maintains a parallel structure that executes a Windows program. the kernel-mode part of the Windows subsystem (Win32k.sys) has a per-process data structure.

EPROCESS blockthe System Address Space 에 존재

예외 : EPROCESS 의 PEB(Process Environment Block) 는 the Process Address Space 에 존재

KPROCESS block 은 커널이 Thread Scheduling 할때 필요한 정보 저장

Process 내부 (cont’d)Process 내부 (cont’d)

EPROCESS block

KPROCESS block


PEB (Process Environment Block)

Process object 에 관한 추가 정보 저장the Process Address Space에 존재the image loader, the heap manager, and other Windows system DLLs 에 의해 user-mode 에서 수정할때 필요한 정보들 저장

Cf) EPROCESS, KPROCESS 는 kernel-mode 에서만 수정됨


실습 : Displaying the Format of an EPROCESS Block 실습 : Using the Kernel Debugger !process Command 실습 : Examining the PEB

Thread 내부Thread 내부

Thread 관련 자료 구조ETHREAD(executive thread) block 으로 표현the Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process.the kernelmode part of the Windows subsystem (Win32k.sys) maintains a per-thread data structure.

ETHREAD blockthe System Address Space 에 존재

예외 : ETHREAD 의 TEB(Thread Environment Block) 는 the Process Address Space 에 존재

Thread 내부 (cont’d)Thread 내부 (cont’d)

ETHREAD block (executive) KTHREAD block (Kernel)( 스케줄링과 동기화를 위한 정

보 )


TEB (Thread Environment Block)

The TEB stores context information for the image loader and various Windows DLLs. (for user-mode)


실습 : Displaying ETHREAD and KTHREAD Structures 실습 : Using the Kernel Debugger !thread Command 실습 : Examining the TEB

CreateProcess 흐름CreateProcess 흐름

Windows Process 생성 함수CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW, or CreateProcessWithLogonW

O/S 의 세부분에서 몇단계에 걸쳐 만들어짐the Windows client-side library Kernel32.dll, the Windows executive, and the Windows subsystem process (Csrss)

CreateProcess 함수 내부의 많은 단계들이 가상주소 공간을 설정하는 것과 관련

CreateProcess 흐름 (cont’d)CreateProcess 흐름 (cont’d)

1. Open the image file (.exe).2. Create the Windows executive process

object.3. Create the initial thread (stack, context, and

Windows executive thread object).4. Notify the Windows subsystem about the

new process.5. Start execution of the initial thread .6. Complete the initialization of the address

space and begin execution of the program.


1 단계 : Open the image file (.exe)주어진 파일이 Window 의 .exe 파일이면 직접 로딩하여 사용 Window 의 .exe 파일이 아니면 Windows Support Image 를 찾는다 .

찾아서 그 이름으로 바꾸고 그것을 open.CreateProcess has opened a valid Windows executable file and created a section object to map it into the new process address space.


2 단계 : Create the Windows executive process object

1 단계에서 열린 image 를 run 하기 위해 생성 .NtCreateProcess 호출

과정1. Setting up the EPROCESS block2. Creating the initial process address space3. Initializing the kernel process block (KPROCESS)4. Concluding the setup of the process address space 5. Setting up the PEB6. Completing the setup of the executive process object


3 단계 : Create the initial thread (stack, context, and Windows executive thread object)

Thread 가 실행될 stack 과 context 가 필요 .Initial Thread 가 사용할 Thread 의 크기는 image 에서 가져온다 .NtCreateThread 함수 호출parameter 는 PEB 주소이다 . (This parameter will be used by the initialization code that runs in the context of this new thread (as described in Stage 6) )생성되었지만 suspend 된 상태 . (5 단계 프로세스 초기화가 마치기 전까지는 resume 되지 않는다 .


4 단계 : Notify the Windows subsystem about the new process.

At this point, all the necessary executive process and thread objects have been created. Kernel32.dll next sends a message to the Windows subsystem.

Process and thread handlesEntries in the creation flagsID of the process's creatorFlag indicating whether the process belongs to a Windows application (so that Csrss can determine whether or not to show the startup cursor)


4 단계 : Notify the Windows subsystem about the new process. (cont’d)

The Windows subsystem performs the following steps when it receives this message:

CreateProcess duplicates a handle for the process and thread.The Csrss process block is allocated.The Csrss thread block is allocated and initialized.CreateProcess inserts the thread in the list of threads for the process.The count of processes in this session is incremented.The new process block is inserted into the list of Windows subsystemwide processes.The per-process data structure used by the kernel-mode part of the Windows subsystem (W32PROCESS structure) is allocated and initialized.The application start cursor is displayed.


5 단계 : Start execution of the Initial Thread.At this point..

the process environment has been determined. (1단계 )resources for its threads to use have been allocated. (2 단계 )process has a thread. (3 단계 )the Windows subsystem knows about the new process.(4 단계 )

the initial thread is now resumed so that it can start running and perform the remainder of the process initialization work


6 단계 : Complete the initialization of the address space and begin execution of the program.

The new thread begins life running the kernel-mode thread startup routine. (KiThreadStartup)Loads any required DLLs and calls the DLL entry points with the DLL_PROCESS_ ATTACH function code. Finally, the image begins execution in user mode when the loader initialization returns to the user mode APC dispatcher, which then calls the thread's start function that was pushed on the user stack.

Thread Activity 검사Thread Activity 검사

Process Explorer 를 사용하여 검사무엇을 ?

Process Explorer 에서 설정한 Refresh Time 동안 Thread 가 몇번이나 실행이 시작되었는지를 표시

Thread Stack

실습 : Process Explorer 사용

GlossaryGlossaryProcess Working Set

The subset of a process's virtual address space that is resident and owned by the running process.

System Working SetThe physical memory being used by the system cache, paged pool, pageable code in Ntoskrnl.exe, and pageable code in device drivers.

Process The virtual address space and control information necessary for the execution of a set of thread objects.

ThreadAn entity within a process that Windows schedules for execution. A thread includes the contents of a set of volatile registers representing the state of the processor; two stacks, one for the thread to use while executing in kernel mode and one for executing in user mode; a private storage area for use by subsystems, run-time libraries, and DLLs; and a unique identifier called a thread ID (also internally called a client ID).

Process AffinityThe set of processors a thread is permitted to run on.

Glossary (cont’d)Glossary (cont’d)

Section ObjectAn object that represents a block of memory that two or more processes can share. A section object can be mapped to the paging file or to another file on disk. The executive uses section objects to load executable images into memory, and the cache manager uses them to access data in a cached file. In the Windows subsystem, a section object is called a file-mapping object.

Page Table Entry (PTE)An entry in a process's page table that contains the address to which the virtual address is mapped. The page can be in physical memory or it can be on disk.

Page TableA page of mapping information (made up of an array of page table entries) the operating system constructs that describes the location of the virtual pages in a process address space. Because Windows provides a private address space for each process, each process has its own set of process page tables to map that private address space because the mappings will be different for each process. The page tables that describe system space are shared among all processes.

Page DirectoryA page the memory manager creates to map the location of all page tables for that process. Each process has a single page directory.

Glossary (cont’d)Glossary (cont’d)

HyperspaceA special region used to map the process working set list and to temporarily map other physical pages for such operations as zeroing a page on the free list (when the zero list is empty and a zero page is needed), invalidating page table entries in other page tables (such as when a page is removed from the standby list), and on process creation setting up a new process's address space.

6 장 process, thread ( 앞부분 ) 발표자 : 김미선. 발표주제 1.process 내부 2.thread...

Documents