
Processes, Threads And Jobs [Part-1]

18 years 1 month ago #15820 by FallenZer0
Hello All,

Program-X: Process-Y:

q:] What Creates the Process-Y?

q:] How does the Process-Y know what set of resources are used by Program-X while executing the instance of the Program-X?

I would appreciate it if you could describe your understanding of the above.


/Edit:

From what I've been reading about Processes, Threads and Jobs, this is a small update:

Each Windows Process is represented by Executive Process Block aka EPROCESS.

EPROCESS Block has the "Attributes" of the Process and other related Data Structures, like Kernel Process Block [KPROCESS], Process Environment Block [PEB], etc:

I wanted to see how the EPROCESS Block, KPROCESS Block and Process Environment Block Data Structures Look:

I downloaded Debugging Tools For Windows and started WinDbg.exe, in the Kernel Debugging Mode with my Symbol Path pointing to Microsoft's Symbol Server.

dt _EPROCESS Command dumps the EPROCESS data structure, dt _KPROCESS command dumps the Kernel Process Block and !process gives the address of the PEB.

So, I've seen the data structures of the above blocks. When I was looking at the Kernel Process Block, there were fields, for which I've no clue what they mean. So here I go:

q:] What is a Dispatcher?

q:] What is Resident Kernel Stack Count?

q:] What is a Default Thread Quantum?

q:] What is a Thread Seed?

In the Process Environment Block [PEB], the questions are:

q:] What is a Heap?


Pardon my lack of knowledge when it comes to Processes, Threads and Jobs. Someone might be thinking, why can't this guy/girl do a Google search? Yes, I can. But I'm interested in *YOUR* understanding of these concepts, and sometimes it is easier when someone explains it to you, rather than looking at a screen and reading it.


Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
18 years 1 month ago #15904 by FallenZer0
Hello All,

Updates:

q:] What Creates the Process-Y?

a:] Windows API Functions

'CreateProcess', 'CreateProcessAsUser', 'CreateProcessWithTokenW', and 'CreateProcessWithLogonW' are responsible for Process Creation.

'CreateProcess', creates a Process with the security context of the current logged on user.

'CreateProcessAsUser', aka RunAs, creates a Process with the security context of the user you choose to run the application as.

'CreateProcessWithTokenW' & 'CreateProcessWithLogonW', I'm yet to find out.


q:] How does the Process-Y know what set of resources are used by Program-X while executing the instance of the Program-X?

a:] Image FileName & Image Base Address are two Attribute Fields in the EPROCESS Block which would help the Process to know what set of resources are used by the Program.

Below are the stages in Process Creation:

Stage-1] Open EXE and Create Section Object:

Stage-2] Create Windows Process Object:

Stage-3] Create Windows Thread Object:

Stage-4] Notify Windows SubSystem:-->Windows SubSystem [Csrss]----> SetUp New Process And Thread

Stage-5] Start Execution Of The Initial Thread

Stage-6] Final Process/Image Initialization
>Start Execution At Entry To Image

In Stage-1, what I didn't understand was, What is a Section Object?

In Stage-2, What is a Windows Process Object?

As I read more, I'll update this thread. If anyone finds more information of this topic, I'll be glad if you could provide it here.

Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
18 years 1 month ago #15927 by TheBishop
Replied by TheBishop on topic Processes
This is useful stuff FallenZer0; I'm reading with interest
18 years 1 month ago #15930 by Rockape
Ouch! my head hurts :shock:
18 years 1 month ago #15945 by FallenZer0
Replied by FallenZer0 on topic Re: Processes

This is useful stuff FallenZer0; I'm reading with interest


Hi TheBishop:

The reason I started this thread was the details of this topic was a mystery to me. As I'm reading more, I'm learning, and finding how much depth there is to it.

Updates:

Stage-1:] Open EXE And Create Section Object:

If the executable file is a Windows '.exe', it is directly used in the 'createprocess'. However, if the Image is a non-Windows program such as POSIX, MS-DOS [.exe, .com or .pif extension], MS-DOS [.bat, .cmd extensions] or a Win16 Application, 'createprocess' goes through a series of steps to find a Windows Support Image to run it.

If the Image is a POSIX executable file, then the 'Posix.exe' Image will run and 'createprocess' restarts at Stage-1

If the Image is an MS-DOS [.exe, .com, .pif], then 'Ntvdm.exe' Image will run and 'createprocess' restarts at Stage-1

If the Image is an MS-DOS [.bat, .cmd], then 'Cmd.exe' Image will run and 'createprocess' restarts at Stage-1

If the Image is a Win16 Application, the 'Ntvdm.exe' Image will run and 'createprocess' restarts at Stage-1

I was wondering if anyone knows how to find the Virtual Address Space for a Process? I tried to attach to one of the Processes running on my machine using WinDbg.exe, but I couldn't find it. The reason I'm looking for the Virtual Address of the Process is I would like to do Virtual Address Translation to the Physical Memory. This would be for a non-PAE x86 machine.

I'll post the answers to the questions in this thread as I move forward. I did not forget about them.

Any help would be greatly appreciated & I'll post the updates.



Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
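The virtual-to-physical translation asked about above, for a non-PAE x86 machine, as an added worked example (not code from any post in this thread): the 32-bit virtual address is split into a 10-bit page-directory index, a 10-bit page-table index and a 12-bit offset, and the two-level walk below also handles the 4 MiB large-page case (PS bit in the PDE), which the post did not ask about. The page directory and page table contents are constructed for the example; on a real machine the directory's physical base comes from CR3 and each level would be read from physical memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Non-PAE x86 paging: a 32-bit virtual address splits into
 * bits 31..22 = page-directory index (PDE), bits 21..12 = page-table
 * index (PTE), bits 11..0 = byte offset within a 4 KiB page.
 * Bit 0 of a PDE/PTE is Present; bit 7 of a PDE is PS (4 MiB page). */
#define P_PRESENT  0x001u
#define PDE_PS     0x080u

/* Constructed stand-ins for one page directory and one page table
 * (values invented for this example, not taken from a real dump). */
static const uint32_t page_table_0[1024] = {
    [0x10] = 0x00ABC000u | P_PRESENT,   /* virtual 0x00010xxx -> phys 0x00ABCxxx */
};
static const uint32_t page_directory[1024] = {
    [0] = 0x00100000u | P_PRESENT,               /* page table lives at phys 0x00100000 */
    [1] = 0x01000000u | PDE_PS | P_PRESENT,      /* 4 MiB page: 0x00400000.. -> 0x01000000.. */
};

/* Stand-in for "read the page table stored at this physical frame". */
static const uint32_t *table_at(uint32_t phys) {
    return phys == 0x00100000u ? page_table_0 : NULL;
}

/* Walks the two-level table; returns the physical address, or -1 if the
 * PDE or PTE is not present (a real CPU would raise a page fault here). */
int64_t translate(uint32_t vaddr) {
    uint32_t pde = page_directory[vaddr >> 22];
    if (!(pde & P_PRESENT)) return -1;
    if (pde & PDE_PS)                         /* large page: no second level */
        return (int64_t)((pde & 0xFFC00000u) | (vaddr & 0x003FFFFFu));
    const uint32_t *pt = table_at(pde & 0xFFFFF000u);
    if (!pt) return -1;
    uint32_t pte = pt[(vaddr >> 12) & 0x3FFu];
    if (!(pte & P_PRESENT)) return -1;
    return (int64_t)((pte & 0xFFFFF000u) | (vaddr & 0xFFFu));
}

int main(void) {
    uint32_t samples[] = { 0x00010ABCu, 0x00512345u, 0x00011000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t p = translate(samples[i]);
        if (p < 0) printf("0x%08X -> not present\n", samples[i]);
        else       printf("0x%08X -> 0x%08llX\n", samples[i], (unsigned long long)p);
    }
    return 0;
}
```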
18 years 1 month ago #15949 by Phruis
Good stuff.