Chapter 6: Process, Thread (Part 1)



  1. Chapter 6: Process, Thread (Part 1) Presenter: 김미선

  2. Topics • Inside a process • Inside a thread • The flow of CreateProcess • Examining thread activity

  3. Simplified Windows Architecture • Executive • The base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication. • Kernel • Low-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization. • Ntoskrnl.exe (Executive + Kernel)

  4. Windows Architecture • Environment Subsystems • Originally three were provided: • OS/2 (removed in Windows 2000) • POSIX (removed in Windows XP) • Windows • Nothing can run without the Windows subsystem, which owns the keyboard, mouse, display, etc. • Subsystem DLLs • A user application cannot call Windows system services directly; it goes through the subsystem DLLs. • Such as • Kernel32.dll • Advapi32.dll • User32.dll • Gdi32.dll

  5. Inside a process • Process data structures • A process is represented by the EPROCESS (executive process) block • It also holds pointers to a number of other structures carrying process-related information. • The Windows subsystem process (Csrss) maintains a parallel structure for each process that executes a Windows program. • The kernel-mode part of the Windows subsystem (Win32k.sys) has a per-process data structure. • EPROCESS block • Lives in the system address space • Exception: the PEB (Process Environment Block) that EPROCESS points to lives in the process address space • The KPROCESS block stores the information the kernel needs for thread scheduling

  6. Inside a process (cont'd) [figure: layout of the EPROCESS block and the embedded KPROCESS block]

  7. Inside a process (cont'd) • PEB (Process Environment Block) • Stores additional information about the process object • Lives in the process address space • Holds the information that the image loader, the heap manager, and other Windows system DLLs need to read and modify from user mode • Cf. EPROCESS and KPROCESS are modified only in kernel mode

  8. Inside a process (cont'd) • Lab: Displaying the format of an EPROCESS block • Lab: Using the kernel debugger !process command • Lab: Examining the PEB

  9. Inside a thread • Thread data structures • A thread is represented by the ETHREAD (executive thread) block • The Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process. • The kernel-mode part of the Windows subsystem (Win32k.sys) maintains a per-thread data structure. • ETHREAD block • Lives in the system address space • Exception: the TEB (Thread Environment Block) that ETHREAD points to lives in the process address space

  10. Inside a thread (cont'd) [figure: the KTHREAD block (kernel; scheduling and synchronization information) embedded in the ETHREAD block (executive)]

  11. Inside a thread (cont'd) • TEB (Thread Environment Block) • The TEB stores context information for the image loader and various Windows DLLs (used from user mode).

  12. Inside a thread (cont'd) • Lab: Displaying the ETHREAD and KTHREAD structures • Lab: Using the kernel debugger !thread command • Lab: Examining the TEB

  13. The flow of CreateProcess • Windows process-creation functions • CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW, or CreateProcessWithLogonW • A process is created in several stages spread across three parts of the OS: • the Windows client-side library Kernel32.dll, the Windows executive, and the Windows subsystem process (Csrss) • Many of the steps inside CreateProcess are concerned with setting up the new virtual address space

  14. The flow of CreateProcess (cont'd) • Stage 1: Open the image file (.exe). • Stage 2: Create the Windows executive process object. • Stage 3: Create the initial thread (stack, context, and Windows executive thread object). • Stage 4: Notify the Windows subsystem about the new process. • Stage 5: Start execution of the initial thread. • Stage 6: Complete the initialization of the address space and begin execution of the program.

  15. The flow of CreateProcess (cont'd) • Stage 1: Open the image file (.exe) • If the given file is a Windows .exe, it is opened and used directly • If it is not a Windows .exe, CreateProcess looks up the Windows support image for that image type • It substitutes that image's name and opens it instead • At the end of this stage, CreateProcess has opened a valid Windows executable file and created a section object to map it into the new process address space.

  16. The flow of CreateProcess (cont'd) • Stage 2: Create the Windows executive process object • Created to run the image opened in Stage 1. • NtCreateProcess is called • Sub-steps • Setting up the EPROCESS block • Creating the initial process address space • Initializing the kernel process block (KPROCESS) • Concluding the setup of the process address space • Setting up the PEB • Completing the setup of the executive process object

  17. The flow of CreateProcess (cont'd) • Stage 3: Create the initial thread (stack, context, and Windows executive thread object) • The thread needs a stack and a context before it can run. • The stack size for the initial thread is taken from the image header. • NtCreateThread is called • One parameter is the PEB address (this parameter is used by the initialization code that runs in the context of the new thread, as described in Stage 6) • The thread is created in the suspended state; it is not resumed until Stage 5, after process initialization is complete.

  18. The flow of CreateProcess (cont'd) • Stage 4: Notify the Windows subsystem about the new process. • At this point, all the necessary executive process and thread objects have been created. • Kernel32.dll next sends a message to the Windows subsystem containing: • Process and thread handles • Entries in the creation flags • ID of the process's creator • Flag indicating whether the process belongs to a Windows application (so that Csrss can determine whether or not to show the startup cursor)

  19. The flow of CreateProcess (cont'd) • Stage 4: Notify the Windows subsystem about the new process. (cont'd) • The Windows subsystem performs the following steps when it receives this message: • Csrss duplicates the process and thread handles. • The Csrss process block is allocated. • The Csrss thread block is allocated and initialized. • The thread is inserted in the list of threads for the process. • The count of processes in this session is incremented. • The new process block is inserted into the list of Windows subsystem-wide processes. • The per-process data structure used by the kernel-mode part of the Windows subsystem (the W32PROCESS structure) is allocated and initialized. • The application start cursor is displayed.

  20. The flow of CreateProcess (cont'd) • Stage 5: Start execution of the initial thread. • At this point: • the process environment has been determined (Stage 1) • resources for its threads to use have been allocated (Stage 2) • the process has a thread (Stage 3) • the Windows subsystem knows about the new process (Stage 4) • The initial thread is now resumed so that it can start running and perform the remainder of the process initialization work

  21. The flow of CreateProcess (cont'd) • Stage 6: Complete the initialization of the address space and begin execution of the program. • The new thread begins life running the kernel-mode thread startup routine (KiThreadStartup). • In user mode, loader initialization loads any required DLLs and calls the DLL entry points with the DLL_PROCESS_ATTACH function code. • Finally, the image begins execution in user mode when the loader initialization returns to the user-mode APC dispatcher, which then calls the thread's start function that was pushed on the user stack.

  22. The flow of CreateProcess (cont'd)
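Stages 1 and 3 above both depend on fields in the image's PE header: Stage 1 decides whether the file is a Windows executable (or whether a support image has to be substituted), and Stage 3 takes the initial thread's stack size from the image. The following C is an added example, not code from the slides or from Windows Internals; it parses exactly those fields from a constructed in-memory PE header and runs on any host. Field offsets follow the PE/COFF specification. The subsystem policy in `stage1_classify` is a deliberate simplification and an assumption: only the Windows GUI/CUI subsystems are treated as "run directly", and everything else is lumped into "needs a support image", which ignores the real loader's handling of native, 16-bit and batch images.

```c
/* Added example (not from the slides or from Windows Internals): parses the PE
 * header fields that CreateProcess Stage 1 and Stage 3 depend on, in portable C
 * against a constructed header. Offsets follow the PE/COFF specification; the
 * subsystem policy in stage1_classify is a simplification (assumption). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
#define IMAGE_SUBSYSTEM_POSIX_CUI   7
#define PE32_MAGIC  0x10b
#define PE32P_MAGIC 0x20b

typedef struct {
    uint16_t subsystem;     /* IMAGE_OPTIONAL_HEADER.Subsystem (Stage 1 decision) */
    uint64_t stack_reserve; /* SizeOfStackReserve: initial thread's stack size (Stage 3) */
    uint32_t entry_rva;     /* AddressOfEntryPoint */
    int      is_pe32plus;
} image_info_t;

typedef enum { IMG_RUN_DIRECT, IMG_NEEDS_SUPPORT_IMAGE, IMG_REJECT } stage1_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 0 on success or a negative code for a malformed image. Every read is
 * bounds-checked against len: at this point the file is still untrusted input. */
int inspect_image(const uint8_t *img, size_t len, image_info_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;   /* no DOS header */
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return -2;   /* e_lfanew out of range */
    const uint8_t *pe = img + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -3;                    /* not a PE image */
    const uint8_t *coff = pe + 4;
    uint16_t opt_size = rd16(coff + 16);                            /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    if ((size_t)(opt - img) + opt_size > len) return -4;            /* optional header truncated */
    uint16_t magic = rd16(opt);
    if (magic == PE32_MAGIC) {
        if (opt_size < 96) return -5;          /* PE32 fixed fields occupy 96 bytes */
        out->is_pe32plus = 0;
        out->stack_reserve = rd32(opt + 72);   /* 4-byte SizeOfStackReserve */
    } else if (magic == PE32P_MAGIC) {
        if (opt_size < 112) return -5;         /* PE32+ fixed fields occupy 112 bytes */
        out->is_pe32plus = 1;
        out->stack_reserve = rd64(opt + 72);   /* 8-byte SizeOfStackReserve */
    } else {
        return -6;                             /* unknown optional-header magic */
    }
    out->entry_rva = rd32(opt + 16);           /* same offset in PE32 and PE32+ */
    out->subsystem = rd16(opt + 68);           /* same offset in PE32 and PE32+ */
    return 0;
}

/* Stage 1 policy from the slides: a Windows-subsystem image is opened and mapped
 * directly; a non-Windows image makes CreateProcess look up a support image.
 * Simplified (assumption): native, 16-bit and batch images are not distinguished. */
stage1_t stage1_classify(const uint8_t *img, size_t len, image_info_t *info)
{
    if (inspect_image(img, len, info) != 0) return IMG_REJECT;
    switch (info->subsystem) {
    case IMAGE_SUBSYSTEM_WINDOWS_GUI:
    case IMAGE_SUBSYSTEM_WINDOWS_CUI: return IMG_RUN_DIRECT;
    default:                         return IMG_NEEDS_SUPPORT_IMAGE;
    }
}

/* Builds a constructed, minimal PE32 header (sample input, not a real binary):
 * DOS stub, PE signature, COFF header and a 96-byte optional header. */
size_t build_test_image(uint8_t *buf, size_t cap, uint16_t subsystem, uint32_t stack_reserve)
{
    const size_t need = 0x40 + 4 + 20 + 96;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                               /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    coff[0] = 0x4c; coff[1] = 0x01;                 /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 96;                                  /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                   /* Magic = PE32 */
    opt[17] = 0x10;                                 /* AddressOfEntryPoint = 0x1000 */
    opt[68] = (uint8_t)subsystem; opt[69] = (uint8_t)(subsystem >> 8);
    for (int i = 0; i < 4; i++) opt[72 + i] = (uint8_t)(stack_reserve >> (8 * i));
    return need;
}

int main(void)
{
    uint8_t buf[256]; image_info_t info;
    size_t n = build_test_image(buf, sizeof buf, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x100000u);
    stage1_t d = stage1_classify(buf, n, &info);
    printf("decision=%d subsystem=%u stack_reserve=0x%llx entry=0x%x\n",
           (int)d, info.subsystem, (unsigned long long)info.stack_reserve, info.entry_rva);
    return 0;
}
```

The bounds checks are the part worth copying: `e_lfanew` and `SizeOfOptionalHeader` come straight from the file, and a loader that trusts them reads past the mapping on a crafted image.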

  23. Examining thread activity • Examined with Process Explorer • What does it show? • For each thread, how many times it was switched in to run during the refresh interval configured in Process Explorer (the context-switch delta) • Thread stack • Lab: Using Process Explorer

  24. Glossary • Process Working Set • The subset of a process's virtual address space that is resident and owned by the running process. • System Working Set • The physical memory being used by the system cache, paged pool, pageable code in Ntoskrnl.exe, and pageable code in device drivers. • Process • The virtual address space and control information necessary for the execution of a set of thread objects. • Thread • An entity within a process that Windows schedules for execution. A thread includes the contents of a set of volatile registers representing the state of the processor; two stacks, one for the thread to use while executing in kernel mode and one for executing in user mode; a private storage area for use by subsystems, run-time libraries, and DLLs; and a unique identifier called a thread ID (also internally called a client ID). • Process Affinity • The set of processors a thread is permitted to run on.

  25. Glossary (cont’d) • Section Object • An object that represents a block of memory that two or more processes can share. A section object can be mapped to the paging file or to another file on disk. The executive uses section objects to load executable images into memory, and the cache manager uses them to access data in a cached file. In the Windows subsystem, a section object is called a file-mapping object. • Page Table Entry (PTE) • An entry in a process's page table that contains the address to which the virtual address is mapped. The page can be in physical memory or it can be on disk. • Page Table • A page of mapping information (made up of an array of page table entries) the operating system constructs that describes the location of the virtual pages in a process address space. Because Windows provides a private address space for each process, each process has its own set of process page tables to map that private address space because the mappings will be different for each process. The page tables that describe system space are shared among all processes. • Page Directory • A page the memory manager creates to map the location of all page tables for that process. Each process has a single page directory.

  26. Glossary (cont’d) • Hyperspace • A special region used to map the process working set list and to temporarily map other physical pages for such operations as zeroing a page on the free list (when the zero list is empty and a zero page is needed), invalidating page table entries in other page tables (such as when a page is removed from the standby list), and on process creation setting up a new process's address space.
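The glossary's Page Directory, Page Table and PTE entries describe a two-level translation; on 32-bit non-PAE x86 the virtual address splits into 10 page-directory bits, 10 page-table bits and a 12-bit page offset. The following C is an added example, not from the slides, that simulates that walk over a constructed page directory and page tables and checks the present, write and user bits the way the processor does. The present/write/user bit positions follow the x86 PTE format; the "table id stored in the PDE" scheme is a simulation convenience and an assumption, since a real PDE holds the physical frame number of the page table.

```c
/* Added example (not from the slides): two-level x86 (non-PAE, 4 KB pages)
 * page walk over a constructed page directory and page tables. Windows uses
 * this exact layout only on 32-bit non-PAE systems; PAE and x64 add levels. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u
#define PTE_USER    0x4u
#define PFN_MASK    0xFFFFF000u

enum { PD_ENTRIES = 1024, PT_ENTRIES = 1024 };

/* Index decomposition of a 32-bit virtual address: 10 PD bits, 10 PT bits, 12 offset bits. */
static uint32_t pd_index(uint32_t va)    { return va >> 22; }
static uint32_t pt_index(uint32_t va)    { return (va >> 12) & 0x3ff; }
static uint32_t page_offset(uint32_t va) { return va & 0xfff; }

typedef struct {
    uint32_t pd[PD_ENTRIES];              /* one page directory per process */
    uint32_t pt[PD_ENTRIES][PT_ENTRIES];  /* simulated page tables, selected by the PDE's "PFN" field */
} addr_space_t;

typedef enum { XLATE_OK, XLATE_PDE_NOT_PRESENT, XLATE_PTE_NOT_PRESENT, XLATE_ACCESS_DENIED } xlate_t;

/* Walk: PD[pd_index] -> page table -> PTE -> physical page | offset. The present
 * bit is checked at each level; rights are the intersection of PDE and PTE bits. */
xlate_t translate(const addr_space_t *as, uint32_t va, int want_write, int from_user, uint32_t *pa)
{
    uint32_t pde = as->pd[pd_index(va)];
    if (!(pde & PTE_PRESENT)) return XLATE_PDE_NOT_PRESENT;
    uint32_t pt_id = (pde & PFN_MASK) >> PAGE_SHIFT;   /* simulation: PDE "PFN" is a table id */
    if (pt_id >= PD_ENTRIES) return XLATE_PDE_NOT_PRESENT;
    uint32_t pte = as->pt[pt_id][pt_index(va)];
    if (!(pte & PTE_PRESENT)) return XLATE_PTE_NOT_PRESENT;
    uint32_t perms = pde & pte;
    if (want_write && !(perms & PTE_WRITE)) return XLATE_ACCESS_DENIED;
    if (from_user && !(perms & PTE_USER))   return XLATE_ACCESS_DENIED;   /* kernel-only page */
    *pa = (pte & PFN_MASK) | page_offset(va);
    return XLATE_OK;
}

/* Map one 4 KB page. A page table is "allocated" (table id = pd index) the first
 * time its PDE is touched; the PDE itself is left permissive so the PTE decides. */
void map_page(addr_space_t *as, uint32_t va, uint32_t pfn, uint32_t flags)
{
    uint32_t pdi = pd_index(va);
    if (!(as->pd[pdi] & PTE_PRESENT))
        as->pd[pdi] = (pdi << PAGE_SHIFT) | PTE_PRESENT | PTE_WRITE | PTE_USER;
    uint32_t pt_id = (as->pd[pdi] & PFN_MASK) >> PAGE_SHIFT;
    as->pt[pt_id][pt_index(va)] = (pfn << PAGE_SHIFT) | PTE_PRESENT | flags;
}

int main(void)
{
    addr_space_t *as = calloc(1, sizeof *as);   /* 4 MB of tables: heap, not stack */
    uint32_t pa = 0;
    map_page(as, 0x00401000u, 0x12345u, PTE_WRITE | PTE_USER);   /* user RW page */
    map_page(as, 0x80001000u, 0x00077u, PTE_WRITE);              /* kernel-only page */
    xlate_t r = translate(as, 0x00401abcu, 0, 1, &pa);
    printf("0x00401abc -> result=%d pa=0x%08x\n", (int)r, pa);
    r = translate(as, 0x80001000u, 0, 1, &pa);
    printf("0x80001000 from user -> result=%d (3 = access denied)\n", (int)r);
    free(as);
    return 0;
}
```

The second lookup in `main` is the point of the glossary's remark that system-space page tables are shared: a user-mode access to a page mapped without the user bit fails at the PTE, which is how the kernel half of the address space stays inaccessible even though every process's page directory maps it.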
