Open System--double-click the program you want to run--exe to start execution
Step One:
When the system starts, create a process: Explorer.exe (that is, the desktop process)
Step Two:
When the user double-clicks on an EXE, the Explorer process uses the CreateProcess function to create the EXE that is double-clicked, that is, we on the desktop double
The processes created by the Click are child processes of the explorer process.
CreateProcess1 Creating a Kernel object 2 allocating 4GB of virtual space (Windows 32-bit) 3 The main thread of the creation processBOOL CreateProcess( LPCTSTR lpApplicationName, // name of executable module LPTSTR lpCommandLine, // command line string LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD BOOL bInheritHandles, // handle inheritance option DWORD dwCreationFlags, // creation flags LPVOID lpEnvironment, // new environment block LPCTSTR lpCurrentDirectory, // current directory name LPSTARTUPINFO lpStartupInfo, // startup information LPPROCESS_INFORMATION lpProcessInformation // process information);
When the process space is created, the EXE and the DLLs in the import table are loaded correctly, and a thread is created.
When the thread gets the CPU, the program is pointing at the beginning, and the EIP's initial value is set to: Imagebase+oep.
HANDLE CreateThread( PSECURITY_ATTRIBUTES psa, DWORD cbStack, PTHREAD_START_ROUTINE pfnStartAddr, PVOID pvParam, DWORD fdwCreate, PDWORD pdwThreadID);
When the process is created successfully, the process handle, the main thread handle, the process ID, and the main thread ID are stored in the following structure:
typedef struct _PROCESS_INFORMATION{ HANDLE hProcess; //进程句柄 HANDLE hThread; //主线程句柄 DWORD dwProcessId; //进程ID DWORD dwThreadId; //线程ID} PROCESS_INFORMATION;
That is, the last out parameter of CreateProcess
By this, the entire process creation is over.
About handles and IDs1, is a system allocation of a number, handle is the client program using the ID is mainly used when the system is scheduled.
2, call CloseHandle shutdown process or thread handle, just let the kernel counter to reduce one, not terminate the process or thread. The process or thread will continue to run until it terminates itself.
3, process ID and thread ID are not the same. But do not manipulate processes or threads through the process or thread ID, because this number is reused, that is, when you access a process by id=100 this number, it is over, and the system assigns the number to another process or thread.
2.2 Get the exit code for the process:VOID ExitProcess(UINT fuExitCode) //进程自己调用BOOL TerminateProcess(HANDLE hProcess, UINT fuExitCode); //终止其他进程ExitThread //终止进程中的所有线程,进程也会终止
BOOL GetExitCodeProcess(HANDLE hProcess,PDWORD pdwExitCode);
Related actions when the process terminates:
1. All remaining threads in the process are terminated.
2. All user objects specified by the process are freed and all kernel objects are closed
3. The status of the process kernel object becomes the status of receiving notification
4, the process kernel object usage count decrements 1
3.2 Inheritance of handleschar szBuffer[256] = {0};memcpy(szBuffer,argv[1],8);DWORD dwHandle = 0;sscanf(szBuffer,"%x",&dwHandle);printf("%s\n",argv[0]);printf("%x\n",dwHandle);getchar();
Code in Process a:
char szBuffer[256] = {0};char szHandle[8] = {0};//若要创建能继承的句柄,父进程必须指定一个SECURITY_ATTRIBUTES结构并对它进行初始化//三个成员的意义:大小、默认安全属性、是否可以继承SECURITY_ATTRIBUTES sa;sa.nLength = sizeof(sa);sa.lpSecurityDescriptor = NULL;sa.bInheritHandle = TRUE;//创建一个可以被继承的内核对象HANDLE g_hEvent = CreateEvent(&sa, TRUE, FALSE, NULL);//组织命令行参数sprintf(szHandle,"%x",g_hEvent);sprintf(szBuffer,"C:/z2.exe %s",szHandle);//定义创建进程需要用的结构体STARTUPINFO si = {0};PROCESS_INFORMATION pi;si.cb = sizeof(si);//创建子进程BOOL res = CreateProcess( NULL, szBuffer, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);//设置事件为已通知SetEvent(g_hEvent);//关闭句柄 内核对象是否会被销毁?CloseHandle(g_hEvent);
Code in Process B:
4 Create a process in a pending fashion by creating a process 4.1 in a suspended manner, observing the result after creationchar szBuffer[256] = {0};memcpy(szBuffer,argv[1],8);DWORD dwHandle = 0;sscanf(szBuffer,"%x",&dwHandle);printf("%s\n",argv[0]);printf("%x\n",dwHandle);HANDLE g_hEvent = (HANDLE)dwHandle;printf("开始等待.....\n");WaitForSingleObject(g_hEvent, INFINITE); //当事件变成已通知时DWORD dwCode = GetLastError();printf("等到消息.....%x\n",dwCode);getchar();
4.2 Create a process in a pending way to get the imagebase and addressofentrypoint of the processSTARTUPINFO ie_si = {0}; PROCESS_INFORMATION ie_pi; ie_si.cb = sizeof(ie_si); TCHAR szBuffer[256] = "C:\\notepad.exe"; CreateProcess( NULL, szBuffer, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &ie_si, &ie_pi );//恢复执行ResumeThread(ie_pi.hThread);
Startupinfo Ie_si = {0}; Process_information Ie_pi; IE_SI.CB = sizeof (IE_SI); Create a process in a suspended manner TCHAR szbuffer[256] = "C:\\ipmsg.exe"; CreateProcess (NULL,//Name of executable module szbuffer,//Command Li NE string null, NULL, FALSE,//Handle inheritance option create_suspended, Creation flags NULL,//new environment block NULL,//Current Direct Ory name &ie_si,//Startup information &IE_PI//process information ); CONTEXT Contx; Contx. Contextflags = Context_full; GetThreadContext (Ie_pi.hthread, &contx); Gets the entry point DWORD Dwentrypoint = Contx. Eax; Gets imagebase char* baseaddress = (char *) contx. Ebx+8; memset (szbuffer,0,256); ReadProcessMemory (IE_PI.Hprocess,baseaddress,szbuffer,4,null); ResumeThread (Ie_pi.hthread);0 Base Reverse engineering 39_win32_13_ process Creation _ Handle Table _ Suspend method creation process
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
