About the process of the Windows creation process

Before hearing someone else's interview question is to ask the system to create the process of the specific process is what, the first thought is CreateProcess, but for the specific process is not very clear, today tidy up.

From the operating system's perspective,

To create a process step:
1. Application Process block
2. Allocating memory resources to processes
3. Initialize the process block
4. Link the process block into the ready queue

The knowledge in the textbook ...

From the specific process of CreateProcess:

CreateProcess It first creates an execution-body process object, the Eprocess object, then creates an initial thread, builds a stack for the initial thread, and sets its initial execution environment. Once this is done, the thread can participate in the thread scheduling of the system. However, processes created through Windows API functions are also subject to the management of the Windows subsystem, in which case only the kernel portion of the work is not enough, and the system needs to deal with the subsystem during the process of creating the process. In addition, a separate memory address space needs to be established.

CreateProcess steps to create a process through the kernel are broadly divided into six phases:

Ntcreateprocess, it simply handles the parameters slightly, then gives the task of creating the process to the Ntcreateprocessex function, so let's look at Ntcreateprocessex's prototype and its flow.

NTSTATUS  ntcreateprocessex (  __out phandle processhandle,  __in access_mask desiredaccess,  __in_opt Pobject_attributes objectattributes,  __in HANDLE parentprocess,  __in ULONG Flags,  __in_opt HANDLE Sectionhandle,  __in_opt HANDLE debugport,  __in_opt HANDLE exceptionport,  __in ULONG jobmemberlevel  

The code of the Ntcreateprocessex function simply checks to see if the ProcessHandle parameter represents a handle that can be written, and then hands the real creation to the pspcreateprocess function, so pspcreateprocess Is the function that really creates the process.

Pscreatesystemprocess can be used to create a system process object that is created by a psinitialsystemprocess child process. Therefore, the Pspcreateprocess function is responsible for creating all the processes in the system, including the systems process. The basic flow of this function is described below.

First stage: Open the target image file

Phase two: Creating process objects in the kernel

Phase three: Creating the initial thread

Stage four: Notifies the Windows subsystem process Csrss.exe process to manage a new process

Fifth stage: Start the initial thread

Phase sixth: Initialization of user space and DLL connection

Specific content:

In Windows, CreateProcess to create a process from the system call Ntcreateprocess, and then immediately create its first thread through the system call Ntcreatethread.

First stage: Open the target image file

First, the specified executable image file is opened with CreateProcess (actually CREATEPROCESSW) and a memory area object is created. Note that the memory area object is not mapped to memory (because the target process is not yet established, it is not possible to complete the memory map), but it does open.


Phase two: Creating process objects in the kernel

is actually to create the related data structure with eprocess as its core, mainly including:

Call the Ntcreateprocessex system service in the kernel, the actual calling procedure is this: CREATEPROCESSW in Kernel32.dll calls the stub function ntcreateprocessex in Ntdll.dll, While Ntdll.dll's Ntcreateprocessex uses the processor's trap mechanism to switch to kernel mode, the system service distribution function KiSystemService gain control in kernel mode, which takes advantage of the system service table specified by the current thread. Call the Ntcreateprocessex function to the execution body layer. The Ntcreateprocessex function of the body layer then executes the process creation logic described earlier, including creating the Eprocess object, initializing the domain in it, creating the initial process address space, creating and initializing the handle table, and setting up eprocess and kprocess. Properties such as process priority, security properties, creation time, and so on. Here, the process object of the execution body layer has been established, the address space of the process has been initialized, and the PEB in Eprocess has been initialized.

Phase Three: Creating the initial thread

This phase is accomplished by calling Ntcreatethread (), which mainly includes:
Now, although the process object has been set up, it has no threads, so it can't do anything by itself. The next step is to create an initial thread, before which a stack is constructed and an environment is available to run. The stack size of the initial thread can be obtained from the image file, while the creation thread can be done by calling the Ntcreatethread function in Ntdll.dll.
Create and set the Ethread data structure of the target thread and handle the relationship with eprocess (for example, the thread count in the process block, and so on).
Creates and sets the target thread's teb in the user space of the target process.
Set the destination thread at the start address of the user space exponentially to BaseProcessStart () or BaseThreadStart () in Kernel32.dll, which is used for the first thread in the process, which is used for the subsequent thread.
The user program also provides a user-level starting function (address) when calling Ntcreatethread (), and BaseProcessStart () and BaseThreadStart () call this starting function when the initialization is complete.
There are two components in the Ethread data structure, which are used to store these two addresses respectively.
Call Keinitthread to set the Kthread data structure for the target thread and assign the stack to it and establish the execution environment.
In particular, the breakpoint (return point) in its context is set to point to a program kithreadstartup in the kernel, so that the thread executes from here once it is scheduled to run.
The system may register some "notification" functions that should be called whenever a thread is created, calling these functions.


Fourth Stage: notifying the Windows Subsystem

Each process notifies the Windows subsystem process Csrss.exe process when it creates/exits because it assumes responsibility for the management of all Windows processes.
Notice here that the caller of the CreateProcess is not the newly created process because it has not yet started running.

At this point, the CreateProcess operation has been completed, but the thread in the child process has not yet started running, and it will run through the fifth and sixth stages.


Fifth stage: Start the initial thread

In the kernel, the startup routine of the new thread is the Kithreadstartup function, which is when Pspcreatethread calls the Keinitthread function, Keinitthread The function calls Kiinitializecontextthread (see Base\ntos\ke\i386\thredini.c file) to set.

The Kithreadstartup function first lowers the IRQL to Apc_level and then calls the system's initial thread function Pspuserthreadstartup. The Pspuserthreadstartup function here is specified when the Pspcreatethread function is called Keinitthread. Note that the initial thread function specified by the Pspcreatethread function when creating a system thread is pspsystemthreadstartup. The thread start function is passed as a parameter to Pspuserthreadstartup, where it should be the BaseProcessStart in Kernel32.dll.

The Pspuserthreadstartup function is called. The logic is not complex, but involves an asynchronous function call (APC) mechanism.

The newly created thread may not be scheduled to run immediately, because the user might set the flag Create_ suspended to 1 at the time of creation;
If that's the case, you'll need to wait for the other process to resume its run through the system call before it can be scheduled to run. Otherwise, it can now be scheduled to run. As to when it will be scheduled to run, it is necessary to look at the priority and so on.


Phase sixth: Initialization of user space and DLL connection

After the Pspuserthreadstartup function returns, the Kithreadstartup function returns to user mode, at which point the Pspuserthreadstartup inserted APC is delivered, and the Ldrinitializethunk function is called , which is the initialization function of the image loader. The Ldrinitializethunk function completes the initialization of the loader, heap manager, and so on, and then loads any necessary DLLs and invokes the entry functions of those DLLs. Finally, when Ldrinitializethunk returns to the user-mode APC dispatcher, the thread starts executing in user mode, invoking the application-specified thread-start function, which has been pressed into the user stack when APC is delivered.

DLL connections are done in user space by Ldrinitializethunk () in Ntdll.dll. Prior to this, Ntdll.dll was not connected to the application, but it has been mapped to user space
The function Ldrinitializethunk () is pre-determined and documented in the image where it was initialized, so there is no need to connect before entering this function.

Knowledge of the Windows kernel is involved, and details are still to be understood ...

Resources:

Http://www.cnblogs.com/csyisong/archive/2010/10/22/1858115.html

Http://www.cnblogs.com/Gotogoo/p/5262536.html

Http://book.51cto.com/art/201011/235767.htm

The principles and implementation of Windows kernel pan Oi

About the process of the Windows creation process