Decoding the story behind the Hello World program (2) -- the birth of the program

Source: Internet
Author: User

 

I've been too busy in recent months. It suddenly occurred to me when I looked at my blog that I haven't written an article for more than two months. So I forced myself to sit down and write up some technical material. ^_^

 

This series aims to uncover the complexity that the CRT hides beneath a simple Hello World program. Having analyzed "compiler options and the CRT" last time, today I want to give a brief walk-through of what happens between the creation of the program's process and the execution of its C/C++ entry function.

 

We know that on Windows a new process is created with the CreateProcess function. When this function succeeds, the program has been loaded into memory and is ready to run. While creating the process, the system allocates resources to it, initializes its memory space, initializes the process kernel object, initializes the process environment block (PEB), loads the PE image file, initializes the global heap, loads the DLLs, and so on. However, completing these operations does not mean that our program has started executing. A process is "inert" by itself and does not actively execute code, so at this point the operating system creates the first thread of our program, and our code is executed on that thread.

 

Since the topic is "starting execution", this article will not cover the internals of CreateProcess or the details of how the system creates a process. We start our discussion from the creation of the thread.

 

Whether a thread is created with CreateThread or with another function provided by the system, we need to know that thread creation is actually implemented by the NtCreateThreadEx function. This function places 58 in EAX as the system call number and then enters the kernel directly with the sysenter instruction, where the thread is finally created. NtCreateThreadEx is a function that Microsoft has not documented; it is exported from ntdll.dll. If you are interested, you can search for its prototype on the Internet, but note that the prototypes described there are not necessarily correct: because it is not a public function, Microsoft does not guarantee that this interface will stay the same in the future.

 

After the kernel receives the request for a new thread, it creates the thread for us and initializes some of its state (including the TEB). Finally, it sets the thread's entry point to the RtlUserThreadStart function, which is exported by ntdll.dll. The main task of RtlUserThreadStart is to set up the SEH exception handler chain. It takes two parameters: the thread entry function specified by the user, and the argument to be passed to that entry function. Note that although RtlUserThreadStart takes two parameters, this does not mean that someone called it and passed them in. The two values are written directly by the operating system. In fact, RtlUserThreadStart executes only because the operating system sets the thread's EIP to the address of RtlUserThreadStart.

 

RtlUserThreadStart then calls the BaseThreadInitThunk function, which is exported by kernel32.dll. It mainly pushes the user-specified argument onto the stack and then directly calls the user-specified thread entry function.

 

At this point, a thread is fully created!

 

Of course, if this thread is the main thread, the situation is a little different. In that case BaseThreadInitThunk does not call your main or WinMain function; it calls the entry function specified in the PE file. For a VC-compiled program, that entry is the mainCRTStartup function.
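The "entry function specified in the PE file" that the main thread is handed is recorded in the optional header's AddressOfEntryPoint field. The following parser is an added example, not code from the original article: it reads that field from a PE32 or PE32+ header, computes the preferred virtual address the loader would jump to, and reports which section contains the entry (an entry RVA outside every section is still jumped to, so a defender checks that it lands in a code section). The sample image it parses is a constructed, minimal header with no real code.

```python
import struct


def pe_entry_point(data: bytes) -> dict:
    """Locate the entry point that the loader records for the main thread.

    Returns the AddressOfEntryPoint RVA, the preferred virtual address
    (ImageBase + RVA) and the section containing it (None if the RVA is
    outside every section, which a defender should treat as suspicious).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    nsections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    section = None
    for i in range(nsections):               # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            section = name.rstrip(b"\0").decode("ascii")
    return {"entry_rva": entry_rva, "entry_va": image_base + entry_rva, "section": section}


def build_sample_pe32(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (no real code) so the parser runs offline."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    opt = struct.pack("<H", 0x10B) + b"\0" * 14             # Magic, linker version, size fields
    opt += struct.pack("<IIII", entry_rva, 0x1000, 0x3000, image_base)  # AddressOfEntryPoint .. ImageBase
    opt = opt.ljust(224, b"\0")                              # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x1000, 0x400).ljust(40, b"\0")
    secs += struct.pack("<8sIIII", b".rdata", 0x800, 0x2000, 0x800, 0x1400).ljust(40, b"\0")
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    print(pe_entry_point(build_sample_pe32(0x1234)))   # entry lands in .text at 0x401234
```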

 
