The handle table of the Win32 process concept, and the kernel object.

Source: Internet
Author: User
Tags: mutex, win32

One. What is a handle table and what is a kernel object

1. How the handle table comes about

We know that when we call CreateProcess it returns a process handle and a thread handle. What actually happens inside the call is that the kernel allocates a new EPROCESS structure to store the information about our process.


But there is a problem: how can ring 3 code use it? Does the kernel just return the EPROCESS address?

It does not. EPROCESS lives in the upper 2 GB of the address space (kernel space), which a ring 3 program cannot touch, so a kernel address would be useless to it. To solve this, Windows keeps a table (the handle table) for the process and returns an index into that table. That index is the handle we work with.

2. What is a kernel object

A kernel object is a kernel-mode structure like the EPROCESS mentioned above. There are many kinds of kernel objects; the documentation of CloseHandle lists the objects whose handles it can close:

    • Access token
    • Communications Device
    • Console input
    • Console Screen Buffer
    • Event
    • File
    • File Mapping
    • I/O completion port
    • Job
    • Mailslot
    • Memory Resource Notification
    • Mutex
    • Named Pipe
    • Pipe
    • Process
    • Semaphore
    • Thread
    • Transaction
    • waitable timer

So events, files, mutexes, threads and so on are all kernel objects that we manipulate through handles.

Two. Sharing kernel objects between processes

1. The first method: using OpenProcess

In a Windows program we operate on kernel objects through handles. A process can obtain a handle to a kernel object that belongs to an existing process, for example with the OpenProcess API.


The handle table of each process is private. For example, in process A the entry at index 1 refers to kernel object a; passing that index to process B is useless, because B's table has its own entries.

Process B only obtains the kernel object when it opens it through the API, which creates a new entry in B's own table.

In the figure, the middle column of the table is the reference count: every time the kernel object is referenced, this value goes up by 1.

CloseHandle decrements the reference count of the kernel object by 1. When all handles have been closed, nobody is using the object any more and nothing holds it, so the kernel object is destroyed. In other words, the object is really destroyed only when its reference count reaches 0.

A thread is a special case: a thread object is not destroyed simply because its reference count drops to 0; the thread itself must also have ended. CloseHandle on a thread handle only decrements the reference count by 1.

2. The second method: handle inheritance

In a Windows program, process A creates process B. Every API that creates a kernel object takes a security attributes (SA) parameter, the SECURITY_ATTRIBUTES structure, and that structure specifies whether the handle being created can be inherited.

For example, CreateEvent creates an event. Leave the purpose of the API aside for the moment and look at its parameters (the original prototype, with the first parameter annotated):

    HANDLE CreateEventA(
        LPSECURITY_ATTRIBUTES lpEventAttributes, // the security attributes structure this section is about
        BOOL                  bManualReset,
        BOOL                  bInitialState,
        LPCSTR                lpName
    );

The first parameter is the security attributes structure. If we pass NULL, the object gets the default security descriptor and the returned handle cannot be inherited by child processes.

The security attributes structure itself:

    typedef struct _SECURITY_ATTRIBUTES {
        DWORD  nLength;              // size of this structure
        LPVOID lpSecurityDescriptor; // who may access the object; consumed by Windows internally, not important here
        BOOL   bInheritHandle;       // whether the handle can be inherited
    } SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;

The effect is shown in the figure:

If our handle is inheritable, the first field of its handle-table entry is set to 1, meaning the handle can be inherited; 0 means it cannot.

At this point the child process can inherit all of the inheritable entries in the parent's handle table. Note that it is all inheritable entries, so they are all shared, as the figure shows.

Handles b and d created by process A are inheritable, so the child process gets a complete copy of A's inheritable entries. Entries whose inherit flag is 0 are not copied.

Three. Process PID analysis

In Windows Task Manager there is a PID column we can look at, and the concept of a process ID comes up constantly in Windows.

So what is a process ID?

The process ID is an index into the global handle table. The handle tables discussed above are each process's own private table; the PID comes from the global one.

The handles of all running processes are recorded in this global table, and each PID is unique. If a process dies, its PID may later be reused for a different handle, but at any moment it is still unique, as the figure shows.

This global handle table is what actually matters. Why?

We can run a test:

1. Open the process handle with OpenProcess.

2. End the process with TerminateProcess.

OpenProcess(access rights, whether the handle can be inherited, process PID) returns the process handle.

TerminateProcess(process handle, custom exit code) ends the process.

Using these two APIs we can test whether an existing process can be terminated. What you find after the test is that only the handle obtained from the PID, that is, from the global handle table, is useful here; the tables discussed earlier are the private tables of the individual processes.

Four. Common process operation APIs

1. GetModuleFileName() gets the path of the current module, for example C:\1.exe

2. GetCurrentDirectory() gets the current working directory, for example C:\TEXT\ABC

3. OpenProcess() opens a process by its PID and returns the process handle.

4. FindWindow() looks up a window by class name and window title and returns the window handle.

5. GetWindowThreadProcessId() gets the process PID from a window handle.

6. EnumProcesses() enumerates all processes and returns their PIDs; MSDN provides an example.

7. GetCommandLine() gets the command-line arguments.

8. CreateToolhelp32Snapshot() creates a process snapshot. If you have done reverse engineering you will know that the TEB and PEB structures reachable through the FS register contain linked lists of the current modules and processes; the snapshot captures that state at the current moment.

We can then traverse the snapshot. Refer to MSDN or this blog for details.

Five. Problems encountered when writing Windows programs

1. When writing Windows programs we include windows.h, but some functions are still not found, for example the snapshot function mentioned as the eighth API above.

In that case we look the function up on MSDN (a web search works).

At the bottom of the page the required header is listed as tlhelp32.h, so we include that as well.

2. The second problem

Sometimes the header file is included and the function is used correctly, but calling the API still produces an error. Why?

The reason is that some APIs only exist in newer Windows versions. On an older version the DLL does not export them, so the call fails with an error saying the API does not exist.

Solution: if you have studied this part of Win32 you will already understand it; if not, it does not matter, because the problem is rarely met (the blogger has only encountered it once).

You can use LoadLibrary to load the required DLL, then GetProcAddress to obtain the address of the function, and call it through a function pointer.
