The Life and Death of an EXE executable program

Missing full-text reprinted Images

Preface:

I recently studied duilib, a VC interface library, and encountered some problems when I carefully read its source code, such
How the interface is drawn, and how underlying operations are implemented, that is, createwindow and
How showwindow is implemented is unknown, so I think it is necessary to re-understand Win32
The startup/running principle of the application is good.
As described in, the operating principle of EXE executable files in Windows is described in this article.
It involves a lot of knowledge and requires readers to operate on Windows systems (such as registries, processes, threads,
Memory Management, PE file format, etc.), Windows Programming (This article uses the C ++ language) and so on.
This article tries to describe the program in plain and easy-to-understand language, so that more people can understand it and how it works.
Line has a good understanding.
In terms of article arrangement, I am here to execute the main/winmain function that everyone knows,
The execution is divided into three parts: the initialization of the EXE program, the running process of the main function, and the final work of the program.
PS: My technology is also limited. mistakes and omissions are inevitable in the article. Please submit your approval
Comment and correct. Reprinted please indicate the source, thank you
This document uses the example 444.exe program:
1:

Http: // 183.60.157.31/file/D4/53/tzydh05zchtmkwtlae44iue6luk204.zip? Key = n5f6

A61fc1a1fb1_d2b250dc7cd74e2ce2082ccc1b4dda-8e & uid = 1035291 & token = l1az8k
Lrmhi8bwxl49201cxedj&dir=%2f&name=xunlei.zip
2:

Http://115.com/file/clg0o6il #

1. exe program Initialization
It's so easy to open a software. Double-click the software Icon! But have you ever thought about
What does the system do when you click the icon? Why is the software running by double-clicking the icon?
That is, shell (implemented by the assumer.exe process ). When you start your computer to enter the desktop,
The system creates the assumer.exe process. Other processes can all be sub-processes of assumer.exe.
Because all of them are created by the assumer.exe process. That is, when you double-click the icon, Shell
This action is detected. related items in the Registry store information about the double-click operation, such as the EXE file
Which is the shell used to connect and start the EXE.
Information associated with the EXE file stored in the registry
Parameter information specified when opening an EXE
Specify the shell to start the EXE program
We can see that the shell‑policer.exe file specified by the EXE file is started. Therefore, we should
It is known that a thread of the assumer.exe process will detect this operation when the EXE file is marked with a double hit,
It obtains the file name based on the information in the Registry (according to the % 1 parameter). Then, er.exe uses
File Names call the CreateProcess function, which does a lot of work.
The CreateProcess function is defined as follows:
Boolwinapicreateprocess (
_ In_optlpctstrlpapplicationname,
_ Inout_optlptstrlpcommandline,
_ In_optlpsecurity_attributeslpprocessattributes,
_ In_optlpsecurity_attributeslpthreadattributes,
_ Inboolbinherithandles,
_ Indworddwcreationflags,
_ In_optlpvoidlpenvironment,
_ In_optlpctstrlpcurrentdirectory,
_ Inlpstartupinfolpstartupinfo,
_ Outlpprocess_informationlpprocessinformation
);
The specific information and usage of this function have been described in detail on msdn.

Http://msdn.microsoft.com/en-us/library/ms682425%28v=VS.85%29.aspx

So what does the CreateProcess function do internally? Come on!
Create process Kernel Object
CreateProcess is actually implemented through the ntcreateprocess function. At this time, the system will create
An object called a kernel object is a process kernel object. The process kernel object can be viewed as
The operating system is used to manage the kernel objects of processes. It is also used to store process statistics.
(A small data structure), the process Kernel Object maintains the structure of a handle table.
After a process is initialized, its handle table is empty. When the first-line thread in the process passes through the specified function
When a kernel object is created, the kernel allocates a memory area for the object and initializes it. However
Then, the kernel will look for an empty entry in the Process Handle table. After finding it, it will initialize
Location. The main process of initialization is to fill in a unit of the handle table, including specifying the kernel pair
Such as the image address, the specified access code, and the specified tag.
For a description of the handle table, see <Windows Process kernel object handle table> this article.
Create a virtual address space for a process
After a process kernel object is created, its reference count is set to 1. Then the system creates the process
Allocate 4 GB of virtual process address space. The reason is 4 GB, because in a 32-bit operating system,
The length of a needle is 4-character, while the address-seeking capability of a 4-character needle is from
0x00000000 ~ The maximum value of 0xffffffffff indicates the capacity of 4 GB.
The physical address space corresponds to the virtual address space.
Physical memory. If your computer has MB of memory installed
The range of the address space is 0x00000000 ~ 0x1fffffff.
When the operating system maps virtual addresses to physical addresses, it can only be mapped to this range.
It will only be mapped to this range. When a process is created, each process has its own 4 GB virtual
Address space. Note that this 4 GB address space is "virtual" and does not actually exist,
In addition, each process can only access data in its own virtual address space and cannot access the number of other processes.
This method achieves address isolation between processes. Is this 4 GB virtual address space?
Can applications be used at will? Unfortunately, in windows, this virtual address space is
It is divided into four parts: NULL pointer zone, user zone, 64 kB access zone, and kernel zone. Applications
Only the user zone is available, which is about 2 GB (up to 3 GB ). Kernel Zone
It is 2 GB, and the kernel zone stores data such as system thread scheduling, memory management, and device driver.
Data is shared by all processes, but applications cannot be directly accessed.
How to divide virtual address spaces
The virtual address space of each process must be divided into various partitions. The partition of the address space is based on the Operation
As the basic implementation method of the system. Different Windows kernels have slightly different partitions. Lower
The figure shows how each platform performs segmentation between the addresses of the route entries.
The 32-bit Windows kernel has the same score as the 64-bit Windows kernel.
The difference is that the partition size and position are different. On the other hand, you can see that under Windows 98
The partition is very different.
Initialize the virtual address space of the process
After the process address space is created, the loader (also known as the PE Loader) of Windows starts.
Work. Loader will read the information of the EXE file (PE file), which involves the format of the PE File
Knowledge. If you do not understand it, it may be difficult to understand the following. Please recharge your batteries at Baidu! !
In this case, the loader checks the validity of the PE file. If the PE file is incorrect, it may display
Thisprogramcannotberunindosmode. No error.
The content (Binary Code) of the PE file is mapped to the address space of the process. The principle is low address ing.
To the virtual address space of the low address, the high address is mapped to the virtual address space of the high address. Actually ing
When the address space is increased, because the size of the alignment between the PE file and the address space is different, you can
Use the/align switch to adjust this value.
Next, we will read the import Address Table (importtable) of the PE file, which stores the EXE file
The module files (DLL) to be imported are loaded to the address space of the process.
The method is to call the loadlibrary function to load the program code to a specific address, and then the system maps these
To the address space of the process, you must know that the DLL can be mapped to the address of all processes only once it is loaded.
And maintain a reference count for each DLL. When the reference count is 0, the DLL is detached from the memory.
To release the occupied memory. Other dll may be referenced in the DLL, so it is recursive when the DLL is loaded.
Until all the DLL modules described in importtable are loaded.
Complete.
Create the main thread of the process
After the process initialization is complete, start to create the main thread of the process. A process must have at least one master
A thread can run. It can be said that a process only acts as a container, and a thread executes user code.
.
The thread is created using the createthread function. Its definition is as follows:
Handlewinapicreatethread (
_ In_optlpsecurity_attributeslpthreadattributes,
_ Insize_tdwstacksize,
_ Inlpthread_start_routinelpstartaddress,
_ In_optlpvoidlpparameter,
_ Indworddwcreationflags,
_ Out_optlpdwordlpthreadid
);
For more information about this function, see the description of msdn:

Http://msdn.microsoft.com/en-us/library/ms682453%28v=VS.85%29.aspx

When a thread is created, it is similar to a process. The system creates a thread Kernel Object and initializes the thread stack.
There are two thread stacks. One is the core stack, which is maintained by the core State; the other is the user stack, which runs in
In user mode. Similarly, the reference count of the thread is also set to 1.
After the process and thread are created (the process address space is also available, and the required DLL is also loaded.
). The CreateProcess function returns the information stored in process_information.
It is defined as follows:
Typedefstruct_process_information {
Handlehprocess;
Handlehthread;
Dworddwprocessid;
Dworddwthreadid;
} Process_information, * lpprocess_information;
It can be seen that it is the process (thread) handle and the process (thread) ID, with the handle called
The closehandle function uses the reference count minus 1 when passing in the handle. If the reference count is 0
Detach and release the memory. Another is the process (thread) ID. This parameter can be used
The input parameter of OpenProcess (openthread) opens an existing process (thread ).
Other information, such as the environment variable used by the process (specified by lpenvironment ),
Is saved in the startupinfo structure, which is defined:
Typedefstruct_startupinfo {
Dwordcb;
Lptstrlpreserved;
Lptstrlpdesktop;
Lptstrlptitle;
Dworddwx;
Dworddwy;
Dworddwxsize;
Dworddwysize;
Dworddwxcountchars;
Dworddwycountchars;
Dworddwfillattribute;
Dworddwflags;
Wordwshowwindow;
Wordcbreserved2;
Lpbytelpreserved2;
Handlehstdinput;
Handlehstdoutput;
Handlehstderror;
} Startupinfo, * lpstartupinfo;
Since there are many Members in this structure, I will not detail it. Please refer to the description on msdn.

Http://msdn.microsoft.com/en-us/library/ms686331%28v=VS.85%29.aspx

If you want to obtain the process startup information, you can call the getstartupinfo function. In fact,
In the Runtime library code described below, this function is called to obtain startup information.
C/C ++ Runtime Library Initialization
When the main thread of the process is initialized and the thread obtains the CPU time slice, the CPU changes the Cs: IP Address
Point to the program entry point (OEP). Here, the 444.exe Program (a common Windows program
For example.
First, use the PE File Information of stud_pe 444.exe, as shown in:
The program entry point of 444.exe is 000111b3 (the address of 000005b3 below is
The relative virtual address in the PE file, and if OEP is the address mapped to the address space ).
Note that this address is relative to a virtual address, and the base address (00400000 here) must be added to the OEP.
Address, so OEP = 00400000 + 000111b3 = 004111b3. This address is very important because
This is the address that CS: IP points to when the program is running, that is, the first command for running the program is in this address.
! !
Next we will use the pebrowse tool to decompile the content of the. text section. text section is the Storage Generation
For more information about the concepts of the section, see relevant documents of the PE file.
From the figure above, we can see that the 0x4111b3 address is a JMP command, which redirects
Run winmaincrtstartup (the address is 0x412220) at the address of this function.
Out of this mysterious "real entry function ".
In fact, there are four forms of entry functions:
1. maincrtstartup (for console applications of the ANSI version)
2. wmaincrtstartup (for console applications of the Unicode version)
3. winmaincrtstartup (For ANSI Windows applications)
4. wwinmaincrtstartup (for Windows applications of the Unicode Version)
Obviously, I used 3rd Windows applications in this example. It is worth
I am using the Disassembly tool to view this information. The purpose is to allow the program to run process 1.
. But you can also look at the source code file of the C/C ++ Runtime Library.
The operating principle is more experienced. These source codes are included when you install VC ++ 6.0 or Visual Studio.
I installed visualstudio2010 on my computer. Because I installed it on the H disk
The path to the source code file of the CRT library is:
H: \ ProgramFiles \ microsoftvisualstudio10.0 \ Vc \ CRT \ SRC
The function winmaincrtstartup is defined in the crtexe. c file.
Let's see if it is the same as the decompiled code.
Next, let's look at the winmaincrtstartup source code. To facilitate the use of XXX to represent calls of various versions
Intxxxcrtstartup (void)
{
_ Security_init_cookie ();
Return _ tmaincrtstartup ();
}
We can see that this "real entry function" first calls the _ security_init_cookie () function.
Complete Security Initialization, and then return the call to the _ tmaincrtstartup () function,
In this way, all operations are completed in this function one by one! !
In _ tmaincrtstartup, The getstartupinfow function is called to obtain the parent process creation.
The startup information of this process, and then a series of initialization, including the call of the C ++ constructor,
There are also static variables and global variable initialization. These operations are completed in the _ initterm function.
Then, you will find that the (w) winmain/(w) main function is called! ! !
We are no longer familiar with this function! ! This is the first function we need to write when writing a program.
The so-called main function, but you can see that after so many complex series of initialization, this function
The number is finally called, and the mainret is the return value of the main function, used to write voidmain ()
Friends can see clearly, there has never been a voidmain () form of calling, don't be given by Tan haoqiang's book
"Misleading.
# Ifdefwprflag
Mainret = wwinmain (
# Else/* wprflag */
Mainret = winmain (
# Endif/* wprflag */
(Hinstance) & __ imagebase,
Null,
Lpszcommandline,
Startupinfo. dwflags & startf_useshowwindow
? Startupinfo. wshowwindow
: Sw_showdefault );
# Else/* _ winmain _*/
# Ifdefwprflag
_ Winitenv = envp;
Mainret = wmain (argc, argv, envp );
# Else/* wprflag */
_ Initenv = envp;
Mainret = Main (argc, argv, envp );
# Endif/* wprflag */
The example 444.exe used in this document is an ANSI window program. Therefore, it calls
The winmain function, of course, since the winmain function has been called, the first part of
The explanation is complete. See the second part.
Ii. Main Function running process
Finally, I want to talk about the running principle of the main function. Are you looking forward to it? Do you think the first part of it?
It's too complicated. In fact, the initialization process of the first part of the EXE program is very complicated and cumbersome.
Here is just a little bit of water. Many of the details can be understood without looking at the relevant information.
Because this is something from Microsoft, it is impossible for you to understand the core of internal things, or they will not
Eat, huh, huh. If you want to understand it, you can also study it.
In fact, this article focuses on this part, that is, the operating principle of the window program we are familiar,
Knowing this principle is very helpful for Windows program design. Well, I will not talk much about it,
Continue.
How windows Windows runs
I don't know how many of my friends come up with MFC. After creating the project, run the wizard, next, next
Step, a window program will come out, but you do not know why, you may be connected to a winmain
I don't know how the program runs. This article is not about the principle of MFC, but about the original
When it comes to MFC, the concept of a Windows window program is essentially C ++'s packaging of API functions,
The internal implementation of this function cannot be separated from the calling of API functions. If you understand the principles described in this section, then
The principle is easy to understand.
Before talking about the principles, I think it is necessary to talk about the following concepts:
Window: A Visualized object with a title bar, menu bar, minimized, and maximum
And close the button, which everyone knows
Handle: a dword (32-bit) value that identifies different objects, such as Windows and graphs.
Labels, menus, files, fonts, etc. Corresponding window handles (hwnd) and Icon handles (hicon)
Menu handle (hmenu), file handle (handle), etc.
�� Message: indicates the operation identifier generated when a user interacts with a program. It is also a DWORD
Value, with window message (identified by wm_xxx), notification message (wm_nofity), Life
Name message (wm_command), various control messages, etc.
�� Window function: handler of various messages. When a message arrives
Process the message you want
There are also some concepts that you can find relevant materials. I will not talk about them here. With these concepts
It's easy.
First, you must know that Windows window programs are message-based, and messages are generated by users and programs.
Interaction can also be generated by various system messages. Messages are constantly generated, and many messages are continuously connected,
The system maintains two types of message queues, namely, system message queues,
One is the user message queue. Due to the continuous generation of messages, a message loop is generated, usually window
After creation, this while (getmessage (& MSG, null, 0) statement is used to obtain the message. This
The sample message is continuously generated, and then the message is sent to the window for processing in the window function, the program can
Keep running until you close and exit.
A message is a structure defined as follows:
Typedefstructtagmsg {
Hwndhwnd;
Uintmessage;
Wparamwparam;
Lparamlparam;
Dwordtime;
Pointpt;
} MSG, * PMSG, * lpmsg;
Hwnd is a message-related window, message is the message identifier, wparam, lparam is attached
This parameter is specified when sendmessage or postmessage is used. Time indicates that the message is
The time when the message is sent. PT indicates the cursor position when the message is sent (relative to the screen coordinate ).
So what is the execution process of winmain? Don't worry, and look down. . .
First, create the window. Before creating the window, register the window class.
It is not an object-oriented class, but a window style, style, and so on.
The operation of the interface class is written in a function.
Atommyregisterclass (hinstancehinstance)
{
Wndclassexwcex;
Wcex. cbsize = sizeof (wndclassex );
Wcex. Style = cs_hredraw | cs_vredraw;
Wcex. lpfnwndproc = wndproc;
Wcex. cbclsextra = 0;
Wcex. cbwndextra = 0;
Wcex. hinstance = hinstance;
Wcex. hicon = loadicon (hinstance, makeintresource (idi_my444 ));
Wcex. hcursor = loadcursor (null, idc_arrow );
Wcex. hbrbackground = (hbrush) (color_window + 1 );
Wcex. lpszmenuname = makeintresource (idc_my444 );
Wcex. lpszclassname = szwindowclass;
Wcex. hiconsm = loadicon (wcex. hinstance, makeintresource (idi_sall ));
Returnregisterclassex (& wcex );
}
Hinstace refers to the modules loaded by applications. In Win32 systems, it is usually linear
Address, do you remember the first part? The first parameter of winmain is it, which is passed in like this
Mainret = winmain (hinstance) & __ imagebase ,. . . ) The _ imagebase is
You can see the figure below.
This figure is taken down when I checked the memory during vs2010 debugging.
_ Imagebase should be 0x00905a4d, and the four bytes are the first four of the PE files.
Byte (the two bytes in the PE file header are marked by MZ). It is mapped to the address space and
It is hinstance. Obviously, the hinstance in this example should be 0x008b0000. Note that
The value of hinstance in the row is different, which is the address mapped to the address space. It and
The hmodule is actually the same,
Let's look at the wndclassex structure. We can see that there is a member lpfnwndproc, which specifies
The address of the window function. Do not write an error here. Otherwise, the program cannot run and there is no error.
Error message. The lpszclassname Member specifies the Class Name of the window. You can use the spy ++ tool to view the window
Class Name. Then return the call to the registerclassex function.
Class.
The next step is to create a window. Create a window using the createwindow (Ex) function.
Write the operation in the window to the function:
Boolinitinstance (hinstancehinstance, intncmdshow)
{
Hwndhwnd;
Hinst = hinstance;
Hwnd = createwindow (szwindowclass, sztitle, ws_overlappedwindow,
Cw_usedefault, 0, cw_usedefault, 0, null, null, hinstance, null );
If (! Hwnd)
{
Returnfalse;
}
Showwindow (hwnd, ncmdshow );
Updatewindow (hwnd );
Returntrue;
}
After the window is successfully created, a window handle hwnd will be returned. The process of creating the window is actually
Complex: several messages are sent to window functions during creation, such as wm_nccreate,
Wm_create, detailed description of the execution of tracing messages in the next section. With this window
You can do a lot of things after the handle, because many function calls need to input a window handle value
The window showwindow is displayed. This function also sends a few messages and then updates the window.
The window updatewindow mainly sends the wm_paint message for the window to be repainted.
At the end, it is a message loop. A typical message loop statement is as follows:
Msgmsg;
While (getmessage (& MSG, null, 0, 0 ))
{
Translatemessage (& MSG );
Dispatchmessage (& MSG );
}
As long as the program is running, this loop will not exit and the program will not be terminated. When the user closes the window
Wm_close message is generated. The default wm_close implementation (in defwindowproc
) Is to send the wm_destroy message, we need to call it in the wm_destroy message
Postquitmessage function to send wm_quit messages. When the getmessage function obtains
When the message is a wm_quit message, it will return false, so that the loop will exit, and the program will end
.
Another important function is window function. Window Function is a callback function, that is, the system will
You have to call this function. You only need to write it as required. When the message arrives, the system will process it.
For processing, it is dot 'tcallme, iwillcallyou. When registering a window class
The window function is defined as follows:
Lresultcallbackwindowproc (
_ Inhwndhwnd,
_ Inuintumsg,
_ Inwparamwparam,
_ Inlparamlparam
);
Hwnd is the window handle related to message sending, umsg is the message sent, and the last two are attached
Add parameters.
For example, you can write window functions as follows:
Lresultcallbackwndproc (hwndhwnd, uintmessage, wparamwparam, lparamlparam)
{
Paintstructps;
Hdchdc;
Switch (Message)
{
Casewm_paint:
HDC = beginpaint (hwnd, & PS );
: Rectangle (HDC, 50,100,200,400 );
Endpaint (hwnd, & PS );
Break;
Casewm_destroy:
Postquitmessage (0 );
Break;
Default:
Returndefwindowproc (hwnd, message, wparam, lparam );
}
Return0;
}
Only two messages are processed here, and what we often want to do is to process various messages you want to process,
Is Windows message-based, so if you want to process many messages, there will be many
Casewm_xxx processing. If MFC is used, it will distribute the messages and convert them
Some on_xxx processing functions are provided. In MFC, a message route table is maintained.
To sum up its operating principle, it is a process like this:
Registration window class --> Create window --> display window --> Update window --> message loop (get message, minute
Sending messages). The window function processes messages.
Tracking running process
This section uses an instance to track the running process of a Windows program.
When the message is received and the sample code is still 444.exe, this program does not
What's special? I only output some information before and after calling some functions, as well as the implementation of window functions.
In modern code, write a few words to output the message, which can be generated when the program is running.
There is an understanding of the order of messages.
From the debugging information, we can see that 0x00f00000 is the value of hinstance (actually an address,
0x00905a4d is the value at the address, which is the first few bytes of the PE file.
The output of entrymainmethod indicates that the main method is started, and then
Registerclassex registers the window class and writes endxxx to see if the function is called.
The message is sent, so that the message can be captured in the window function.
After registering the window class, start calling the createwindow function to create the window. As mentioned above, this function
The internal operations of the createwindow function are very complex.
Send several messages. The first is the wm_getminmaxinfo (0x0024) message.
Messages are the first message after the window is created, while wm_quit is the last message.
(Getmessage returns false after obtaining the message ).
Note that the above messages are generated before the message loop, because
The message sent by the createwindow function is not started yet. Then there is the second message.
Wm_nccreate (0x0081). Before wm_create, the NC is notclient.
Non-customer zone refers to the title bar, border, and other areas.
There are three null messages next to it. What does it mean? I did not study it myself, and there are only a few messages.
The value is not defined by wm_xxx, so null is used here. Createwindow before return
The last message sent is the wm_create message. The lparam parameter in this message is
The last parameter passed in the createwindow function is usually completed here
It is not recommended to intercept the wm_nccreate message. The default defwindowproc will
Yes.
The next step is to display the window and update the window. The showwindow also does a lot of work internally. Please refer

A lot of messages will be sent before the showwindow function returns. We can see that the first message is
Wm_showwindow, the last one is wm_move, and then the function returns
In updatewindow, only one wm_paint message is sent for the window to be repainted.
After these steps are completed, the message loop is started.
These are all processed in message loops and window functions (messages are sent
In this way, the program is always running, and the message loop is eliminated through the getmessage function.
To the window function for processing. You can also use peekmessage. You can
Related information under Baidu.
When the user closes the window, let's take a look at the process.
This is the process of closing the window. It can be seen that the first is production.
Wm_nclbuttondown message, because the close button is in a non-customer zone, then there is
Wm_syscommand message. The message is from the system menu. When you right-click the message in the title bar
The system menu is displayed, followed by the wm_close message. The default implementation is in defwindowproc.
In, I want to call the destroywindow function, which sends a wm_destroy
And wm_ncdestroy messages, while our program processes wm_destroy and calls
The postquitmessage function sends the wm_quit message.
When the message is sent, false is returned. Therefore, if the statement in the loop body is not executed, the message wm_quit is returned.
The message is not printed, so wm_ncdestroy is the last message.
When the while loop ends, the main function returns return (INT) msg. wparam,
The main function has been executed.
To sum up this part, the order in which messages are generated should be as follows:
Wm_getminmaxinfo (0x0024)
Wm_nccreate (0x0081)
Wm_nccalcsize (0x0083)
NULL (0x0093)
NULL (0x0094)
NULL (0x0094)
Wm_create (0x0001)
Wm_showwindow (0x0018)
Wm_windowposchanging (0x0046)
Wm_windowposchanging (0x0046)
Wm_activateapp (0x001c)
Wm_ncactivate (0x0086)
NULL (0x0093)
Wm_geticon (0x007f)
Wm_geticon (0x007f)
Wm_geticon (0x007f)
NULL (0x0093)
NULL (0x0091)
NULL (0x0092)
NULL (0x0092)
Wm_activate (0x0006)
Wm_ime_setcontent (0x0281)
Wm_ime_notify (0x0282)
Wm_setfocus (0x0007)
Wm_ncpaint (0x0085)
NULL (0x0093)
NULL (0x0093)
NULL (0x0091)
NULL (0x0092)
NULL (0x0092)
Wm_erasebkgnd (0x0014)
Wm_windowposchanged (0x0047)
NULL (0x0093)
Wm_size (0x0005)
Wm_move (0x0003)
Wm_paint (0x000f)
Beginmessageloop...
Wm_geticon (0x007f)
Wm_geticon (0x007f)
Wm_geticon (0x007f)
Wm_syncpaint (0x0088)
###############################
##### Other messages in a message loop ######
###############################
##### Below is the message after the window is closed ######
###############################
Wm_nclbuttondown (0x00a1)
Wm_capturechanged (0x0215)
Wm_syscommand (0x0112)
Wm_close (0x0010)
NULL (0x0090)
Wm_windowposchanging (0x0046)
Wm_windowposchanged (0x0047)
Wm_ncactivate (0x0086)
NULL (0x0093)
NULL (0x0093)
NULL (0x0091)
NULL (0x0092)
NULL (0x0092)
Wm_activate (0x0006)
Wm_activateapp (0x001c)
Wm_killfocus (0x0008)
Wm_ime_setcontent (0x0281)
Wm_ime_notify (0x0282)
Wm_destroy (0x0002)
Wm_ncdestroy (0x0082)
Endmessageloop...
I believe that this part of content will benefit you a lot. The internal part of this part is over.
The third part.
Iii. Program final work
After the winmain function is completed, what happened. Let's continue with the analysis.
After debugging, it is found that the winmain function returns to the C/C ++ Runtime library function, and the return value is assigned
Mainret. Then there is some memory recycling and cleanup work, please refer to the figure
The main task here is to call the exit function. The implementation of the exit function is to call the doexit function.
Function, and then execute some cleanup tasks, including releasing unused pointers and occupied memory. Then
Here:
The process is exited. If the _ crtcorexitprocess function fails
Exitprocess ensures successful calls. During debugging, the function exitprocess is finished,
The debug program also exits. It can be seen that the life cycle of such an EXE program is completed.
Summary
From the content of the three sections, the execution process of an EXE program is summarized as follows:
1 worker shell(assumer.exe) Call the CreateProcess function to activate the EXE program
2. The system creates a process Kernel Object and sets the reference count to 1.
3. The system creates a 4 GB virtual address space for the Process
4. the PE Loader maps the EXE code to the address space and looks for importtable Introduction
Dynamic Link Library (DLLs)
5. The system creates a main thread for the process. After the thread obtains the CPU, it directs the Cs: IP address to the. text section.
Program entry point (OEP). Here is a JMP command, which jumps to xxxcrtstartup
Function execution
6. Complete initialization settings for the C/C ++ Runtime Library, including calling the C ++ constructor.
Global variable, static variable Initialization
7. Call the winmain/main function to enter the main function.
8. register the window class, create a window, display the window, update the window, and enter the message loop
9. Close the window and exit cyclically. Return to the C/C ++ runtime database.
10. Complete cleaning
11. exitprocess exited.
Remarks
The content of this article is over now. I hope this article will be confusing and I do not know how to learn windows.
The program design provides guidance and a good understanding of learning MFC.
I am not a master, but I am willing to study this technology. If you also like to study,
Like technology, I believe you can also do it, or do better. Therefore, please make many mistakes in this article.
More advice. . . .
PS: I am a person who likes programming and technology. I think technology is the same as eating, so you
Is that true? My weibo ^_^ http://weibo.com/zhuhuigong
Author: Autumn injury ~~!
Creation Time: 2011/09/1400: 01
Completion Time: 2011/09/1623: 40
References:
1. Introduction to Windows Startup and EXE file loading
2. Start the microsoft.exe Program