Windows debugging 4

Process depth

==============

Every Windows Process is represented by a block called executive process (eprocess. In addition to many process-related attributes, it also contains and points to a series of other related data structures. For example, each process has one or more executive threads (ETHREAD) used to represent the thread structure ). The executive thread will be discussed later. The eprocess and its related data structures exist in the operating system space, except for the process environment block (peb. Peb exists in the address space of the process because it contains information that can be modified by user-mode code.

Besides the eprocess block, the Win32 subsystem process (CSRSS) maintains a parallel structure for each Win32 program. similarly, when a thread calls a Win32 user or GDI function implemented by the kernel state, the kernel state of the Win32 subsystem (win32k. sys) creates a data structure for each process.

 

Shows the structure of the eprocess Block

 

Element	Purpose
Kernel process (kprocess) block	Common dispatcher object header, a pointer to the process page Directory, which belongs to the list of kernel thread (kthread) blocks of the process. The default basic priority, quota, and preferred mask value, there is also the total kernel and user thread time in the process
Process Identification	Unique process ID, process ID of the process to be created, name of the image to be run, and the window station process on which the image is running
Quota Block	Restrictions on nonpaged pool, paged pool, page file usage, current and peak process nonpaged and paged pool usage (Note: many processes can share this structure. All system processes point to this unique, default quota data block within the system, and all interaction process sessions) share a quota .)
Virtual Address Descriptors (vads)	A series of data structures that describe the status of the address space that exists in the process.
Working Set Information	Point to the working set list (mmwsl structure); current, peak, minimum, maximum working set size; last trim time; Page error count; Memory priority; outswap flag; page error history.
Virtual Memory Information	The current and highest virual memory size, the hardware page table created for the process page Directory
Exception Local Procedure Call (LPC) Port	When a thread of a process causes an exception, the process manager sends a message, which is transmitted through a cross-process communication pipeline. This is an MTS queue.
Debugging LPC Port	A cross-process pipeline allows the Process Manager to send messages when a thread of a process triggers a debug event.
Access Token (access_token)	Executive object describing the process security profile
Handle table	Process Handle Address Table
Device Map	The address used to parse the object directory referenced by the device name (supports multiple users ).
Process environment block (peb)	Image Information (base address, version number, module list), process heap information, thread-Local Storage utility (note: the pointers to the process heaps start at the first byte after the peb .)
Win32 subsystem process block (w32process)	Process details required by the kernel-state component in the Win32 subsystem. process details needed by the kernel-mode component of the Win32 subsystem.

 

 

Kernel processor block (PCB)

The eprocess block has two key sub-data structures: one is the kernel process block (kprocess) and the other is the process environment block (peb ).

Peb exists in the address space of the user process and contains the information required by image loader, heap manage, and other Win32 system DLL files that can be written in the user State. note that eprocess and kprocess can only be accessed in kernel mode. peb is always mapped to address 0x7ffdf000.

 

Thread depth

====================

At the operating system level, a thread is represented by an ETHREAD data structure. the ETHREAD block and other data structures it points to exist in the address space of the system, except for the thread environment block (Teb ). in addition, the Win32 subsystem process CSRSS maintains a parallel data structure for the threads created by each Win32 process. similarly, the kernel-state Win32 subsystem maintains the data structure (w32thread structure) that each thread has. The ETHREAD block has members pointing to it.

The following table lists the important data domains of ETHREAD.

Element	Description
Kthread Block	Data Structure pointing to kthread
Thread time information	Time when the thread is created and exited
Process Identification	Process ID and eprocess block pointing to the process to which the thread belongs
Start address	Address of the thread startup Function
Impersonation Information	Access Token and role playing level (when a thread is playing a client)
LPC Information	The ID of the message that the thread is waiting for, and the address of the message.
I/O Information	List of Io request packages awaiting processing

 

Kthread information. The operating system kernel needs to access this information to execute Thread Scheduling and synchronization for running threads.

Element	Description
Dispatcher Header	Because a thread is an object that can wait, it follows a standard Start with kernel dispatcher Object Header
Execution time	CPU time in the user mode and kernel mode.
Pointer to kernel stack information	The lowest and highest address of the kernel stack.
Pointer to system service table	Every thread starts with a member of the main system service table (keservicedescriptortable ). When a thread calls the Win32 GUI service for the first time, its system service table is changed, including the GDI and user services in win32k. sys.
Scheduling information	Basic priority, current priority, quota, affnity mask, ideal processor, scheduling state, frozen count, suspension count
Wait Blocks	The thread block contains four built-in wait blocks, so the wait block does not need to be allocated and initialized every time the thread waits for anything. (There is a wait block dedicated to timer .)

Wait Information	The list of objects waited by the thread, the reason for waiting, and the time when the thread enters the waiting state
Mutant list	Mutant objects list owned by the thread
APC queues	User-state and kernel-state waiting state APC list, and modifiable flag
Timer Block	Built-in timer block, that is, wait Block
Queue list	Point to thread-related queue objects
Pointer to Teb	Thread ID, TLS information, peb pointer, and GDI and OpenGL information.

 

Thread environment Block

Teb stores the context information of image loader and many Win32 DLL files. because these components run in user mode, they need a writable Data Structure in user mode. this is why this structure exists in the user address space, rather than the system address space that can be written only in the kernel state. you can run it! Thread command to find the address of Teb,