Process creation and handle table

Process creation process

  • When the system starts, a kernel function is called to create Explorer.exe, the desktop process.
  • When you double-click a program, the CreateProcess function is called to create the process. That is, every process created from the desktop is a child of the desktop process, and the children are not affected when the parent process terminates.
  • Processes are created by other processes.

What the function CreateProcess does

  • First, the kernel allocates space for the process object to store its data; the handle table also lives in this space. When the process creates other kernel objects, each object's address and handle are recorded in the handle table and the corresponding handle is returned. User code operates on the kernel object through the handle. The address of the kernel object is not returned directly because user code is not allowed to modify the object directly, in case it corrupts it.
  • Then the virtual address space is created and the EXE file is mapped into it. Using the DLL names from the import table, the DLLs it uses are mapped into the space as well; each DLL is relocated according to its relocation table, fixing up absolute addresses. The import tables of the EXE/DLL files are then walked and the IAT is patched, replacing each entry with the function's address in the DLL that exports it.
  • Finally, the main thread is created, its CONTEXT is set, and execution starts from the entry point.

The use of the CreateProcess

    BOOL CreateProcess(
        LPCSTR                lpApplicationName,
        LPSTR                 lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes,
        LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL                  bInheritHandles,
        DWORD                 dwCreationFlags,
        LPVOID                lpEnvironment,
        LPCSTR                lpCurrentDirectory,
        LPSTARTUPINFOA        lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation
    );

lpApplicationName and lpCommandLine are the process name and the command line respectively. Either of them can be used to specify the process to create.

  • lpApplicationName specifies the path and file name of the module to be executed.
    #include <windows.h>

    TCHAR szApplicationName[] = TEXT("C:/Windows/System32/notepad.exe");
    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);          // cb must be filled in before the call
    PROCESS_INFORMATION pi = { 0 };
    if (CreateProcess(szApplicationName,  // lpApplicationName: full path of the EXE
            nullptr,                      // lpCommandLine
            nullptr, nullptr,             // process / thread security attributes
            FALSE,                        // bInheritHandles
            CREATE_NEW_CONSOLE,
            nullptr, nullptr,             // environment / current directory
            &si,
            &pi))
    {
        // The returned handles occupy entries in this process's handle table; close them when done.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

This creates the notepad.exe process by name.

  • lpCommandLine. If only lpCommandLine is used and lpApplicationName is nullptr, the process name is taken from the first token of lpCommandLine, up to the first space.
    #include <windows.h>

    // lpCommandLine may be modified in place by CreateProcess, so it must be a writable buffer, not a string literal.
    TCHAR lpCommandline[] = TEXT("C:/Windows/System32/notepad.exe");
    STARTUPINFO si = { 0 };
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi = { 0 };
    if (CreateProcess(nullptr,            // lpApplicationName: nullptr, so the image comes from the command line
            lpCommandline,
            nullptr, nullptr,             // process / thread security attributes
            FALSE,                        // bInheritHandles
            CREATE_NEW_CONSOLE,
            nullptr, nullptr,             // environment / current directory
            &si,
            &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

This creates the process through lpCommandLine.

  • bInheritHandles is the fifth argument. When it is TRUE, the child inherits the handles in the parent's handle table that are marked inheritable. When it is FALSE, the child inherits no handles from the parent.
  • lpStartupInfo lets you set extended attributes for the new process.
  • lpProcessInformation, the OUT parameter, receives the handle and ID of the process as well as the handle and ID of the main thread.

This is my first blog post. Mainly, I have recently wanted to learn a lot more, so I am recording my own learning and organizing it as well as I can, while slacking off a bit.