
Processes, threads and scheduling in Windows. Part 1

Version: 0.2

Author: Vlad Kovtun, NRJETIX, 2000 - 2014

Date: 03.04.2015 14:56:00

Revision history:
12.09.2010   0.1
28.08.2014   0.2

11. Processes, threads and scheduling in Windows

Outline:
1. Processes.
2. Threads.
3. Thread scheduling.


Each Windows process is represented by an executive process block (EPROCESS). Besides holding many attributes of the process itself, an EPROCESS block contains and points to a number of related data structures. For example, every process has one or more threads, each represented by an executive thread block (ETHREAD). The EPROCESS block and most of the structures it references live in system address space; the one exception is the process environment block (PEB), which lives in the process's own address space because user-mode code needs to read it. In addition, the Windows subsystem process (Csrss) keeps a parallel per-process structure for every Windows process, and the kernel-mode part of the Windows subsystem (Win32k.sys) keeps its own per-process structure, created the first time a thread of the process calls a USER or GDI function.

Fig. 1 shows how these structures relate to each other; Fig. 2 shows the layout of the EPROCESS block itself.

Fig. 1. Data structures associated with Windows processes: the PsActiveProcessHead list of EPROCESS blocks, the Windows subsystem (Csrss) process block and the Win32k.sys per-process structure.

Fig. 2. Structure of the executive process block (EPROCESS); its first member is the kernel process block (PCB).

Table 1. Contents of the EPROCESS block

Kernel process (KPROCESS) block: common dispatcher object header, pointer to the process page directory, list of kernel thread (KTHREAD) blocks belonging to the process, default base priority, quantum, affinity mask, and total kernel and user time for the threads of the process.

Process identification: unique process ID, creating process ID, name of the executable image, window station the process is assigned to.

Quota block: limits on nonpaged pool, paged pool and page file usage plus current and peak process nonpaged and paged pool usage. (Note: several processes can share this block; all the system processes point to the single systemwide default quota block, and all processes in the interactive session share a single quota block that Winlogon sets up.)

Virtual address descriptors (VADs): a series of data structures that describes the status of each portion of the address space that exists in the process.

Working set information: pointer to the working set list (MMWSL structure); current, peak, minimum and maximum working set size; last trim time; page fault count; memory priority; outswap flags; page fault history.

Virtual memory information: current and peak virtual size, page file usage, hardware page table entry for the process page directory.

Exception LPC port: interprocess communication channel to which the process manager sends a message when one of the process's threads causes an exception.

Debugging LPC port: interprocess communication channel to which the process manager sends a message when one of the process's threads causes a debug event.

Access token (ACCESS_TOKEN): executive object describing the security profile of this process.

Handle table: address of the per-process handle table.

Device map: address of the object directory used to resolve device name references (drive letters, COM ports and so on).

Process environment block (PEB): image information (base address, version numbers, module list), process heap information, and thread local storage (TLS) utilization; used by the image loader, the heap manager and the Windows system DLLs.

Windows subsystem process block (W32PROCESS): process details needed by the kernel-mode part of the Windows subsystem (Win32k.sys).

The first member of the EPROCESS block is the kernel process block (KPROCESS), also called the process control block (PCB); its layout is shown in Fig. 3. It holds the information the kernel needs to schedule the threads of the process (see the scheduling section below). The process environment block (PEB), shown in Fig. 4, lives in the user-mode address space of the process and contains the information needed by the image loader, the heap manager and the Windows system DLLs. (The EPROCESS and KPROCESS blocks are accessible only from kernel mode; user-mode code can read the PEB directly.)


Fig. 3. Structure of the kernel process block (KPROCESS): dispatcher header, process page directory, kernel and user time, inswap/outswap list entry, list of KTHREAD blocks, process spinlock, affinity mask, default base priority, default thread quantum, process state, thread seed.

Fig. 4. Fields of the process environment block (PEB): image base address, module list, thread local storage (TLS) data, process heaps, GDI shared handle table, OS version, image version, image process affinity mask.


Table 2 lists the most important kernel variables related to processes.

Table 2. Kernel variables related to processes

PsActiveProcessHead (list head): list head of the process blocks (EPROCESS) of all active processes.
PsIdleProcess (EPROCESS): process block of the Idle process.
PsInitialSystemProcess (EPROCESS): process block of the initial system process that contains the system threads (see Chapter 2 of [3]).
PspCreateProcessNotifyRoutine (array of pointers): callback functions registered by device drivers to be notified when a process is created or deleted (up to 8 entries).
PspCreateProcessNotifyRoutineCount (DWORD): number of registered process notification routines.
PspLoadImageNotifyRoutine (array of pointers): callback functions registered by device drivers to be notified when an image is loaded (up to 8 entries).
PspLoadImageNotifyRoutineCount (DWORD): number of registered image load notification routines.
PspCidTable (HANDLE_TABLE): handle table that maps process and thread IDs to the corresponding EPROCESS and ETHREAD blocks.

Windows maintains a number of counters that let you observe process activity; they are exposed in the Performance tool (the process object is selected in the Add Counters dialog). Table 3 lists the counters that relate to the data structures described above.

Table 3. Process-related performance counters

Process: % Privileged Time: percentage of elapsed time the threads of the process have run in kernel (privileged) mode.
Process: % Processor Time: percentage of CPU time used by the process since the last update; the sum of % Privileged Time and % User Time.
Process: % User Time: percentage of elapsed time the threads of the process have run in user mode.
Process: Elapsed Time: total elapsed time, in seconds, since the process was created.
Process: ID Process: the process ID; ID values are reused, so an ID identifies a process only for its lifetime.
Process: Creating Process ID: the process ID of the creating (parent) process; the parent may already have exited, and its ID may have been reused.
Process: Thread Count: number of threads currently active in the process.
Process: Handle Count: total number of handles currently open in the process.

Table 4 lists the Windows functions for creating and manipulating processes; details are in the MSDN Library [4].

Table 4. Windows process-related functions

CreateProcess: creates a new process and its initial thread using the caller's security identity.
CreateProcessAsUser: creates a new process and thread with the specified alternate security token.
CreateProcessWithLogonW: creates a new process and thread to run under the credentials of the specified user name and password.
CreateProcessWithTokenW: creates a new process and thread with the specified alternate security token, with additional options such as allowing the user profile to be loaded.
OpenProcess: returns a handle to the specified process object.
ExitProcess: ends a process and notifies all attached DLLs.
TerminateProcess: ends a process without notifying the DLLs.
FlushInstructionCache: empties the instruction cache of the specified process.
GetProcessTimes: obtains a process's timing information, describing how much time the process has spent in user and kernel mode.
GetExitCodeProcess: returns the exit code of a process, indicating how and why the process shut down.
GetCommandLine: returns a pointer to the command-line string passed to the current process.
GetCurrentProcess: returns a pseudo handle for the current process.
GetCurrentProcessId: returns the ID of the current process.
GetProcessVersion: returns the major and minor versions of the Windows version on which the specified process expects to run.
GetStartupInfo: returns the contents of the STARTUPINFO structure specified during CreateProcess.
GetEnvironmentStrings: returns the address of the environment block.
GetEnvironmentVariable: returns a specific environment variable.
GetProcessShutdownParameters / SetProcessShutdownParameters: return or set the shutdown priority and number of retries for the current process.
GetGuiResources: returns a count of USER and GDI handles held by the process.

The CreateProcess flow

What happens when a Windows application calls CreateProcess? A Windows process is created when an application calls one of the process creation functions: CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW or CreateProcessWithLogonW. Creating a process consists of several stages carried out in three parts of the operating system: the Windows client-side library Kernel32.dll (where the Windows API is implemented), the Windows executive, and the Windows subsystem process (Csrss). Because Windows supports multiple subsystems, the creation of an executive process object (which other subsystems can use as well) is separated from the work that the Windows subsystem does for a Windows process. So, although the description below applies to CreateProcess in a Windows application, part of it also applies to processes created for other subsystems.

The main stages of CreateProcess are shown in Fig. 5:
1. Open the image file (.exe) to be executed inside the process.
2. Create the Windows executive process object.
3. Create the initial thread (stack, context and the Windows executive thread object).
4. Notify the Windows subsystem of the new process so that it can set up for the new process and thread.
5. Start execution of the initial thread (unless the CREATE_SUSPENDED flag was specified).
6. In the context of the new process and thread, complete the initialization of the address space (for example, load the required DLLs) and begin execution of the program.

Before looking at these stages, note a few things about the dwCreationFlags parameter of CreateProcess. Among other things it carries the priority class of the new process (Windows priority classes are described in the scheduling section below). If no priority class is specified, the new process gets the Normal class, unless the creating process has the Idle or Below Normal class, in which case the new process inherits the creator's class. If the Real-time class is specified but the caller does not hold the Increase Scheduling Priority privilege, the High class is used instead; in other words, CreateProcess does not fail merely because the caller lacks the privilege to create a Real-time process, the new process simply does not get the Real-time class. Also, if the caller does not specify a desktop in the STARTUPINFO structure, CreateProcess associates the new process with the creating process's current window station and desktop.

Fig. 5. The main stages of process creation by CreateProcess: (1) open the EXE file and create a section object; (2) create the Windows executive process object; (3) create the initial thread; (4) notify the Windows subsystem; (5) start the initial thread; (6) complete initialization in the context of the new process and thread.
Stage 1: Opening the image to be executed

As shown in Fig. 6, the first stage of CreateProcess is to find the Windows image that will run the executable file specified by the caller and to create a section object that will later be used to map it into the address space of the new process. If no image file name was specified, the first token of the command line (the text up to the first space that is not inside a quoted string) is used as the image name.

On Windows XP and Windows Server 2003, CreateProcess also checks whether software restriction policies on the machine prevent the image from being run. If the executable is a Windows image, it is used directly. If it is not a Windows image, for example an MS-DOS, Win16 or POSIX application, CreateProcess goes through a series of steps to find a Windows support image to run it. This is needed because non-Windows applications are not run directly: Windows uses one of a few special support images that are responsible for actually running the non-Windows program. For a POSIX executable, CreateProcess starts the Windows executable Posix.exe; for MS-DOS and Win16 applications it starts the Windows MS-DOS emulator Ntvdm.exe. In each case the Windows image that gets created is the support image, and it is the support image that then loads and runs the original program. The decision loop repeats until the image CreateProcess has found is a Windows image, as summarized in Fig. 6.


Fig. 6. Choosing a Windows image to activate:
- Windows EXE file: run directly.
- MS-DOS .EXE, .COM or .PIF file: run inside Ntvdm.exe.
- Win16 Windows application: run inside Ntvdm.exe.
- MS-DOS .BAT or .CMD batch file: run by Cmd.exe.
- OS/2 1.x application: run inside Os2.exe.
- POSIX application: run inside Posix.exe.

Stage 2: Creating the Windows executive process object

At this point CreateProcess has opened a valid Windows executable file and created a section object to map it into the new process address space. Next it creates a Windows executive process object to run the image by calling the internal system function NtCreateProcess. Creating the executive process object (done by the creating thread) involves the following substages:
- setting up the EPROCESS block (2A);
- creating the initial process address space (2B);
- initializing the kernel process block (KPROCESS) (2C);
- concluding the setup of the process address space, including the working set list and the virtual address space descriptors, and mapping the image into the address space (2D);
- setting up the PEB (2E);
- completing the setup of the executive process object (2F).

Stage 2A: Setting up the EPROCESS block

This substage involves nine steps:
1. Allocate and initialize the Windows EPROCESS block.
2. Inherit the process affinity mask (the set of CPUs the process may run on) from the parent process.
3. Set the minimum and maximum working set sizes of the process from the kernel variables PsMinimumWorkingSet and PsMaximumWorkingSet.
4. Set the quota block of the new process to the address of the parent process's quota block, and increment the reference count of the parent's quota.
5. Inherit the Windows device name space (including the definition of drive letters, COM ports and so on).
6. Store the parent process's ID in the InheritedFromUniqueProcessId field of the new EPROCESS block.
7. Create the primary access token of the process as a duplicate of the parent's primary token, so that new processes inherit the security profile of the parent. If CreateProcessAsUser is used to specify a different access token for the new process, the token is changed at this point.
8. Create the process handle table. If the inherit-handles flag is set for the parent process, any inheritable handles are copied from the parent's object handle table into the new process; otherwise the table starts empty.
9. Set the exit status of the new process to STATUS_PENDING.

Stage 2B: Creating the initial process address space

The initial process address space consists of the following pages:
- the page directory (with PAE, or on x86-64, the top-level page table structures can take more than one page);
- the hyperspace page;
- the working set list.

To create these pages, the following steps are taken:
1. Page table entries are created in the appropriate page tables to map the initial pages.
2. The number of pages is deducted from the kernel variable MmTotalCommittedPages and added to MmProcessCommit.
3. The systemwide default process minimum working set size (PsMinimumWorkingSet) is deducted from MmResidentAvailablePages.
4. The page table pages for the global system space (that is, everything other than the process-specific pages just described, and excluding session space) are created.

Stage 2C: Creating the kernel process block

Next, CreateProcess initializes the KPROCESS block, which is the first member of the EPROCESS block. (The kernel has no knowledge of handles, so it bypasses the object table and works with this block directly.) The KPROCESS block points to the process page directory (used to keep track of the process's virtual address space) and to the list of the process's kernel thread blocks, and holds the total time the threads of the process have executed, the default base scheduling priority of the process (which starts as Normal, that is 8, unless the parent process was Idle or Below Normal, in which case the setting is inherited), the default processor affinity for the threads of the process, and the initial value of the process default quantum, taken from PspForegroundQuantum[0], the first entry of the systemwide quantum array (quanta are described in the scheduling section below).

Stage 2D: Concluding the setup of the process address space

Setting up the address space for a new process is somewhat involved, so let us look at what happens one step at a time; some familiarity with the Windows memory manager helps here.
- The virtual memory manager sets the process's last trim time to the current time. The working set manager, which runs in the context of the balance set manager system thread, uses this value to decide when to start trimming the working set of the process.
- The memory manager initializes the working set list of the process; page faults can now be taken.
- The section created when the image file was opened is mapped into the address space of the new process, and the process section base address is set to the base address of the image.
- Ntdll.dll is mapped into the process.
- The systemwide national language support (NLS) tables are mapped into the address space of the process.

Note: POSIX processes clone the address space of their parent, so they do not go through these steps to create a new address space. For a POSIX application the section base address of the new process is set to that of the parent, the parent's PEB is cloned for the new process, and the NLS tables are mapped using the parent's address.

Stage 2E: Setting up the PEB

CreateProcess allocates a page for the PEB and initializes a number of its fields, most of which are listed in Table 5.

Table 5. Initial values of the fields of the PEB

Field                             Initial value
ImageBaseAddress                  Base address of the image section
NumberOfProcessors                KeNumberProcessors kernel variable
NtGlobalFlag                      NtGlobalFlag kernel variable
CriticalSectionTimeout            MmCriticalSectionTimeout kernel variable
HeapSegmentReserve                MmHeapSegmentReserve kernel variable
HeapSegmentCommit                 MmHeapSegmentCommit kernel variable
HeapDeCommitTotalFreeThreshold    MmHeapDeCommitTotalFreeThreshold kernel variable
HeapDeCommitFreeBlockThreshold    MmHeapDeCommitFreeBlockThreshold kernel variable
NumberOfHeaps                     0
MaximumNumberOfHeaps              (size of a page - size of a PEB) / 4
ProcessHeaps                      First byte after the PEB
OSMajorVersion                    NtMajorVersion kernel variable
OSMinorVersion                    NtMinorVersion kernel variable
OSBuildNumber                     NtBuildNumber kernel variable & 0x3FFF
OSPlatformId                      2

Stage 2F: Completing the setup of the executive process object

Before the handle to the new process can be returned, a few final steps must be completed:
1. If systemwide auditing of processes is enabled (either by local policy settings or by group policy settings from a domain controller), the creation of the process is written to the Security event log.
2. If the parent process was contained in a job, the job is recovered from the job level set of the parent process, and the new process is added to the job.
3. If the image header characteristics indicate IMAGE_FILE_UP_SYSTEM_ONLY (that is, the image was linked to run only on a uniprocessor system), a single CPU is chosen for all threads of the new process to run on. On a multiprocessor system this is done by cycling through the available processors: each time such an image is run, the next processor is used, so these images are spread evenly across the CPUs.
4. If the image specifies an explicit processor affinity mask (a field in the configuration header), this value is copied to the PEB and later set as the process affinity mask.
5. CreateProcess inserts the new process block at the end of the Windows list of active processes (PsActiveProcessHead).
6. The creation time of the process is set, and the handle to the new process is returned to the caller (CreateProcess in Kernel32.dll).

Stage 3: Creating the initial thread and its stack and context

At this point the Windows executive process object is completely set up. It still has no thread, however, so it cannot do anything yet. Before the thread can be created, it needs a stack and a context in which to run, so these are set up now. The stack size of the initial thread is taken from the image; there is no way to specify another size.

Now the initial thread can be created, which is done by calling NtCreateThread. The thread parameter (which cannot be specified in CreateProcess but can be specified in CreateThread) is the address of the PEB; it is used by the initialization code that runs in the context of the new thread (Stage 6). The thread does not run yet: it is created in the suspended state and is not resumed until the process is completely initialized (Stage 5). NtCreateThread calls PspCreateThread (a function also used when creating a system thread) which performs the following steps:
1. The thread count in the process object is incremented.
2. An executive thread block (ETHREAD) is created and initialized.
3. A thread ID is generated for the new thread.
4. The TEB is set up in the user-mode address space of the process.
5. The user-mode thread start address is stored in the ETHREAD. For Windows threads this is the system-supplied thread startup function in Kernel32.dll (BaseProcessStart for the first thread of a process and BaseThreadStart for the others). The start address specified by the user is stored in the ETHREAD block in a different location, so that debugging tools such as Process Explorer can query it.
6. KeInitThread is called to set up the KTHREAD block. The thread's initial and current base priorities are set to the process base priority, and its affinity and quantum are set to those of the process. This function also sets the initial ideal processor of the thread (ideal processors are described in the scheduling section). KeInitThread then allocates a kernel stack for the thread and initializes the machine-dependent hardware context, including the context, trap and exception frames. The context is set up so that the thread will start in kernel mode in KiThreadStartup. Finally, KeInitThread sets the thread state to Initialized and returns to PspCreateThread.
7. Any registered systemwide thread creation notification routines are called.
8. The thread's access token is set to point to the process access token, and an access check is made to determine whether the caller can create the thread. This check always succeeds when creating a thread in the local process, but it might fail when CreateRemoteThread is used to create a thread in another process and the creating process does not have the debug privilege enabled.
9. Finally, the thread is readied for execution.

Stage 4: Notifying the Windows subsystem about the new process

If the new process is a Windows process, a message must be sent to the Windows subsystem so that it can set up for the new process and thread. Kernel32.dll sends a message to Csrss that includes:
- the process and thread handles;
- entries from the creation flags;
- the ID of the process's creator;
- flags indicating whether the process belongs to a Windows application (so that Csrss can decide whether to show the startup cursor).

When it receives the message, the Windows subsystem performs the following steps:
1. CreateProcess duplicates a handle to the process and thread; the usage count of the process and the thread is incremented from 1 (set at creation time) to 2.
2. If no process priority class was specified, CreateProcess sets it according to the rules described earlier in this section.
3. The Csrss process block is allocated.
4. The exception port of the new process is set to the general function port of the Windows subsystem, so that the kernel sends a message to Csrss when an exception occurs in the process.
5. If the process is being debugged (the DEBUG_PROCESS creation flag), the debug port of the new process is set to the general function port of the Windows subsystem as well. This ensures that debug events in the new process (thread creation and deletion, exceptions and so on) are sent as messages to the Windows subsystem, which dispatches them to the process acting as the debugger.
6. The Csrss thread block is allocated and initialized.
7. CreateProcess inserts the thread into the list of threads of the process.
8. The count of processes in this session is incremented.
9. The process shutdown level is set to 0x280 (the default process shutdown level; see SetProcessShutdownParameters in the MSDN Library [4]).
10. The new process block is inserted into the list of Windows subsystem-wide processes.
11. The per-process data structure used by the kernel-mode part of the Windows subsystem (W32PROCESS) is allocated and initialized.
12. The application start cursor is displayed. This is the familiar arrow with an hourglass attached, telling the user that something is starting but the pointer can still be used. Windows then waits up to 2 seconds for a GUI call from the new process; if the process makes a GUI call (or the 2 seconds expire), the cursor reverts to the standard pointer.

Stage 5: Starting execution of the initial thread

At this point the process environment has been determined, resources for its threads to use have been allocated, the process has a thread, and the Windows subsystem knows about the new process. Unless the caller specified the CREATE_SUSPENDED flag, the initial thread is now resumed so that it can start running and perform the remainder of the process initialization, which happens in the context of the new process (Stage 6).

Stage 6: Performing process initialization in the context of the new process

The new thread begins life running the kernel-mode thread startup routine KiThreadStartup. KiThreadStartup lowers the thread's IRQL from DPC/dispatch level to APC level and then calls the system initial thread routine PspUserThreadStartup; the user-specified thread start address is passed to this routine as a parameter.

On Windows XP and Windows Server 2003, PspUserThreadStartup first checks whether application prefetching is enabled; if so, it calls the logical prefetcher, which processes the prefetch instruction file of the application (if one exists) and prefetches the code pages that were referenced during the last 10 seconds of the previous start of the process. Next, PspUserThreadStartup queues a user-mode APC to run the image loader initialization routine (LdrInitializeThunk in Ntdll.dll). When PspUserThreadStartup returns to KiThreadStartup, the thread returns to user mode, the APC is delivered, and LdrInitializeThunk runs. It initializes the loader, the heap manager, the NLS tables, thread local storage (TLS) and critical section structures, then loads the required DLLs and calls their entry points with the DLL_PROCESS_ATTACH reason.

Finally, when the loader initialization completes, the thread starts executing in user mode at the Windows startup routine in Kernel32.dll (BaseProcessStart), which calls the entry point of the image, that is, the main function of the program.


Threads

Now let us look at the data structures that represent threads, the kernel variables and counters related to them, and the steps involved in creating a thread.

Data structures

At the operating-system level a Windows thread is represented by an executive thread block (ETHREAD), whose layout is shown in Fig. 7. All ETHREAD blocks reside in the system address space, except for the thread environment block (TEB), which lives in the process address space. In addition, the Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process, and the kernel-mode part of the Windows subsystem (Win32k.sys) keeps a per-thread data structure (W32THREAD), created the first time the thread calls a USER or GDI function, to which the ETHREAD block points.

Fig. 7. Structure of the executive thread block (ETHREAD): KTHREAD, pointer to the EPROCESS block, thread creation and exit times, thread start address, impersonation information, LPC message information, pending I/O requests, pointer to the TEB.

Most of the fields of the ETHREAD block shown in Fig. 7 are self-explanatory. The first field is the kernel thread block (KTHREAD). Following that are the thread identification information (thread ID and process ID, with a pointer to the EPROCESS block), the start address, security information in the form of a pointer to the access token and impersonation data, and fields relating to LPC messages and pending I/O requests. Table 6 lists the key fields of the ETHREAD block.
Table 6. Key contents of the executive thread block (ETHREAD)

KTHREAD: the kernel thread block (see Table 7).
Thread time: thread creation and exit times.
Process identification: process ID and pointer to the EPROCESS block of the process the thread belongs to.
Start address: address of the thread start routine.
Impersonation information: access token and impersonation level (if the thread is impersonating a client).
LPC information: message ID that the thread is waiting for, and address of the message.
I/O information: list of pending I/O request packets (IRPs).
Let us look at two of the key thread data structures in more detail: the KTHREAD block and the TEB. The KTHREAD block contains the information that the Windows kernel needs to schedule the thread and to synchronize it with other threads; its layout is shown in Fig. 8.

Fig. 8. Structure of the kernel thread block (KTHREAD): dispatcher header, total user and kernel time, kernel stack information, system service table, scheduling information, pointer to the TLS array, synchronization information, list of pending APCs, timer block and wait blocks, list of objects the thread is waiting on, pointer to the TEB.

The key fields of the KTHREAD block are listed in Table 7.

Table 7. Key contents of the kernel thread block (KTHREAD)

Dispatcher header: because the thread is an object that can be waited on, it starts with a standard kernel dispatcher object header.
Execution time: total user and kernel CPU time.
Pointer to kernel stack information: base and upper address of the kernel stack.
Pointer to system service table: each thread starts out with this field pointing to the main system service table (KeServiceDescriptorTable); when a thread first calls a Windows GUI service, its system service table is changed to one that also includes the GDI and USER services in Win32k.sys.
Scheduling information: base and current priority, quantum, affinity mask, ideal processor, scheduling state, freeze count and suspend count.
Wait blocks: the thread block contains four built-in wait blocks, so that wait blocks need not be allocated and initialized each time the thread waits for something (one wait block is used for timers).
Wait information: list of objects the thread is waiting for, wait reason, and time at which the thread entered the wait state.
Mutant list: list of mutant objects the thread owns.
APC queues: lists of pending user-mode and kernel-mode APCs, and the alertable flag.
Timer block: built-in timer block (also used for wait timeouts).
Queue list: pointer to the queue object the thread is associated with (used by I/O completion ports).
Pointer to TEB: thread ID, TLS information, PEB pointer, and GDI and OpenGL information.
The TEB, shown in Fig. 9, is the only thread data structure that lives in the user-mode address space of the process. It stores context information for the image loader and various Windows DLLs; because these components run in user mode, they need a data structure that is writable from user mode. That is why this structure lives in the process address space rather than in system space, where it would be writable only from kernel mode. The address of a thread's TEB is shown by the !thread command of the kernel debugger.

Fig. 9. Fields of the thread environment block (TEB): exception list, stack base and limit, subsystem TIB, fiber data, arbitrary data slot, self pointer, environment pointer, process ID, thread ID, active RPC handle, PEB pointer, LastError value, count of owned critical sections, CSR client thread, Win32 thread information, Win32 client information (User32), current locale, floating-point software status, OS-reserved area, exception code, GDI32 information, OpenGL information, TLS array, Winsock data.

The kernel variables related to threads are listed in Table 8.

Table 8. Kernel variables related to threads

PspCreateThreadNotifyRoutine (array of pointers): callback functions registered by device drivers to be notified when a thread is created or deleted (up to 8 entries).
PspCreateThreadNotifyRoutineCount (DWORD): number of registered thread notification routines.
PspCreateProcessNotifyRoutine (array of pointers): callback functions registered by device drivers to be notified when a process is created or deleted (up to 8 entries).

The thread-related performance counters are listed in Table 9; most of them have the same meaning as the process counters in Table 3 but apply to a single thread.

Table 9. Thread-related performance counters

Process: Priority Base: the base priority of the process; threads of the process can raise and lower their own base priority relative to it.
Thread: % Privileged Time: percentage of elapsed time the thread has run in kernel (privileged) mode.
Thread: % Processor Time: percentage of CPU time the thread has used since the last update; the sum of % Privileged Time and % User Time.
Thread: % User Time: percentage of elapsed time the thread has run in user mode.
Thread: Context Switches/Sec: number of context switches per second that the thread has generated.
Thread: Elapsed Time: total elapsed CPU time, in seconds, since the thread was created.
Thread: ID Process: process ID of the thread's process; ID values are reused.
Thread: ID Thread: thread ID; ID values are reused.
Thread: Priority Base: base priority of the thread, which may differ from the process base priority.
Thread: Priority Current: current (dynamic) priority of the thread.
Thread: Start Address: starting virtual address of the thread.
Thread: Thread State: a value from 0 through 7 giving the current state of the thread (see the thread states section).
Thread: Thread Wait Reason: a value from 0 through 19 giving the reason the thread is in a wait state.

Table 10 lists the Windows functions that create and manipulate threads; the creation functions are described in detail below.

Table 10. Windows thread functions

CreateThread: creates a new thread in the current process.
CreateRemoteThread: creates a thread in another process.
ExitThread: ends execution of a thread normally.
TerminateThread: terminates a thread.
GetExitCodeThread: gets another thread's exit code.
GetThreadTimes: returns timing information for a thread.
GetCurrentThread: returns a pseudo handle for the current thread.
GetCurrentThreadId: returns the thread ID of the current thread.
GetThreadId: returns the thread ID of the specified thread.
GetThreadContext / SetThreadContext: return or change a thread's CPU registers.
GetThreadSelectorEntry: returns another thread's descriptor table entry (applies only to x86 systems).

Creating a thread

Although the steps required to create a thread in Windows are similar to those described for creating the initial thread of a process, the thread is created within an existing process, so some of the stages above do not apply. The following steps are taken when a Windows application calls CreateThread (implemented in Kernel32.dll):
1. CreateThread creates a user-mode stack for the thread in the address space of the process.
2. CreateThread sets up the initial (CPU-architecture-specific) context of the thread.
3. NtCreateThread is called to create the executive thread object in the suspended state; this involves the steps of Stage 3 described above (creating and initializing the ETHREAD, TEB and KTHREAD blocks and calling the registered thread creation notification routines).
4. CreateThread notifies the Windows subsystem (Csrss) about the new thread, and the subsystem performs its setup work for the new thread.
5. The thread handle and the thread ID (generated in Stage 3) are returned to the caller.
6. Unless the caller specified the CREATE_SUSPENDED flag, the thread is resumed so that it can be scheduled for execution. When it starts running, it goes through the startup steps described in Stage 3 and Stage 6 (in the context of the new thread) before calling the start address supplied by the caller.

Thread scheduling

Windows implements a priority-driven, preemptive scheduling system: the highest-priority runnable (ready) thread always runs, with the caveat that the thread chosen to run may be limited to the processors on which it is allowed to run, a restriction called processor affinity. By default a thread can run on any available processor, but this can be changed with the Windows scheduling functions listed in Table 11 below, or by setting an affinity mask in the image header.

When a thread is selected to run, it runs for an amount of time called a quantum. A quantum is the length of time a thread is allowed to run before Windows checks whether another thread at the same priority is waiting to run; quantum values can differ from process to process and from system to system. A thread might not complete its quantum, because Windows is preemptive: if another thread with a higher priority becomes ready to run, the current thread is preempted before it finishes its quantum, even if it has only just started running!

Windows has no single "scheduler" module or routine; the scheduling code is spread throughout the kernel, wherever scheduling-related events occur. The routines that perform these duties are collectively called the kernel's dispatcher. Thread dispatching takes place at DPC/dispatch level and is triggered by any of the following events: a thread becomes ready to execute (for example, it has just been created or has just been released from a wait); a thread leaves the running state because its quantum ends, it terminates, or it enters a wait state; a thread's priority changes, either because of a system service call or because Windows itself changes the priority value; a thread's processor affinity changes so that it can no longer run on the processor it was running on. At each of these points Windows must determine which thread should run next, and when it selects a new thread it performs a context switch to it: the procedure of saving the volatile machine state associated with the running thread, loading another thread's volatile state, and starting the new thread's execution.

Windows schedules at the thread level; the process a thread belongs to has no effect on scheduling. If, for example, process A has 10 runnable threads and process B has 2, and all 12 threads have the same priority, each thread receives one twelfth of the CPU time; Windows does not divide the time evenly between the two processes.


Priority levels

As shown in Fig. 10, Windows uses 32 priority levels, numbered from 0 to 31. They are divided as follows:
- sixteen real-time levels (16 through 31);
- fifteen variable (dynamic) levels (1 through 15);
- one system level (0), reserved for the zero page thread.

Fig. 10. Thread priority levels: 31 down to 16 are the real-time levels, 15 down to 1 the dynamic levels, and 0 is used only by the zero page thread.

Thread priorities are assigned from two different perspectives: that of the Windows API and that of the Windows kernel. The Windows API first organizes processes by the priority class assigned at creation time: Real-time, High, Above Normal, Normal, Below Normal and Idle. It then assigns a relative priority to the individual threads within those processes: Time-critical, Highest, Above-normal, Normal, Below-normal, Lowest and Idle. In the Windows API, each thread therefore has a base priority that is a function of its process priority class and its relative thread priority.

The mapping from Windows API priority classes and relative thread priorities to the internal numeric priorities is shown in Fig. 11. Whereas a process has only a single base priority value, each thread has two priority values: current and base. Scheduling decisions are made on the basis of the current priority. As explained in the section on priority boosts, the system under certain circumstances raises the priority of threads in the dynamic range (1 through 15) for brief periods. Windows never adjusts the priority of threads in the real-time range (16 through 31), so they always have the same base and current priority.

Fig. 11. Mapping of Windows API priorities to internal priorities:
- 31 down to 16 (real-time range): Real-time class, base priority 24 (thread relative priorities: Time-critical 31, Highest 26, Above-normal 25, Normal 24, Below-normal 23, Lowest 22, Idle 16);
- 15 down to 1 (dynamic range): High class 13, Above Normal 10, Normal 8, Below Normal 6, Idle 4; a Time-critical thread in any dynamic class is 15, an Idle thread is 1;
- 0: used only by the zero page thread; not available to Windows applications.


A process's priority class is set at creation time, either with the priority-class flags of CreateProcess or with the options of the START command, and it can be changed afterwards with SetPriorityClass or from a user interface such as Task Manager or Process Explorer (Set Priority). Note that the process base priority is not a value that its threads are locked to: it is the base priority that a new thread of the process starts with, and each thread can then be raised or lowered relative to it with SetThreadPriority (Table 11); in addition, the system may temporarily boost the current priority of a thread in the dynamic range, as described later.

The base priorities that correspond to the process priority classes (see Fig. 11) are 24, 13, 10, 8, 6 and 4 for Real-time, High, Above Normal, Normal, Below Normal and Idle respectively. Since most processes (and therefore most threads) run with the Normal priority class, base priority 8 is by far the most common.

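As an added worked example (this is not code from the lecture or from Windows), the following Python reproduces two of the rules above in one place: how CreateProcess resolves the priority class a new process actually receives from its dwCreationFlags (the CreateProcess flow section: Normal by default, the creator's class if it is Idle or Below Normal, and Real-time silently downgraded to High without the Increase Scheduling Priority privilege), and how a thread's base priority follows from the process priority class and the relative thread priority (Fig. 11). The flag values are the documented winbase.h constants and the priority table is the documented Windows API mapping; the function names are assumptions of this example.

```python
# Added example: priority-class resolution at process creation and the
# Windows API priority mapping. Not code from the lecture or from Windows;
# the constants are the documented winbase.h values, the helper names are mine.

# dwCreationFlags priority-class bits (winbase.h).
IDLE_PRIORITY_CLASS         = 0x00000040
BELOW_NORMAL_PRIORITY_CLASS = 0x00004000
NORMAL_PRIORITY_CLASS       = 0x00000020
ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000
HIGH_PRIORITY_CLASS         = 0x00000080
REALTIME_PRIORITY_CLASS     = 0x00000100
CREATE_SUSPENDED            = 0x00000004

CLASS_BY_FLAG = {
    IDLE_PRIORITY_CLASS: "Idle",
    BELOW_NORMAL_PRIORITY_CLASS: "Below Normal",
    NORMAL_PRIORITY_CLASS: "Normal",
    ABOVE_NORMAL_PRIORITY_CLASS: "Above Normal",
    HIGH_PRIORITY_CLASS: "High",
    REALTIME_PRIORITY_CLASS: "Real-time",
}
# The class flags are distinct single bits, so their sum is their OR.
PRIORITY_CLASS_MASK = sum(CLASS_BY_FLAG)

# Base priority of each process priority class (Fig. 11).
CLASS_BASE = {"Real-time": 24, "High": 13, "Above Normal": 10,
              "Normal": 8, "Below Normal": 6, "Idle": 4}

# Relative thread priorities are an offset from the process base, except for
# the two saturating values (Time-critical, Idle) handled in base_priority().
RELATIVE_OFFSET = {"Highest": 2, "Above-normal": 1, "Normal": 0,
                   "Below-normal": -1, "Lowest": -2}


def requested_class(creation_flags):
    """Priority class named in dwCreationFlags, or None when the caller set none."""
    bits = creation_flags & PRIORITY_CLASS_MASK
    if bits == 0:
        return None
    if bits not in CLASS_BY_FLAG:
        raise ValueError("more than one priority class bit set: 0x%x" % bits)
    return CLASS_BY_FLAG[bits]


def effective_class(creation_flags, creator_class, has_increase_sched_priority):
    """Class the new process really gets.

    No class requested: Normal, unless the creator is Idle or Below Normal,
    in which case the child inherits the creator's class.
    Real-time requested without the Increase Scheduling Priority privilege:
    silently downgraded to High; CreateProcess does not fail."""
    wanted = requested_class(creation_flags)
    if wanted is None:
        return creator_class if creator_class in ("Idle", "Below Normal") else "Normal"
    if wanted == "Real-time" and not has_increase_sched_priority:
        return "High"
    return wanted


def base_priority(priority_class, relative):
    """Internal base priority (0..31) for a class / relative-priority pair."""
    realtime = priority_class == "Real-time"
    if relative == "Time-critical":
        return 31 if realtime else 15
    if relative == "Idle":
        return 16 if realtime else 1
    value = CLASS_BASE[priority_class] + RELATIVE_OFFSET[relative]
    # Real-time threads stay in 16..31, dynamic-range threads in 1..15.
    low, high = (16, 31) if realtime else (1, 15)
    return max(low, min(high, value))


def initial_thread_priority(creation_flags, creator_class, privileged,
                            relative="Normal"):
    """Base priority of the first thread of a process created with these flags."""
    cls = effective_class(creation_flags, creator_class, privileged)
    return base_priority(cls, relative)
```

For example, a process created with REALTIME_PRIORITY_CLASS by an unprivileged caller ends up in the High class, so its initial thread starts at base priority 13 rather than 24; the caller sees no error, which is why a program that needs real-time priority must check GetPriorityClass afterwards rather than assume the request was honoured.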
Note: the Windows API exposes only the priority classes; a process base priority other than the class values above (for example, something other than 8 for a Normal process) can be set only with the native function NtSetInformationProcess.

Table 11 lists the Windows API functions that affect scheduling (the kernel's internal scheduling functions are not exposed to applications; see the Windows API reference [4] for details).
Table 11. Windows API functions related to scheduling

SuspendThread / ResumeThread: increments or decrements a thread's suspend count.
GetPriorityClass / SetPriorityClass: returns or sets a process's priority class (base priority).
GetThreadPriority / SetThreadPriority: returns or sets a thread's priority (relative to its process base priority).
GetProcessAffinityMask / SetProcessAffinityMask: returns or sets a process's affinity mask.
SetThreadAffinityMask: sets a thread's affinity mask (must be a subset of the process affinity mask), restricting the thread to that set of CPUs.
SetInformationJobObject: sets attributes of a job; some of them affect scheduling, such as the affinity mask and the priority class of the processes in the job (jobs are covered in the next lecture).
GetLogicalProcessorInformation: returns details about the CPU hardware configuration (hyperthreaded systems and NUMA nodes).
GetThreadPriorityBoost / SetThreadPriorityBoost: returns or sets the ability of Windows to temporarily boost the priority of a thread (applies only to threads in the dynamic range).
SetThreadIdealProcessor: establishes a preferred CPU for a thread, without restricting the thread to that CPU.
GetProcessPriorityBoost / SetProcessPriorityBoost: returns or sets the default priority-boost state of the process (inherited by its new threads).
SwitchToThread: yields the CPU to another thread (of priority 1 or higher) that is ready to run on the current processor.
Sleep: puts the current thread into a wait state for the specified interval (an interval of 0 gives up the rest of the thread's quantum).
SleepEx: puts the current thread into a wait state until an I/O completion callback completes, an APC is queued to the thread, or the specified interval ends.


Raising a process's class to Real-time, or a thread's priority into the real-time range, requires the Increase Scheduling Priority privilege; by default it is granted to administrators and to Local System. The reason is that threads in the real-time range run at a higher priority than many system threads, so a misbehaving real-time thread (for example, one that spins in a loop) can starve the system. Note also that the relative priority values and the term "real-time" in the Windows API have nothing to do with the interrupt request levels (IRQLs) at which interrupt service routines and DPCs run: any interrupt or DPC takes precedence over any thread, whatever its priority, so Windows is not a real-time operating system and gives no guaranteed response time to a real-time thread.


Thread states

Before looking at the thread scheduling algorithms, we need to examine the execution states a thread can be in. The states for Windows 2000 and Windows XP are shown in Fig. 12 (the numbers in parentheses are the values of the Thread: Thread State performance counter).

Fig. 12. Thread states in Windows 2000 and Windows XP: Initialized (0) -> Ready (1) -> Standby (3) -> Running (2); from Running a thread goes to Waiting (5), to Terminated (4) or, at quantum end or on preemption, back to Ready; a Waiting thread returns to Ready, or to Transition (6) and then Ready if its kernel stack was paged out.

Ready: a thread in the ready state is waiting to execute. When looking for a thread to execute, the dispatcher considers only the pool of threads in the ready state.
Standby: a thread in the standby state has been selected to run next on a particular processor. When the right conditions exist, the dispatcher performs a context switch to this thread. Only one thread can be in the standby state for each processor in the system. Note that a thread can be preempted out of the standby state before it ever executes (for example, if a higher-priority thread becomes runnable before the standby thread begins to run).
Running: once the dispatcher performs a context switch to a thread, the thread enters the running state and executes. The thread continues to run until its quantum ends (and another thread at the same priority is ready to run), it is preempted by a higher-priority thread, it terminates, it yields execution, or it voluntarily enters the waiting state.
Waiting: a thread can enter the waiting state in several ways: it can voluntarily wait for an object to synchronize its execution, the operating system can wait on the thread's behalf (for example, to resolve a paging I/O), or an environment subsystem can direct the thread to suspend itself. When the wait ends, depending on the priority, the thread either begins running immediately or is moved back to the ready state.
Transition: a thread enters the transition state if it is ready for execution but its kernel stack is paged out of memory. Once the kernel stack is brought back into memory, the thread enters the ready state.
Terminated: when a thread finishes executing, it enters the terminated state. Once the thread is terminated, the executive thread block (the structure in nonpaged pool that describes the thread) might or might not be deallocated; the object manager sets the policy regarding when to delete the object.
Initialized: this state is used internally while a thread is being created.

Windows Server 2003 adds one more state, deferred ready (Fig. 13). It is used for threads that have been selected to run on a specific processor but have not yet been scheduled. The state exists so that the kernel can minimize the time during which the systemwide lock on the scheduling database is held.

Fig. 13. Thread states in Windows Server 2003: as in Fig. 12, with the additional Deferred Ready (7) state on the way from Ready (1) to Standby (3) and Running (2).




Dispatcher database

To make thread scheduling decisions, the kernel maintains a set of data structures known collectively as the dispatcher database (Fig. 14). It keeps track of which threads are waiting to execute and which processors are executing which threads. This section describes the dispatcher database of Windows 2000 and Windows XP; the per-processor variant used by Windows Server 2003 is described in the multiprocessor section.

Fig. 14. Dispatcher database (Windows 2000 and Windows XP): the processors (1 through 4 in the figure) with their current threads, one systemwide set of 32 ready queues (priority 31 down to 0), and the ready summary bitmask (bits 31 down to 0).

The dispatcher ready queues hold the threads that are in the ready state, waiting to be scheduled for execution; there is one queue for each of the 32 priority levels. To speed up the choice of which thread to run or preempt, Windows maintains a 32-bit bitmask called the ready summary (the kernel variable KiReadySummary). Each set bit indicates that one or more threads are in the ready queue for that priority level (bit 0 represents priority 0, bit 1 priority 1, and so on), so the highest ready priority is found with a single most-significant-bit scan instead of walking 32 queues.

On a uniprocessor system the dispatcher database is synchronized by raising IRQL to DPC/dispatch level; on a multiprocessor system it is synchronized at SYNCH_LEVEL (see Chapter 2 of [3] and the multiprocessor section below). Raising IRQL in this way prevents other threads from interrupting thread dispatching on the processor, because threads normally run at IRQL 0 or 1. On a multiprocessor system more is required, however, because each CPU can raise IRQL at the same time and attempt to operate on the dispatcher database; how access is synchronized across processors is described in the multiprocessor section.

Quantum

As mentioned earlier, a quantum is the amount of time a thread is allowed to run before Windows checks whether another thread at the same priority is waiting to run. If a thread completes its quantum and there are no other threads at its priority, Windows lets it run for another quantum. On Windows 2000 Professional and Windows XP, threads run by default for 2 clock intervals; on Windows Server systems, for 12 clock intervals (the reasons for these defaults are explained below). The length of a clock interval depends on the hardware platform and is determined by the HAL, not by the kernel; for example, the clock interval is about 10 milliseconds on most x86 uniprocessors and about 15 milliseconds on most x86 multiprocessors.


Quantum accounting

Each thread has a quantum value in its KTHREAD block that represents how much of its quantum is left. Internally a quantum unit is one third of a clock interval, so a 2-tick quantum is 6 units and a 12-tick quantum is 36 units. The quantum is stored this way so that a thread which voluntarily enters a wait state before the clock tick can be charged for the partial tick it used: when a thread waits (for example, with WaitForSingleObject or WaitForMultipleObjects), its quantum is reduced by one unit, so a thread that waits frequently still uses up its quantum eventually and the scheduler can move on to other threads at the same priority. On each clock interrupt the clock interrupt routine deducts a fixed value (3 units) from the quantum of the running thread; when the quantum reaches zero, quantum-end processing is triggered (see the scheduling scenarios below). Note that the time spent in interrupt service routines and in DPCs is charged to the thread that happened to be running when the interrupt occurred (it is also counted as that thread's kernel-mode time), so a thread's quantum can expire somewhat earlier than the arithmetic suggests.


Controlling the quantum

Windows 2000 Professional and Windows XP use short quanta (2 clock ticks) so that foreground applications respond quickly; Windows Server uses long quanta (12 clock ticks) so that server requests are processed with fewer context switches. You can change the choice of short or long quanta from the Performance Options dialog box: on Windows XP and Windows Server 2003, open the properties of My Computer, select the Advanced tab, click Settings under Performance, and select the Advanced tab of the Performance Options dialog (Fig. 15).

Fig. 15. Performance Options dialog on Windows XP and Windows Server 2003 (Processor scheduling: Programs or Background services).

The Background Services setting gives all threads the long quanta used by Windows Server; Programs selects short quanta. Choosing Programs on a Windows Server system, or Background Services on a workstation, simply switches the system to the other default.

Quantum boosting

Before Windows NT 4.0, when a window was brought into the foreground on a workstation, all the threads of the foreground process (the process that owns the thread that owns the window with focus) received a priority boost of 2. Raising the priority changes scheduling behaviour more than intended: a compute-bound foreground process (for example, a spreadsheet recalculation or a CAD program rendering a drawing) prevented background threads of the same original priority from running at all, since the foreground threads were now 2 levels higher. This was acceptable for interactive programs, which wait most of the time, but not for CPU-intensive ones.

Starting with Windows NT 4.0 Workstation, the foreground process is favoured with a longer quantum instead of a higher priority: the quantum of its threads is tripled, so on a workstation foreground threads run with a 6-tick quantum while other threads keep 2 ticks. A compute-bound foreground process therefore still shares the CPU with background threads of equal priority, but gets a larger share of it (three times as much, if all the threads are compute-bound). The quantum boost applies when Programs (called Applications on Windows 2000) is selected in Performance Options; with Background Services (the default on Windows Server) the foreground process gets no quantum boost.

Quantum settings in the registry

The choice made in the Performance Options dialog is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation, whose low 6 bits are interpreted as three 2-bit fields:
- bits 4 and 5 select short or long quanta: 1 means long, 2 means short; 0 or 3 means the platform default (short on Windows 2000 Professional and Windows XP, long on Windows Server);
- bits 2 and 3 select whether the foreground quantum varies: 1 means variable (foreground threads get a longer quantum), 2 means fixed; 0 or 3 means the platform default (variable on Windows 2000 Professional and Windows XP, fixed on Windows Server);
- bits 0 and 1 set the foreground boost level, stored in the kernel variable PsPrioritySeparation: 0, 1 or 2 (3 is treated as 2). It is used as an index into the quantum table (PspForegroundQuantum) from which the quantum of the foreground process is taken; PspForegroundQuantum[0] is the quantum given to all other processes.

The Performance Options dialog exposes only the two standard combinations; to get any other combination of the three fields (for example, short fixed quanta), edit Win32PrioritySeparation directly.
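As an added example (not code from the lecture), the following Python decodes a Win32PrioritySeparation value into the settings described above and looks up the resulting quanta. The bit layout is as described in the text; the quantum table values, in units of one third of a clock tick, are the PspForegroundQuantum arrays (short variable 6/12/18, long variable 12/24/36, short fixed 18, long fixed 36). The default registry values checked below (2 on workstations, 0x18 on Windows Server 2003) and the function name are assumptions of this example.

```python
# Added example: decode the Win32PrioritySeparation registry value.
# Not code from the lecture; bit layout and quantum table as described above.

UNITS_PER_CLOCK_TICK = 3

# Quantum, in 1/3-tick units, indexed by PsPrioritySeparation (0, 1, 2).
QUANTUM_TABLE = {
    ("short", "variable"): (6, 12, 18),
    ("long", "variable"): (12, 24, 36),
    ("short", "fixed"): (18, 18, 18),
    ("long", "fixed"): (36, 36, 36),
}


def decode_priority_separation(value, server):
    """Return the effective quantum settings for a Win32PrioritySeparation value.

    server=True applies the Windows Server defaults (long, fixed) for the
    "default" encodings 0 and 3; server=False applies the Windows 2000
    Professional / Windows XP defaults (short, variable)."""
    if not 0 <= value <= 0x3F:
        raise ValueError("only the low 6 bits are defined")
    length_bits = (value >> 4) & 3  # bits 4-5: 1 long, 2 short, 0/3 default
    vary_bits = (value >> 2) & 3    # bits 2-3: 1 variable, 2 fixed, 0/3 default
    sep_bits = value & 3            # bits 0-1: PsPrioritySeparation, 3 -> 2

    length = {1: "long", 2: "short"}.get(length_bits, "long" if server else "short")
    vary = {1: "variable", 2: "fixed"}.get(vary_bits, "fixed" if server else "variable")
    separation = min(sep_bits, 2)

    table = QUANTUM_TABLE[(length, vary)]
    background = table[0]        # PspForegroundQuantum[0]: every non-foreground process
    foreground = table[separation]
    return {
        "quantum_length": length,
        "quantum_varies": vary == "variable",
        "priority_separation": separation,
        "background_units": background,
        "foreground_units": foreground,
        "background_ticks": background // UNITS_PER_CLOCK_TICK,
        "foreground_ticks": foreground // UNITS_PER_CLOCK_TICK,
    }
```

Decoding the workstation default (2) gives short variable quanta: 2 ticks for background threads and 6 for the foreground process, the tripling described under quantum boosting; the Windows Server 2003 default (0x18) gives long fixed quanta of 12 ticks for everyone, and 0x26 (short, variable, boost level 2) is the value that gives a server the workstation behaviour. A value that asks for a non-default combination not reachable from the dialog, such as 0x28 (short, fixed), gives 6-tick quanta to every thread with no foreground boost.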


Scheduling scenarios

Windows decides who gets the CPU on the basis of thread priority, but how does this work in practice? Windows 2000 and later answer the question at the dispatching events listed earlier. The following sections illustrate how priority-driven preemptive multitasking works at the thread level in four situations: a voluntary switch, preemption, quantum end and thread termination.


Voluntary switch

First, a thread might voluntarily relinquish the CPU by entering a wait state on some object (an event, a mutex, a semaphore, an I/O completion port, a process, a thread, a window message and so on) by calling one of the Windows wait functions (such as WaitForSingleObject or WaitForMultipleObjects). Fig. 16 illustrates a thread entering a wait state and Windows selecting a new thread to run.

Fig. 16. Voluntary switching: the running thread enters a wait; the dispatcher takes the first thread from the highest non-empty ready queue (priorities 20 down to 14 are shown; the priority-16 queue is selected).

In Fig. 16 the top block (thread) is voluntarily relinquishing the processor, so the next thread in the ready queue at the highest ready priority can run (as the arrow shows). Although it might appear from the figure that the relinquishing thread's priority is being reduced, it is not: it is just being moved to the wait queue. What about the remaining quantum of that thread? The quantum is not reset when a thread enters a wait state; as explained in the quantum accounting section, it is decremented by one unit (one third of a clock tick), so a thread that waits repeatedly still reaches the end of its quantum.

Preemption

In this scenario a lower-priority thread is preempted when a higher-priority thread becomes ready to run. This can happen for a couple of reasons: a higher-priority thread's wait completes (the event that the thread was waiting for has occurred), or a thread's priority is increased or decreased. In either case Windows must determine whether the currently running thread should continue to run or be preempted to let the higher-priority thread run. The mode in which the thread is running does not matter: a thread running in user mode can preempt a thread running in kernel mode; the thread priority is the deciding factor. When a thread is preempted, it is put at the head of the ready queue for the priority it was running at (Fig. 17).

Fig. 17. Preemptive thread scheduling: a thread at priority 18 becomes ready while a priority-16 thread is running; the priority-16 thread is preempted and returned to the head of its ready queue (priorities 18 down to 13 are shown).

In Fig. 17 a thread with priority 18 emerges from a wait state and takes over the CPU, causing the thread that was running (at priority 16) to be bumped to the head of the priority-16 ready queue. Notice that the bumped thread is not placed at the end of the queue but at the beginning: when the preempting thread has finished running, the bumped thread can complete its quantum.

Quantum end

When the running thread exhausts its CPU quantum, Windows must determine whether the thread's priority should be decremented and then whether another thread should be scheduled on the processor. If the thread's priority is reduced, Windows looks for a more appropriate thread to schedule (for example, a thread in a ready queue with a higher priority than the new priority of the current thread). If the priority is not reduced and there are other threads in the ready queue at the same priority, Windows selects the next thread in that queue and moves the previously running thread to the tail of the queue, giving it a new quantum and changing its state from running to ready (Fig. 18). If no other thread of the same priority is ready to run, the current thread runs for another quantum.

Fig. 18. Quantum-end thread scheduling: the running priority-15 thread has used up its quantum and moves to the tail of the priority-15 ready queue; the next priority-15 thread runs (priorities 15 down to 11 are shown).

Termination

When a thread finishes running (either by returning from its main routine, by calling ExitThread, or by being killed with TerminateThread), it moves from the running state to the terminated state. If there are no handles open on the thread object, the thread is removed from the process thread list and its data structures are deallocated and released.


Context switching

A thread's context and the procedure for context switching vary depending on the processor architecture. A typical context switch requires saving and reloading the following data:
- the instruction pointer;
- the kernel stack pointer;
- a pointer to the address space in which the thread runs (the page table directory of the process).

The kernel saves this information from the old thread by pushing it onto the current (old thread's) kernel-mode stack, updating the stack pointer, and saving the stack pointer in the old thread's KTHREAD block. The kernel stack pointer is then set to the new thread's kernel stack, and the new thread's context is loaded. If the new thread belongs to a different process, the address of its page table directory is loaded into a special processor register so that its address space becomes available; because this flushes the translation look-aside buffer, switching between threads of different processes costs more than switching between threads of the same process. If a kernel APC is pending for the new thread, an interrupt at IRQL 1 is requested; otherwise control passes to the new thread's restored instruction pointer and the new thread resumes execution.


Idle thread

When no runnable thread exists on a CPU, Windows dispatches the idle thread of that CPU. Each CPU has its own idle thread because on a multiprocessor system one CPU can be executing a thread while other CPUs have nothing to run. The idle threads belong to the Idle process, which Process Explorer shows as System Idle Process; Windows reports it as process ID 0. It is not a real process: it has no image file and no user-mode address space, and the idle threads run entirely in kernel mode. Although some details vary between architectures, the basic flow of control of the idle thread is as follows (the idle thread runs at IRQL DPC/dispatch level, so it can process pending DPCs without raising IRQL each time):
1. Enables and disables interrupts (allowing any pending interrupts to be delivered).
2. Checks whether any DPCs are pending on the processor; if so, clears the pending software interrupt and delivers them.
3. Checks whether a thread has been selected to run next on the processor (that is, a thread is in the standby state) and, if so, dispatches that thread.
4. Calls the HAL processor idle routine (in case any power management functions need to be performed).
On Windows Server 2003 the idle thread additionally checks whether a thread on another processor's ready queue could run on this processor, so that an idle CPU does not stay idle while another CPU has a backlog (see the multiprocessor section).


Priority boosts

In five cases Windows can boost (raise) the current priority of a thread in the dynamic range:
- on completion of I/O operations;
- after waiting on executive events or semaphores;
- after threads of the foreground process complete a wait;
- when GUI threads wake up because of windowing activity;
- when a thread has not run for some time (CPU starvation).

The intent of these adjustments is to improve overall system throughput and responsiveness and to resolve potentially unfair scheduling situations. Like any scheduling heuristic, however, they are not perfect and do not benefit every application. Windows never boosts the priority of threads in the real-time range (16 through 31), so scheduling is always predictable with respect to other real-time threads. Windows assumes that if you are using real-time priorities, you know what you are doing.


Multiprocessor systems

On a uniprocessor system scheduling is relatively simple: the highest-priority thread that wants to run is always running. On a multiprocessor system it is more complex, because Windows attempts to schedule each thread on the most suitable processor, taking into account the thread's preferred and previous processors as well as the configuration of the multiprocessor system. Therefore, although Windows attempts to run the highest-priority runnable threads on all available CPUs, it guarantees only that the single highest-priority thread is running somewhere. Before looking at the algorithms that choose which thread runs where and when, we need to examine the additional information Windows keeps to track thread and processor state on multiprocessor systems, and the two special kinds of multiprocessor systems Windows supports: hyperthreaded and NUMA.


Multiprocessor dispatcher database

In addition to the ready queues and the ready summary, on Windows 2000 and Windows XP the kernel maintains two bitmasks that track the state of the processors on the system (how they are used is explained in the next lecture):
- the active processor mask (KeActiveProcessors), which has a bit set for each usable processor on the system; this can be fewer than the physical processors if the licensing limits of the Windows edition do not allow all of them to be used;
- the idle summary (KiIdleSummary), in which each set bit represents an idle processor.

Whereas on a uniprocessor system the dispatcher database is locked by raising IRQL (to DPC/dispatch level on Windows 2000 and Windows XP, and to DPC/dispatch or Synch level on Windows Server 2003), on a multiprocessor system more is needed, because each processor can raise IRQL at the same time and try to operate on the dispatcher database. On Windows 2000 and Windows XP, two kernel spinlocks synchronize thread dispatching: the dispatcher spinlock (KiDispatcherLock) and the context swap spinlock (KiContextSwapLock). The former is held while structures that affect how a thread should be scheduled are changed; the latter is held after the decision has been made, during the context swap itself.

To improve scalability, including the concurrency of thread dispatching, multiprocessor Windows Server 2003 systems have per-processor dispatcher ready queues, as shown in Fig. 19. Each CPU can therefore check its own ready queues for the next thread to run without locking a systemwide structure. The per-processor ready queues and ready summary are part of the processor control block (PRCB). To synchronize access to the thread state held in a PRCB, the kernel uses a per-processor spinlock; because a PRCB is accessed mostly by its own processor (the exception is when another processor needs to move a thread to that processor's ready queue), the lock is rarely contended. The PRCB spinlock is acquired at IRQL SYNCH_LEVEL. Thread selection thus locks only the PRCB of one processor, whereas on Windows 2000 and Windows XP the systemwide dispatcher spinlock had to be held.

Fig. 19. Multiprocessor dispatcher database of Windows Server 2003: processors 1 through 4, each with its own 32 ready queues (priority 31 down to 0) and its own ready summary (bits 31 down to 0).

Each CPU also has a list of threads in the deferred ready state. These are threads that are ready to run but whose transition to the ready state has been deferred to avoid contention on the per-processor dispatcher locks: when a thread is made ready on a processor other than the one it should run on, it is queued to the target processor's deferred ready list, and the target processor processes that list, under its own PRCB lock, the next time it dispatches (for example, at the end of a DPC). If the newly ready thread has a higher priority than the thread currently running on the target processor, a dispatch interrupt is requested on that processor. In summary, on Windows Server 2003 a dispatching decision needs only the lock of the processor concerned, whereas on Windows 2000 and Windows XP every dispatching decision took the single systemwide dispatcher lock and thus serialized all processors.

Hyperthreaded systems

Windows XP and Windows Server 2003 support hyperthreaded multiprocessor systems (CPUs on which one physical processor appears as two or more logical processors) in two primary ways:
1. Logical processors do not count against physical processor licensing limits. For example, Windows XP Home Edition, which has a licensed processor limit of 1, uses both logical processors on a single-processor hyperthreaded system.
2. When choosing a processor for a thread, a physical processor with all its logical processors idle is preferred over a physical processor with only one idle logical processor, so that two threads are not packed onto one core while another core sits idle.

NUMA systems

Another type of multiprocessor system supported by Windows XP and Windows Server 2003 is one with a nonuniform memory access (NUMA) architecture. In a NUMA system, processors are grouped into smaller units called nodes. Each node has its own processors and memory and is connected to the rest of the system through a cache-coherent interconnect bus. These systems are called "nonuniform" because, although any processor in any node can access all of the memory, the node-local memory is much faster to access than memory in another node. The scheduler takes this into account: as described below, it tries to run the threads of a process on the processors of the node where the process's memory resides.

Affinity

Each thread has an affinity mask that specifies the processors on which the thread is allowed to run. The thread affinity mask is inherited from the process affinity mask. By default all processes, and therefore all threads, begin with an affinity mask equal to the set of active processors on the system; in other words, the system is free to schedule every thread on any available processor. To improve throughput or to partition a workload onto a specific set of processors, an application can change the affinity mask at several levels:
- call SetThreadAffinityMask to set the affinity of an individual thread (the mask must be a subset of the process affinity mask);
- call SetProcessAffinityMask to set the affinity mask of all threads of a process; in Process Explorer or Task Manager the same thing is done by right-clicking the process and choosing Set Affinity;
- make the process a member of a job that has a jobwide affinity mask set with SetInformationJobObject (jobs are described in the next lecture);
- specify an affinity mask in the image header when building the application; the Imagecfg tool from the Windows 2000 Server Resource Kit Supplement can also set the affinity mask of an existing image.

Ideal and last processor

Each thread has two CPU numbers stored in its kernel thread block:
- the ideal processor, the preferred processor on which the thread should run;
- the last processor, the processor on which the thread last ran.

The ideal processor of a thread is chosen when the thread is created, using a seed in the process block. The seed is incremented each time a thread is created, so the ideal processors of successive threads in a process rotate through the available processors. For example, the first thread of the first process on the system gets ideal processor 0 and the second thread of that process gets ideal processor 1; the next process gets seed 1, so its first thread gets ideal processor 1, its second thread 2, and so on. In this way the threads of each process are spread evenly across the CPUs.

Note that this assumes the threads of a process do an equal amount of work, which is typically not the case: a multithreaded process normally has one or more housekeeping threads and a number of worker threads. A multithreaded application that wants to make full use of a multiprocessor machine may therefore specify the ideal processors of its threads itself with SetThreadIdealProcessor.

On hyperthreaded systems, the next ideal processor is the first logical processor of the next physical processor. For example, on a dual-processor hyperthreaded system with four logical processors, if the first thread gets ideal processor 0, the second thread gets logical processor 2, the third logical processor 1, the fourth logical processor 3, and so on, so that the threads are spread across the physical processors first.

On NUMA systems, an ideal node is selected for each process when it is created: the first process is assigned node 0, the second node 1, and so on. The ideal processors of the threads of a process are then chosen from the process's ideal node: the first thread gets the first processor in the node, and as further threads are created in processes with the same ideal node, the next processor of that node is used for each next thread, and so on.
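The following Python is an added example, not code from the lecture or from the kernel; its function names are assumptions of the example. It reproduces the ideal-processor rotation described above (per-process seed advancing one thread at a time, physical cores walked before their hyperthread siblings, as in the 0, 2, 1, 3 sequence on a 2-core, 4-logical-processor machine), and it shows the one check that matters for affinity: the CPU chosen must lie inside the thread's affinity mask, and a thread affinity mask must be a non-empty subset of the process mask or SetThreadAffinityMask would reject it. It goes beyond the text in one way: it also handles an affinity mask that excludes some CPUs from the rotation.

```python
# Added example: ideal-processor assignment with hyperthreading and affinity.
# Not kernel code; names are my own. Logical CPUs of physical core c are
# numbered c*threads_per_core .. c*threads_per_core + threads_per_core - 1.


def hyperthread_walk_order(logical_cpus, threads_per_core):
    """Order in which ideal processors are handed out: the first logical CPU of
    every physical core, then the second logical CPU of every core, and so on
    (0, 2, 1, 3 for two cores with two logical CPUs each)."""
    if threads_per_core < 1 or logical_cpus % threads_per_core:
        raise ValueError("logical CPU count must be a multiple of threads per core")
    cores = logical_cpus // threads_per_core
    return [core * threads_per_core + sibling
            for sibling in range(threads_per_core)
            for core in range(cores)]


def thread_affinity_allowed(thread_mask, process_mask):
    """SetThreadAffinityMask requires a non-empty subset of the process mask."""
    return thread_mask != 0 and (thread_mask & ~process_mask) == 0


def assign_ideal_processors(n_threads, logical_cpus, threads_per_core=1,
                            affinity_mask=None, seed=0):
    """Return (ideal processor for each new thread, next seed value).

    The seed advances by one per thread, like the per-process seed in the
    text; CPUs outside the affinity mask are skipped (an extension of the
    text, which assumes the default all-CPUs mask)."""
    order = hyperthread_walk_order(logical_cpus, threads_per_core)
    all_cpus = (1 << logical_cpus) - 1
    if affinity_mask is None:
        affinity_mask = all_cpus
    if (affinity_mask & all_cpus) == 0:
        raise ValueError("affinity mask selects no CPU")
    ideal = []
    for _ in range(n_threads):
        for step in range(logical_cpus):
            cpu = order[(seed + step) % logical_cpus]
            if (affinity_mask >> cpu) & 1:
                break
        ideal.append(cpu)
        seed = (seed + step + 1) % logical_cpus
    return ideal, seed
```

On the four-logical-processor hyperthreaded example from the text, five threads get ideal processors 0, 2, 1, 3, 0; a second process starting from seed 1 on a plain 4-CPU box gets 1, 2 for its first two threads, which is the interleaving the text describes.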


In the next lecture (Part 2):
- jobs;
- thread scheduling on multiprocessor systems: choosing a processor for a thread and a thread for a processor.
References
1. Tanenbaum A. Modern Operating Systems (Russian translation). 2nd ed. St. Petersburg: Piter, 2002. 1040 p.
2. Tanenbaum A., Woodhull A. Operating Systems: Design and Implementation (Russian translation, Classic CS series). St. Petersburg: Piter, 2006. 576 p.
3. Solomon D., Russinovich M. Microsoft Windows Internals: Windows Server 2003, Windows XP, Windows 2000 (Russian translation). 4th ed. Moscow: Russkaya Redaktsiya; St. Petersburg: Piter, 2005. 992 p.
4. Microsoft Developer Network. URL: http://msdn.com