
EPROCESS(PEB), ETHREAD(TEB), KPROCESS(PCB), KTHREAD(TCB)

Notes on a few things I learned while doing kernel debugging.

EPROCESS (Executive Process) and ETHREAD (Executive Thread) are the structures the kernel allocates in kernel memory when a process and its threads are created.

Their user-mode counterparts, created in the process's own address space, are the PEB (Process Environment Block) and the TEB (Thread Environment Block).

Processes are managed through the layout shown in the figure above: EPROCESS/ETHREAD on the kernel side, PEB/TEB on the user side.

The PEB and TEB exist for performance: user-mode code (ntdll, the loader, the heap) needs process and thread information constantly, and pulling it out of EPROCESS/ETHREAD would cost a system call every time, so the kernel keeps a user-readable copy inside the process's own address space. Because they live in user memory they are readable and writable by the process itself, whereas EPROCESS/ETHREAD are only reachable from kernel mode.

KPROCESS (Process Control Block, PCB) and KTHREAD (Thread Control Block, TCB) are the kernel-layer scheduler structures embedded at the start of EPROCESS and ETHREAD respectively: the Pcb field at +0x000 below is the whole KPROCESS, not a pointer to it.

First, a quick look at EPROCESS. The offsets below are from the machine being debugged (this layout matches Windows 7 x64); they differ between Windows builds, so read them from dt on the actual target instead of hard-coding them.

  • EPROCESS

kd> dt nt!_EPROCESS
  +0x000 Pcb             : _KPROCESS // kernel-layer process control block, embedded here (not a pointer)
  +0x160 ProcessLock     : _EX_PUSH_LOCK
  +0x168 CreateTime       : _LARGE_INTEGER // process creation time
  +0x170 ExitTime         : _LARGE_INTEGER // process exit time (0 while the process is still running)
  +0x178 RundownProtect   : _EX_RUNDOWN_REF
  +0x180 UniqueProcessId : Ptr64 Void // PID
  +0x188 ActiveProcessLinks : _LIST_ENTRY // doubly linked list through every active process (anchored at PsActiveProcessHead)
  +0x198 ProcessQuotaUsage : [2] Uint8B
  +0x1a8 ProcessQuotaPeak : [2] Uint8B
  +0x1b8 CommitCharge     : Uint8B
  +0x1c0 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
  +0x1c8 CpuQuotaBlock   : Ptr64 _PS_CPU_QUOTA_BLOCK
  +0x1d0 PeakVirtualSize : Uint8B
  +0x1d8 VirtualSize     : Uint8B
  +0x1e0 SessionProcessLinks : _LIST_ENTRY
  +0x1f0 DebugPort       : Ptr64 Void
  +0x1f8 ExceptionPortData : Ptr64 Void
  +0x1f8 ExceptionPortValue : Uint8B
  +0x1f8 ExceptionPortState : Pos 0, 3 Bits
  +0x200 ObjectTable     : Ptr64 _HANDLE_TABLE
  +0x208 Token           : _EX_FAST_REF
  +0x210 WorkingSetPage   : Uint8B
  +0x218 AddressCreationLock : _EX_PUSH_LOCK
  +0x220 RotateInProgress : Ptr64 _ETHREAD
  +0x228 ForkInProgress   : Ptr64 _ETHREAD
  +0x230 HardwareTrigger : Uint8B
  +0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
  +0x240 CloneRoot       : Ptr64 Void
  +0x248 NumberOfPrivatePages : Uint8B
  +0x250 NumberOfLockedPages : Uint8B
  +0x258 Win32Process     : Ptr64 Void
  +0x260 Job             : Ptr64 _EJOB
  +0x268 SectionObject   : Ptr64 Void
  +0x270 SectionBaseAddress : Ptr64 Void
  +0x278 Cookie           : Uint4B
  +0x27c UmsScheduledThreads : Uint4B
  +0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
  +0x288 Win32WindowStation : Ptr64 Void
  +0x290 InheritedFromUniqueProcessId : Ptr64 Void
  +0x298 LdtInformation   : Ptr64 Void
  +0x2a0 Spare           : Ptr64 Void
  +0x2a8 ConsoleHostProcess : Uint8B
  +0x2b0 DeviceMap       : Ptr64 Void
  +0x2b8 EtwDataSource   : Ptr64 Void
  +0x2c0 FreeTebHint     : Ptr64 Void
  +0x2c8 FreeUmsTebHint   : Ptr64 Void
  +0x2d0 PageDirectoryPte : _HARDWARE_PTE
  +0x2d0 Filler           : Uint8B
  +0x2d8 Session         : Ptr64 Void
  +0x2e0 ImageFileName   : [15] UChar // image name (first 15 characters only, not the full path)
  +0x2ef PriorityClass   : UChar
  +0x2f0 JobLinks         : _LIST_ENTRY
  +0x300 LockedPagesList : Ptr64 Void
  +0x308 ThreadListHead   : _LIST_ENTRY
  +0x318 SecurityPort     : Ptr64 Void
  +0x320 Wow64Process     : Ptr64 Void
  +0x328 ActiveThreads   : Uint4B
  +0x32c ImagePathHash   : Uint4B
  +0x330 DefaultHardErrorProcessing : Uint4B
  +0x334 LastThreadExitStatus : Int4B
  +0x338 Peb             : Ptr64 _PEB
  +0x340 PrefetchTrace   : _EX_FAST_REF
  +0x348 ReadOperationCount : _LARGE_INTEGER
  +0x350 WriteOperationCount : _LARGE_INTEGER
  +0x358 OtherOperationCount : _LARGE_INTEGER
  +0x360 ReadTransferCount : _LARGE_INTEGER
  +0x368 WriteTransferCount : _LARGE_INTEGER
  +0x370 OtherTransferCount : _LARGE_INTEGER
  +0x378 CommitChargeLimit : Uint8B
  +0x380 CommitChargePeak : Uint8B
  +0x388 AweInfo         : Ptr64 Void
  +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
  +0x398 Vm               : _MMSUPPORT
  +0x420 MmProcessLinks   : _LIST_ENTRY
  +0x430 HighestUserAddress : Ptr64 Void
  +0x438 ModifiedPageCount : Uint4B
  +0x43c Flags2           : Uint4B
  +0x43c JobNotReallyActive : Pos 0, 1 Bit
  +0x43c AccountingFolded : Pos 1, 1 Bit
  +0x43c NewProcessReported : Pos 2, 1 Bit
  +0x43c ExitProcessReported : Pos 3, 1 Bit
  +0x43c ReportCommitChanges : Pos 4, 1 Bit
  +0x43c LastReportMemory : Pos 5, 1 Bit
  +0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
  +0x43c HandleTableRundown : Pos 7, 1 Bit
  +0x43c NeedsHandleRundown : Pos 8, 1 Bit
  +0x43c RefTraceEnabled : Pos 9, 1 Bit
  +0x43c NumaAware       : Pos 10, 1 Bit
  +0x43c ProtectedProcess : Pos 11, 1 Bit
  +0x43c DefaultPagePriority : Pos 12, 3 Bits
  +0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
  +0x43c ProcessVerifierTarget : Pos 16, 1 Bit
  +0x43c StackRandomizationDisabled : Pos 17, 1 Bit
  +0x43c AffinityPermanent : Pos 18, 1 Bit
  +0x43c AffinityUpdateEnable : Pos 19, 1 Bit
  +0x43c PropagateNode   : Pos 20, 1 Bit
  +0x43c ExplicitAffinity : Pos 21, 1 Bit
  +0x440 Flags           : Uint4B
  +0x440 CreateReported   : Pos 0, 1 Bit
  +0x440 NoDebugInherit   : Pos 1, 1 Bit
  +0x440 ProcessExiting   : Pos 2, 1 Bit
  +0x440 ProcessDelete   : Pos 3, 1 Bit
  +0x440 Wow64SplitPages : Pos 4, 1 Bit
  +0x440 VmDeleted       : Pos 5, 1 Bit
  +0x440 OutswapEnabled   : Pos 6, 1 Bit
  +0x440 Outswapped       : Pos 7, 1 Bit
  +0x440 ForkFailed       : Pos 8, 1 Bit
  +0x440 Wow64VaSpace4Gb : Pos 9, 1 Bit
  +0x440 AddressSpaceInitialized : Pos 10, 2 Bits
  +0x440 SetTimerResolution : Pos 12, 1 Bit
  +0x440 BreakOnTermination : Pos 13, 1 Bit
  +0x440 DeprioritizeViews : Pos 14, 1 Bit
  +0x440 WriteWatch       : Pos 15, 1 Bit
  +0x440 ProcessInSession : Pos 16, 1 Bit
  +0x440 OverrideAddressSpace : Pos 17, 1 Bit
  +0x440 HasAddressSpace : Pos 18, 1 Bit
  +0x440 LaunchPrefetched : Pos 19, 1 Bit
  +0x440 InjectInpageErrors : Pos 20, 1 Bit
  +0x440 VmTopDown       : Pos 21, 1 Bit
  +0x440 ImageNotifyDone : Pos 22, 1 Bit
  +0x440 PdeUpdateNeeded : Pos 23, 1 Bit
  +0x440 VdmAllowed       : Pos 24, 1 Bit
  +0x440 CrossSessionCreate : Pos 25, 1 Bit
  +0x440 ProcessInserted : Pos 26, 1 Bit
  +0x440 DefaultIoPriority : Pos 27, 3 Bits
  +0x440 ProcessSelfDelete : Pos 30, 1 Bit
  +0x440 SetTimerResolutionLink : Pos 31, 1 Bit
  +0x444 ExitStatus       : Int4B
  +0x448 VadRoot         : _MM_AVL_TABLE
  +0x488 AlpcContext     : _ALPC_PROCESS_CONTEXT
  +0x4a8 TimerResolutionLink : _LIST_ENTRY
  +0x4b8 RequestedTimerResolution : Uint4B
  +0x4bc ActiveThreadsHighWatermark : Uint4B
  +0x4c0 SmallestTimerResolution : Uint4B
  +0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD

Dumping the EPROCESS of an actual running process shows the process doubly linked list in use:

kd> dt nt!_EPROCESS fffffa8001e04b30
  +0x000 Pcb             : _KPROCESS
  +0x160 ProcessLock     : _EX_PUSH_LOCK
  +0x168 CreateTime       : _LARGE_INTEGER 0x01d65fdd`ab553b95
  +0x170 ExitTime         : _LARGE_INTEGER 0x0
  +0x178 RundownProtect   : _EX_RUNDOWN_REF
  +0x180 UniqueProcessId : 0x00000000`00000680 Void
  +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`0205ecb8 - 0xfffffa80`02947bb8 ] // Flink -> next process's ActiveProcessLinks, Blink -> previous process's
  +0x198 ProcessQuotaUsage : [2] 0x26f8
  +0x1a8 ProcessQuotaPeak : [2] 0x53f8
  +0x1b8 CommitCharge     : 0x1ae
  +0x1c0 QuotaBlock       : 0xfffffa80`0430d300 _EPROCESS_QUOTA_BLOCK
  +0x1c8 CpuQuotaBlock   : (null)
  +0x1d0 PeakVirtualSize : 0x5384000
  +0x1d8 VirtualSize     : 0x4dca000
  +0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0xfffffa80`0205ed10 - 0xfffffa80`02947c10 ]

Following the doubly linked list: Flink and Blink point at the ActiveProcessLinks field inside the next and previous EPROCESS, not at their start, so subtracting the field's offset (0x188 on this build) gives the base of the neighbouring EPROCESS. This is exactly what the kernel's CONTAINING_RECORD macro does. The first qword of each dump below, 00000000`00580003, is the _DISPATCHER_HEADER that begins the embedded _KPROCESS (Type 3 = process object, Size 0x58 in 4-byte units = 0x160 = sizeof(_KPROCESS)), which confirms the subtraction landed on a real EPROCESS; the qword at +0x28 (00000000`5c5bf000 and 00000000`19827000) is KPROCESS.DirectoryTableBase, that process's page-table base (CR3).

kd> dq 0xfffffa80`0205ecb8-188
fffffa80`0205eb30 00000000`00580003 fffffa80`0205eb38
fffffa80`0205eb40 fffffa80`0205eb38 fffffa80`0205eb48
fffffa80`0205eb50 fffffa80`0205eb48 00000000`5c5bf000
fffffa80`0205eb60 fffffa80`02e6ce58 fffffa80`01d66e58
fffffa80`0205eb70 00000000`00000000 00000000`00040001
fffffa80`0205eb80 00000000`00000001 00000000`00000000
fffffa80`0205eb90 00000000`00000000 00000000`00000000
fffffa80`0205eba0 fffffa80`0205eba0 fffffa80`0205eba0
kd> dq 0xfffffa80`02947bb8-188
fffffa80`02947a30 00000000`00580003 fffffa80`02947a38
fffffa80`02947a40 fffffa80`02947a38 fffffa80`02947a48
fffffa80`02947a50 fffffa80`02947a48 00000000`19827000
fffffa80`02947a60 fffffa80`01fce848 fffffa80`02d50958
fffffa80`02947a70 00000000`00000000 00000000`00040001
fffffa80`02947a80 00000000`00000001 00000000`00000000
fffffa80`02947a90 00000000`00000000 00000000`00000000
fffffa80`02947aa0 fffffa80`02947aa0 fffffa80`02947aa0
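To see the whole mechanism end to end, here is an added C example that is not part of the original post: it simulates PsActiveProcessHead and ActiveProcessLinks in user-mode memory using a constructed MOCK_EPROCESS whose padding reproduces only the Windows 7 x64 offsets from the dt output above (UniqueProcessId at +0x180, ActiveProcessLinks at +0x188, ImageFileName at +0x2e0, total size 0x4d0). It walks the list with CONTAINING_RECORD (the Flink - 0x188 step done by hand above), then unlinks one entry the way a DKOM rootkit hides a process, and shows that a scan for the _DISPATCHER_HEADER signature (Type 3, Size 0x58, the 00000000`00580003 qword at the top of each dump) still finds it. The PIDs, image names and the mock struct are constructed; nothing here touches a real kernel.

```c
/* Added example, not from the original post: a user-mode simulation of the
 * ActiveProcessLinks list. MOCK_EPROCESS is a constructed stand-in that only
 * reproduces the Windows 7 x64 offsets printed by dt above; nothing here
 * touches a real kernel, and the PIDs and image names below are made up. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Same definition as the kernel's macro: field address -> containing struct. */
#define CONTAINING_RECORD(a, t, f) ((t *)((char *)(a) - offsetof(t, f)))

/* Type/Size mimic the first bytes of Pcb (_KPROCESS._DISPATCHER_HEADER):
 * Type 3 = process object, Size 0x58 = sizeof(_KPROCESS) in 4-byte units. */
typedef struct _MOCK_EPROCESS {
    uint8_t    Type, Reserved, Size; /* +0x000 .. +0x002 */
    uint8_t    Pad0[0x180 - 3];
    uint64_t   UniqueProcessId;      /* +0x180 PID */
    LIST_ENTRY ActiveProcessLinks;   /* +0x188 */
    uint8_t    Pad1[0x2e0 - 0x198];
    char       ImageFileName[15];    /* +0x2e0 */
    uint8_t    Pad2[0x4d0 - 0x2ef];  /* dt shows the structure ending at +0x4d0 */
} MOCK_EPROCESS;
_Static_assert(offsetof(MOCK_EPROCESS, ActiveProcessLinks) == 0x188, "link offset");
_Static_assert(sizeof(MOCK_EPROCESS) == 0x4d0, "EPROCESS size");

/* Build n fake processes in one contiguous "pool" and InsertTailList each one on
 * a head that plays the role of PsActiveProcessHead. */
static void build_pool(MOCK_EPROCESS *pool, size_t n, const uint64_t *pids,
                       const char *const *names, LIST_ENTRY *head)
{
    head->Flink = head->Blink = head;
    memset(pool, 0, n * sizeof *pool);
    for (size_t i = 0; i < n; i++) {
        MOCK_EPROCESS *p = &pool[i];
        p->Type = 3; p->Size = 0x58;
        p->UniqueProcessId = pids[i];
        strncpy(p->ImageFileName, names[i], sizeof p->ImageFileName - 1);
        p->ActiveProcessLinks.Flink = head;
        p->ActiveProcessLinks.Blink = head->Blink;
        head->Blink->Flink = &p->ActiveProcessLinks;
        head->Blink = &p->ActiveProcessLinks;
    }
}

/* What "!process 0 0" or any list-based enumerator does: follow Flink and recover
 * each EPROCESS as Flink - 0x188, the subtraction done by hand in the dq above. */
static size_t walk_active_list(const LIST_ENTRY *head, uint64_t *out, size_t max)
{
    size_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* DKOM process hiding: splice the entry out and point its links at itself so a
 * later RemoveEntryList on exit does not corrupt the neighbours. The EPROCESS,
 * its threads and its handle table are untouched, so the process keeps running. */
static void dkom_unlink(MOCK_EPROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Detection that does not trust the list: scan memory for the process-object
 * dispatcher header (Type 3, Size 0x58), the idea behind Volatility's psscan.
 * Real scanners also validate the pool tag and other fields; omitted in this mock. */
static size_t pool_scan(const uint8_t *mem, size_t len, uint64_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(MOCK_EPROCESS) <= len && n < max; off += 8) {
        const MOCK_EPROCESS *p = (const MOCK_EPROCESS *)(mem + off);
        if (p->Type == 3 && p->Reserved == 0 && p->Size == 0x58)
            out[n++] = p->UniqueProcessId;
    }
    return n;
}

static int has_pid(const uint64_t *a, size_t n, uint64_t v)
{ for (size_t i = 0; i < n; i++) if (a[i] == v) return 1; return 0; }

/* Hide hidden_pid with DKOM, then compare list walk against pool scan. Returns 1
 * when the process vanished from the list but the scan still finds it. */
int demo_hide_and_detect(uint64_t hidden_pid, size_t *list_after, size_t *scan_after)
{
    MOCK_EPROCESS pool[3];
    const uint64_t pids[3] = { 4, 0x1a8, 0x680 };   /* constructed sample PIDs */
    const char *const names[3] = { "System", "csrss.exe", "notepad.exe" };
    LIST_ENTRY head; uint64_t seen[8]; MOCK_EPROCESS *target = NULL;
    build_pool(pool, 3, pids, names, &head);
    for (size_t i = 0; i < 3; i++)
        if (pool[i].UniqueProcessId == hidden_pid) target = &pool[i];
    if (!target) return 0;
    dkom_unlink(target);
    *list_after = walk_active_list(&head, seen, 8);
    int in_list = has_pid(seen, *list_after, hidden_pid);
    *scan_after = pool_scan((const uint8_t *)pool, sizeof pool, seen, 8);
    return !in_list && has_pid(seen, *scan_after, hidden_pid);
}
```

Calling demo_hide_and_detect(0x680, &list_count, &scan_count) leaves list_count at 2 and scan_count at 3: after the unlink the list walk no longer sees the process while the header scan still does. That discrepancy between a list-based view and a memory-scan view (for example Volatility's pslist versus psscan) is what exposes DKOM-hidden processes, and it is why forensic tools never rely on ActiveProcessLinks alone.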

