Creation of Windows Executive Object (EPROCESS) Part-2
User-Mode Process Creation in the Windows Kernel World…
This blog is the continuity of my last blog, where I shared my research about user-mode process creation from the Windows Subsystem till the call transition to the Kernel side of process creation.
In this blog, process creation stands for User mode Windows process creation.
I will document the areas where the Windows process creation method transitions from user mode to Kernel Windows Executives and create the Windows process structure(EPROCESS).
Let’s start…
NtCreateUserProcess method transitions from user to kernel mode of Windows by calling Windows Executive services…
A screenshot of the process creation stack captured with Windows Process Monitor.
NtCreateUserProcess performs the following operations.
- Validates the parameters once again.
- If Windows EXE is specified, it tries to open the file and create the section object but does not map to the process address space.
This is the flow of the simple process creation; therefore, I might skip some steps(protected process, copy process, etc.).
Windows has a valid EXE file with a section object created but not mapped at this stage.
Executive Process Object(EPROCESS)…
At this stage, NTCreateUserProcess calls the PspAllocateProcess method to create the Executive Process object(EPROCESS).
Each Windows process represents in the form of EPROCESS data structure…
EPROCESS object holds information about the Windows process-related properties (process exit status etc.). It also points to the other related data structures like PCB(Process Control Block, aka KPROCESS), PEB(Process Environment Block), ETHREAD(Executive Thread Object), etc.
Memory, most of the EPROCESS data structures exist in the System Address Space except PEB (Process Environment Block) because it needs to be accessible by user mode.
Window Executive also performs memory management with the help of the Memory Manager service, and it keeps some data structures(working set list, etc.) in process-specific System Address Space.
PspAllocateProces method performs many operations while initializing the EPROCESS object. Here are some of them.
- Inherit the Affinity(priority) from the parent process.
- Check if the process should be mapped with large memory pages.
- Increment the Kernel Object reference count with ObfReferenceObjectWithTag method…
- PspSelectNodeForProcess is used to select the appropriate processor node or affinity.
- Set the parent process id to the InheritedFromUniqueProcessId field.
- Query the Performance Options(PerfOptions) key in IEFO
IEFO stands for Image File Execution Options.
- if the process runs under Wow64, then initialize the EWOW64PROCESS structure.
- Duplicate the parent process access primary token if not specified otherwise.
- Inherit Parent Quota Block if not specified, then default quota block created…
- Process minimum and maximum working size set from the PspMinimumWorkingSet and PspMaximumWorkingSet….
Initialize the process address space…
Note: The process and thread IDs (handles) are stored independently in a global handle table (PspCidTable).
Initialize Kernel Structure…
KeInitializeProcess starts initializing the PCB (KPROCESS) structure.
The dt command can use to view the KPROCESS(Kernel) structure.
kd> dt nt!_KPROCESSSpecify the memory address as an argument debugger will display the then content of the KPROCESS of a particular process.
kd> dt nt!_kprocess ffffe783cc769080The default process affinity of all the threads is set as group affinity…
Threads seeds set on the ideal base processor…
Initialize Process Security…
Initialize the process handle table…
The routine initialized the default quantum and priority class of the process.
Finalize the process address space…
Windows Executives Memory Manager involves translating or mapping the process’s virtual address space to the physical address.
MmInitializeProcessAddressSpace method does most of the work in setting the address space.
- Allocate the nonpaged pool memory to the process.
- Initializes the push lock...the memory uses the push lock to synchronize access to the working set.
- Kernel attaches the current thread with the target process address space. (Attach to another process to execute code)
- Memory manager initializes the working set list.
- Memory manager maps the executable image to the process Virtual Address Space.
- Memory manager detaches the current process from another process virtual address space.
Create PEB Structure…
At this stage, the memory manager calls the MmCreatePeb method to create the PEB Structure.
- Maps the NLS(Nonlocalized Support) table to process address space.
- Map the section object to the target process address space…
- Initialize and map the process address space and map to the system pages…
Insert process to the Windows active process list…
NtCreateUserProcess calls the PspInsertProcess method and inserts the newly created process into the Windows active process list, which means the newly created function will be accessible with commands. However, the new approach does not have the initial thread…therefore, it will not be useable.
At this stage, Windows Executive Process is entirely set up…
It is tough to be sure with Windows Internal mechanism understanding because some APIs need to be documented, but they are not.
Thanks to…
I took significant help from Windows Internals 7th Part 1 and Geoff’s Blog to understand the EPROCESS creation and Windows API calling hierarchy. Tim’s guide was convenient for understanding assembly language instructions from a readability perspective.
I draw an image to illustrate my understanding of EPROCESS Object creation.
Curiosity is the wick in the candle of learning — William Arthur Ward
I appreciate any help you can provide on the missing part of this topic.
