April 9, 2015

WD: How the Kernel Creates the Initial Processes (WRK)

1. The kernel entry function is _KiSystemStartup

kd> kn
 # ChildEBP RetAddr  
00 0005ff98 809f0927 nt!KdInitSystem+0x365
01 0005ffc8 00414cda nt!KiSystemStartup+0x27b [g:\wrk-v1.2_vs\wrk-v1.2\base\ntos\ke\i386\newsysbg.asm @ 500]


2. It then calls KiInitializeKernel; the call is made at line 541 of newsysbg.asm:

stdCall    _KiInitializeKernel,<offset _KiInitialProcess,ebx,edx,dword ptr PCR[PcPrcb],eax,_KeLoaderBlock>


3. KiInitializeKernel calls KeInitializeProcess to initialize the Idle process

        // Initialize idle thread process object and then set:
        //
        //      1. all the quantum values to the maximum possible.
        //      2. the process in the balance set.
        //      3. the active processor mask to the specified process.
        //
 
        DirectoryTableBase[0] = 0;
        DirectoryTableBase[1] = 0;
        InitializeListHead(&KiProcessListHead);
        KeInitializeProcess(Process,
                            (KPRIORITY)0,
                            (KAFFINITY)(0xffffffff),
                            &DirectoryTableBase[0],
                            FALSE);
kd> dt Process   // the Idle process object
Local var @ 0x808942f4 Type _KPROCESS*
0x80898d80 

4. KeInitializeThread is then called to initialize the idle thread

    //
    // Initialize idle thread object and then set:
    //
    //      1. the next processor number to the specified processor.
    //      2. the thread priority to the highest possible value.
    //      3. the state of the thread to running.
    //      4. the thread affinity to the specified processor.
    //      5. the specified member in the process active processors set.
    //
 
    KeInitializeThread(Thread,
                       (PVOID)((ULONG64)IdleStack),
                       NULL,
                       NULL,
                       NULL,
                       NULL,
                       NULL,
                       Process);


5. ExpInitializeExecutive internally calls PsInitSystem, and PsInitSystem in turn calls PspInitPhase0, which creates the System process

  ExpInitializeExecutive(Number, LoaderBlock);
  -->  if (PsInitSystem(0, LoaderBlock) == FALSE) // note: the phase passed is 0, so PspInitPhase0 is called
  -->  case 0 : return PspInitPhase0(LoaderBlock);


6. PspInitPhase0 also starts the Phase1Initialization thread (which ultimately becomes the system's zero page thread); from this point on execution is in the Phase1Initialization thread stage, referred to as Phase 1 for short

 if (!NT_SUCCESS (PsCreateSystemThread (&ThreadHandle,
                                           THREAD_ALL_ACCESS,
                                           &ObjectAttributes,
                                           0L,
                                           NULL,
                                           Phase1Initialization,
                                           (PVOID)LoaderBlock))) {


7. In Phase 1, the first function to run is Phase1InitializationDiscard

VOID Phase1Initialization (IN PVOID Context )
{
    Phase1InitializationDiscard (Context);
    MmZeroPageThread();
    return;
}


8. Phase1InitializationDiscard likewise calls PsInitSystem, and PsInitSystem this time calls PspInitPhase1

Phase1InitializationDiscard
-->  if (PsInitSystem(1, LoaderBlock) == FALSE) // note: the phase passed is 1, so PspInitPhase1 is called
-->  case 1 : return PspInitPhase1(LoaderBlock);


9. In PspInitPhase1, PspInitializeSystemDll is called to initialize the system DLL (i.e. ntdll.dll)

PspInitPhase1
-->  st = PspInitializeSystemDll ();
-->  st = PspLookupSystemDllEntryPoint (dll_entrypoint, (PVOID) &PspSystemDll.LoaderInitRoutine);
-->  return LookupEntryPoint (PspSystemDll.DllBase, NameOfEntryPoint, AddressOfEntryPoint);


10. By the time PspInitPhase1 is entered, the Idle process has in fact already been fully initialized; see the windbg output below and compare it with the Process pointer in step 3

kd> x nt!*PsIdle*
808a5e20          nt!PsIdleProcess = 0x80898d80  // the same object the Process created in step 3 points to
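The cross-check in step 10 (the Process pointer seen in KiInitializeKernel versus the value of nt!PsIdleProcess once PspInitPhase1 runs) is easy to do by eye once, but worth automating when you walk the boot sequence repeatedly. The following Python script is an added example, not code from the original post or from WRK: it parses the three kinds of kd output the post relies on (`kn` stack frames, `dt` of a pointer local, and `x` symbol lookup) and confirms that the two addresses agree. The sample text is copied from the post's own listings; the function and class names are this example's own.

```python
"""Parse the kd output shown in this post and cross-check the Idle process
pointer from step 3 against nt!PsIdleProcess from step 10.
Added example; not part of the original post or of WRK."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample kd output, copied from the post's listings (raw strings keep the backslashes).
KN_OUTPUT = r"""kd> kn
 # ChildEBP RetAddr
00 0005ff98 809f0927 nt!KdInitSystem+0x365
01 0005ffc8 00414cda nt!KiSystemStartup+0x27b [g:\wrk-v1.2_vs\wrk-v1.2\base\ntos\ke\i386\newsysbg.asm @ 500]
"""
DT_OUTPUT = """kd> dt Process
Local var @ 0x808942f4 Type _KPROCESS*
0x80898d80
"""
X_OUTPUT = """kd> x nt!*PsIdle*
808a5e20          nt!PsIdleProcess = 0x80898d80
"""


@dataclass
class Frame:
    index: int
    child_ebp: int
    ret_addr: int
    symbol: str          # e.g. "nt!KiSystemStartup"
    offset: int          # the +0x... part, 0 when absent
    source: Optional[str]  # "path @ line" when the symbols carry source info


# One 32-bit "kn" frame: index, ChildEBP, RetAddr, symbol[+0xoff] [source @ line]
_FRAME_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{2})\s+(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<sym>[\w!.$@?]+?)(?:\+0x(?P<off>[0-9a-f]+))?"
    r"(?:\s+\[(?P<src>[^\]]+)\])?\s*$"
)
# "dt <ptr local>" prints the local's own address and type, then the pointer value.
_DT_RE = re.compile(r"Local var @ 0x(?P<addr>[0-9a-f]+) Type (?P<type>\S+)")
_PTR_RE = re.compile(r"^0x(?P<val>[0-9a-f]+)$")
# "x" prints symbol address, name and (for data symbols) the current value.
_X_RE = re.compile(r"^(?P<addr>[0-9a-f]{8})\s+(?P<sym>[\w!$]+)(?:\s*=\s*0x(?P<val>[0-9a-f]+))?$")


def parse_kn(text: str) -> List[Frame]:
    """Return the frames of a 'kn' listing, innermost first; prompt and header are skipped."""
    frames = []
    for line in text.splitlines():
        m = _FRAME_RE.match(line.strip())
        if not m:
            continue
        frames.append(Frame(index=int(m["idx"], 16), child_ebp=int(m["ebp"], 16),
                            ret_addr=int(m["ret"], 16), symbol=m["sym"],
                            offset=int(m["off"], 16) if m["off"] else 0,
                            source=m["src"]))
    return frames


def call_chain(frames: List[Frame]) -> List[str]:
    """Function names from the outermost caller to the innermost callee."""
    return [f.symbol for f in sorted(frames, key=lambda f: f.index, reverse=True)]


def parse_dt_pointer(text: str) -> Tuple[int, str, int]:
    """For 'dt <pointer local>' output return (local's address, type name, pointer value)."""
    addr = typ = val = None
    for line in text.splitlines():
        m = _DT_RE.search(line)
        if m:
            addr, typ = int(m["addr"], 16), m["type"]
            continue
        m = _PTR_RE.match(line.strip())
        if m:
            val = int(m["val"], 16)
    if addr is None or val is None:
        raise ValueError("unrecognised dt output")
    return addr, typ, val


def parse_x(text: str) -> Dict[str, Tuple[int, Optional[int]]]:
    """Map each symbol in an 'x' listing to (symbol address, value or None)."""
    out = {}
    for line in text.splitlines():
        m = _X_RE.match(line.strip())
        if m:
            out[m["sym"]] = (int(m["addr"], 16), int(m["val"], 16) if m["val"] else None)
    return out


def idle_process_matches(dt_text: str, x_text: str) -> bool:
    """True when the Process pointer of step 3 is the object nt!PsIdleProcess names in step 10."""
    _, _, process_ptr = parse_dt_pointer(dt_text)
    _, idle_ptr = parse_x(x_text).get("nt!PsIdleProcess", (None, None))
    return idle_ptr is not None and idle_ptr == process_ptr


if __name__ == "__main__":
    for f in parse_kn(KN_OUTPUT):
        print(f"{f.index:02x} {f.symbol}+0x{f.offset:x}" + (f"  [{f.source}]" if f.source else ""))
    print("boot call chain:", " -> ".join(call_chain(parse_kn(KN_OUTPUT))))
    print("PsIdleProcess == Process from step 3:", idle_process_matches(DT_OUTPUT, X_OUTPUT))
```

The frame regex is written for the 32-bit `kn` layout shown in the post (8-digit ChildEBP and RetAddr); on x64 the columns are 16 digits wide and named Child-SP / RetAddr, so the width in `_FRAME_RE` would need adjusting.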


Author: hgy413
Original URL: http://hgy413.com/2946.html
Copyright © When reposting, the author and original source must be credited with a link!
