April 9, 2015

WD: How the Kernel Creates the Initial Processes (WRK)

1. The kernel's entry function is _KiSystemStartup

kd> kn
 # ChildEBP RetAddr  
00 0005ff98 809f0927 nt!KdInitSystem+0x365
01 0005ffc8 00414cda nt!KiSystemStartup+0x27b [g:\wrk-v1.2_vs\wrk-v1.2\base\ntos\ke\i386\newsysbg.asm @ 500]


2. It then calls KiInitializeKernel; the call is made at line 541 of newsysbg.asm:

stdCall    _KiInitializeKernel,<offset _KiInitialProcess,ebx,edx,dword ptr PCR[PcPrcb],eax,_KeLoaderBlock>


3. KeInitializeProcess is called to initialize the Idle process

        // Initialize idle thread process object and then set:
        //
        //      1. all the quantum values to the maximum possible.
        //      2. the process in the balance set.
        //      3. the active processor mask to the specified process.
        //
 
        DirectoryTableBase[0] = 0;
        DirectoryTableBase[1] = 0;
        InitializeListHead(&KiProcessListHead);
        KeInitializeProcess(Process,
                            (KPRIORITY)0,
                            (KAFFINITY)(0xffffffff),
                            &DirectoryTableBase[0],
                            FALSE);
kd> dt Process   // the Idle process object
Local var @ 0x808942f4 Type _KPROCESS*
0x80898d80 

4. KeInitializeThread is called to initialize the idle thread

    //
    // Initialize idle thread object and then set:
    //
    //      1. the next processor number to the specified processor.
    //      2. the thread priority to the highest possible value.
    //      3. the state of the thread to running.
    //      4. the thread affinity to the specified processor.
    //      5. the specified member in the process active processors set.
    //
 
    KeInitializeThread(Thread,
                       (PVOID)((ULONG64)IdleStack),
                       NULL,
                       NULL,
                       NULL,
                       NULL,
                       NULL,
                       Process);


5. ExpInitializeExecutive calls PsInitSystem, which in turn calls PspInitPhase0 to create the System process

  ExpInitializeExecutive(Number, LoaderBlock);
  -->  if (PsInitSystem(0, LoaderBlock) == FALSE) // note: the phase passed is 0, so PspInitPhase0 is called
  -->  case 0 : return PspInitPhase0(LoaderBlock);


6. PspInitPhase0 also starts the Phase1Initialization thread (which eventually becomes the system's zero-page thread); from this point on execution is in the Phase1Initialization thread, referred to as Phase 1 for short

 if (!NT_SUCCESS (PsCreateSystemThread (&ThreadHandle,
                                           THREAD_ALL_ACCESS,
                                           &ObjectAttributes,
                                           0L,
                                           NULL,
                                           Phase1Initialization,
                                           (PVOID)LoaderBlock))) {


7. In Phase 1, the first function to run is Phase1InitializationDiscard

VOID Phase1Initialization (IN PVOID Context )
{
    Phase1InitializationDiscard (Context);
    MmZeroPageThread();
    return;
}


8. Phase1InitializationDiscard likewise reaches PsInitSystem, which now calls PspInitPhase1

Phase1InitializationDiscard
-->  if (PsInitSystem(1, LoaderBlock) == FALSE) // note: the phase passed is 1, so PspInitPhase1 is called
-->  case 1 : return PspInitPhase1(LoaderBlock);


9. In PspInitPhase1, PspInitializeSystemDll is called to initialize the system DLL (ntdll.dll)

PspInitPhase1
-->  st = PspInitializeSystemDll ();
-->  st = PspLookupSystemDllEntryPoint (dll_entrypoint, (PVOID) &PspSystemDll.LoaderInitRoutine);
-->  return LookupEntryPoint (PspSystemDll.DllBase, NameOfEntryPoint, AddressOfEntryPoint);


10. By the time PspInitPhase1 is entered, the Idle process is in fact already fully initialized; see the WinDbg output below and compare it with the Process pointer from step 3

kd> x nt!*PsIdle*
808a5e20          nt!PsIdleProcess = 0x80898d80  // same address as the Process created in step 3
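As an added check (example code written for this page, not part of the original post or of WRK), the following Python parses the three WinDbg outputs quoted above (the `kn` stack, the `dt Process` local and the `x nt!*PsIdle*` lookup), embedded inline as constructed sample input, and verifies that nt!PsIdleProcess holds the same address as the Process local from step 3.

```python
import re

# Constructed sample input: the WinDbg output quoted on this page (steps 1, 3, 10).
KN_OUTPUT = r"""
kd> kn
 # ChildEBP RetAddr
00 0005ff98 809f0927 nt!KdInitSystem+0x365
01 0005ffc8 00414cda nt!KiSystemStartup+0x27b [g:\wrk-v1.2_vs\wrk-v1.2\base\ntos\ke\i386\newsysbg.asm @ 500]
"""
DT_OUTPUT = "kd> dt Process\nLocal var @ 0x808942f4 Type _KPROCESS*\n0x80898d80\n"
X_OUTPUT = "kd> x nt!*PsIdle*\n808a5e20          nt!PsIdleProcess = 0x80898d80\n"

# One `kn` frame: number, ChildEBP, RetAddr, symbol[+offset] [source @ line]
FRAME_RE = re.compile(
    r"^(?P<n>[0-9a-f]{2}) (?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) "
    r"(?P<sym>\S+?)(?:\+0x(?P<off>[0-9a-f]+))?(?: \[(?P<file>.+?) @ (?P<line>\d+)\])?$")

def parse_kn(text):
    """Return the frames of a `kn` stack dump, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "frame": int(m["n"], 16),
                "symbol": m["sym"],
                "offset": int(m["off"], 16) if m["off"] else 0,
                "retaddr": int(m["ret"], 16),
                "source": (m["file"], int(m["line"])) if m["file"] else None,
            })
    return frames

def parse_dt_pointer(text):
    """Return (type name, value) for a `dt <local>` whose type is a pointer."""
    m = re.search(r"Type (\w+)\*\s+0x([0-9a-f]+)", text)
    return (m.group(1), int(m.group(2), 16)) if m else None

def parse_x(text):
    """Map symbol name -> value for `x` lines of the form `addr nt!Sym = 0x...`."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"nt!(\w+) = 0x([0-9a-f]+)", text)}

def idle_process_matches(dt_text, x_text):
    """True when nt!PsIdleProcess holds the address of the KPROCESS from step 3."""
    typ, local_ptr = parse_dt_pointer(dt_text)
    return typ == "_KPROCESS" and parse_x(x_text).get("PsIdleProcess") == local_ptr
```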


Author: hgy413
Article URL: http://hgy413.com/2946.html
All rights reserved © When reposting, the author and the original source must be credited with a link!
