2015四月9
WD-内核建立初始进程流程(WRK)
1.内核的入口函数是_KiSystemStartup
kd> kn # ChildEBP RetAddr 00 0005ff98 809f0927 nt!KdInitSystem+0x365 01 0005ffc8 00414cda nt!KiSystemStartup+0x27b [g:\wrk-v1.2_vs\wrk-v1.2\base\ntos\ke\i386\newsysbg.asm @ 500]
2.之后调用KiInitializeKernel,newsysbg.asm的541处开始调用:
stdCall _KiInitializeKernel,<offset _KiInitialProcess,ebx,edx,dword ptr PCR[PcPrcb],eax,_KeLoaderBlock>
3.调用KeInitializeProcess初始化IDLE进程
View Code CPP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | // Initialize idle thread process object and then set: // // 1. all the quantum values to the maximum possible. // 2. the process in the balance set. // 3. the active processor mask to the specified process. // DirectoryTableBase[0] = 0; DirectoryTableBase[1] = 0; InitializeListHead(&KiProcessListHead); KeInitializeProcess(Process, (KPRIORITY)0, (KAFFINITY)(0xffffffff), &DirectoryTableBase[0], FALSE); |
kd> dt Process //IDLE的进程对象 Local var @ 0x808942f4 Type _KPROCESS* 0x80898d80
4.调用初始化空闲线程
View Code CPP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | // // Initialize idle thread object and then set: // // 1. the next processor number to the specified processor. // 2. the thread priority to the highest possible value. // 3. the state of the thread to running. // 4. the thread affinity to the specified processor. // 5. the specified member in the process active processors set. // KeInitializeThread(Thread, (PVOID)((ULONG64)IdleStack), NULL, NULL, NULL, NULL, NULL, Process); |
5.ExpInitializeExecutive内部调用PsInitSystem,PsInitSystem再调用PspInitPhase0创建System进程
ExpInitializeExecutive(Number, LoaderBlock); --》 if (PsInitSystem(0, LoaderBlock) == FALSE) // 注意,它传的是0,所以调用PspInitPhase0 --》 case 0 : return PspInitPhase0(LoaderBlock);
6.PspInitPhase0还会启用Phase1Initialization线程(最终变为系统的零页面线程),此后就进入了Phase1Initialization线程阶段,简称Phase1阶段
if (!NT_SUCCESS (PsCreateSystemThread (&ThreadHandle,
THREAD_ALL_ACCESS,
&ObjectAttributes,
0L,
NULL,
Phase1Initialization,
(PVOID)LoaderBlock))) {
7.Phase1阶段,首先运行的是Phase1InitializationDiscard函数
VOID Phase1Initialization (IN PVOID Context )
{
Phase1InitializationDiscard (Context);
MmZeroPageThread();
return;
}
8.Phase1InitializationDiscard同样会调到PsInitSystem,PsInitSystem再调用PspInitPhase1
Phase1InitializationDiscard --》 if (PsInitSystem(1, LoaderBlock) == FALSE) // 注意,它传的是1,所以调用PspInitPhase1 --》 case 1 :return PspInitPhase1(LoaderBlock);
9.在PspInitPhase1中,调用PspInitializeSystemDll 函数以初始化系统DLL(即ntdll.dll)
PspInitPhase1 --》 st = PspInitializeSystemDll (); --》 st = PspLookupSystemDllEntryPoint (dll_entrypoint,(PVOID) &PspSystemDll.LoaderInitRoutine); --》 return LookupEntryPoint (PspSystemDll.DllBase, NameOfEntryPoint,AddressOfEntryPoint);
10.在进入PspInitPhase1时,IDLE其实已初始化完成了,可参看下面windbg,和3处的Process比较
kd> x nt!*PsIdle* 808a5e20 nt!PsIdleProcess = 0x80898d80 // 和3处生成的Process指向一样
文章作者:hgy413
本文地址:https://hgy413.com/2946.html
版权所有 © 转载时必须以链接形式注明作者和原始出处!
Hi there to all, it’s really a good for me to pay a visit this website, it includes helpful Information.
We are a group of volunteers and opening a new scheme in our community.
Your web site offered us with valuable information to work on. You have done an impressive
job and our whole community will be thankful to you.
This design is incredible! You most certainly know how to keep a reader entertained.
Between your wit and your videos, I was almost moved to start my own blog
(well, almost…HaHa!) Wonderful job. I really loved what you had to say, and
more than that, how you presented it. Too cool!
This is really interesting, You are a very skilled blogger.
I have joined your feed and look forward to seeking more of
your excellent post. Also, I’ve shared your website in my social networks!
Do you have a spam issue on this blog; I also am a blogger, and I was curious about your situation; we have created some nice methods and we are looking to exchange solutions with other folks, be sure to shoot me an e-mail if interested.
I pay a quick visit each day some blogs and blogs to read content,
except this website offers quality based posts.
Howdy! Do you know if they make any plugins to assist with Search Engine Optimization?
I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good
gains. If you know of any please share. Thanks!
If some one desires to be updated with most up-to-date technologies then he must be go to see this web page and be up to
date everyday.
Can I simply just say what a comfort to discover somebody who
genuinely understands what they’re talking about
on the web. You actually know how to bring an issue to light
and make it important. A lot more people should read this
and understand this side of your story. It’s surprising you’re not more
popular because you surely possess the gift.
Hi I am so delighted I found your website, I really found you by accident, while I
was searching on Bing for something else, Anyways I am here now and would just
like to say thanks a lot for a marvelous post and a
all round enjoyable blog (I also love the theme/design), I don’t
have time to go through it all at the minute but I have book-marked it and
also included your RSS feeds, so when I have time I will be back to read more, Please do keep up the fantastic b.
I’m impressed, I have to admit. Seldom do I come across a blog
that’s both equally educative and amusing, and let me tell you, you have hit the nail on the head.
The problem is something which not enough folks are speaking intelligently about.
I’m very happy that I came across this in my search for
something concerning this.
I blog often and I genuinely thank you for your content.
Your article has really peaked my interest. I am going to take a note of your site and
keep checking for new information about once per week.
I opted in for your RSS feed as well.
Hey! Do you know if they make any plugins to assist with SEO?
I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good
results. If you know of any please share. Appreciate it!
Woah! I’m really enjoying the template/theme of this site.
It’s simple, yet effective. A lot of times it’s tough to get that “perfect balance” between user friendliness and appearance.
I must say that you’ve done a great job with this. Also, the blog loads extremely fast for me
on Internet explorer. Excellent Blog!
cheers a great deal this site will be official plus relaxed
Deference to author, some superb entropy.
Incredible quest there. What occurred after? Take care!
Hello, just wanted to mention, I enjoyed this blog post.
It was practical. Keep on posting!
i5wed thanks considerably this amazing site is actually elegant in addition to laid-back
Index Search Villas and lofts for rental, search by region, find
during first minutes a villa rented by city, a variety of
rooms lofts and villas. Be stunned at the wonderful pictures and
data that they have to provide you. The website is
a center for all of you the ads from the field, bachelorette party?
Enjoy someone who leaves Israel? Whatever the explanation you will need
to rent a villa for a potential event or just
friends recreation appropriate for any age. The website is also
the middle of rooms with the hour, which is already
another subject, for lovers who are seeking a lavish room equipped for
discreet entertainment by using a spouse or lover. Regardless of the you want, the 0LOFT website makes a search for you to identify rentals for loft villas and rooms throughout Israel,
North South and Gush Dan.
Welcome to Israel. In this escort directory section, you will find Israel escorts.
Euro Girls Escort is the most trusted escort directory and one of many biggest 21girlz directory.
All content and photos are regularly checked and updated with real
photos. This ensures, that most escort Ads are usually updated and provides you the most effective experience.
This section of the catalogue features luxury companions providing escort services.
Israel escorts works in elite escort agencies, as an independent escorts or in local strip
clubs, dancing clubs, brothels, lap-dance bars and cabarets.
A lot of the high class ladies do travel worldwide. You may also want to use call girl services –
these escort girls can either work incall or outcall.
Such elite escorts might be invited to a hotel room or
you can visit them inside their place.
thanks considerably this amazing site is usually conventional in addition to informal
Excellent post. I used to be checking continuously
I take care of such information much.
this weblog and I am inspired! Extremely useful info specially the closing
section
I was seeking this certain info for a very long time.
Thank you and good luck.
Index Search Villas and lofts for rent, search by region, find during first minutes a villa rented by city,
a number of rooms lofts and villas. Be afraid of
the photographs and knowledge that the site has to offer
you. The site is a center for you all the ads from the field, bachelorette party?
Spend playtime with a buddy who leaves Israel? Whatever the rationale it’s important
to rent a villa for an upcoming event or just a gaggle recreation ideal for any age.
The site is also the center of rooms because of the hour,
which is definitely another subject, for lovers who are looking for
a deluxe room equipped for discreet entertainment which
has a spouse or lover. Whatever you are interested in, the
0LOFT website creates a find you to identify rentals for loft villas
and rooms throughout Israel, North South and Gush Dan.
Hello, just wanted to tell you, I liked this post.
It was helpful. Keep on posting!
Admiring the time and energy you put into your site
and detailed information you present. It’s good to come across a blog every once
in a while that isn’t the same out of date rehashed material.
Great read! I’ve saved your site and I’m including your RSS feeds to
my Google account.
thanks a lot considerably this excellent website will be professional as
well as simple
Index Search Villas and lofts for rental, search by region, find during first minutes a villa rented by city, a range
of rooms lofts and villas. Be in awe of the pictures and data
that they have to provide you. The website is a center for everybody the
ads in the field, bachelorette party? Play with a friend who leaves Israel?
Regardless of the the reason why you need to rent a villa for
a future event or maybe a bunch recreation appropriate
for any age. The site is also center of rooms by way of the hour,
which is already another subject, for lovers who are seeking an expensive room equipped for discreet entertainment
by using a spouse or lover. No matter what you are looking at, the
0LOFT website constitutes a search for you to find rentals for
loft villas and rooms throughout Israel, North South and Gush Dan.
i5wed thanks a lot a good deal this web site is actually professional and also casual
Cincinnati Bengals Live Stream
appreciate it a lot this excellent website is actually elegant plus simple
Kansas City Chiefs Live Stream
Houston Texans Live Stream
Philadelphia Eagles live stream
Dallas Cowboys Live Stream
Buffalo bills live stream
New York Giants live stream
Index Search Villas and lofts to rent, search by
region, find during first minutes a villa to book by city, various
Thanks for finally writing about > blog topic < Liked it!
I am really glad to glance at this web site posts which consists of plenty of useful information, thanks for providing such
statistics.
Saved as a favorite, I like your website!
Excellent beat ! I would like to apprentice while you amend your website, how can i subscribe
for a blog web site? The account aided me a acceptable
deal. I had been tiny bit acquainted of this your broadcast provided bright clear concept
Hi there! Quick question that’s completely off topic.
Do you know how to make your site mobile friendly?
My website looks weird when viewing from my iphone4.
I’m trying to find a theme or plugin that might be able to correct this problem.
If you have any recommendations, please share.
Thank you!
Attractive section of content. I just stumbled upon your weblog and in accession capital to assert that I acquire in fact enjoyed
account your blog posts. Any way I will be subscribing to
your feeds and even I achievement you access consistently quickly.
This information is worth everyone’s attention. When can I find out more?
Heya i am for the first time here. I came across this board
and I in finding It really helpful & it helped me out much.
I’m hoping to provide one thing back and aid others such as you helped me.
When I originally commented I clicked the “Notify me when new comments are added”
checkbox and now each time a comment is added I get several emails with the same
comment. Is there any way you can remove people from that service?
Cheers!