如何将Windows进程的创建与终止操作描述为一个长尾?
- 内容介绍
- 文章标签
- 相关推荐
本文共计786个文字,预计阅读时间需要4分钟。
创建一个进程概述+如图,创建一个进程主要分为两部分:用户态部分和内核态部分。如果我们想了解一个进程是如何被创建的,我们可以使用WinDbg来查看从用户态到内核态都调用了什么。
创建一个进程 总述如图,创建一个进程主要分为两部分,用户态部分和内核部分。
既然我们想看看一个进程是怎么被创建的,那我们就用 WinDbg 来看看从用户态到内核态都调用了什么:
第一步:我们先看看 nt 下有哪些方法跟创建进程相关的
0: kd> x nt!*CreateProcess*
fffff802`55d8a218 nt!PspSetCreateProcessNotifyRoutine (void)
fffff802`55cd9714 nt!ExpWnfCreateProcessContext (void)
fffff802`55dd9a2f nt!PspCreateProcess$filt$0 (void)
fffff802`55be24f4 nt!PspDeleteCreateProcessContext (void)
fffff802`55c40ed0 nt!MmCreateProcessAddressSpace (void)
fffff802`55dbd430 nt!PspCreateProcess (void)
fffff802`5594fb10 nt!ViCreateProcessCallback (void)
fffff802`55fdaaa4 nt!ViCreateProcessCallbackInternal (ViCreateProcessCallbackInternal)
fffff802`55f04550 nt!NtCreateProcessEx (NtCreateProcessEx)
fffff802`55fd1ce0 nt!VerifierPsSetCreateProcessNotifyRoutineEx (VerifierPsSetCreateProcessNotifyRoutineEx)
fffff802`559f4bf0 nt!ZwCreateProcessEx (ZwCreateProcessEx)
fffff802`56349360 nt!pXdvPsSetCreateProcessNotifyRoutineEx = <no type information>
fffff802`55cfd12c nt!PspValidateCreateProcessProtection (PspValidateCreateProcessProtection)
fffff802`55d89ea0 nt!PsSetCreateProcessNotifyRoutineEx (PsSetCreateProcessNotifyRoutineEx)
fffff802`5632e9d4 nt!PspCreateProcessNotifyRoutineCount = <no type information>
fffff802`55d89f00 nt!PsSetCreateProcessNotifyRoutineEx2 (PsSetCreateProcessNotifyRoutineEx2)
fffff802`5632e9d8 nt!PspCreateProcessNotifyRoutineExCount = <no type information>
fffff802`55d8a050 nt!PsSetCreateProcessNotifyRoutine (PsSetCreateProcessNotifyRoutine)
fffff802`55ed2e70 nt!MiCreateProcessDefaultAweInfo (MiCreateProcessDefaultAweInfo)
fffff802`55be0d1c nt!PspBuildCreateProcessContext (PspBuildCreateProcessContext)
fffff802`559f5970 nt!ZwCreateProcess (ZwCreateProcess)
fffff802`562ec260 nt!PspCreateProcessNotifyRoutine = <no type information>
fffff802`55fd1cc0 nt!VerifierPsSetCreateProcessNotifyRoutine (VerifierPsSetCreateProcessNotifyRoutine)
fffff802`56349378 nt!pXdvPsSetCreateProcessNotifyRoutine = <no type information>
fffff802`55f044c0 nt!NtCreateProcess (NtCreateProcess)
第二步:我们选择 nt!MmCreateProcessAddressSpace 打上断点(不要问我为啥选这个,实在不会选,就直接 bm nt!CreateProcess)
0: kd> bu nt!MmCreateProcessAddressSpace
Breakpoint 2 hit
nt!MmCreateProcessAddressSpace:
fffff802`55c40ed0 488bc4 mov rax,rsp
0: kd> k
# Child-SP RetAddr Call Site
00 ffff928c`4e5a7b48 fffff802`55d08608 nt!MmCreateProcessAddressSpace
01 ffff928c`4e5a7b50 fffff802`55cff75a nt!PspAllocateProcess+0x13ec
02 ffff928c`4e5a82c0 fffff802`55a096b5 nt!NtCreateUserProcess+0xa1a
03 ffff928c`4e5a8a90 00007ff8`cfc2e634 nt!KiSystemServiceCopyEnd+0x25
04 00000000`02aac598 00007ff8`cd818e73 ntdll!NtCreateUserProcess+0x14
05 00000000`02aac5a0 00007ff8`cd8171a6 KERNELBASE!CreateProcessInternalW+0xfe3
06 00000000`02aadb70 00007ff8`ced4cbb4 KERNELBASE!CreateProcessW+0x66
07 00000000`02aadbe0 00007ff8`cb56152d KERNEL32!CreateProcessWStub+0x54
08 00000000`02aadc40 00007ff8`cb4f6722 windows_storage!CInvokeCreateProcessVerb::CallCreateProcess+0x2cd
09 00000000`02aadef0 00007ff8`cb55a75c windows_storage!CInvokeCreateProcessVerb::_PrepareAndCallCreateProcess+0x2d6
0a 00000000`02aadf70 00007ff8`cb55a583 windows_storage!CInvokeCreateProcessVerb::_TryCreateProcess+0x3c
0b 00000000`02aadfa0 00007ff8`cb55a46d windows_storage!CInvokeCreateProcessVerb::Launch+0xef
0c 00000000`02aae040 00007ff8`cb599dc4 windows_storage!CInvokeCreateProcessVerb::Execute+0x5d
0d 00000000`02aae080 00007ff8`cb481d87 windows_storage!CBindAndInvokeStaticVerb::InitAndCallExecute+0x214
0e 00000000`02aae100 00007ff8`cb4f5787 windows_storage!CBindAndInvokeStaticVerb::TryCreateProcessDdeHandler+0x63
0f 00000000`02aae180 00007ff8`cb54586d windows_storage!CBindAndInvokeStaticVerb::Execute+0x1e7
10 00000000`02aae4a0 00007ff8`cb545785 windows_storage!RegDataDrivenCommand::_TryInvokeAssociation+0xad
11 00000000`02aae500 00007ff8`ce152b22 windows_storage!RegDataDrivenCommand::_Invoke+0x141
12 00000000`02aae570 00007ff8`ce1529da SHELL32!CRegistryVerbsContextMenu::_Execute+0xce
13 00000000`02aae5e0 00007ff8`ce15630c SHELL32!CRegistryVerbsContextMenu::InvokeCommand+0xaa
14 00000000`02aae8e0 00007ff8`ce15618d SHELL32!HDXA_LetHandlerProcessCommandEx+0x10c
15 00000000`02aae9f0 00007ff8`cb93be08 SHELL32!CDefFolderMenu::InvokeCommand+0x13d
16 00000000`02aaed50 00007ff8`cb93c7b6 windows_storage!CShellLink::_InvokeDirect+0x1d0
17 00000000`02aaf070 00007ff8`cb93945a windows_storage!CShellLink::_ResolveAndInvoke+0x202
18 00000000`02aaf230 00007ff8`ce15630c windows_storage!CShellLink::InvokeCommand+0x1aa
19 00000000`02aaf310 00007ff8`ce15618d SHELL32!HDXA_LetHandlerProcessCommandEx+0x10c
1a 00000000`02aaf420 00007ff8`ce3709d5 SHELL32!CDefFolderMenu::InvokeCommand+0x13d
1b 00000000`02aaf780 00007ff8`ce6244f9 SHELL32!SHInvokeCommandOnContextMenu2+0x1f5
1c 00000000`02aaf9c0 00007ff8`ceeec3f9 SHELL32!s_DoInvokeVerb+0xc9
1d 00000000`02aafa30 00007ff8`ced47034 shcore!_WrapperThreadProc+0xe9
1e 00000000`02aafb10 00007ff8`cfbe2651 KERNEL32!BaseThreadInitThunk+0x14
1f 00000000`02aafb40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
如上 Windbg 输出的结果所示,正是描述了从用户态的 CreateProcess → 内核态的 NtCreateUserProcess. 其他链路,比如 CreateProcessAsTokenW 我们也可以验证下,这里就不做赘述。
用户态部分,包含一些我们常用到的方法:CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessAsTokenW.
而内核部分,则都是通过 NT 下的 NtCreateUserProcess 来进行创建。
本文共计786个文字,预计阅读时间需要4分钟。
创建一个进程概述+如图,创建一个进程主要分为两部分:用户态部分和内核态部分。如果我们想了解一个进程是如何被创建的,我们可以使用WinDbg来查看从用户态到内核态都调用了什么。
创建一个进程 总述如图,创建一个进程主要分为两部分,用户态部分和内核部分。
既然我们想看看一个进程是怎么被创建的,那我们就用 WinDbg 来看看从用户态到内核态都调用了什么:
第一步:我们先看看 nt 下有哪些方法跟创建进程相关的
0: kd> x nt!*CreateProcess*
fffff802`55d8a218 nt!PspSetCreateProcessNotifyRoutine (void)
fffff802`55cd9714 nt!ExpWnfCreateProcessContext (void)
fffff802`55dd9a2f nt!PspCreateProcess$filt$0 (void)
fffff802`55be24f4 nt!PspDeleteCreateProcessContext (void)
fffff802`55c40ed0 nt!MmCreateProcessAddressSpace (void)
fffff802`55dbd430 nt!PspCreateProcess (void)
fffff802`5594fb10 nt!ViCreateProcessCallback (void)
fffff802`55fdaaa4 nt!ViCreateProcessCallbackInternal (ViCreateProcessCallbackInternal)
fffff802`55f04550 nt!NtCreateProcessEx (NtCreateProcessEx)
fffff802`55fd1ce0 nt!VerifierPsSetCreateProcessNotifyRoutineEx (VerifierPsSetCreateProcessNotifyRoutineEx)
fffff802`559f4bf0 nt!ZwCreateProcessEx (ZwCreateProcessEx)
fffff802`56349360 nt!pXdvPsSetCreateProcessNotifyRoutineEx = <no type information>
fffff802`55cfd12c nt!PspValidateCreateProcessProtection (PspValidateCreateProcessProtection)
fffff802`55d89ea0 nt!PsSetCreateProcessNotifyRoutineEx (PsSetCreateProcessNotifyRoutineEx)
fffff802`5632e9d4 nt!PspCreateProcessNotifyRoutineCount = <no type information>
fffff802`55d89f00 nt!PsSetCreateProcessNotifyRoutineEx2 (PsSetCreateProcessNotifyRoutineEx2)
fffff802`5632e9d8 nt!PspCreateProcessNotifyRoutineExCount = <no type information>
fffff802`55d8a050 nt!PsSetCreateProcessNotifyRoutine (PsSetCreateProcessNotifyRoutine)
fffff802`55ed2e70 nt!MiCreateProcessDefaultAweInfo (MiCreateProcessDefaultAweInfo)
fffff802`55be0d1c nt!PspBuildCreateProcessContext (PspBuildCreateProcessContext)
fffff802`559f5970 nt!ZwCreateProcess (ZwCreateProcess)
fffff802`562ec260 nt!PspCreateProcessNotifyRoutine = <no type information>
fffff802`55fd1cc0 nt!VerifierPsSetCreateProcessNotifyRoutine (VerifierPsSetCreateProcessNotifyRoutine)
fffff802`56349378 nt!pXdvPsSetCreateProcessNotifyRoutine = <no type information>
fffff802`55f044c0 nt!NtCreateProcess (NtCreateProcess)
第二步:我们选择 nt!MmCreateProcessAddressSpace 打上断点(不要问我为啥选这个,实在不会选,就直接 bm nt!CreateProcess)
0: kd> bu nt!MmCreateProcessAddressSpace
Breakpoint 2 hit
nt!MmCreateProcessAddressSpace:
fffff802`55c40ed0 488bc4 mov rax,rsp
0: kd> k
# Child-SP RetAddr Call Site
00 ffff928c`4e5a7b48 fffff802`55d08608 nt!MmCreateProcessAddressSpace
01 ffff928c`4e5a7b50 fffff802`55cff75a nt!PspAllocateProcess+0x13ec
02 ffff928c`4e5a82c0 fffff802`55a096b5 nt!NtCreateUserProcess+0xa1a
03 ffff928c`4e5a8a90 00007ff8`cfc2e634 nt!KiSystemServiceCopyEnd+0x25
04 00000000`02aac598 00007ff8`cd818e73 ntdll!NtCreateUserProcess+0x14
05 00000000`02aac5a0 00007ff8`cd8171a6 KERNELBASE!CreateProcessInternalW+0xfe3
06 00000000`02aadb70 00007ff8`ced4cbb4 KERNELBASE!CreateProcessW+0x66
07 00000000`02aadbe0 00007ff8`cb56152d KERNEL32!CreateProcessWStub+0x54
08 00000000`02aadc40 00007ff8`cb4f6722 windows_storage!CInvokeCreateProcessVerb::CallCreateProcess+0x2cd
09 00000000`02aadef0 00007ff8`cb55a75c windows_storage!CInvokeCreateProcessVerb::_PrepareAndCallCreateProcess+0x2d6
0a 00000000`02aadf70 00007ff8`cb55a583 windows_storage!CInvokeCreateProcessVerb::_TryCreateProcess+0x3c
0b 00000000`02aadfa0 00007ff8`cb55a46d windows_storage!CInvokeCreateProcessVerb::Launch+0xef
0c 00000000`02aae040 00007ff8`cb599dc4 windows_storage!CInvokeCreateProcessVerb::Execute+0x5d
0d 00000000`02aae080 00007ff8`cb481d87 windows_storage!CBindAndInvokeStaticVerb::InitAndCallExecute+0x214
0e 00000000`02aae100 00007ff8`cb4f5787 windows_storage!CBindAndInvokeStaticVerb::TryCreateProcessDdeHandler+0x63
0f 00000000`02aae180 00007ff8`cb54586d windows_storage!CBindAndInvokeStaticVerb::Execute+0x1e7
10 00000000`02aae4a0 00007ff8`cb545785 windows_storage!RegDataDrivenCommand::_TryInvokeAssociation+0xad
11 00000000`02aae500 00007ff8`ce152b22 windows_storage!RegDataDrivenCommand::_Invoke+0x141
12 00000000`02aae570 00007ff8`ce1529da SHELL32!CRegistryVerbsContextMenu::_Execute+0xce
13 00000000`02aae5e0 00007ff8`ce15630c SHELL32!CRegistryVerbsContextMenu::InvokeCommand+0xaa
14 00000000`02aae8e0 00007ff8`ce15618d SHELL32!HDXA_LetHandlerProcessCommandEx+0x10c
15 00000000`02aae9f0 00007ff8`cb93be08 SHELL32!CDefFolderMenu::InvokeCommand+0x13d
16 00000000`02aaed50 00007ff8`cb93c7b6 windows_storage!CShellLink::_InvokeDirect+0x1d0
17 00000000`02aaf070 00007ff8`cb93945a windows_storage!CShellLink::_ResolveAndInvoke+0x202
18 00000000`02aaf230 00007ff8`ce15630c windows_storage!CShellLink::InvokeCommand+0x1aa
19 00000000`02aaf310 00007ff8`ce15618d SHELL32!HDXA_LetHandlerProcessCommandEx+0x10c
1a 00000000`02aaf420 00007ff8`ce3709d5 SHELL32!CDefFolderMenu::InvokeCommand+0x13d
1b 00000000`02aaf780 00007ff8`ce6244f9 SHELL32!SHInvokeCommandOnContextMenu2+0x1f5
1c 00000000`02aaf9c0 00007ff8`ceeec3f9 SHELL32!s_DoInvokeVerb+0xc9
1d 00000000`02aafa30 00007ff8`ced47034 shcore!_WrapperThreadProc+0xe9
1e 00000000`02aafb10 00007ff8`cfbe2651 KERNEL32!BaseThreadInitThunk+0x14
1f 00000000`02aafb40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
如上 Windbg 输出的结果所示,正是描述了从用户态的 CreateProcess → 内核态的 NtCreateUserProcess. 其他链路,比如 CreateProcessAsTokenW 我们也可以验证下,这里就不做赘述。
用户态部分,包含一些我们常用到的方法:CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessAsTokenW.
而内核部分,则都是通过 NT 下的 NtCreateUserProcess 来进行创建。