# TLDR: My research on processes, threads and jobs in Windows internals

## Process

A process, in the simplest terms, is an executing program (such as `teams.exe` or `agents.msi`). Each process provides the resources needed to execute the program: it has a virtual address space, executable code, a security context, a unique process id, environment variables, a priority class and at least one thread of execution. Each process starts with a single thread, called the primary thread, but any of its threads can create additional threads. All threads of a process share its virtual address space. In addition, each thread maintains its own exception handlers, a scheduling priority, thread local storage, a thread identifier and a set of structures the system uses to save the thread context until it is scheduled again.

A process is usually defined as an instance of a running program that consists of two components:

- A kernel object used to manage the process; this also keeps statistical information about the process
- An address space that contains all the executable and dynamic link library (DLL) code and data

![image](https://hackmd.io/_uploads/r1pjbD7MC.png)

If we take a look at the diagram we can see that when a user creates a process it uses a simple Win32 API function call, `CreateProcess`, which resides in `kernel32.dll` and creates the new process in the same security context, with a copy of the same access token, as the caller.
Here is how the call looks in C++ and C#.

In C++:

```cpp=
#include <windows.h>

int main(void)
{
    TCHAR cmdLine[] = TEXT("notepad.exe"); // CreateProcess may write to this buffer, so it must be writable
    STARTUPINFO startupInfo = { sizeof(startupInfo) };
    PROCESS_INFORMATION processInformation = { 0 };
    BOOL creationResult = CreateProcess(
        NULL,                 // No module name (use command line)
        cmdLine,              // Command line
        NULL,                 // Process handle not inheritable
        NULL,                 // Thread handle not inheritable
        FALSE,                // Set handle inheritance to FALSE
        NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP, // creation flags
        NULL,                 // Use parent's environment block
        NULL,                 // Use parent's starting directory
        &startupInfo,         // Pointer to STARTUPINFO structure
        &processInformation); // Pointer to PROCESS_INFORMATION structure
    if (!creationResult) return 1; // GetLastError() tells why
    // The caller owns both returned handles and must close them to avoid leaks
    CloseHandle(processInformation.hThread);
    CloseHandle(processInformation.hProcess);
    return 0;
}
```

In C#:

```csharp=
using System;
using System.Runtime.InteropServices;
using System.Text;

// SECURITY_ATTRIBUTES, STARTUPINFO and PROCESS_INFORMATION are the matching
// [StructLayout(LayoutKind.Sequential)] structs from winbase.h, declared elsewhere
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern bool CreateProcess(
    string lpApplicationName,
    StringBuilder lpCommandLine,   // CreateProcessW may write into this buffer, so pass a mutable copy
    ref SECURITY_ATTRIBUTES lpProcessAttributes,
    ref SECURITY_ATTRIBUTES lpThreadAttributes,
    bool bInheritHandles,
    uint dwCreationFlags,
    IntPtr lpEnvironment,
    string lpCurrentDirectory,
    [In] ref STARTUPINFO lpStartupInfo,
    out PROCESS_INFORMATION lpProcessInformation);
```

`CreateProcess` is used, and abused, by malware that relies on techniques such as creating or modifying system processes and process injection. A process created with this API runs in the security context of the calling process. Execution continues with a call to the undocumented `CreateProcessInternalA()`, which is responsible for actually creating the user-mode process.
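As an added check of the "same security context" claim (example code written for this note, not part of the original): the program below starts a child through `Process.Start`, which calls `CreateProcess` internally when `UseShellExecute` is false, opens the child's primary token with the real `OpenProcessToken` export from `advapi32.dll` and compares its user SID with the caller's. The child command line is a constructed placeholder.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

class TokenInheritanceCheck
{
    // Real advapi32/kernel32 exports, declared here for P/Invoke
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002;

    // Returns the user SID of the primary token of a process we hold a handle to
    static SecurityIdentifier TokenUserOf(Process p)
    {
        if (!OpenProcessToken(p.Handle, TOKEN_QUERY | TOKEN_DUPLICATE, out IntPtr hToken))
            throw new Win32Exception();
        try
        {
            using (var id = new WindowsIdentity(hToken)) return id.User;
        }
        finally { CloseHandle(hToken); }
    }

    static void Main()
    {
        // Process.Start with UseShellExecute=false goes through CreateProcess, so the child
        // receives a copy of this process's primary token (constructed child command line)
        var psi = new ProcessStartInfo("cmd.exe", "/c timeout /t 30")
            { UseShellExecute = false, CreateNoWindow = true };
        using (var child = Process.Start(psi))
        {
            SecurityIdentifier parentUser = WindowsIdentity.GetCurrent().User;
            SecurityIdentifier childUser = TokenUserOf(child);
            Console.WriteLine($"parent token user: {parentUser}");
            Console.WriteLine($"child  token user: {childUser}");
            Console.WriteLine(parentUser == childUser
                ? "child inherited the caller's security context"
                : "child runs under a different account (CreateProcessWithLogonW/TokenW style)");
            child.Kill();
        }
    }
}
```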
Structure of `CreateProcessInternalA()`:

```cpp=
BOOL WINAPI CreateProcessInternalA(
    HANDLE                hToken,
    LPCSTR                lpApplicationName,
    LPSTR                 lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE               hNewToken
);
```

It then calls `NtCreateUserProcess()`, which resides in `ntdll.dll` and makes the transition from user mode to kernel mode. Its prototype:

```c=
NTSTATUS NTAPI NtCreateUserProcess(
    PHANDLE                      ProcessHandle,
    PHANDLE                      ThreadHandle,
    ACCESS_MASK                  ProcessDesiredAccess,
    ACCESS_MASK                  ThreadDesiredAccess,
    POBJECT_ATTRIBUTES           ProcessObjectAttributes,
    POBJECT_ATTRIBUTES           ThreadObjectAttributes,
    ULONG                        ProcessFlags,
    ULONG                        ThreadFlags,
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
    PPROCESS_CREATE_INFO         CreateInfo,
    PPROCESS_ATTRIBUTE_LIST      AttributeList
);
```

The `ntdll.dll` stub only issues the system call; after the transition to kernel mode, the kernel-side `NtCreateUserProcess` does the actual work of creating the process and its initial thread.

There are also many other process-related APIs in other DLLs. One of them is `Advapi32.dll`, also known as the Advanced Windows 32 Base API, located in the `%SystemRoot%\System32` folder. It is also responsible for the Windows registry, restarting and shutting down the system, starting, stopping and creating Windows services, and managing Windows accounts. Some of the APIs inside advapi32 are `CreateProcessWithLogonW`, which starts a new process running as the user whose username and password are passed in, and `CreateProcessWithTokenW`, which creates a process using a specific user's access token.

## Thread

A thread is the basic unit to which the operating system allocates processor time. In other terms, a thread is an independent execution path inside a process. Another definition: a thread is a single sequential stream of execution within a process. A thread can execute any part of the process code, including parts currently being executed by another thread.
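To make the shared-address-space point concrete, here is an added example (not from the original note) in C#: three native Windows threads update one shared counter while each keeps a private value in the same Windows TLS slot, using the real `TlsAlloc`/`TlsSetValue`/`TlsGetValue`/`TlsFree`/`GetCurrentThreadId` exports from `kernel32.dll` via P/Invoke.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;

class TlsVersusSharedMemory
{
    // Real kernel32 exports for Windows thread local storage and thread ids
    [DllImport("kernel32.dll")] static extern uint TlsAlloc();
    [DllImport("kernel32.dll")] static extern bool TlsFree(uint dwTlsIndex);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool TlsSetValue(uint dwTlsIndex, IntPtr lpTlsValue);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr TlsGetValue(uint dwTlsIndex);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();
    const uint TLS_OUT_OF_INDEXES = 0xFFFFFFFF;

    static int sharedCounter;   // lives in the process address space: one copy, seen by every thread

    static void Worker(uint slot, int iterations)
    {
        uint tid = GetCurrentThreadId();
        TlsSetValue(slot, new IntPtr((long)tid));    // same slot index, but each thread has its own cell
        for (int i = 0; i < iterations; i++)
        {
            Interlocked.Increment(ref sharedCounter); // shared data: must be synchronised
            Thread.Sleep(1);                          // give the scheduler a chance to interleave threads
        }
        long stored = TlsGetValue(slot).ToInt64();
        Console.WriteLine($"thread {tid}: TLS cell = {stored} (untouched by the others), counter = {sharedCounter}");
    }

    static void Main()
    {
        uint slot = TlsAlloc();
        if (slot == TLS_OUT_OF_INDEXES) throw new Win32Exception();
        var threads = new Thread[3];   // each .NET thread here is backed by a native Windows thread
        for (int i = 0; i < threads.Length; i++)
        {
            threads[i] = new Thread(() => Worker(slot, 10));
            threads[i].Start();
        }
        foreach (var t in threads) t.Join();
        Console.WriteLine($"final shared counter: {sharedCounter} (3 threads x 10 increments)");
        TlsFree(slot);
    }
}
```

Every thread reads back its own thread id from the slot even though all three wrote to the same slot index, while the counter ends at 30 because all of them share it.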
A thread is an entity within a process that Windows schedules for execution. A thread has several components:

- The contents of the CPU registers, representing the state of the processor
- Two stacks: one for the thread to use while executing in kernel mode and one to use in user mode
- A private storage area called thread-local storage (TLS), for use by subsystems, run-time libraries and DLLs
- A unique thread id

Looking at the simplest creation function, `CreateThread`: this function creates a thread in the current process and accepts the following arguments:

- An optional security attributes structure
- An optional stack size
- A function pointer (the thread's start routine)
- An optional argument to pass to that function
- Optional flags

Why do we need threads?

- They run in parallel, each with its own CPU state and stack, while sharing the address space and environment of the process
- They share common data, so they do not need to use inter-process communication
- A priority can be assigned to a thread just like to a process
- Each has its own thread control block

What is a TCB (thread control block)? The TCB represents a thread generated in a process and contains information about that thread:

- Thread id: the unique identifier of the thread
- Thread state: the stage the thread is in, which changes as it progresses through the system
- CPU information: everything the OS needs to know about the thread, such as how far it has progressed through the system
- Thread priority: the priority of the thread
- A pointer to the process that created the thread
- A pointer to the threads created by that thread

Threads come in two kinds:

- Kernel level threads
- User level threads

### 1. User level thread

This is a thread created without a system call: it is created when a user program manages its own threads with no involvement of the operating system. You can think of it as a factory where a group of workers can work independently without asking the CEO (the operating system).
### 2. Kernel level thread

This is a kind of thread that is created and managed through the operating system, so the kernel has up-to-date information about the thread.

## Jobs

A job is a concept used to group processes together for management and control purposes. A job typically consists of one or more related processes, and it is often used to apply policies or restrictions to this group of processes. There are some key points to jobs in an operating system:

- Process grouping: a job typically contains a group of related processes that perform a specific task or are related to each other in some way.
- Resource management: jobs allow the management of system resources, such as memory, CPU time or devices, among the processes within the same job.
- Security and permissions: permissions and restrictions can be applied to a job, such as access rights to resources, data or other processes on the system.
- Process control: jobs can be used to control the startup, pause, resume and termination of the processes within them.
- Error handling and logging: jobs provide mechanisms for handling error situations and logging events or notifications related to the processes within the job.

We can understand it as follows: a job on a computer takes input from the user, processes the data and returns the result, and can be divided into several tasks: taking input as one task, processing the data as another and outputting the result as another. These tasks are further executed as smaller processes. The task of taking input, for example, involves a number of processes: first the user enters the information, then that information is converted into binary form.
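On Windows the concrete form of this concept is the job object. The following added example (written for this note, not part of the original) places a child process under a job that caps committed memory per process, limits the number of active processes and terminates everything in the job when the last job handle is closed, using the real `CreateJobObject`, `SetInformationJobObject` and `AssignProcessToJobObject` exports from `kernel32.dll`; the struct layouts are those from `winnt.h` and the child command line is a constructed placeholder.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

class JobObjectSandbox
{
    // Layouts from winnt.h, declared here for P/Invoke
    [StructLayout(LayoutKind.Sequential)]
    struct IO_COUNTERS { public ulong ReadOperationCount, WriteOperationCount, OtherOperationCount, ReadTransferCount, WriteTransferCount, OtherTransferCount; }
    [StructLayout(LayoutKind.Sequential)]
    struct JOBOBJECT_BASIC_LIMIT_INFORMATION {
        public long PerProcessUserTimeLimit, PerJobUserTimeLimit; public uint LimitFlags;
        public UIntPtr MinimumWorkingSetSize, MaximumWorkingSetSize; public uint ActiveProcessLimit;
        public UIntPtr Affinity; public uint PriorityClass, SchedulingClass;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct JOBOBJECT_EXTENDED_LIMIT_INFORMATION {
        public JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation; public IO_COUNTERS IoInfo;
        public UIntPtr ProcessMemoryLimit, JobMemoryLimit, PeakProcessMemoryUsed, PeakJobMemoryUsed;
    }
    const int JobObjectExtendedLimitInformation = 9;   // JOBOBJECTINFOCLASS value
    const uint JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x8, JOB_OBJECT_LIMIT_PROCESS_MEMORY = 0x100,
               JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE = 0x2000;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool SetInformationJobObject(IntPtr hJob, int infoClass, ref JOBOBJECT_EXTENDED_LIMIT_INFORMATION lpInfo, uint cbInfo);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);

    static void Main()
    {
        IntPtr hJob = CreateJobObject(IntPtr.Zero, null);   // anonymous job, no security attributes
        if (hJob == IntPtr.Zero) throw new Win32Exception();
        var limits = new JOBOBJECT_EXTENDED_LIMIT_INFORMATION();
        limits.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS | JOB_OBJECT_LIMIT_PROCESS_MEMORY | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
        limits.BasicLimitInformation.ActiveProcessLimit = 2;            // the child plus at most one descendant
        limits.ProcessMemoryLimit = new UIntPtr(256UL * 1024 * 1024);    // 256 MiB committed memory per process
        if (!SetInformationJobObject(hJob, JobObjectExtendedLimitInformation, ref limits, (uint)Marshal.SizeOf(typeof(JOBOBJECT_EXTENDED_LIMIT_INFORMATION))))
            throw new Win32Exception();
        // Constructed child command; Process.Start uses CreateProcess, so the child already runs briefly before assignment
        var psi = new ProcessStartInfo("cmd.exe", "/c timeout /t 30") { UseShellExecute = false, CreateNoWindow = true };
        using (var child = Process.Start(psi))
        {
            if (!AssignProcessToJobObject(hJob, child.Handle)) throw new Win32Exception();
            Console.WriteLine($"pid {child.Id} is now governed by the job");
            CloseHandle(hJob);          // last job handle closed: KILL_ON_JOB_CLOSE terminates everything in it
            child.WaitForExit();
            Console.WriteLine($"child exited with code {child.ExitCode}");
        }
    }
}
```

Creating the child with `CREATE_SUSPENDED` through `CreateProcess` and resuming it only after `AssignProcessToJobObject` closes the short window in which the child runs outside the job.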