threads, and jobs. The relevant Windows functions are listed so that you can pursue further information about their use. Because processes and threads touch so many components in Windows, a number of terms and data structures (such as working sets, objects, and

348 Windows Internals Fifth Edition

hand, a tool like WinDbg in kernel debugging mode, which uses kernel-mode infrastructure to obtain this information, will be able to display complete information. See the experiment in the thread internals section on how Process Explorer behaves when confronted with a protected process such as Audiodg.exe.

Note: As mentioned in Chapter 1, to perform local kernel debugging you must boot in debugging mode (enabled by using bcdedit /debug on or by using the Msconfig advanced boot options). This protects against debugger-based attacks on protected processes and the Protected Media Path (PMP). When booted in debugging mode, high-definition content playback will not work; for example, attempting to play MPEG2 media such as a DVD will result in an access violation inside the media player (this is by design).

Limiting these access rights reliably allows the kernel to sandbox a protected process from user-mode access. On the other hand, because a protected process is indicated by a flag in the EPROCESS block, an administrator can still load a kernel-mode driver that disables this bit. However, this would be a violation of the PMP model and considered malicious, and such a driver would likely eventually be blocked from loading on a 64-bit system, because the kernel-mode code-signing policy prohibits the digital signing of malicious code. Even on 32-bit systems, the driver has to be recognized by PMP policy or else the playback will be halted. This policy is implemented by Microsoft and not by any kernel detection; blocking such a driver would require manual action from Microsoft to identify the signature as malicious and update the kernel.
Flow of CreateProcess

So far in this chapter you've seen the structures that are part of a process and the API functions with which you and the operating system can manipulate processes. You've also found out how you can use tools to view how processes interact with your system. But how did those processes come into being, and how do