What is a Windows Process?

A windows process is a program or application that is running on a Windows machine. A process can be started by either by a User or by the system itself.

The process consumes resources such as memory, disk space, and processor time to complete a task.

Process Threads

Windows processers are made up of one or more threads that are all running concurrently. A thread is a set of instructions that can be executed independently within a process. Threads within a process can communicate and share data. Threads are scheduled for execution by the operating system and managed in the context of a process.

Process Memory

Windows processes also use memory to store data and instructions. Memory is allocated to a process when it is created and the amount that is allocated can be set by the process itself. The operating system manages memory using both Virtual & Physical memory. Virtual address space are divided into pages which are then allocated to a process.

Memory Types

• Private Memory - Private to the process, dedicated to only the single one. Cannot be shared by other processes.
• Mapped Memory - Shared between two or more processes, but protected from modifying it. Eg - shared libraries, shared memory segments and shared files.
• Image Memory - Contains the code and data of an executable file. Often contains DLL.

Process Environment Block (PEB)

PEB is a data structure in windows that contains information about the process such as it’s parameters, startup information, allocated heap information, etc. It is used by the operating system to store information about processes as they are running. It also stores the PID (Process ID).

Every process created has it’s own PEB data structure, that will contain its own set of information about it.

PEB Structure

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

• BeingDebugged - Flag in the PEB Structure that indicates whether the process is being debugged or not. 1 - TRUE - Debugged. 0 - FALSE - NOT.
• Ldr - Pointer to PEB_LDR_DATA structure in the PEB. Includes list of the DLLs loaded in the process. Base Address and size of the modules.

typedef struct _PEB_LDR_DATA {
  BYTE       Reserved1[8];
  PVOID      Reserved2[3];
  LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

Ldr can be leveraged to find the base address of a particular DLL, as well as which function resides within its memory space.