Hi,
When doing a syscall on Windows from user mode to kernel mode (say, calling openfile),
how does the kernel know what EPROCESS it should update with the handle of the
file that was opened, since what's passed in the syscall doesn't contain any process identifier?
I think what probably happens is that, since the CR3 register will stay the same through the call,
some code in the kernel eventually looks into the PEB of the address space pointed to by CR3,
and then it knows the process ID and thus can identify the EPROCESS and add to the handle list.
Is this how it works?
Regards
Chrstian
How does windows kernel know the process requesting a syscal
Re: How does windows kernel know the process requesting a sy
I believe it's simply the current one for that CPU. When the scheduler picks another process/thread to run on a CPU, it updates the pointers to the current process/thread structures.
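Added example (not part of the original posts and not Windows source code): a simplified C model of the mechanism described in the reply above, where the scheduler maintains a per-CPU "current thread" pointer and the syscall path resolves the owning process from it instead of from any caller-supplied identifier. All struct and function names are hypothetical, and `cpu_id` is passed explicitly only because the model has no real CPUs.

```c
#include <stddef.h>

#define MAX_HANDLES 8
#define NUM_CPUS 2

/* Hypothetical stand-ins for the per-process and per-thread kernel objects. */
struct process {
    int pid;
    const char *handles[MAX_HANDLES]; /* per-process handle table */
    int handle_count;
};

struct thread {
    int tid;
    struct process *owner; /* every thread belongs to exactly one process */
};

/* Per-CPU block: the only state the syscall path consults to find the caller. */
struct cpu {
    struct thread *current_thread;
};

static struct cpu cpus[NUM_CPUS];

/* Scheduler side: switching a thread in updates that CPU's current pointer. */
void context_switch(int cpu_id, struct thread *next)
{
    cpus[cpu_id].current_thread = next;
}

/* Kernel helper: resolve the calling process from the executing CPU. */
struct process *current_process(int cpu_id)
{
    struct thread *t = cpus[cpu_id].current_thread;
    return t ? t->owner : NULL;
}

/* Syscall side: the arguments carry no process identifier.
 * Returns the new handle index, or -1 on failure. */
int sys_open_file(int cpu_id, const char *path)
{
    struct process *p = current_process(cpu_id);
    if (p == NULL || path == NULL || p->handle_count >= MAX_HANDLES)
        return -1;
    p->handles[p->handle_count] = path;
    return p->handle_count++;
}
```

Because the caller's identity comes from state only the kernel writes, user-mode code in this model has no argument through which it could name a different process.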
Re: How does windows kernel know the process requesting a sy
Hi,
>> I believe, it's simply the current one for that CPU.
Oh OK, so the current thread/process executing is still being referenced by the kernel, so for anything that thread does,
i.e. open a file etc., it knows what EPROCESS to update based on the current context.
Thanks