Reverse Engineering Roadmap

Operating System (OS) processes

Written by

admin

in

What is a Process in an Operating System?

A process is an instance of a program in execution. It includes:

  • The executable program code.
  • Current activity (Program Counter, registers).
  • Stack (temporary data like function parameters).
  • Heap (dynamically allocated memory).
  • Data section (global/static variables).
  • OS context (such as process ID, priority, state).

WINDOWS PROCESSES (32-bit and 64-bit)

Key Characteristics

  • Process creation: Via CreateProcess() API.
  • Each process has a unique process ID.
  • Each has its own virtual address space, handle table, security context, and environment block.
  • Thread-based: Windows processes contain one or more threads.

32-bit Windows (x86)

Memory Layout

  • 4 GB virtual address space per process.
    • 2 GB for user mode (default).
    • 2 GB for kernel mode.
    • Can be configured to 3 GB user / 1 GB kernel with /3GB switch in boot.ini.

Process Constraints

  • Limited address space (important for memory-heavy apps).
  • Can only load 32-bit DLLs.
  • Cannot run 64-bit code.

64-bit Windows (x64)

Memory Layout

  • Theoretically supports 16 TB of virtual memory.
    • Usually 8 TB user space / 8 TB kernel space.
  • Can run both 32-bit and 64-bit processes using WoW64 (Windows-on-Windows 64-bit) subsystem.

Advantages

  • Larger address space (important for large databases, CAD tools).
  • ASLR (Address Space Layout Randomization) is more effective.
  • Improved DEP (Data Execution Prevention) support.
  • Can load both 32-bit and 64-bit executables (32-bit through WoW64).

Tools & Commands

  • Task Manager (Ctrl + Shift + Esc)
  • tasklist / taskkill
  • Process Explorer (Sysinternals)
  • wmic process (deprecated in latest Windows)
  • Get-Process (PowerShell)

LINUX PROCESSES (32-bit and 64-bit)

Key Characteristics

  • Created via fork() / exec() system calls.
  • Represented in the kernel as task_struct.
  • Each has its own PID, UID, memory space, and open file descriptors.
  • Process hierarchy is maintained (e.g., parent-child relationships).

32-bit Linux (x86)

Memory Layout

  • Typically 4 GB virtual address space.
    • 3 GB user space / 1 GB kernel space (default).
    • Can vary depending on kernel config.

Constraints

  • Limited to ~3 GB memory per process.
  • Cannot access 64-bit registers (limits performance and addressability).
  • Cannot run 64-bit binaries.

64-bit Linux (x86_64)

Memory Layout

  • Theoretically supports 256 TB virtual address space.
    • Actual user/kernel split may vary.
  • Can run both 32-bit and 64-bit binaries (if multilib is enabled).
  • Uses ELF64 format for binaries.

Features

  • Larger address space.
  • Supports native 64-bit instructions.
  • Can address more RAM (beyond 4 GB).
  • Kernel uses task_struct to manage process information.
  • Can access high-performance features like HugePages, NUMA, and ASLR enhancements.

Tools & Commands

  • ps, top, htop, pidstat
  • kill, nice, renice, killall
  • /proc/<pid>/ – contains full process metadata
  • strace, lsof, gdb – for deeper inspection

MAC OS PROCESSES (32-bit and 64-bit)

Key Characteristics

  • macOS is based on XNU kernel (hybrid of Mach and BSD).
  • Process creation through fork(), exec(), and posix_spawn().
  • Uses Mach tasks and threads under the hood.
  • All applications are 64-bit as of macOS Catalina (10.15).

32-bit macOS (pre-10.15)

Memory Layout

  • Standard 4 GB address space per process.
  • System-wide transition to 64-bit started around OS X Leopard (10.5).
  • Could run both 32-bit and 64-bit apps on Intel Macs (with proper compatibility frameworks).

Constraints

  • Memory limitations (especially for media apps).
  • Deprecated by Apple.
  • Many newer libraries and APIs are 64-bit only.

64-bit macOS (10.7+)

Memory Layout

  • Full support for 64-bit processes and system libraries.
  • As of macOS Catalina, 32-bit apps are no longer supported.
  • Uses Mach-O 64 binary format.
  • System frameworks (AppKit, Cocoa) all require 64-bit compliance.

Features

  • ASLR, SIP (System Integrity Protection), DEP, sandboxing.
  • Robust thread/process control via launchd, Activity Monitor, or ps.
  • Uses dyld for dynamic library loading (like Linux’s ld.so).

Tools & Commands

  • Activity Monitor (GUI)
  • ps, top, htop (CLI)
  • launchctl – for managing services/processes
  • dtruss, fs_usage, vmmap, sample – debugging tools
  • /proc/ is not present; uses sysctl, /usr/bin/stat, and other BSD-style tools.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts