Processes
PEB: Process Environment Block refers to the structure in memory that holds information about a specific user-mode process. See it with the WinDbg command !peb
TCB: Thread Control Block is a field inside ETHREAD called Tcb, and it is of type KTHREAD.
PCB: Process Control Block is a theoretical term referring to all the kernel-level information of a process. In Windows, it maps to the entire EPROCESS structure.
Structure relationship: _EPROCESS contains a _KPROCESS (the Pcb field) and ThreadListHead, the list of the process's _ETHREAD structures; each _ETHREAD contains a _KTHREAD (the Tcb field).

PPL
PPL (Protected Process Light): A kernel security feature that blocks memory reads/injection into sensitive processes like lsass.exe. Even admin-level tools can't access PPL processes without a bypass.
To read a process's protection level in WinDbg (the Protection field of its _EPROCESS):
!process 0 0 [name]
dt nt!_EPROCESS [addr] Protection
To see whether lsass.exe is configured as PPL (the RunAsPPL value):
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
Only specific processes are marked as PPL at launch. To turn it off (0) or on (1) for LSA (takes effect after a reboot):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
🔹PPL Runtime bypass: PPLKiller
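The Protection byte that dt nt!_EPROCESS [addr] Protection prints is a packed _PS_PROTECTION value (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7). The decoder below is an added, portable example (not code from the original notes or from Windows) that turns such a byte into the Process Explorer-style label, e.g. 0x41 for lsass.exe running as PPL; the sample levels are constructed, not read from a live system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* _PS_PROTECTION bit layout; explicit masks avoid relying on bitfield order. */
enum { PROT_TYPE_NONE = 0, PROT_TYPE_LIGHT = 1, PROT_TYPE_FULL = 2 };

struct ps_protection { uint8_t type, audit, signer; };

struct ps_protection decode_protection(uint8_t level) {
    struct ps_protection p;
    p.type   = level & 0x7;         /* PsProtectedType: None / ProtectedLight / Protected */
    p.audit  = (level >> 3) & 0x1;  /* audit-only flag */
    p.signer = (level >> 4) & 0xF;  /* PsProtectedSigner */
    return p;
}

/* PsProtectedSigner enum names in numeric order. */
static const char *signer_name(uint8_t s) {
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return s < sizeof names / sizeof names[0] ? names[s] : "Unknown";
}

/* True when the process has any protection level, i.e. user-mode tools
 * without a bypass cannot open it for memory read/inject. */
int is_protected(uint8_t level) {
    return decode_protection(level).type != PROT_TYPE_NONE;
}

/* Renders the level as Process Explorer shows it, e.g.
 * 0x41 -> "PsProtectedSignerLsa-Light", 0x00 -> "None".
 * Returns a static buffer (not reentrant; fine for a one-shot check). */
const char *format_protection(uint8_t level) {
    static char buf[64];
    struct ps_protection p = decode_protection(level);
    if (p.type == PROT_TYPE_NONE)
        return "None";
    snprintf(buf, sizeof buf, "PsProtectedSigner%s%s", signer_name(p.signer),
             p.type == PROT_TYPE_LIGHT ? "-Light" : "");
    return buf;
}

int main(void) {
    /* Constructed sample levels: unprotected, lsass as PPL, a WinTcb full-protected process. */
    uint8_t samples[] = { 0x00, 0x41, 0x62 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("0x%02x -> %s (protected=%d)\n", samples[i],
               format_protection(samples[i]), is_protected(samples[i]));
    return 0;
}
```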
CreateProcess flow
Stage 1: CreateProcessInternalW in kernel32.dll is called first. It validates arguments like lpApplicationName, lpCommandLine, and dwCreationFlags (e.g., CREATE_SUSPENDED, CREATE_NEW_CONSOLE). It resolves the EXE path (appending .exe if missing) using BasepSearchPath, and prepares internal structs like STARTUPINFO and UNICODE_STRING.
Stage 2: It opens the file with NtOpenFile, reads the PE headers, and checks IMAGE_OPTIONAL_HEADER.Subsystem to decide whether it is a GUI or console app. It also runs AppCompat logic (shims) if needed.
Stage 3: Next, it calls RtlCreateUserProcess in ntdll.dll, which wraps the syscall NtCreateUserProcess. That hands execution into kernel mode.
Stage 4: Inside the kernel, NtCreateUserProcess calls PspAllocateProcess to create the EPROCESS and PspAllocateThread for the initial ETHREAD. It maps the executable image using MmCreateSection and MmMapViewOfSection.
Stage 4 (continued): The system sets up the user-mode address space: base image, stack, TEB, and PEB. The entry point is set to LdrInitializeThunk, which will run the user-mode loader logic later.
Stage 5: If the process is a GUI app, it connects to csrss.exe using CsrClientConnectToServer and initializes the LPC channel. If it is a console app, a console is created or inherited using BasepCreateConsole.
Stage 6: The kernel finishes setting up the thread: KeInitThread initializes the KTHREAD, and PspInsertThread links it into the scheduler. The thread context is set to start at RtlUserThreadStart.
Stage 7: If the process was not created suspended, NtResumeThread is called, and execution starts at the entry point defined in the PE header. The loader runs, main() starts, and the parent process is notified.