Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/momo5502/sogen/llms.txt

Use this file to discover all available pages before exploring further.

The process_context class maintains the complete state of an emulated Windows process, including threads, handles, memory structures, and Windows-specific objects.

Overview

This class serves as the central hub for process-level resources in the Windows emulator. It manages:
  • Process Environment Block (PEB) and process parameters
  • Thread lifecycle and synchronization
  • Handle tables for kernel objects (files, events, sections, etc.)
  • User-mode objects (windows, desktops)
  • Atoms and window classes
  • WOW64 support for 32-bit applications

Constructor

process_context(
    x86_64_emulator& emu,
    memory_manager& memory,
    utils::clock& clock,
    callbacks& cb
)
emu
x86_64_emulator&
Reference to the CPU emulator instance
memory
memory_manager&
Reference to the memory manager for allocations
clock
utils::clock&
System clock for time-related operations
cb
callbacks&
Callback functions for thread lifecycle events

Methods

setup

Initializes the process context with all necessary Windows structures. 
void setup(
    x86_64_emulator& emu,
    memory_manager& memory,
    registry_manager& registry,
    file_system& file_system,
    windows_version_manager& version,
    const application_settings& app_settings,
    const mapped_module& executable,
    const mapped_module& ntdll,
    const apiset::container& apiset_container,
    const mapped_module* ntdll32 = nullptr
)
emu
x86_64_emulator&
CPU emulator instance
memory
memory_manager&
Memory manager for virtual address space
registry
registry_manager&
Windows registry emulation
file_system
file_system&
Virtual file system for path translation
version
windows_version_manager&
Windows version information provider
app_settings
const application_settings&
Application-specific configuration
executable
const mapped_module&
The main executable module
ntdll
const mapped_module&
The ntdll.dll module
apiset_container
const apiset::container&
API set schema container for module redirection
ntdll32
const mapped_module*
default:"nullptr"
Optional 32-bit ntdll for WOW64 processes

create_thread

Creates a new emulated thread in the process. 
handle create_thread(
    memory_manager& memory,
    uint64_t start_address,
    uint64_t argument,
    uint64_t stack_size,
    uint32_t create_flags,
    bool initial_thread = false
)
memory
memory_manager&
Memory manager for thread stack allocation
start_address
uint64_t
Entry point address for the thread
argument
uint64_t
Parameter passed to the thread function
stack_size
uint64_t
Size of the thread stack in bytes
create_flags
uint32_t
Thread creation flags (e.g., CREATE_SUSPENDED)
initial_thread
bool
default:"false"
Whether this is the process’s initial thread
Returns: A handle to the newly created thread.

Atom Management

Atoms are globally unique string identifiers used by Windows for window classes and other purposes.

find_atom

std::optional<uint16_t> find_atom(std::u16string_view name)
Searches for an existing atom by name.
name
std::u16string_view
The atom name to search for
Returns: The atom ID if found, or std::nullopt otherwise.

add_or_find_atom

uint16_t add_or_find_atom(std::u16string name)
Adds a new atom or returns existing one, incrementing reference count.
name
std::u16string
The atom name to add or find
Returns: The atom ID (new or existing).

delete_atom

bool delete_atom(const std::u16string& name)
bool delete_atom(uint16_t atom_id)
Decrements the reference count and removes the atom if it reaches zero.
name
const std::u16string&
The atom name to delete (first overload)
atom_id
uint16_t
The atom ID to delete (second overload)
Returns: true if the atom was deleted, false otherwise.

get_atom_name

const std::u16string* get_atom_name(uint16_t atom_id) const
Retrieves the name associated with an atom ID.
atom_id
uint16_t
The atom ID to look up
Returns: Pointer to the atom name, or nullptr if not found.

KnownDLLs Management

KnownDLLs are preloaded system DLLs cached as section objects.

build_knowndlls_section_table

template <typename T>
void build_knowndlls_section_table(
    registry_manager& registry,
    const file_system& file_system,
    const apiset_map& apiset,
    const windows_path& system_root,
    bool is_32bit
)
Builds the KnownDLLs section table from registry configuration.
registry
registry_manager&
Registry manager to read KnownDLLs list
file_system
const file_system&
File system for resolving DLL paths
apiset
const apiset_map&
API set schema for module redirection
system_root
const windows_path&
Windows system directory path
is_32bit
bool
Whether to build 32-bit or 64-bit KnownDLLs table

get_knowndll_section_by_name

std::optional<section> get_knowndll_section_by_name(
    const std::u16string& name,
    bool is_32bit
) const
Retrieves a KnownDLL section object by name.
name
const std::u16string&
DLL name (e.g., “kernel32.dll”)
is_32bit
bool
Whether to search in 32-bit or 64-bit table
Returns: The section object if found.

add_knowndll_section

void add_knowndll_section(
    const std::u16string& name,
    const section& section,
    bool is_32bit
)
Adds a section to the KnownDLLs cache.

has_knowndll_section

bool has_knowndll_section(
    const std::u16string& name,
    bool is_32bit
) const
Checks if a KnownDLL section exists.

get_handle_store

generic_handle_store* get_handle_store(handle handle)
Retrieves the appropriate handle store for a given handle.
handle
handle
The handle to look up
Returns: Pointer to the handle store, or nullptr if not found.

get_live_thread_count

size_t get_live_thread_count() const
Returns: The number of currently active threads.

Serialization

void serialize(utils::buffer_serializer& buffer) const
void deserialize(utils::buffer_deserializer& buffer)
Serialization support for saving/loading process state.

Public Members

WOW64 Support

is_wow64_process
bool
Flag indicating if this is a 32-bit process running under WOW64

Process State

exit_status
std::optional<NTSTATUS>
Process exit status code (set when process terminates)

Memory Structures

peb64
emulator_object<PEB64>
64-bit Process Environment Block
process_params64
emulator_object<RTL_USER_PROCESS_PARAMETERS64>
64-bit process parameters (command line, environment, etc.)
peb32
std::optional<emulator_object<PEB32>>
32-bit PEB for WOW64 processes
process_params32
std::optional<emulator_object<RTL_USER_PROCESS_PARAMETERS32>>
32-bit process parameters for WOW64

Critical Addresses

ntdll_image_base
uint64_t
Base address of ntdll.dll
ldr_initialize_thunk
uint64_t
Address of LdrInitializeThunk (thread entry point)
rtl_user_thread_start
uint64_t
Address of RtlUserThreadStart
ki_user_apc_dispatcher
uint64_t
Address of KiUserApcDispatcher
ki_user_exception_dispatcher
uint64_t
Address of KiUserExceptionDispatcher

Handle Stores

events
handle_store<handle_types::event, event>
Event object handle store
files
handle_store<handle_types::file, file>
File handle store
sections
handle_store<handle_types::section, section>
Section object handle store
devices
handle_store<handle_types::device, io_device_container>
Device handle store
semaphores
handle_store<handle_types::semaphore, semaphore>
Semaphore handle store
threads
handle_store<handle_types::thread, emulator_thread>
Thread handle store
windows
user_handle_store<handle_types::window, window>
Window handle store (user-mode handles)
desktops
handle_store<handle_types::desktop, desktop>
Desktop handle store

Thread Management

active_thread
emulator_thread*
Pointer to the currently executing thread
spawned_thread_count
uint32_t
Total number of threads created

Usage Example

// Create process context
process_context::callbacks callbacks;
callbacks.on_thread_create = [](handle h, emulator_thread& thr) {
    printf("Thread created: %p\n", h.value);
};

process_context context(emu, memory, clock, callbacks);

// Setup the process
context.setup(emu, memory, registry, fs, version, settings,
              executable_module, ntdll_module, apiset);

// Create a thread
auto thread_handle = context.create_thread(
    memory,
    0x140001000,  // entry point
    0,            // argument
    0x40000,      // 256KB stack
    0,            // no special flags
    true          // initial thread
);

// Add an atom
auto atom_id = context.add_or_find_atom(u"MyWindowClass");

// Look up a handle store
if (auto* store = context.get_handle_store(some_handle)) {
    // Work with the handle store
}

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us