NtCreateProcess not executing process?

[FastLife]

Hello tuts4you,

 

According to this source, I created a program which executes the windows regedit.exe ( it can be any file you want ), using NtCreateProcess.

The process is indeed created without any errors, but that process is never executed... Is there anyone who does know why?

Project.rar

Edited September 5, 2014 by FastLife

[simple]

Post source here link fails for me

[FastLife]

pmmed

Edited September 5, 2014 by FastLife

[simple]

for me this code works fine on xp, but not 7 & 8. my guess is pre vista vs post vista kernel behaviors in Zw proc functions.

 

personally, i wouldnt use Rtl, Zw, or any ntddk functions in user mode code.

 

dont know why u use this method (this wont evade security softwares), but CreateProcess(), ShellExec(), system(), etc are easier and more reliable. RtlCreateUserProcess() can be called from user code style like this but same as ZwCreateProc - behaviour isnt guarnteed

[atom0s]

On Win7/8 the issue may be due to using 'THREAD_ALL_ACCESS'. Try using the specific flags you need instead. Or set the debug token for your process before hand.

[FastLife]

@simple, using this method makes my application a lot faster, but unfortunately clearly its unstable and a lot of work

 

@atom0s, a specified any flag available for this parameter, but all the same result as before.

[atom0s]

Then check the returns of each function to find where the code is failing.

[FastLife]

Then check the returns of each function to find where the code is failing.

 

Thats the whole problem, EVERY API returns status success

[Peter Ferrie]

Did you ResumeThread() on the main thread?

[FastLife]

Yes I did.

[Peter Ferrie]

The problem is in your CsrClientCallServer() call (it's returning 0xc0000005).

If you look at the LPC structure on Windows 7, you'll see that the size is 0xb8 instead of 0x24, so your structure is missing a lot of information that is expected to be there.

[Lostin]

Some NT Undocumented functions are not reliable to use as their structure might change. Like Peter mentioned.

[simple]

CsrClientCallServer() is replaced by CsrClientConnectToServer(), I'll leave reversing Vista, 7, 8, 8.1 to you to find out exactly where. There's a long list of reasons CsrClientCall/ConnectServer() can go wrong when used like this.

 

In tuts4you fashion you've hidden your source code - but the original code came from Win 2000/NT Native API Reference by Gary Nebbet in example 6.1? You might want to try this more modern forking example - http://doxygen.scilab.org/5.3/d0/d8f/forkWindows_8c_source.html#l00216 - as all of these functions should work on post vista kernels. I've had success with something very similar on Win7x64

[FastLife]

Peter, thank you for your help! Indeed the buffer passed to CsrClientCallServer was too small for windows 7. That function returns true now, but however, the process of regedit.exe is still not created/opened/showed. Seems there is still something not right....?

[simple]

The good kernel dev forums are private, but you may want to post this to the osr lists for more answers.

[Peter Ferrie]

You probably need to include the capture buffers. There's an API to fill them in for you.

I didn't dig too deeply into the fields that are filled, but there are quite a few of them.

[FastLife]

Thank you guys! But i decided to use just CreateProcess, instead of Zw, its too much work...