FastLife, posted August 30, 2014 (edited September 5, 2014 by FastLife)

Hello tuts4you,

According to this source, I created a program which executes the Windows regedit.exe (it can be any file you want), using NtCreateProcess. The process is indeed created without any errors, but that process is never executed... Is there anyone who does know why?

Attachment: Project.rar
simple, posted August 30, 2014

Post source here, link fails for me.
FastLife (author), posted August 30, 2014 (edited September 5, 2014 by FastLife)

PMed.
simple, posted August 30, 2014

For me this code works fine on XP, but not 7 & 8. My guess is pre-Vista vs post-Vista kernel behaviors in Zw proc functions. Personally, I wouldn't use Rtl, Zw, or any ntddk functions in user mode code. Don't know why you use this method (this won't evade security software), but CreateProcess(), ShellExec(), system(), etc. are easier and more reliable. RtlCreateUserProcess() can be called from user code style like this, but same as ZwCreateProc - behaviour isn't guaranteed.
atom0s, posted August 30, 2014

On Win7/8 the issue may be due to using 'THREAD_ALL_ACCESS'. Try using the specific flags you need instead. Or set the debug token for your process beforehand.
FastLife (author), posted August 30, 2014

@simple, using this method makes my application a lot faster, but unfortunately clearly it's unstable and a lot of work.

@atom0s, I specified every flag available for this parameter, but all with the same result as before.
atom0s, posted August 31, 2014

Then check the returns of each function to find where the code is failing.
FastLife (author), posted August 31, 2014

> Then check the returns of each function to find where the code is failing.

That's the whole problem, EVERY API returns status success.
Peter Ferrie, posted September 5, 2014

Did you ResumeThread() on the main thread?
Peter Ferrie, posted September 26, 2014

The problem is in your CsrClientCallServer() call (it's returning 0xc0000005). If you look at the LPC structure on Windows 7, you'll see that the size is 0xb8 instead of 0x24, so your structure is missing a lot of information that is expected to be there.
Lostin, posted September 27, 2014

Some NT undocumented functions are not reliable to use as their structure might change, like Peter mentioned.
simple, posted September 27, 2014

CsrClientCallServer() is replaced by CsrClientConnectToServer(); I'll leave reversing Vista, 7, 8, 8.1 to you to find out exactly where. There's a long list of reasons CsrClientCall/ConnectServer() can go wrong when used like this. In tuts4you fashion you've hidden your source code - but the original code came from Win 2000/NT Native API Reference by Gary Nebbett, example 6.1? You might want to try this more modern forking example - http://doxygen.scilab.org/5.3/d0/d8f/forkWindows_8c_source.html#l00216 - as all of these functions should work on post-Vista kernels. I've had success with something very similar on Win7 x64.
FastLife (author), posted September 28, 2014

Peter, thank you for your help! Indeed the buffer passed to CsrClientCallServer was too small for Windows 7. That function returns true now, but the process of regedit.exe is still not created/opened/shown. Seems there is still something not right...?
simple, posted October 2, 2014

The good kernel dev forums are private, but you may want to post this to the OSR lists for more answers.
Peter Ferrie, posted October 3, 2014

You probably need to include the capture buffers. There's an API to fill them in for you. I didn't dig too deeply into the fields that are filled, but there are quite a few of them.
FastLife (author), posted October 9, 2014

Thank you guys! But I decided to use just CreateProcess instead of Zw, it's too much work...