Does someone know what the structure returned through the SectionHandle argument of the function NtCreateSection is?
While trying to make a safeexitprocess function I ended up rewriting CreateToolhelp32Snapshot to make it work on Win NT.... During the development I found that it uses NtCreateSection, and it outputs some structure that is a map of the code responsible for loading a DLL, for example. It maps the caller function and provides a good view of the caller that loaded a file.
To create the snapshot of the section this is used:
; LARGE_INTEGER structure
[MaximumSize:
 MaximumSize.LowPart: D$ 0    ; This must be computed 1st. So, if you zero it, the result will be an error
 MaximumSize.HiPart:  D$ 0]

call 'ntdll.NtCreateSection' D@SectionHandle, &STANDARD_RIGHTS_REQUIRED__&SECTION_MAP_READ__&SECTION_MAP_WRITE__&SECTION_QUERY,
                             &NULL, MaximumSize, &PAGE_READWRITE, &SEC_COMMIT, &NULL
Where D@SectionHandle is a pointer to a variable that will hold the structure. (It must be zeroed 1st.)
One of the members of the structure is a pointer to the NextEntryOffset member of the SYSTEM_PROCESS_INFORMATION structure.
But the resultant value seems to be an array of DWORDs that is nothing more than a structure. 3 or 4 DWORDs before the end is the real EntryPoint of the caller.
Below it seems that it is, in fact, returning a structure. NtCreateSection is a variation of (or derived from) MmCreateSection, which contains a structure called "Section":
http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/mm/creasect.c
Does someone know what the members of this structure are??
Ok, I guess I found it.. It seems to be a structure with these values:
typedef struct _SECTION {
    MMADDRESS_NODE Address;
    PSEGMENT Segment;
    LARGE_INTEGER SizeOfSection;
    union {
        ULONG LongFlags;
        MMSECTION_FLAGS Flags;
    } u;
    MM_PROTECTION_MASK InitialPageProtection;
} SECTION, *PSECTION;
Are you writing a driver?
If not.....
http://msdn.microsoft.com/en-us/library/windows/hardware/ff566428%28v=vs.85%29.aspx
As far as I can tell, Section or pSectionHandle is a pointer to a DWORD-sized HANDLE variable.
Hi dave. No, I'm not writing a driver. This is a test I'm making on a replacement for the ExitProcess function. Since the function starts from a DLL (that terminates the caller), my version uses CreateToolhelp32Snapshot to safely terminate the application.
But, since CreateToolhelp32Snapshot doesn't exist in NT4, I'm rebuilding this function (also learning a bit how to work with the NT internal functions. I'm amazed how much information we can get through CreateToolhelp32Snapshot, NtQuerySystemInformation, NtCreateSection etc.)
About NtCreateSection: although the documentation says it is a pointer to a handle, I'm not convinced, since during debugging I can see that the pointer seems to be part of a structure. I'll make further tests to make sure.
Below is something about NtCreateSection that may be worth reading:
http://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre
If I'm not mistaken it is a wrapper for the MmCreateSection function inside ntoskrnl.exe.
OK, I guess I found it :):):):)
This is not a handle at all. This is part of a structure. I compiled the Windows Research Kernel, and once analyzed in IDA... here is the Section "handle" from NtCreateSection:
(http://i59.tinypic.com/119mj9u.jpg)
Tomorrow I'll try to figure out which structure this damn thing is.
The returned "handle" seems to be created from a structure:
        CapturedSize = __PAIR__(v9, v8);
        result = MmCreateSection(
                   &Section,
                   DesiredAccess,
                   ObjectAttributes,
                   (_LARGE_INTEGER *)&CapturedSize,
                   SectionPageProtection,
                   i,
                   v14,
                   v15);
        if ( result >= 0 )                                  /* NT_SUCCESS */
            break;
        if ( result != -1073741740 || RetryCount >= 3 )     /* 0xC0000054 = STATUS_FILE_LOCK_CONFLICT */
            return result;
        ++RetryCount;
        KeDelayExecutionThread(0, 0, &MmHalfSecond);
        v15 = 0;
        v14 = FileHandle;
    }
    v10 = Section;
    v11 = **((_DWORD **)Section + 5);                       /* Section->Segment->ControlArea */
    if ( v11 )
    {
        v12 = *(_FILE_OBJECT **)(v11 + 36);
        if ( v12 )
            CcZeroEndOfLastPage(v12);
    }
    Status = ObInsertObject(v10, 0, DesiredAccess, 0, 0, &Handle);
And inside ObInsertObject we have:
    ReturnStatus = ObpChargeQuotaForObject((_OBJECT_HEADER *)v6, (_OBJECT_TYPE *)ObjectType, (char *)&Handle + 3);   /* <----- ??? */
Anyway... I'll take a look at it tomorrow. (It's 05:30 AM here.) I just want to know which structure is responsible for creating this handle/member so I can port it properly.
OK - I misunderstood the docs :P
http://msdn.microsoft.com/en-us/library/windows/hardware/ff565438%28v=vs.85%29.aspx