Help with NtCreateSection

Started by guga, June 29, 2014, 01:46:19 PM


guga

Does anyone know what structure is returned through the SectionHandle argument of the function NtCreateSection?

While trying to make a safeexitprocess function I ended up rewriting CreateToolhelp32Snapshot to make it work on Win NT. During the development I found that it uses NtCreateSection, and that it outputs some structure that is a map of the code responsible for loading a DLL, for example. It maps the caller function and provides a good view of the caller that loaded a file.

To create the snapshot of the section, this is used:


; LARGE_INTEGER structure
[MaximumSize:
 MaximumSize.LowPart: D$ 0    ; <-- this must be computed first; if you leave it zero, the call returns an error
 MaximumSize.HiPart:  D$ 0]

    call 'ntdll.NtCreateSection' D@SectionHandle, &STANDARD_RIGHTS_REQUIRED__&SECTION_MAP_READ__&SECTION_MAP_WRITE__&SECTION_QUERY,
                                 &NULL, MaximumSize, &PAGE_READWRITE, &SEC_COMMIT, &NULL


Where D@SectionHandle is a pointer to a variable that will hold the structure. (It must be zeroed first.)

One of the members of the structure is a pointer to the NextEntryOffset member of the SYSTEM_PROCESS_INFORMATION structure.

But the resulting value seems to be an array of DWORDs that is nothing more than a structure. 3 or 4 DWORDs before the end is the real entry point of the caller.

Below, it seems that it is, in fact, returning a structure. NtCreateSection is a variation of (or derived from) MmCreateSection, which contains a structure called "Section":
http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/mm/creasect.c

Does anyone know what the members of this structure are?
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

guga

OK, I guess I found it. It seems to be a structure with these values:


typedef struct _SECTION {
    MMADDRESS_NODE Address;
    PSEGMENT Segment;
    LARGE_INTEGER SizeOfSection;
    union {
        ULONG LongFlags;
        MMSECTION_FLAGS Flags;
    } u;
    MM_PROTECTION_MASK InitialPageProtection;
} SECTION, *PSECTION;

dedndave

are you writing a driver?
if not.....

http://msdn.microsoft.com/en-us/library/windows/hardware/ff566428%28v=vs.85%29.aspx

as far as I can tell, Section or pSectionHandle is a pointer to a DWORD-sized HANDLE variable
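Added example (not code from the thread or from MASM32 itself): a minimal 32-bit MASM32 program that calls NtCreateSection from user mode, resolving the native functions from ntdll.dll with GetProcAddress, and then hands the value it receives straight to NtMapViewOfSection and NtClose, as the documentation linked above describes for a 4-byte HANDLE. It assumes the stock masm32rt.inc include set; the pointer typedefs and the SECTION_RW / ViewUnmap / SEC_COMMIT equates are defined here because the stock includes do not declare the ntdll prototypes.

```asm
include \masm32\include\masm32rt.inc
; ntdll prototypes are not in the stock MASM32 includes, so declare them here (assumption: Win32 stdcall ABI)
NtCreateSection_T    typedef PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NtMapViewOfSection_T typedef PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NtClose_T            typedef PROTO STDCALL :DWORD
PNtCreateSection     typedef PTR NtCreateSection_T
PNtMapViewOfSection  typedef PTR NtMapViewOfSection_T
PNtClose             typedef PTR NtClose_T
IFNDEF SEC_COMMIT
SEC_COMMIT  equ 08000000h
ENDIF
ViewUnmap   equ 2
SECTION_RW  equ 0F0007h     ; STANDARD_RIGHTS_REQUIRED or SECTION_QUERY or SECTION_MAP_WRITE or SECTION_MAP_READ

.data
MaximumSize dd 4096, 0      ; LARGE_INTEGER {LowPart, HighPart}; a zero size is rejected, as the thread notes
.data?
hSection    dd ?            ; the kernel writes a plain 4-byte HANDLE here, nothing larger
pView       dd ?            ; base address of the mapped view, filled in by NtMapViewOfSection
ViewSize    dd ?
pfnCreate   PNtCreateSection ?
pfnMap      PNtMapViewOfSection ?
pfnClose    PNtClose ?
.code
start:
    ; ntdll.dll is already mapped in every process, so resolve the natives by name
    mov ebx, rv(GetModuleHandle, "ntdll.dll")
    mov pfnCreate, rv(GetProcAddress, ebx, "NtCreateSection")
    mov pfnMap, rv(GetProcAddress, ebx, "NtMapViewOfSection")
    mov pfnClose, rv(GetProcAddress, ebx, "NtClose")
    mov hSection, 0         ; zero the output variable first, as in the thread
    ; NtCreateSection(&hSection, Access, ObjectAttributes=NULL, &MaximumSize, Protect, SEC_COMMIT, FileHandle=NULL)
    invoke pfnCreate, ADDR hSection, SECTION_RW, NULL, ADDR MaximumSize, PAGE_READWRITE, SEC_COMMIT, NULL
    .if SDWORD PTR eax < 0  ; NT_SUCCESS() means NTSTATUS >= 0
        print "NtCreateSection failed",13,10
        exit 1
    .endif
    ; NtMapViewOfSection(hSection, NtCurrentProcess()=-1, &pView, ZeroBits=0, CommitSize=0, Offset=NULL, &ViewSize, ViewUnmap, AllocType=0, Protect)
    mov pView, 0
    mov ViewSize, 0
    invoke pfnMap, hSection, -1, ADDR pView, 0, 0, NULL, ADDR ViewSize, ViewUnmap, 0, PAGE_READWRITE
    .if SDWORD PTR eax < 0
        print "NtMapViewOfSection failed",13,10
        exit 1
    .endif
    invoke szCopy, chr$("hello through the section view"), pView   ; the view is ordinary RW memory
    print pView,13,10
    invoke pfnClose, hSection   ; the same 4-byte value is all NtClose needs
    exit 0
end start
```

Build it with the usual MASM32 ml /c /coff and link /subsystem:console; on a 64-bit Windows the 32-bit binary still runs under WOW64.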

guga

Hi Dave. No, I'm not writing a driver. This is a test I'm making of a replacement for the ExitProcess function. Since the function starts from a DLL (that terminates the caller), my version uses CreateToolhelp32Snapshot to safely terminate the application.

But, since CreateToolhelp32Snapshot doesn't exist in NT4, I'm rebuilding this function (also learning a bit about how to work with the NT internal functions. I'm amazed how much information we can get through CreateToolhelp32Snapshot, NtQuerySystemInformation, NtCreateSection etc.)

About NtCreateSection: although the documentation says it is a pointer to a handle, I'm not convinced, since during debugging I can see that the pointer seems to be part of a structure. I'll make further tests to make sure.

Below is something about NtCreateSection that may be worth reading:
http://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre

If I'm not mistaken it is a wrapper for the MmCreateSection function inside ntoskrnl.exe.

guga

OK, I guess I found it :):):):) :icon_mrgreen: :icon_mrgreen:

This is not a handle at all. This is part of a structure. I compiled the Windows Research Kernel, and once analyzed in IDA... here is the Section "handle" from NtCreateSection:



Tomorrow I'll try to figure out which structure this damn thing is.


The returned "handle" seems to be created from a structure:

        CapturedSize = __PAIR__(v9, v8);
        result = MmCreateSection(
                   &Section,
                   DesiredAccess,
                   ObjectAttributes,
                   (_LARGE_INTEGER *)&CapturedSize,
                   SectionPageProtection,
                   i,
                   v14,
                   v15);
        if ( result >= 0 )
          break;
        if ( result != -1073741740 || RetryCount >= 3 )
          return result;
        ++RetryCount;
        KeDelayExecutionThread(0, 0, &MmHalfSecond);
        v15 = 0;
        v14 = FileHandle;
      }
      v10 = Section;
      v11 = **((_DWORD **)Section + 5);
      if ( v11 )
      {
        v12 = *(_FILE_OBJECT **)(v11 + 36);
        if ( v12 )
          CcZeroEndOfLastPage(v12);
      }
      Status = ObInsertObject(v10, 0, DesiredAccess, 0, 0, &Handle);



And inside "ObInsertObject" we have:

ReturnStatus = ObpChargeQuotaForObject((_OBJECT_HEADER *)v6, (_OBJECT_TYPE *)ObjectType, (char *)&Handle + 3); <----- ???


Anyway... I'll take a look at it tomorrow. (It's 05:30 AM here :icon_mrgreen:) I just want to know which structure is responsible for creating this handle/member so I can port it properly.