The MASM Forum

General => The Workshop => Topic started by: Yoshi on November 10, 2013, 11:55:33 PM

Title: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: Yoshi on November 10, 2013, 11:55:33 PM
Great afternoon MASM users  :biggrin:

For a certain reason i have to use the winapi ZwCreateProcessEx to create a new process. So i don't want to use CreateFile such winapi's, but only ZwCreateProcessEx.

My question is how to use ZwCreateProcessEx in masm?

I found out that ZwCreateProcessEx needs a sectionHandle to create a file. To obtain this sectionHandle, a new section must be created with ZwCreateSection. To create a new section, a file must be opened first with ZwOpenFile.

So let's say we want to open "C:\Users\A\Desktop\calc.exe". This ANSI string should be converted to UNICODE.

For some reason the ZwOpenFile API failed, and thus I am not able to execute ZwCreateSection, and thus ZwCreateProcess will fail too.
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 02:13:35 AM
Quote from: Yoshi on November 10, 2013, 11:55:33 PM
For a certain reason i have to use the winapi ZwCreateProcessEx to create a new process.
So i don't want to use CreateFile such winapi's, but only ZwCreateProcessEx.

could you elaborate on "certain reason" ?
why won't CreateProcess do the job ?
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: Yoshi on November 11, 2013, 02:36:57 AM
CreateProcess will work, but I need ZwCreateProcess because it is much faster.
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 02:39:08 AM
faster ?   ;)
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 02:44:49 AM
when i google NtCreateProcessEx/ZwCreateProcessEx, all i see are hooks and hacks
you have a better reason ?
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: Yoshi on November 11, 2013, 02:46:30 AM
Yes, it is faster and better to use it directly instead of using CreateProcess. And you're wrong  :eusa_snooty:
no hacks or hooks.

However, do you have any solution in your mind?
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 02:49:18 AM
hSection is optional - try passing NULL
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 02:51:26 AM
still, i have to wonder what process you are launching so many times that the speed is an issue
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: Yoshi on November 11, 2013, 02:53:55 AM
passing hsection to NULL won't work, already tried.

I'm sure that when I can execute ZwOpenFile successfully, all the problems should be fixed.

So the main struggle right now is to return successfully from ZwOpenFile. Right now ZwOpenFile returns INVALID_PARAMETER with the example from the first post.
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: dedndave on November 11, 2013, 03:09:22 AM
i am not too sure about RtlDosPathNameToNtPathName
just create a UNICODE path, prepended with '\\?\'

;tchr macro by qWord
tchr    MACRO   lbl,args:VARARG
    IFDEF __UNICODE__
        UCSTR lbl,args
    ELSE
        lbl db args
    ENDIF
        ENDM

    .DATA

tchr szFileName,'\\?\C:\Users\A\Desktop\calc.exe',0


EDIT: by the way, that assumes you have defined __UNICODE__ prior to the macro   :P
you could just use the UCSTR macro, otherwise
i haven't tried opening a prepended filename with ANSI
Title: Re: How to use ZwCreateProcessEx (and ZwOpenFile)?
Post by: Yoshi on November 11, 2013, 06:08:36 AM
thank you very much dedndave!

however I'm still not able to open a file using ZwOpenFile.


edit; problem solved by huntingspace, thanks dude!

also thanks to you dedndave