How to use ZwCreateProcessEx (and ZwOpenFile)?

Yoshi · November 10, 2013, 11:55:33 PM

Great afternoon MASM users

For a certain reason i have to use the winapi ZwCreateProcessEx to create a new process. So i don't want to use CreateFile such winapi's, but only ZwCreateProcessEx.

My question is how to use ZwCreateProcessEx in masm?

I found out that ZwCreateProcessEx need a sectionHandle to create a file. To obtain this sectionHandle, a new section must be created with ZwCreateSection. To create a new section, a file must be openend first with ZwOpenFile.

So let's say we want to open "C:\Users\A\Desktop\calc.exe". This ANSI string should be converted to UNICODE.

For some reason the ZwOpenFile api failed and thus not able to execute ZwCreateSection and thus ZwCreateProcess will fails too.

dedndave · November 11, 2013, 02:13:35 AM

Quote from: Yoshi on November 10, 2013, 11:55:33 PM
For a certain reason i have to use the winapi ZwCreateProcessEx to create a new process.
So i don't want to use CreateFile such winapi's, but only ZwCreateProcessEx.

could you elaborate on "certain reason" ?
why won't CreateProcess do the job ?

Yoshi · November 11, 2013, 02:36:57 AM

CreateProcess will work, but i need ZwCreateProcess because it is much more faster.

dedndave · November 11, 2013, 02:39:08 AM

faster ? ;)

dedndave · November 11, 2013, 02:44:49 AM

when i google NtCreateProcessEx/ZwCreateProcessEx, all i see are hooks and hacks
you have a better reason ?

Yoshi · November 11, 2013, 02:46:30 AM

Yes it is faster and better to use it direcly instead of using CreateProcess. And your wrong

no hacks or hooks.

However, do you have any solution in your mind?

dedndave · November 11, 2013, 02:49:18 AM

hSection is optional - try passing NULL

dedndave · November 11, 2013, 02:51:26 AM

still, i have to wonder what process you are launching so many times that the speed is an issue

Yoshi · November 11, 2013, 02:53:55 AM

passing hsection to NULL won't work, already tried.

Im sure when i can execute ZwOpenFile succesfully, then all the problems should be fixed.

so the main struggle right now if to return succesfull from ZwOpenFile. Right now ZwOpenFile returns INVALID_PARAMETER with the example from the first post.

dedndave · November 11, 2013, 03:09:22 AM

i am not too sure about RtlDosPathNameToNtPathName
just create a UNICODE path, prepended with '\\?\'

Code Select

;tchr macro by qWord
tchr    MACRO   lbl,args:VARARG
    IFDEF __UNICODE__
        UCSTR lbl,args
    ELSE
        lbl db args
    ENDIF
        ENDM

    .DATA

tchr szFileName,'\\?\C:\Users\A\Desktop\calc.exe',0

EDIT: by the way, that assumes you have defined __UNICODE__ prior to the macro :P
you could just use the UCSTR macro, otherwise
i haven't tried opening a prepended filename with ANSI

Yoshi · November 11, 2013, 06:08:36 AM

thank you very much dedndave!

however im still not able to open a file using ZwOpenFile.

edit; problem solved by huntingspace, thanks dude!

also thanks to you dedndave

The MASM Forum

News:

How to use ZwCreateProcessEx (and ZwOpenFile)?

Yoshi

dedndave

Yoshi

dedndave

dedndave

Yoshi

dedndave

dedndave

Yoshi

dedndave

Yoshi