ZwCreateProcess and IRP_MJ_CREATE

Hi,

Can anyone tell me whether IRP_MJ_CREATE will be issued when the driver executes ZwCreateProcess?

regards,
venu.d

No. IRP_MJ_CREATE is connected to file creation. It has little to do with processes.

-p


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

If no IRP_MJ_CREATE is issued, then how will the executable file be opened?
Could you suggest any other methods to trap the executable that is loaded using ‘ZwCreateProcess’?

I feel that when the executable is about to load, the I/O manager will issue an IRP on the exe file.

Could you give some information on this?

thanks,
venu

> I feel that when the executable is about to load, the I/O manager will issue an IRP on the exe file.

You feel right, but ZwCreateProcess is not interested in files. Win32’s
“CreateProcess” works something like this:

ZwOpenFile -> ZwCreateSection -> ZwCreateProcess -> ZwCreateThread

So, the image is already opened and mapped when ZwCreateProcess is called.

I think that ZwCreateProcess in kernel mode is not documented at all. So, I
would never do this. Instead, use a user-mode helper service which will start
the child process on some event from the driver.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


> If no IRP_MJ_CREATE is issued, then how will the executable file be opened?

CreateFile with FILE_EXECUTE in DesiredAccess
CreateFileMapping aka NtCreateSection with SEC_IMAGE
NtCreateProcess with the handle returned by NtCreateSection

> Could you suggest any other methods to trap the executable that is loaded using ‘ZwCreateProcess’?

The only way to solve this is to hook (yes, I’m a hooking hater, but
nevertheless there are no hooking-less methods to do this) NtCreateSection in
the kernel and look at any calls with SEC_IMAGE on them.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yep, this is correct. I know precisely how to tackle this one, but I’m
going to have (probably) a hard time justifying this for Vista. And soon I
will have to tackle this for Vista. So I’ve a very indifferent feeling about
this altogether.

-pro



> > Could you suggest any other methods to trap the executable that is loaded
> > using ‘ZwCreateProcess’?
>
> The only way to solve this is to hook (yes, I’m a hooking hater, but
> nevertheless there are no hooking-less methods to do this) NtCreateSection in
> the kernel and look at any calls with SEC_IMAGE on them.

Do you mean load image and process create notification routines don’t work in this case?

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> Do you mean load image and process create notification routines don’t work in this case?

They work, but if you need to abort the process creation from this
routine, you will need to do other severely undocumented things. They do not
provide documented ways to abort.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim,

> I think that ZwCreateProcess in kernel mode is not documented at all

It is not only undocumented - it is just not exported by ntoskrnl.exe, because it is not meant to be used by drivers. Although you can try to use it either directly (the address is available from the SSDT)
or like (mov eax, index; lea edx, parameters; int 0x2E), apparently you will have some “issues” to resolve. To make things worse, these “issues” may vary from one OS flavour to another, and change
with every service pack. Therefore, as you already pointed out, using it from the kernel is not such a good idea, at least in a commercial product…

> The only way to solve this is to hook (yes, I’m a hooking hater, but
> nevertheless there are no hooking-less methods to do this) NtCreateSection in
> the kernel and look at any calls with SEC_IMAGE on them.

One day Don suggested that it can probably be done in an FS filter. Therefore, I tried an experiment. Maybe I just did something wrong, but my ‘PreAcquireForSectionSynchronization’ callback just did not seem to get invoked upon executable section creation…

Therefore, hooking ZwCreateSection() in the SSDT seems to be the only option that works…

Anton Bassov

On a side note, this would be a waste when 64-bit porting is required.
I do have a problem reverting all of these that I’m seeing in a couple of
drivers. This is code left from previous developer(s).

Also I was looking at the docs related to PatchGuard, and I could not find
anything in concrete form about what APIs are available to circumvent some of
these nasty hacks. Maybe I missed some of the docs, but I would
appreciate it if someone could give some input about these APIs. I know there is
a discussion board. And I know the registry callback is available.

Before I try to get help, I would like to know what is/are available as of
today (x64 specific), so that I can formulate what needs to be done and
what is available, then proceed with …

-pro


G’day,

In a file system minifilter driver, in the callback for
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, we have access to the
AcquireForSectionSynchronization parameter.

A check like the one below seems to work fine in Windows XP SP2:

    if (AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection &&
        AcquireForSectionSynchronization.PageProtection == PAGE_EXECUTE)

However, it is not as accurate as NtCreateSection hooks, because I have seen
the callback condition be true many times although there is no process
execution. It seems to be properly catching executable image mappings all
the time though.

Although they may be circumstantial, here are some examples:

1 - Windows Explorer sends a window message to some application having a
tray icon; this callback is called as if there is a process creation.

2 - OpenProcess (and/or Read/WriteVirtualMemory) calls between processes
cause the same.

Well, this is the only thing we will be able to use in Vista x64 if we want
kernel-level filtering for executable loading in our commercial products.

Hope this helps,
Egemen TAS
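An added example (not Egemen's or anyone else's code from this thread) that implements the check above as a portable decision function plus the FltMgr pre-operation callback that would call it. The constant values are the real Windows ones; BUILD_AS_MINIFILTER, classify_section_sync and PreAcquireForSectionSync are this example's own names.

```c
/* Added example, not Egemen's code: the minifilter check from the message
 * above, split into a portable decision function (unit-testable on any host)
 * and the kernel callback that uses it, compiled only when BUILD_AS_MINIFILTER
 * is defined with the WDK. Constants are the real Windows values; the function
 * names are this example's own. */
#define SYNC_TYPE_OTHER          0u  /* FS_FILTER_SECTION_SYNC_TYPE: SyncTypeOther */
#define SYNC_TYPE_CREATE_SECTION 1u  /* SyncTypeCreateSection */
/* winnt.h page protections with execute permission: PAGE_EXECUTE,
 * PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY */
#define PAGE_EXEC_MASK (0x10u | 0x20u | 0x40u | 0x80u)

enum section_kind { SECTION_OTHER = 0, SECTION_DATA = 1, SECTION_EXECUTABLE = 2 };

/* Classify one IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION request. The message
 * tests PageProtection == PAGE_EXECUTE exactly; this version accepts any execute
 * protection so an image mapped PAGE_EXECUTE_READ is not missed. As noted above,
 * it fires for every image mapping (DLL loads included), not just process
 * creation, so the caller still has to disambiguate. */
enum section_kind classify_section_sync(unsigned int sync_type, unsigned int page_protection)
{
    if (sync_type != SYNC_TYPE_CREATE_SECTION)
        return SECTION_OTHER;          /* no section is being created */
    if (page_protection & PAGE_EXEC_MASK)
        return SECTION_EXECUTABLE;     /* image (or other executable) mapping */
    return SECTION_DATA;               /* plain data file mapping */
}

#ifdef BUILD_AS_MINIFILTER
#include <fltKernel.h>
/* Pre-operation callback registered for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
 * in the FLT_OPERATION_REGISTRATION table. It only records the mapping; a real
 * product would pass the file name to its policy engine instead. */
FLT_PREOP_CALLBACK_STATUS
PreAcquireForSectionSync(_Inout_ PFLT_CALLBACK_DATA Data,
                         _In_ PCFLT_RELATED_OBJECTS FltObjects,
                         _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    PFLT_PARAMETERS p = &Data->Iopb->Parameters;
    PFLT_FILE_NAME_INFORMATION name = NULL;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (classify_section_sync(p->AcquireForSectionSynchronization.SyncType,
                              p->AcquireForSectionSynchronization.PageProtection)
            == SECTION_EXECUTABLE &&
        NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &name))) {
        DbgPrint("executable section on %wZ\n", &name->Name);
        FltReleaseFileNameInformation(name);
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```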


In the current version of Vista, only registry callbacks and minifilter drivers
are available. So if hooking is a must, the only feasible solution is user-space
hooking. For a commercial product, of course.

Egemen



This is certainly extremely valuable information. Thanks much.

I’ve at least one filter driver (fsfd) that is doing this just to redirect
to an FSD that works in a distributed sense, and when the time comes I will try
this. Eventually I would like to get rid of any service descriptor table
patching, TDI and NDIS patching.

-pro
