Jump-start your project by learning from devs who
write Windows drivers and file systems every day.
Take an OSR seminar!

OSR is Hiring! Click here to find out more.

Upcoming OSR Seminars:
Kernel Debugging & Crash Analysis for Windows Lab, Santa Clara, CA 9-13 September, 2013
Upcoming OSR Seminars:
Windows Internals & Software Drivers Lab, Santa Clara, CA 16-20 September, 2013
Writing WDF Drivers for Windows Lab, Boston/Waltham, MA 7-11 October, 2013
Developing File Systems for Windows, Seattle, WA 5-8 November, 2013

Go Back   OSR Online Lists > ntdev
link About ...ZwCreateProcess
Welcome, Guest
You must login to post to this list
  Message 1 of 4  
30 Oct 02 02:44
ntdev member 9866
xxxxxx@hanseo.ac.kr
Join Date:
Posts To This List: 13
About ...ZwCreateProcess
Could you help me with some questions a) Is this the correct prototype for ZwCreateProcess NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcessHandle, BOOLEAN InheritObjectTable, HANDLE SectionHandle, HANDLE DebugPort, HANDLE ExceptionPort) b) What does the kernel do with the SectionHandle parameters to ZwCreateProcess c) Is it possible to increase the amount of stack space available for a driver thread
  Message 2 of 4  
30 Oct 02 04:07
ntdev member 9911
xxxxxx@nsecure.net
Join Date:
Posts To This List: 3
Re: About ...ZwCreateProcess
a) Yep, the prototype is correct. Here it is again with the IN OUT Params. :-) NTSTATUS ZwCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE InheritFromProcessHandle, IN BOOLEAN InheritHandles, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL); b) The SectionHandle parameter is an optional handle to an image section which grants the SECTION_MAP_EXECUTE access. If set to zero, the process inherits address space from the process referred by InheritFromProcessHandle. In Win 2K the lowest bit when set, says that the process should not be associated with the job of the InheritFromProcessHandle process. c) I guess can be done by creating a usermode stack and attaching it to the thread after creating it using ZwCreateThread. Might have to use the ZwAllocateVirtualMemory and ZwProtectVirtualMemory, but then it allocates the mem in the user mode address range which might not solve your request. Might have to use other functions. I might be wrong in this answer. Let other guru's in this list, please help us. Suresh Ponnusami, Internet Security Consultant, nSecure Software (P) Ltd., Bangalore - 71 ----- Original Message ----- From: "Kim DJ" <xxxxx@hanseo.ac.kr> Subject: [ntdev] About ...ZwCreateProcess > Could you help me with some questions > > a) Is this the correct prototype for ZwCreateProcess > > NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle, > ACCESS_MASK DesiredAccess, > POBJECT_ATTRIBUTES ObjectAttributes, > HANDLE ParentProcessHandle, > BOOLEAN InheritObjectTable, <...excess quoted lines suppressed...>
  Message 3 of 4  
30 Oct 02 12:08
ntdev member 9100
xxxxxx@windows.microsoft.com
Join Date:
Posts To This List: 41
Re: About ...ZwCreateProcess
C) No. You cannot increase or change kernel stacks for a thread. Please don't attempt this, it's full of holes. If you really need more stack space, consider posting work to a worker thread which will get a fresh stack. Ravi -----Original Message----- From: Suresh Ponnusami [mailto:xxxxx@nsecure.net] Sent: Wednesday, October 30, 2002 1:01 AM To: NT Developers Interest List Subject: [ntdev] Re: About ...ZwCreateProcess a) Yep, the prototype is correct. Here it is again with the IN OUT Params. :-) NTSTATUS ZwCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE InheritFromProcessHandle, IN BOOLEAN InheritHandles, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL); b) The SectionHandle parameter is an optional handle to an image section which grants the SECTION_MAP_EXECUTE access. If set to zero, the process inherits address space from the process referred by InheritFromProcessHandle. In Win 2K the lowest bit when set, says that the process should not be associated with the job of the InheritFromProcessHandle process. c) I guess can be done by creating a usermode stack and attaching it to the thread after creating it using ZwCreateThread. Might have to use the ZwAllocateVirtualMemory and ZwProtectVirtualMemory, but then it allocates the mem in the user mode address range which might not solve your request. Might have to use other functions. I might be wrong in this answer. Let other guru's in this list, please help us. Suresh Ponnusami, Internet Security Consultant, nSecure Software (P) Ltd., Bangalore - 71 ----- Original Message ----- From: "Kim DJ" <xxxxx@hanseo.ac.kr> Subject: [ntdev] About ...ZwCreateProcess > Could you help me with some questions > > a) Is this the correct prototype for ZwCreateProcess > > NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle, > ACCESS_MASK DesiredAccess, > POBJECT_ATTRIBUTES ObjectAttributes, > HANDLE ParentProcessHandle, > BOOLEAN InheritObjectTable, <...excess quoted lines suppressed...> --- You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com To unsubscribe send a blank email to %%email.unsub%%
  Message 4 of 4  
30 Oct 02 16:36
James Antognini
xxxxxx@mindspring.nospam.com
Join Date: 09 Oct 2002
Posts To This List: 243
Re: About ...ZwCreateProcess
Expanding the stack is something I've wondered about, eg, copying the stack at procedure entry to a larger area and using a little inline assembler to point ESP to that area, and of course reversing at procedure exit. But the technique might get sticky in exception handling, since the old stack pointer might be squirreled away somewhere that SEH uses. What are the known holes? -- If replying by e-mail, please remove "nospam." from the address. James Antognini
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 01:24.

Contact Us - Osr Online Homepage - Top

Copyright ©2012, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license