Re: CreateProcess parameter interception at NtCreateSection



I don't think that there will be a very elegant / reliable solution to this
problem, BTW, simply due to how process creation works.

The Win32 layer provides the illusion that creating the process, pushing
parameters into it, and creating the first thread are all an atomic
operation, but this is really broken up into multiple distinct steps, and
there is no single kernel call that will receive all of the information you
would need.

The usual flow would be something like this (in the current implementation
and subject to change in future releases):

NtCreateFile(ExePath)
NtCreateSection(File)
NtCreateProcess/NtCreateProcessEx(...)
.... write parameters into the process with NtAllocateVirtualMemory /
NtWriteVirtualMemory, including RTL_USER_PROCESS_PARAMETERS ...
NtCreateThread() // create the first thread
NtResumeThread() // start the first thread running unless we are using
CREATE_SUSPENDED

So, as you can see, there isn't really any one kernel call to intercept that
will just handily give you the information that you are looking for anyway -
and in any case, the process parameters structure isn't even built in the
typical case of kernel32 creating a process for CreateProcess until after
the process is created.

I think perhaps you should rethink what you are trying to accomplish.

<cehupper@xxxxxxxxx> wrote in message
news:1147374861.897193.237700@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Very good point. Thanks.

