#include "ntdll_tools.h"
#include <stdio.h>
/* Kernel time value as it appears in the shared user data page: a 64-bit
 * count split into a low part and two copies of the high part. The kernel
 * writes the two high parts around the low part so a user-mode reader can
 * detect a torn read (High1Time != High2Time means retry). */
typedef struct _KSYSTEM_TIME
{
ULONG LowPart;
LONG High1Time;
LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;
/* Size of KUSER_SHARED_DATA.ProcessorFeatures; must stay 64 to match the
 * kernel layout of the shared page. */
#define PROCESSOR_FEATURE_MAX 64
/* Value of KUSER_SHARED_DATA.AlternativeArchitecture. */
typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
{
StandardDesign,
NEC98x86,
EndAlternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;
/* Local copy of the kernel's KUSER_SHARED_DATA layout, the page the kernel
 * shares read-only with every user-mode process. Field order, types and
 * padding are ABI: do not reorder or "clean up" members, and keep the
 * anonymous unions/bitfields as they are. Only the prefix up to QpcData is
 * declared here; the remaining fields are left commented out at the end,
 * so sizeof(KUSER_SHARED_DATA) is smaller than the real page and anything
 * past QpcData is not addressable through this type. */
typedef struct _KUSER_SHARED_DATA {
ULONG TickCountLowDeprecated;
ULONG TickCountMultiplier;
KSYSTEM_TIME InterruptTime;
KSYSTEM_TIME SystemTime;
KSYSTEM_TIME TimeZoneBias;
USHORT ImageNumberLow;
USHORT ImageNumberHigh;
/* NUL-terminated system root (e.g. the Windows directory); create_process
 * below hands this to RtlCreateProcessParameters as the DLL search path. */
WCHAR NtSystemRoot[260];
ULONG MaxStackTraceDepth;
ULONG CryptoExponent;
ULONG TimeZoneId;
ULONG LargePageMinimum;
ULONG AitSamplingValue;
ULONG AppCompatFlag;
ULONGLONG RNGSeedVersion;
ULONG GlobalValidationRunlevel;
LONG TimeZoneBiasStamp;
ULONG NtBuildNumber;
NT_PRODUCT_TYPE NtProductType;
BOOLEAN ProductTypeIsValid;
BOOLEAN Reserved0[1];
USHORT NativeProcessorArchitecture;
ULONG NtMajorVersion;
ULONG NtMinorVersion;
/* One flag per PF_* processor feature index. */
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
ULONG Reserved1;
ULONG Reserved3;
ULONG TimeSlip;
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
ULONG BootId;
LARGE_INTEGER SystemExpirationDate;
ULONG SuiteMask;
BOOLEAN KdDebuggerEnabled;
/* Byte-wide mitigation policy, also readable as individual 2-bit fields. */
union {
UCHAR MitigationPolicies;
struct {
UCHAR NXSupportPolicy : 2;
UCHAR SEHValidationPolicy : 2;
UCHAR CurDirDevicesSkippedForDlls : 2;
UCHAR Reserved : 2;
};
};
USHORT CyclesPerYield;
ULONG ActiveConsoleId;
ULONG DismountCount;
ULONG ComPlusPackage;
ULONG LastSystemRITEventTickCount;
ULONG NumberOfPhysicalPages;
BOOLEAN SafeBootMode;
union {
UCHAR VirtualizationFlags;
struct {
UCHAR ArchStartedInEl2 : 1;
UCHAR QcSlIsSupported : 1;
};
};
UCHAR Reserved12[2];
/* Debug/feature flags, whole word or individual bits. */
union {
ULONG SharedDataFlags;
struct {
ULONG DbgErrorPortPresent : 1;
ULONG DbgElevationEnabled : 1;
ULONG DbgVirtEnabled : 1;
ULONG DbgInstallerDetectEnabled : 1;
ULONG DbgLkgEnabled : 1;
ULONG DbgDynProcessorEnabled : 1;
ULONG DbgConsoleBrokerEnabled : 1;
ULONG DbgSecureBootEnabled : 1;
ULONG DbgMultiSessionSku : 1;
ULONG DbgMultiUsersInSessionSku : 1;
ULONG DbgStateSeparationEnabled : 1;
ULONG SpareBits : 21;
} DUMMYSTRUCTNAME2;
} DUMMYUNIONNAME2;
ULONG DataFlagsPad[1];
ULONGLONG TestRetInstruction;
LONGLONG QpcFrequency;
ULONG SystemCall;
ULONG Reserved2;
ULONGLONG FullNumberOfPhysicalPages;
ULONGLONG SystemCallPad[1];
/* Tick count, readable as a KSYSTEM_TIME or as one 64-bit quad. */
union {
KSYSTEM_TIME TickCount;
ULONG64 TickCountQuad;
struct {
ULONG ReservedTickCountOverlay[3];
ULONG TickCountPad[1];
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME3;
ULONG Cookie;
ULONG CookiePad[1];
LONGLONG ConsoleSessionForegroundProcessId;
ULONGLONG TimeUpdateLock;
ULONGLONG BaselineSystemTimeQpc;
ULONGLONG BaselineInterruptTimeQpc;
ULONGLONG QpcSystemTimeIncrement;
ULONGLONG QpcInterruptTimeIncrement;
UCHAR QpcSystemTimeIncrementShift;
UCHAR QpcInterruptTimeIncrementShift;
USHORT UnparkedProcessorCount;
ULONG EnclaveFeatureMask[4];
ULONG TelemetryCoverageRound;
USHORT UserModeGlobalLogger[16];
ULONG ImageFileExecutionOptions;
ULONG LangGenerationCount;
ULONGLONG Reserved4;
ULONGLONG InterruptTimeBias;
ULONGLONG QpcBias;
ULONG ActiveProcessorCount;
UCHAR ActiveGroupCount;
UCHAR Reserved9;
union {
USHORT QpcData;
struct {
UCHAR QpcBypassEnabled;
UCHAR QpcReserved;
};
};
/* Tail of the real structure, intentionally not declared (see header
 * comment). Re-enable in order if any of them is ever needed. */
// LARGE_INTEGER TimeZoneBiasEffectiveStart;
// LARGE_INTEGER TimeZoneBiasEffectiveEnd;
// XSTATE_CONFIGURATION XState;
// KSYSTEM_TIME FeatureConfigurationChangeStamp;
// ULONG Spare;
// ULONG64 UserPointerAuthMask;
// XSTATE_CONFIGURATION XStateArm64;
// ULONG Reserved10[210];
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
/* The shared user data page is mapped read-only at this fixed address in
 * every user-mode process, so it can be addressed directly without any
 * lookup. Writes through this pointer fault. create_process reads
 * NtSystemRoot from it. */
PKUSER_SHARED_DATA SharedData = (PKUSER_SHARED_DATA)(0x7FFE0000);
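/* Print a failed ntdll call. The original code printed only the Win32
 * error (from RtlNtStatusToDosError) but labelled it like an NTSTATUS;
 * show both so the message is unambiguous. */
static void report_failure(const char *what, NTSTATUS status)
{
    printf("%s failed: NTSTATUS 0x%08lX (Win32 error %lu)\n", what,
           (unsigned long)status,
           (unsigned long)RtlNtStatusToDosError(status));
}

/* Describe the PE subsystem of the freshly mapped image.
 * Values are IMAGE_SUBSYSTEM_NATIVE (1), IMAGE_SUBSYSTEM_WINDOWS_GUI (2)
 * and IMAGE_SUBSYSTEM_WINDOWS_CUI (3); kept numeric so no extra header
 * is required. */
static void print_subsystem(ULONG subsystem)
{
    switch (subsystem)
    {
    case 1:
        printf("Creating a Native type of process.\n");
        break;
    case 2:
        printf("Creating a GUI type of process.\n");
        break;
    case 3:
        printf("Creating a Console type of process.\n");
        break;
    default:
        printf("Creating an Unknown type of process.\n");
        break;
    }
}

/*
 * Create and start a process from an NT-style image path using only the
 * ntdll Rtl*/Nt* API (no kernel32 CreateProcess).
 *
 * ascii_path: NUL-terminated ANSI path in NT object-manager form, e.g.
 *             "\??\C:\Windows\System32\notepad.exe". NULL or a path that
 *             does not start with "\??\" is rejected.
 *
 * Diagnostics go to stdout; on failure a message is printed and the
 * function returns. Every resource acquired on the way — the converted
 * UNICODE_STRING, the process parameter block, the process and thread
 * handles — is released on every path (goto cleanup), and a child that
 * was created but could not be resumed is terminated rather than left
 * as a suspended orphan.
 */
void create_process(char *ascii_path)
{
    UNICODE_STRING nt_path = { 0 };
    PRTL_USER_PROCESS_PARAMETERS proc_param = NULL;
    RTL_USER_PROCESS_INFORMATION proc_info = { 0 };
    NTSTATUS status;

    if (ascii_path == NULL || strncmp(ascii_path, "\\??\\", 4) != 0)
    {
        printf("Invalid path format. Must start with \\??\\\n");
        return;
    }

    /* ANSI -> UNICODE. AllocateDestinationString = TRUE makes Rtl allocate
     * (and NUL-terminate) nt_path.Buffer, so it is owned here and released
     * with RtlFreeUnicodeString at the end. */
    ANSI_STRING ansi;
    RtlInitAnsiString(&ansi, ascii_path);
    status = RtlAnsiStringToUnicodeString(&nt_path, &ansi, TRUE);
    if (!NT_SUCCESS(status))
    {
        report_failure("RtlAnsiStringToUnicodeString", status);
        return;
    }

    /* Win32 form of the same path: skip the 4-character "\??\" prefix that
     * was validated above. Aliases nt_path's buffer; nothing to free. */
    UNICODE_STRING win32_path;
    RtlInitUnicodeString(&win32_path, nt_path.Buffer + 4);

    /* DLL search path: the system root from the shared user data page. */
    UNICODE_STRING dll_path;
    RtlInitUnicodeString(&dll_path, SharedData->NtSystemRoot);

    /* Empty environment block (double NUL): the child inherits no variables. */
    WCHAR env[2] = { 0, 0 };
    status = RtlCreateProcessParameters(&proc_param, &win32_path, &dll_path,
                                        NULL, env, NULL, &nt_path, 0, 0, 0);
    if (!NT_SUCCESS(status))
    {
        report_failure("RtlCreateProcessParameters", status);
        goto out_free_path;
    }

    wprintf(L"nt_path: %wZ\n", &nt_path);

    /* The 7th argument is InheritHandles, not the working directory: with
     * TRUE the child receives every inheritable handle this process holds.
     * Kept TRUE to preserve existing behavior; FALSE is the tighter choice
     * when the child needs none of them. */
    status = RtlCreateUserProcess(
        &nt_path,
        OBJ_CASE_INSENSITIVE,
        proc_param,
        NULL,   /* ProcessSecurityDescriptor */
        NULL,   /* ThreadSecurityDescriptor */
        NULL,   /* ParentProcess: the current process */
        TRUE,   /* InheritHandles */
        NULL,   /* DebugPort */
        NULL,   /* TokenHandle: caller's token */
        &proc_info
    );
    if (!NT_SUCCESS(status))
    {
        report_failure("RtlCreateUserProcess", status);
        goto out_destroy_params;
    }

    print_subsystem(proc_info.ImageInformation.SubSystemType);

    /* RtlCreateUserProcess leaves the initial thread suspended; start it. */
    status = NtResumeThread(proc_info.ThreadHandle, NULL);
    if (!NT_SUCCESS(status))
    {
        report_failure("NtResumeThread", status);
        /* Created but never started: do not leave a suspended orphan. */
        NtTerminateProcess(proc_info.ProcessHandle, status);
        goto out_close_handles;
    }

    /* HANDLE is pointer-sized; %X would truncate it on 64-bit builds. */
    printf("Process created successfully. Handle: %p\n",
           (void *)proc_info.ProcessHandle);

out_close_handles:
    /* The handles are not returned to the caller, so drop them here; the
     * child keeps running independently. */
    NtClose(proc_info.ThreadHandle);
    NtClose(proc_info.ProcessHandle);
out_destroy_params:
    RtlDestroyProcessParameters(proc_param);
out_free_path:
    RtlFreeUnicodeString(&nt_path);
}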