XR3X

Open own process using ZwOpenFile


16 replies to this topic

#1 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 11 November 2013 - 03:00 PM

Great day HH

 

I've got a problem. I want the process to open its own executable using ZwOpenFile. I almost got it working, but the return status is STATUS_ACCESS_DENIED.

 

Is there anyone who could help me with this?

 

password = project


Edited by BullDog, 11 November 2013 - 11:16 PM.
attachment removed by request from author


#2 LeFF
Advanced Member | Moderator | Reputation: 457 (Very Good) | 426 posts | Contributor

Posted 11 November 2013 - 05:00 PM

The file is locked by the Windows loader when the process is created and stays locked until the process exits; you can open it for reading only...
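The behaviour LeFF describes, shown as an added example that is not code from this thread or from the original poster: a PowerShell function, constructed for this page, that opens the running host's own image file first for read and then for write and reports which attempt succeeds. It uses .NET FileStream rather than ZwOpenFile, so the error type differs from an NTSTATUS, but both paths hit the same sharing rules that the memory manager enforces on a mapped image: read access with read sharing is allowed, write access is refused while any process still has the image mapped.

```powershell
# Added example (not from the thread). Demonstrates that a running
# executable's image can be opened for read but not for write.
function Test-ImageFileAccess {
    param(
        # Path of an executable that is currently running. Defaults to the
        # host of this script (powershell.exe or pwsh.exe).
        [string]$Path = (Get-Process -Id $PID).Path
    )

    $results = [ordered]@{ Path = $Path }

    # Read access with read sharing: the loader maps images in a way that
    # permits other readers, so this is expected to succeed.
    try {
        $fs = [System.IO.File]::Open($Path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::Read)
        $fs.Dispose()
        $results['Read'] = 'opened'
    } catch {
        $results['Read'] = "failed: $($_.Exception.GetType().Name)"
    }

    # Write access: refused for an image that is still mapped by a live
    # process, regardless of the share mode we request. In .NET this
    # surfaces as an IOException (sharing violation).
    try {
        $fs = [System.IO.File]::Open($Path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $results['Write'] = 'opened'
    } catch {
        $results['Write'] = "failed: $($_.Exception.GetType().Name)"
    }

    [pscustomobject]$results
}

# Run against the current host process; pass -Path to test another
# running executable, e.g. the process created in the thread.
Test-ImageFileAccess | Format-List
```

When translating this back to the native call in the thread, the equivalent request is FILE_GENERIC_READ (or just FILE_READ_DATA | SYNCHRONIZE) with FILE_SHARE_READ in the share mask; any write bit in DesiredAccess is what makes the open fail on a mapped image.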



#3 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 11 November 2013 - 05:02 PM

If I am not wrong, and I think that I am not, the path and executable are in DOS 8.3 file format, so at least one string is replaced with ~, so this is probably the key to the error; it won't work this way. :S Based upon LeFF's post just before mine, You must exit Your process before launch, so You'll probably have to add one more routine for opening successfully.



#4 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 11 November 2013 - 05:37 PM

@LeFF

 

Thanks for the info. Actually my goal is to create a new process. Of course I can use CreateProcessA, but this calls ZwCreateProcessEx at some point. To use ZwCreateProcessEx, the current file needs to be opened using ZwOpenFile. So in fact the current file opens itself to create a new process using ZwCreateProcessEx.

 

Any idea how to use ZwCreateProcessEx in asm without using the winapi CreateProcess?

 

@Hess

You're wrong, buddy. As I said above :)



#5 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 11 November 2013 - 06:12 PM

It looks like You misunderstood me; I was also thinking of creating a new process. And what about using ZwCreateProcessEx directly? It will be called by any means. :) Or simply study how to make Your own API? :)



#6 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 11 November 2013 - 07:52 PM

Using ZwCreateProcessEx needs a section handle to work. To obtain such a handle, a section must be created. To create a section, the process must be opened. That's why I need ZwOpenProcess ;)



#7 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 12 November 2013 - 12:35 AM

I can't recall to whom I suggested using several APIs, which will make the work a bit harder, but the output will be useful. :)



#8 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 12 November 2013 - 07:07 AM

Doesn't matter, Hess, the problem looks to be solved ;)



#9 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 12 November 2013 - 11:57 AM

Quote (Tony): Doesn't matter, Hess, the problem looks to be solved ;)

Then great. I see You have asked for Your attachment to be deleted; btw, I've tested it with my method and also got it running, it just gets to more than 3072 bytes. :)



#10 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 12 November 2013 - 10:45 PM

So the new process is successfully created. However, this new process should be the child process of the main process. Right now the created process is not the child of the parent. Anyone who knows a fix for that?



#11 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 13 November 2013 - 02:08 PM

You mean Arma style or different? :)



#12 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 13 November 2013 - 02:38 PM

Yes, Arma style :P

Arma is creating a child process. This is what I want to do in user/kernel mode programming.



#13 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 13 November 2013 - 05:08 PM

The "father process" actually debugs the child process and keeps an eye on it, so it can't be tampered with. Oh, I should have kept my mouth shut in the past; no more Arma, please!!!! :( :P :)



#14 Tony
Intermediate Member | Associate | Reputation: 145 (Very Good) | 270 posts | Contributor

Posted 13 November 2013 - 08:16 PM

Yes, Hess, I know how Arma works :)

 

The only problem I have is to create a process with the mentioned WinAPIs and set this new process as a child.
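The question in this post and in #10 is whether the launched process really ended up as a child of its launcher. As an added example, not code from this thread, here is the check a defender or analyst would run to answer that from the outside: a PowerShell function, constructed for this page, that lists the direct children of a given PID by walking the ParentProcessId recorded in Win32_Process, and flags links that cannot be genuine because the "child" predates its "parent" (a reused PID).

```powershell
# Added example (not from the thread). Lists direct children of a process
# using only CIM data; no native APIs involved.
function Get-ChildProcess {
    param(
        [Parameter(Mandatory)][int]$ParentId
    )

    $all = Get-CimInstance -ClassName Win32_Process
    $parent = $all | Where-Object ProcessId -eq $ParentId
    if (-not $parent) { throw "No running process with PID $ParentId" }

    # Caveat: ParentProcessId is a value recorded at creation time. It is not
    # updated when the parent exits (and its PID may be reused), and the
    # creating process can ask for a different parent to be recorded, so a
    # matching PPID is evidence of lineage, not proof of it. Comparing
    # creation timestamps catches the reused-PID case.
    $all |
        Where-Object ParentProcessId -eq $ParentId |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId     = $_.ProcessId
                Name          = $_.Name
                CommandLine   = $_.CommandLine
                CreationDate  = $_.CreationDate
                # A child that was created before its recorded parent cannot
                # have been started by it.
                PlausibleLink = ($_.CreationDate -ge $parent.CreationDate)
            }
        }
}

# Usage: start a throwaway child from this shell and confirm it shows up
# under the shell's own PID, then clean it up.
$child = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c timeout /t 30' `
                       -PassThru -WindowStyle Hidden
Get-ChildProcess -ParentId $PID | Format-Table -AutoSize
Stop-Process -Id $child.Id -ErrorAction SilentlyContinue
```

Run the same function against the PID of the process created with ZwCreateProcessEx to see what parent the system actually recorded for it; if the new process does not appear under the launcher, the parent handle passed at creation is the first thing to inspect.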



#15 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 13 November 2013 - 09:47 PM

Then You know its API and how You can recreate it, just from the opposite side, just like You reverse it. :S Huh, who made me talk about Arma! :S :( :)



#16 Jochen
Member | Associate | Reputation: 63 (Good) | 37 posts | Contributor

Posted 15 November 2013 - 12:42 PM

@Tony Could you send me the SRC by PM? I might be able to help you ;)



#17 Hess
Intelligence Service | Loyalist | Reputation: 766 (Excellent) | 2,821 posts | Location: Belgrade | Contributor

Posted 15 November 2013 - 12:50 PM

I have to quote myself here since most people misunderstood me:

Quote (Hess): I can't recall to whom I suggested using several APIs, which will make the work a bit harder, but the output will be useful. :)

This is a new approach in Arma since v9; it is not so well recognized anymore. :)