
About ...ZwCreateProcess

OSR_Community_User Member Posts: 110,217
Could you help me with some questions?

a) Is this the correct prototype for ZwCreateProcess?

NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ParentProcessHandle,
BOOLEAN InheritObjectTable,
HANDLE SectionHandle,
HANDLE DebugPort,
HANDLE ExceptionPort)

b) What does the kernel do with the SectionHandle parameter to
ZwCreateProcess?

c) Is it possible to increase the amount of stack space available for a
driver thread?

Comments

  • OSR_Community_User Member Posts: 110,217
    a)
    Yep, the prototype is correct.
    Here it is again with the IN OUT Params. :-)

    NTSTATUS ZwCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN BOOLEAN InheritHandles,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL);

    b)
    The SectionHandle parameter is an optional handle to an image section
    which grants SECTION_MAP_EXECUTE access. If set to zero, the process
    inherits its address space from the process referred to by
    InheritFromProcessHandle.
    In Win 2K, the lowest bit, when set, says that the process should not be
    associated with the job of the InheritFromProcessHandle process.

    c)
    I guess it can be done by creating a usermode stack and attaching it to the
    thread after creating it using ZwCreateThread. You might have to use
    ZwAllocateVirtualMemory and ZwProtectVirtualMemory, but then it allocates
    the memory in the user mode address range, which might not solve your
    request. You might have to use other functions. I might be wrong in this
    answer. Let other gurus on this list please help us.

    Suresh Ponnusami,
    Internet Security Consultant,
    nSecure Software (P) Ltd.,
    Bangalore - 71

    ----- Original Message -----
    From: "Kim DJ" <[email protected]>
    Subject: [ntdev] About ...ZwCreateProcess

  • OSR_Community_User Member Posts: 110,217
    c) No. You cannot increase or change kernel stacks for a thread. Please
    don't attempt this, it's full of holes.
    If you really need more stack space, consider posting work to a worker
    thread which will get a fresh stack.
    Ravi

    -----Original Message-----
    From: Suresh Ponnusami [mailto:[email protected]]
    Sent: Wednesday, October 30, 2002 1:01 AM
    To: NT Developers Interest List
    Subject: [ntdev] Re: About ...ZwCreateProcess

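The defensive pattern behind Ravi's answer, bounding your own stack use and deferring the rest to a worker that starts on a fresh stack, as an added example that is not from the thread. It emulates in user mode the check a driver would make with the DDK's IoGetRemainingStackSize(); the 12 KB budget (x86 kernel stack size) and 2 KB margin are assumptions, and the nested walk is a constructed stand-in for a deep recursive routine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the thread. A kernel stack cannot be grown, so a
 * deep routine bounds its own usage and defers the remainder to a worker
 * (IoQueueWorkItem / PsCreateSystemThread in a driver), which starts on a
 * fresh stack. Here the budget check is emulated from stack addresses. */

#define STACK_BUDGET (12 * 1024)  /* assumed: x86 kernel stack size */
#define STACK_MARGIN (2 * 1024)   /* assumed: keep this much for callees */

static uintptr_t g_stack_base;    /* address recorded at dispatch entry */

/* Bytes left before the assumed budget is exhausted (0 if already over). */
static size_t remaining_stack(void) {
    volatile char marker;
    uintptr_t here = (uintptr_t)&marker;
    size_t used = g_stack_base > here ? g_stack_base - here : here - g_stack_base;
    return used >= STACK_BUDGET ? 0 : STACK_BUDGET - used;
}

typedef struct {
    int depth_reached;  /* deepest level processed on this stack */
    int resume_depth;   /* -1 if finished, else level to hand to a worker */
} walk_result;

/* Recursive walk of a constructed nested structure, one 512-byte path
 * buffer per frame, like a directory walk inside a filter driver. */
static void walk(int depth, int max_depth, walk_result *r) {
    volatile char path[512];          /* volatile: the frame must really exist */
    path[0] = (char)depth;
    r->depth_reached = depth;
    if (depth >= max_depth) { r->resume_depth = -1; return; }
    if (remaining_stack() < STACK_MARGIN) {
        r->resume_depth = depth + 1;  /* defer the rest instead of overflowing */
        return;
    }
    walk(depth + 1, max_depth, r);
    if (path[0] != (char)depth)       /* use after the call: no tail call */
        r->depth_reached = -1;
}

/* Stands in for a dispatch routine: records the stack base, then walks.
 * A worker would call this again with start_depth = resume_depth. */
walk_result run_walk(int start_depth, int max_depth) {
    volatile char base;
    walk_result r = { 0, -1 };
    g_stack_base = (uintptr_t)&base;
    walk(start_depth, max_depth, &r);
    return r;
}
```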
  • James_Antognini Member Posts: 263
    Expanding the stack is something I've wondered about, e.g., copying the
    stack at procedure entry to a larger area and using a little inline
    assembler to point ESP to that area, and of course reversing at
    procedure exit. But the technique might get sticky in exception
    handling, since the old stack pointer might be squirreled away somewhere
    that SEH uses.

    What are the known holes?

    --
    If replying by e-mail, please remove "nospam." from the address.

    James Antognini