Creating and terminating the usermode processes from a kernel mode driver

OSR_Community_User Member Posts: 110,217
Hi,

I am developing a Windows NT file system filter driver. I need to create a user-mode process from this filter driver in order to access the physical memory outside the range of kernel mode (2GB User/2GB Kernel or 1GB Kernel/3GB User). I am creating the process with the following steps:
1. Get the handle to the executable file by calling ZwCreateFile().
2. Create a section object for the executable file using the file handle by calling NtCreateSection() (which is undocumented).
3. Call NtCreateProcess() function (which is undocumented) with the section object created.

The process is created and is shown when I execute the proc command in SoftICE.

Now if I try to kill the process using NtTerminateProcess() (which is undocumented), it bluescreens. So how do I kill the process?

Does anybody know if I am doing the process creation stuff correctly? Also, does anybody know what I have to do before I call NtTerminateProcess()?
Also, does anybody know what the correct parameters are for creating the section and creating the process? Please help me.


----------------------
Prakash Bilodi
Interactive Silicon Inc
7719,WoodHollow Drive,Suite 100
Austin,Texas-78731

Comments

  • OSR_Community_User Member Posts: 110,217
    >3. Call NtCreateProcess() function(which is undocumented) with the section
    >object created.

    You must also call NtCreateThread() to create at least a single thread in this process.
    Also you must queue an undocumented APC to the thread to call the DLL init routines.
    Also you must build a STARTUPINFO for this process.
    Also you must register it in CSRSS....
    ...and, I suspect, many more things.

    Max
  • OSR_Community_User Member Posts: 110,217
    Has anybody done this kind of experiment? If yes, could you please tell me
    how to proceed with getting the undocumented stuff?

    Regards
    Prakash Bilodi
    ----- Original Message -----
    From: Maxim S. Shatskih <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Sent: Friday, February 25, 2000 5:05 PM
    Subject: [ntfsd] Re: Creating and terminating the usermode processes from a kernel mode driver

    > >3. Call NtCreateProcess() function(which is undocumented) with the section
    > >object created.
    >
    > You must also call NtCreateThread() to create at least a single thread in this process.
    > Also you must queue an undocumented APC to the thread to call the DLL init routines.
    > Also you must build a STARTUPINFO for this process.
    > Also you must register it in CSRSS....
    > ...and, I suspect, many more things.
    >
    > Max