Execute a system process from ring0

Hello! I'm writing a driver which should start an application from ring0.
It is very important that the app runs as the SYSTEM account.
Finally I read a lot about process creation, but I still have one problem:

After I have created the section, process and thread I see my process in the Task Manager list, running as SYSTEM; but even though I resume the thread I get the following error:
0xc0000142 (STATUS_DLL_INIT_FAILURE)
But the process found the DLLs, because if I renamed e.g. msvcr80.dll I got the message that the DLL couldn't be found in my DLL paths.
I read something about kernel32.dll failing if it isn't able to access the desktop (winsta0\default).

My question now: does anyone know what I could have done wrong, or does anyone have an idea how to solve my problem?

xxxxx@kse-soft.net wrote:

One thing that you did wrong: attempting to run a Win32 binary in the kernel. This won't work. Can you make it a normal service instead of a kernel process?

– pa

Why do you think that you need to do this? The closest that you’re going to get is to signal an already-running service to create the process on behalf.

There are a lot of user mode guts that won’t be “wired up” correctly if you’re not going through CreateProcess, such as the csrss connection. The way these work internally has changed several times in the past few OS releases and so reimplementing this logic yourself is not going to work in any sort of reasonable fashion.

- S

-----Original Message-----
From: xxxxx@kse-soft.net
Sent: Monday, March 30, 2009 23:31
To: Windows System Software Devs Interest List
Subject: [ntdev] Execute a system process from ring0

The problem is the following:
This is an NDIS driver which watches over the Ethernet connection like a firewall.
If there's something going wrong in the network, e.g. a virus, then I can close all ports except one port which retrieves commands for executing updates.

I know how to do this with an APC and a WinExec call in "explorer.exe", but I cannot run updates because the normal user does not have the required rights.

Writing a service for executing the file would be a solution, but I wanted to try doing this from kernel mode.

But when there is no other solution than writing a service, I have to do this…

> SYSTEM; but even though I resume the thread I get the following error:
> 0xc0000142 (STATUS_DLL_INIT_FAILURE)

Break into the target process very early before it fails, and edit the “show snaps” global variable in ntdll to be nonzero. I think it is called LdrShowSnaps or something like this.

This will turn on huge amounts of debug outprints from the DLL loader in ntdll.

Also you can set a breakpoint to Nt/ZwRaiseHardError - IIRC all process initialization errors are going there.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Break into the target process very early before it fails, and edit the "show snaps" global variable in
> ntdll to be nonzero. I think it is called LdrShowSnaps or something like this. This will turn on huge
> amounts of debug outprints from the DLL loader in ntdll. Also you can set a breakpoint to
> Nt/ZwRaiseHardError - IIRC all process initialization errors are going there.

Wow, that's pretty cool, but where do I find the address of this variable?
I read something about fs:[30]+68 but I don't think that this is right…
I wanted to test this with Olly, but it seems that Olly isn't able to break before loading ntdll.
It only breaks on the debug breakpoint at address 0x7c91120f…

>> Break into the target process very early before it fails, and edit the "show snaps" global variable in
>> ntdll to be nonzero. I think it is called LdrShowSnaps or something like this. This will turn on huge
>> amounts of debug outprints from the DLL loader in ntdll. Also you can set a breakpoint to
>> Nt/ZwRaiseHardError - IIRC all process initialization errors are going there.

> Wow, that's pretty cool, but where do I find the address of this variable?

x ntdll!*snap*

> I wanted to test this with Olly, but it seems that Olly isn't able to break before loading ntdll.

What is olly?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
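The two steps Maxim describes (turn on loader snaps, then break on the hard-error path) as one WinDbg session. This is an added illustration, not from the thread; it assumes a 32-bit XP/2003-era ntdll in which the global is named `ShowSnaps`, which the `x` command is there to confirm before anything is written, and a placeholder target path.

```windbg
$$ Get control before the loader runs: either launch the target under the
$$ debugger (windbg.exe C:\path\to\target.exe, placeholder path) or attach
$$ to a process that is still suspended (windbg.exe -p <pid>), so the
$$ initial breakpoint fires before ntdll has started resolving imports.

$$ 1. Find the loader's "show snaps" global; the name depends on the ntdll build.
x ntdll!*snap*

$$ 2. Set it nonzero. Assumption: the symbol is ntdll!ShowSnaps (32-bit XP/2003).
ed ntdll!ShowSnaps 1

$$ 3. Process-initialization failures are reported through the hard-error path.
bp ntdll!NtRaiseHardError

$$ 4. Continue. Loader trace lines appear in the command window; when the
$$    breakpoint hits, the stack shows which DLL's initialization failed.
g
k

$$ Alternative to step 2 when the target can be started under the debugger:
$$   gflags /i target.exe +sls     (Show Loader Snaps via the image file options)
```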

You just need to have the service running for you and waiting for notifications from the driver. You should not be starting it by the driver.

Maxim S. Shatskih wrote:

>> Wow, that's pretty cool, but where do I find the address of this variable?
>
> x ntdll!*snap*
>
>> I wanted to test this with Olly, but it seems that Olly isn't able to break before loading ntdll.
>
> What is olly?

OllyDbg. A very interesting and competent user-mode assembly-level
debugger. It has some very interesting features, but its biggest
problem is that it doesn’t understand the Microsoft symbol format.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 4/1/09, Tim Roberts wrote:
> Maxim S. Shatskih wrote:
>>> Wow thats pretty cool, but where do I find the address of this variable?
>>>
>>
>> x ntdll!*snap*
>>
>>> I wanted to test this with olly, but it seems that olly isn’t able to
>>> break before loading the ntdll.
>>>
>>
>> What is olly?
>>
>
> OllyDbg. A very interesting and competent user-mode assembly-level
> debugger. It has some very interesting features, but its biggest
> problem is that it doesn’t understand the Microsoft symbol format.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Tim, OllyDbg understands symbol formats provided you patch a _fnmerge
and SymSetSearchPath call in the symbol loading code path.

Or you can find a modified command line plugin which has an option to
load an individual symbol file for modules (LoadPdb C:\blah\blah\blah.dll).

regards

raj