About ...ZwCreateProcess

Could you help me with some questions

a) Is this the correct prototype for ZwCreateProcess

NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ParentProcessHandle,
BOOLEAN InheritObjectTable,
HANDLE SectionHandle,
HANDLE DebugPort,
HANDLE ExceptionPort)

b) What does the kernel do with the SectionHandle parameter to
ZwCreateProcess

c) Is it possible to increase the amount of stack space available for a
driver thread

a)
Yep, the prototype is correct.
Here it is again with the IN OUT Params. :-)

NTSTATUS ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL);

b)
The SectionHandle parameter is an optional handle to an image section
which grants the SECTION_MAP_EXECUTE access. If set to zero, the process
inherits address space from the process referred to by
InheritFromProcessHandle. In Win 2K the lowest bit, when set, says that
the process should not be associated with the job of the
InheritFromProcessHandle process.

c)
I guess it can be done by creating a usermode stack and attaching it to the
thread after creating it using ZwCreateThread. Might have to use
ZwAllocateVirtualMemory and ZwProtectVirtualMemory, but then it allocates
the mem in the user mode address range, which might not solve your
request. Might have to use other functions. I might be wrong in this
answer. Let other gurus in this list please help us.

Suresh Ponnusami,
Internet Security Consultant,
nSecure Software (P) Ltd.,
Bangalore - 71

----- Original Message -----
From: “Kim DJ”
Subject: [ntdev] About …ZwCreateProcess

> Could you help me with some questions
>
> a) Is this the correct prototype for ZwCreateProcess
>
> NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle,
> ACCESS_MASK DesiredAccess,
> POBJECT_ATTRIBUTES ObjectAttributes,
> HANDLE ParentProcessHandle,
> BOOLEAN InheritObjectTable,
> HANDLE SectionHandle,
> HANDLE DebugPort,
> HANDLE ExceptionPort)
>
> b) What does the kernel do with the SectionHandle parameters to
> ZwCreateProcess
>
> c) Is it possible to increase the amount of stack space available for a
> driver thread
>

C) No. You cannot increase or change kernel stacks for a thread. Please
don’t attempt this, it’s full of holes.
If you really need more stack space, consider posting work to a worker
thread which will get a fresh stack.
Ravi

-----Original Message-----
From: Suresh Ponnusami [mailto:xxxxx@nsecure.net]
Sent: Wednesday, October 30, 2002 1:01 AM
To: NT Developers Interest List
Subject: [ntdev] Re: About …ZwCreateProcess

a)
Yep, the prototype is correct.
Here it is again with the IN OUT Params. :-)

NTSTATUS ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL);

b)
The SectionHandle parameter is an optional handle to an image section
which grants the SECTION_MAP_EXECUTE access. If set to zero, the process
inherits address space from the process referred to by
InheritFromProcessHandle. In Win 2K the lowest bit, when set, says that
the process should not be associated with the job of the
InheritFromProcessHandle process.

c)
I guess it can be done by creating a usermode stack and attaching it to the
thread after creating it using ZwCreateThread. Might have to use
ZwAllocateVirtualMemory and ZwProtectVirtualMemory, but then it allocates
the mem in the user mode address range, which might not solve your
request. Might have to use other functions. I might be wrong in this
answer. Let other gurus in this list please help us.

Suresh Ponnusami,
Internet Security Consultant,
nSecure Software (P) Ltd.,
Bangalore - 71

----- Original Message -----
From: “Kim DJ”
Subject: [ntdev] About …ZwCreateProcess

> Could you help me with some questions
>
> a) Is this the correct prototype for ZwCreateProcess
>
> NTSTATUS ZwCreateProcess(PHANDLE ProcessHandle,
> ACCESS_MASK DesiredAccess,
> POBJECT_ATTRIBUTES ObjectAttributes,
> HANDLE ParentProcessHandle,
> BOOLEAN InheritObjectTable,
> HANDLE SectionHandle,
> HANDLE DebugPort,
> HANDLE ExceptionPort)
>
> b) What does the kernel do with the SectionHandle parameters to
> ZwCreateProcess
>
> c) Is it possible to increase the amount of stack space available for
> a driver thread
>



Expanding the stack is something I’ve wondered about, e.g., copying the
stack at procedure entry to a larger area and using a little inline
assembler to point ESP to that area, and of course reversing at
procedure exit. But the technique might get sticky in exception
handling, since the old stack pointer might be squirreled away somewhere
that SEH uses.

What are the known holes?


If replying by e-mail, please remove “nospam.” from the address.

James Antognini
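The following is an added example, not code from anyone in this thread. It illustrates Ravi's recommendation (check how much stack is left, and if the job needs more, hand it to a thread that starts with a fresh stack of a known size) rather than James's idea of swapping ESP in place. Kernel code cannot run outside a driver, so the example uses POSIX threads in user mode: pthread_attr_setstacksize stands in for the system worker thread you would reach with IoAllocateWorkItem/IoQueueWorkItem, and the stack_remaining() estimate stands in for IoGetRemainingStackSize. All function and constant names, the 4 KiB-per-level workload, and the 32 KiB start-up margin are this example's own assumptions.

```c
/* Added example (not from the ntdev thread): deep work refused on a small
 * stack and re-run on a thread created with a larger one. */
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_BYTES    4096u          /* stack pinned per recursion level (constructed workload) */
#define STACK_RESERVE  (64u * 1024u)  /* refuse to descend if less than this would remain */
#define STARTUP_MARGIN (32u * 1024u)  /* assumed bound on libc/TLS frames above job_main */

struct stack_ctx {
    uintptr_t base;     /* address of a local in the thread's first frame */
    size_t    limit;    /* bytes assumed usable below base */
    size_t    deepest;  /* deepest level actually processed */
};

/* Approximate bytes of stack left below the current frame; the user-mode
 * analogue of IoGetRemainingStackSize. Assumes a downward-growing stack. */
static size_t stack_remaining(const struct stack_ctx *ctx)
{
    volatile char probe = 0;
    uintptr_t here = (uintptr_t)&probe;
    uintptr_t low  = ctx->base - ctx->limit;
    return here > low ? (size_t)(here - low) : 0;
}

/* Recurse down to 'levels', one FRAME_BYTES frame per level. Returns 0 when
 * every level ran, -1 when the budget ran out first (re-post to a bigger stack). */
static int descend(struct stack_ctx *ctx, unsigned level, unsigned levels)
{
    volatile char frame[FRAME_BYTES];
    int r;

    if (stack_remaining(ctx) < STACK_RESERVE + sizeof frame)
        return -1;                                   /* check before touching the frame */
    frame[0] = frame[FRAME_BYTES - 1] = (char)level; /* really occupy the frame */
    if (level > ctx->deepest)
        ctx->deepest = level;
    if (level == levels)
        return 0;
    r = descend(ctx, level + 1, levels);
    frame[0] = 0;              /* keep the frame live across the call: no tail-call folding */
    return r;
}

struct job { size_t stack_bytes; unsigned levels; int result; size_t deepest; };

static void *job_main(void *arg)
{
    struct job *job = arg;
    struct stack_ctx ctx;
    volatile char top = 0;                 /* marks the first frame of the fresh stack */

    ctx.base    = (uintptr_t)&top;
    ctx.limit   = job->stack_bytes - STARTUP_MARGIN;
    ctx.deepest = 0;
    job->result  = descend(&ctx, 1, job->levels);
    job->deepest = ctx.deepest;
    return NULL;
}

/* Run the job on a new thread whose stack is stack_bytes long.
 * Returns 0 (completed), -1 (refused: not enough stack) or -2 (thread error). */
int run_on_fresh_stack(size_t stack_bytes, unsigned levels, size_t *deepest)
{
    pthread_attr_t attr;
    pthread_t tid;
    struct job job = { stack_bytes, levels, -2, 0 };

    if (pthread_attr_init(&attr) != 0)
        return -2;
    if (pthread_attr_setstacksize(&attr, stack_bytes) != 0 ||
        pthread_create(&tid, &attr, job_main, &job) != 0) {
        pthread_attr_destroy(&attr);
        return -2;
    }
    pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    if (deepest)
        *deepest = job.deepest;
    return job.result;
}

/* How many levels a given stack size manages before the budget check stops it. */
size_t levels_completed(size_t stack_bytes, unsigned levels)
{
    size_t deepest = 0;
    run_on_fresh_stack(stack_bytes, levels, &deepest);
    return deepest;
}

int main(void)
{
    size_t d = 0;
    int r = run_on_fresh_stack(256u * 1024u, 100, &d);
    printf("256 KiB stack: result %d, reached level %zu of 100\n", r, d);
    r = run_on_fresh_stack(8u * 1024u * 1024u, 100, &d);
    printf("8 MiB stack:   result %d, reached level %zu of 100\n", r, d);
    return 0;
}
```

The point of the budget check is that the refusal happens while there is still room to unwind and report, which is what a driver gets from IoGetRemainingStackSize; the thread-creation half is what a work item gives you for free, since a system worker thread always starts with a fresh kernel stack. The in-place ESP swap James describes has no equivalent here because nothing in the runtime would know about the substitute stack.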