Creating and terminating the usermode processes from a kernel mode driver

Hi,

I am developing a Windows NT file system filter driver. I need to create a user-mode process from this filter driver in order to access the physical memory outside the range of kernel mode (2GB User/2GB Kernel or 1GB Kernel/3GB User). I am creating the process by the following steps:
1. Get the handle to the executable file by calling ZwCreateFile().
2. Create a section object for the executable file using the file handle by calling NtCreateSection() (which is undocumented).
3. Call the NtCreateProcess() function (which is undocumented) with the section object created.

The process is created and is shown when executing the command proc in SoftICE.

Now if I try to kill the process using NtTerminateProcess() (which is undocumented) it blue screens. So how do I kill the process?

Does anybody know if I am doing the process creation stuff correctly? Also, does anybody know what I have to do before I call NtTerminateProcess()?
Also, does anybody know what the correct parameters are for creating the section and creating the process? Please help me.


Prakash Bilodi
Interactive Silicon Inc
7719, WoodHollow Drive, Suite 100
Austin, Texas 78731

>3. Call NtCreateProcess() function (which is undocumented) with the section object created.

You must also call NtCreateThread() to create at least a single thread in this process.
Also you must queue an undocumented APC to the thread to call the DLL init routines.
Also you must build a STARTUPINFO for this process.
Also you must register it in CSRSS…
…and, I suspect, many more things.

Max


Has anybody done this kind of experiment? If yes, could you please tell me how to proceed in getting the undocumented stuff?

Regards
Prakash Bilodi
----- Original Message -----
From: Maxim S. Shatskih
To: File Systems Developers Interest List
Sent: Friday, February 25, 2000 5:05 PM
Subject: [ntfsd] Re: Creating and terminating the usermode processes from a kernel mode driver

> >3. Call NtCreateProcess() function (which is undocumented) with the section object created.
>
> You must also call NtCreateThread() to create at least a single thread in this process.
> Also you must queue an undocumented APC to the thread to call the DLL init
> routines.
> Also you must build a STARTUPINFO for this process.
> Also you must register it in CSRSS…
> …and, I suspect, many more things.
>
> Max