Create a process from within driver ?

Dear all,

Is there a legal way to launch an application from within a driver? I've encountered “ZwTerminateProcess”, but no documentation
describes the creation of a process. The goal is to launch a small EXE that collects some information in user mode that cannot be
retrieved in kernel mode. After delivering the info to the driver (i.e. via IOCTL calls) it will exit. I don’t like the idea of
creating a service for this or launching an application at boot time. There is already enough garbage running on people's computers.
Also, the driver will only need the information very occasionally and it may happen that it will not need it during every logon
session.

Thanks,

Christiaan

As far as legal, that would be a great big no. Not in any way shape or
form. In addition, in my personal opinion, while there are some exports
that sound like they have potential - in particular,
RtlCreateUserProcess (or something like that) - nothing exported from
the kernel will do this; in the specific case of RtlCreateUserProcess,
it is part of the initialization code, and is long gone by the time
Win32 is up and running (it is used to launch SMSS, I believe).

There are a couple hideous hacks that do achieve this to some extent.
While they are clever, they are still horrendously unstable. If you
wish, the information is out there, but you desperately do not want to
do anything like this.

In principle, I would agree that there are a large number of more or less
useless services that run by default. For the purposes of creating a
minimal target to minimize spew and information in WinDbg, I disable all
sorts of things, and the striking part is that a target configured this
way still runs everything I need it to without failing, which makes me
wonder. I would also add that depending on a service to be present,
running or at least not disabled is in my opinion asking for trouble
(sometimes you have to do this). All that being said, this one is an
absolute no brainer - whatever memory you might feel is wasted doesn’t
even chart in the garbage category when compared to the damage anything
that you might implement for this purpose will cause.

When viewed as an issue of cost/benefit or risk/reward, this one is just
abjectly preposterous.

Do not do this.

mm
----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Christiaan
Ghijselinck
Sent: Monday, August 06, 2007 13:38
To: Windows System Software Devs Interest List
Subject: [ntdev] Create a process from within driver ?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks Martin, I expected this kind of answer. I just wonder why the ‘ZwTerminateProcess’ is there, and even documented … My
personal opinion is that the possibility of launching a process from kernel mode would open a big world to the device driver writers
… My problem is not the memory the program would take when it has to start at boot time, but rather the additional communication
to trigger the application to provide the info. And what if the program gets killed from within task manager, etc…

Christiaan

----- Original Message -----
From: “Martin O’Brien”
To: “Windows System Software Devs Interest List”
Sent: Monday, August 06, 2007 8:20 PM
Subject: RE: [ntdev] Create a process from within driver ?


As for the memory consumption, there is no reason for you to bother.
You can create a small executable that will only connect to the driver
and wait for instructions on when to run the real program. It shouldn’t
be more than 15kb and probably even less. Once you have a task to
execute, create the real process.

Thanks
Tzachi
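The helper-executable pattern Tzachi describes, as an added example that is not code from the thread: a shared IOCTL contract between the driver and the helper that waits for its instructions, plus the driver-side validation of what the helper hands back. It is portable C rather than WDK code; CTL_CODE, FILE_DEVICE_UNKNOWN and the NTSTATUS values are the real Windows definitions reproduced here, while the IOCTL names, HELPER_INFO_HEADER and validate_submit_info are constructed for illustration.

```c
/* Added example (not code from the thread): contract between a driver and the
 * small user-mode helper that waits for its instructions, plus the driver-side
 * validation of the data the helper delivers.  Portable C, not WDK code: CTL_CODE,
 * FILE_DEVICE_UNKNOWN and the NTSTATUS values are the real Windows definitions
 * reproduced here; the IOCTL names and HELPER_INFO_HEADER are constructed. */
#include <stdint.h>
#include <string.h>

#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define CTL_CODE(dev, func, method, access) \
    (((dev) << 16) | ((access) << 14) | ((func) << 2) | (method))

/* The helper parks this IOCTL in the driver and blocks (inverted call); the driver
 * completes it when it needs fresh information.  0x800 is the first vendor code. */
#define IOCTL_HELPER_WAIT_FOR_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
/* The helper delivers what the short-lived collector EXE gathered. */
#define IOCTL_HELPER_SUBMIT_INFO      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023)
#define INFO_VERSION     1
#define INFO_MAX_PAYLOAD 256

typedef struct {
    uint32_t version;      /* must equal INFO_VERSION */
    uint32_t payload_len;  /* bytes of payload following this header */
} HELPER_INFO_HEADER;

/* Driver-side check of an IOCTL_HELPER_SUBMIT_INFO input buffer.  The helper can be
 * killed from Task Manager or replaced by any process allowed to open the device,
 * so its data is untrusted: check the buffer length before reading the header, and
 * the header before trusting payload_len, so a lying length cannot cause an
 * over-read.  On success the payload is copied to out and STATUS_SUCCESS returned. */
NTSTATUS validate_submit_info(const void *in, size_t in_len, char *out, size_t out_len)
{
    const HELPER_INFO_HEADER *hdr = (const HELPER_INFO_HEADER *)in;
    if (in == NULL || in_len < sizeof(*hdr))
        return STATUS_BUFFER_TOO_SMALL;
    if (hdr->version != INFO_VERSION || hdr->payload_len > INFO_MAX_PAYLOAD)
        return STATUS_INVALID_PARAMETER;
    if (in_len - sizeof(*hdr) < hdr->payload_len)   /* declared more than was sent */
        return STATUS_INVALID_PARAMETER;
    if (out == NULL || out_len < hdr->payload_len)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(out, (const char *)in + sizeof(*hdr), hdr->payload_len);
    return STATUS_SUCCESS;
}
```

The same header would be shared by the helper, which fills it in after the collector EXE exits and sends it with DeviceIoControl; a real driver would reach validate_submit_info from its IRP_MJ_DEVICE_CONTROL dispatch routine with the METHOD_BUFFERED system buffer and input length.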

> Is there a legal way to launch an application from within a driver ?

No legal ways.

Setting up all Win32 stuff in the new process is 100% undocumented and next to
impossible to do correctly.

> calls ) it will exit. I don’t like the idea to
> create a service for this

And this is the only way. A properly written service is not garbage, while
attempts to start an app from the driver are.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

In case you still want to know a method:
http://rootkit.com/newsread.php?newsid=259

Great achievement, but nothing you’d actually want to use.

“Maxim S. Shatskih” wrote in message news:xxxxx@ntdev…
>> Is there a legal way to launch an application from within a driver ?
>
> No legal ways.
>
> Setting up all Win32 stuff in the new process is 100% undocumented and next to
> impossible to do correctly.

Interesting. In Windows, kernel code is allowed to read and write files, but
launching a user-mode process is a no-no.
In Linux, one can start a process, but reading files
is a no-no (though not because it is undocumented).

–PA

> http://rootkit.com/newsread.php?newsid=259

It has nothing to do with the OP’s actual question - what he asks about is how to launch a process from *kernel* mode, but what the above sample does is execution of a user-mode APC. In other words, the *actual* process creation is still done from user mode, although upon the driver’s request. The most interesting thing here is that the whole thing is just pointless - isn't it easier
just to introduce the additional helper service that will do exactly the same thing, but safely (and easily)???

The only situation when you may need something like that is when working with some idiot client
who does not want to listen to reasonable things. For example, an idiot decides that he wants to have just one driver service (because introduction of any additional components contradicts the architecture that he has decided upon), and then he realizes that a msg box has to be displayed under
some circumstances. At this point “blackhat stuff” comes into play - your task is to make it work, and do it safely (which is not that easy). Certainly, as long as they pay you well, you don’t mind it at all, but what is the exact point of the whole exercise, in the first place???

Anton Bassov

> Setting up all Win32 stuff in the new process is 100% undocumented and next to
> impossible to do correctly.

Actually, the term “undocumented” is a bit misleading in this context - the system just does not launch user processes from kernel mode, so it does not let you do it either. The only thing you can try to do is to launch a so-called “native application” that does not make any calls, apart from the ones that are exported by ntdll.dll. This is feasible (after all, the system launches Smss.exe somehow), although still undocumented…

However, launching a user process from kernel mode is just infeasible - the process creator has to inform CSRSS.EXE about the newly-created process, and this is done by ntdll.dll from user mode…

Anton Bassov

> some circumstances. At this point “blackhat stuff” comes into play - your
> task is to make it work, and do it safely (which is not that easy).

Usually this is just plain impossible.

> Certainly, as long as they pay you well

The normal approach with such a client - write the code, show that it is
working (more or less), take your money and say goodbye.

Going in for support/maintenance contracts with software violating the MS’s
OS architecture is a loss. Usually lost money and bad image at the face of the
client.

Going in for development with support/maintenance if you cannot influence the
architecture is an even more stupid thing. If the architecture designed by some
blah-blah guy will cause technical issues - then you will be to blame and not
the blah-blah guy (I can assure you about this).

I saw projects fail completely (unable to go away from the stage of a
demo) due to blah-blah architects.

So, if the client insists on the blah-blah architecture - he is going to throw
his money away to the trashcan. This is OK - this is his money after all - but,
if you work for such a client, at least assure yourself you will not lose
together with him.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> However, launching a user process from kernel mode is just infeasible -
> the process creator has to inform CSRSS.EXE about the newly-created process,
> and this is done by ntdll.dll from user mode…

Correct. You’re especially correct about CSRSS.

Having a helper service together with a driver can be done bug-free, at least
in theory. Its memory footprint is around 32KB, and it will be outswapped
nearly forever.

So, this is a way to go. Attempting to run an EXE from kmode to get rid of the
helper service is much worse. First of all, I have major doubts it can be done
bug free.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

>> Certainly, as long as they pay you well
>
> The normal approach with such a client - write the code, show that it is
> working (more or less), take your money and say goodbye.
>
> Going in for support/maintenance contracts with software violating the MS’s
> OS architecture is a loss. Usually lost money and bad image at the face of the client.

Actually, all you have to do is just to specify *precise* tests that your code has to pass in order to be accepted, in your contract - anything above that is just not your responsibility. Before you sign a contract, it is a good idea to provide them with a document, describing all possible solutions and analyzing all pros and cons of every solution. Let them decide what is acceptable and what is not - after all, this is their product.

After they have made their decision, you can already sign a contract, and all its terms should be
appropriate only for the given strategy that they chose. If clients decide that they don’t mind, say, hooking, you should *explicitly* state in the project description that your solution relies upon hooking, and, hence, is not certifiable by MSFT. Otherwise, if, at some point, they decide that they need the MSFT logo, they may blame you when they discover that their product is not certifiable in principle. If your code has to be hardware-specific, you should *explicitly* state it in your contract - otherwise, they may blame you when they discover that your code does not work on other architectures. The list goes on and on…

In fact, arranging contract details properly is not as easy as it seems to be - in order to do it, one needs in-depth understanding of all technical issues involved. For example, no matter if your code is “supported” or not, you should avoid such vague phrases as “compatibility with third-party kernel-mode components” - instead, you should make it clear that you consider only those third-party components that are “properly” written (i.e. the ones that are able to pass Driver Verifier tests successfully). Otherwise, if some poorly-written third-party driver screws up your operations, you may be held responsible for this…

> Going in for development with support/maintenance if you cannot influence the
> architecture is an even more stupid thing.

Well, actually, this is just illogical…

If you write only a part of the solution, it means that clients just purchase your code that they are
subsequently going to integrate into their product. Integration is going to be done by them and not by you, which means that theoretically they may just screw up your code. How can you take responsibility for the bugs that they may potentially introduce???

Therefore, the only situation when maintenance applies is the one when you provide them with a “black box”, so that they have no access to your code and communicate with your driver solely via IOCTLs (they should not have a chance even to register callbacks with your driver - otherwise, they may potentially screw it up). In other words, your driver is a completely independent product. If this is the case…well, then you have full control over your driver’s architecture, and, hence, don’t depend on their decisions in any possible way…

Anton Bassov