Executing User Mode App From Driver

Hi all,

Is there any method to call a user-mode app from my
driver? That is, I have an application, say
“C:\Test.exe”. I just want to execute this program in
user mode from my driver.

Is this possible under Windows NT/2000?

Regards
Suja.


Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Try using the undocumented call ZwCreateProcess.


Hi

Thanks for the reply.
Can anyone give more info about ZwCreateProcess?
I have the following prototype. Is this correct?

ZwCreateProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcessHandle,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle,
    IN HANDLE DebugPort,
    IN HANDLE ExceptionPort
    );
Which parameters do I have to fill in to execute
C:\Test.exe?

Regards
Suja.


Check out this link

http://www.ntdev.org/archive/ntdev9907/msg0268.html

Best Regards,

Britto.E.V (Engineer - Software)
SCM Microsystems India (P) Ltd.,
Chennai.

"A pessimist sees the difficulty in every opportunity; an optimist sees the
opportunity in every difficulty."
  - Sir Winston Churchill (1874-1965)

SUJA JAMES wrote on 12/11/2001 01:11 PM (Subject: [ntdev] Re: Executing User Mode App From Driver):


Hi
I used the following code and I am getting the error
message “Indicates the specified procedure address
cannot found in the DLL” while starting the driver.
Also, it's not hitting my driver entry.
Does anyone know why?

#include <ntddk.h>

/* ZwCreateProcess is not declared in the DDK headers; this is the
   prototype posted earlier in the thread. */
NTSYSAPI NTSTATUS NTAPI
ZwCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcessHandle,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle,
    IN HANDLE DebugPort,
    IN HANDLE ExceptionPort
    );

VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
}

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    /* An array, not a single WCHAR, so sizeof() is the byte length of the
       whole string; backslashes must be escaped in a C string literal. */
    static const WCHAR PathPrefix[] =
        L"\\SystemRoot\\system32\\drivers\\test.exe";
    UNICODE_STRING FileName;
    ULONG FileNameLength;
    HANDLE ProcessHandle = NULL;   /* a HANDLE; its address is passed below */
    OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    FileNameLength = sizeof(PathPrefix);
    FileName.Buffer = (PWSTR)ExAllocatePool(NonPagedPool, FileNameLength);
    if (FileName.Buffer == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    /* Length excludes the terminating NUL; MaximumLength includes it. */
    FileName.Length = sizeof(PathPrefix) - sizeof(WCHAR);
    FileName.MaximumLength = (USHORT)FileNameLength;
    RtlMoveMemory(FileName.Buffer, PathPrefix, sizeof(PathPrefix));
    InitializeObjectAttributes(&ObjectAttributes,
                               &FileName,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);

    Status = ZwCreateProcess(
        &ProcessHandle,
        PROCESS_ALL_ACCESS,       // DesiredAccess
        &ObjectAttributes,
        NtCurrentProcess(),       // ParentProcessHandle
        TRUE,                     // InheritObjectTable
        NULL,                     // SectionHandle
        NULL,                     // DebugPort
        NULL                      // ExceptionPort
        );

    ExFreePool(FileName.Buffer);

    return Status;
}// End of DriverEntry


Hello

First of all, ZwCreateProcess/NtCreateProcess is not exported by the kernel; you
may try to call it only by getting its address by ordinal from the System Service
Descriptor Table. However, I'm almost sure that you will see a crash or nothing
working after this call. I have no time for research, but if you take a
look at the CreateProcess routine in kernel32.dll you will see that process
creation is not limited to the NtCreateProcess call.

Good Luck,

Vadim

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of SUJA JAMES
Sent: Tuesday, December 11, 2001 1:54 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Executing User Mode App From Driver

> Hi
> I used the following code and I am getting the error
> message “Indicates the specified procedure address
> cannot found in the DLL” while starting the driver.
> Also, it's not hitting my driver entry.
> Does anyone know why?


> can anyone give more info about ZwCreateProcess.
> I have the following prototype. Is this correct?
>
> ZwCreateProcess (
> OUT PHANDLE ProcessHandle,
> IN ACCESS_MASK DesiredAccess,
> IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
> IN HANDLE ParentProcessHandle,
> IN BOOLEAN InheritObjectTable,
> IN HANDLE SectionHandle,
> IN HANDLE DebugPort,
> IN HANDLE ExceptionPort
> );
> What all the parameters I have to fill for executing
> C:\Test.exe.

I remember seeing a book in a bookstore that documents such undocumented calls.
I don't remember the author's name, but there exists only one such book.



> I remember seeing a book in bookstore that documents such undocumented calls.
> I don’t remember the author’s name, but there exists only one such book.

Windows NT/2000 Native API Reference
Gary Nebbett
ISBN 1-57870-199-6



No, not without a huge PITA and dirty hackery.
CreateProcess is a very complex function; it does lots of things.
Doing all of this stuff correctly from the driver can be very painful.

Having a helper user-mode app which calls Win32's CreateProcess is much simpler.

Max

----- Original Message -----
From: “SUJA JAMES”
To: “NT Developers Interest List”
Sent: Tuesday, December 11, 2001 8:00 AM
Subject: [ntdev] Executing User Mode App From Driver

> Hi all,
>
> Is there any method to call a user mode app from my
> driver. That is , I have an application say
> “C:\Test.exe”. I just want to execute this program in
> user mode from my driver.
>
> Is this possible under win NT/2000???
>
> Regards
> Suja.
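The helper-app design Max recommends above, as an added example that is not code from the thread or from any of its posters: a portable C model of the request the driver hands to a user-mode helper and of the checks the helper runs before it calls CreateProcess. The driver never assembles a process itself; it only delivers a small fixed-format request, and the helper picks the program from a table compiled into it, so a caller who can reach the driver cannot make a SYSTEM-level helper launch an arbitrary path. The message layout, the magic value, the functions `launch_request_resolve`, `launch_request_make` and `launch_request_try`, and the second target path are all constructed for this example; the delivery mechanism (a pending IOCTL or a named event) and the CreateProcess call itself are outside the model.

```c
/* Added example, not from the thread: a portable model of the user-mode
 * helper design. The driver only sends a small fixed-format request; the
 * helper (running in user mode) decides what may be started. Names,
 * layout and magic value are constructed for this example. */
#include <assert.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAUNCH_MSG_MAGIC   0x4C4E4348u  /* "LNCH", constructed */
#define LAUNCH_MSG_VERSION 1u

/* Wire format the driver would copy into the helper's pending request
 * buffer (for instance the output buffer of a long-lived IOCTL). */
typedef struct {
    uint32_t magic;
    uint32_t version;
    uint32_t target_id;  /* index into k_targets; never a path string */
    uint32_t reason;     /* opaque code, only for the helper's log */
} launch_msg_t;

/* The only programs the helper will ever start. Compiled into the helper
 * so that nobody who can talk to the driver can turn a privileged helper
 * into "run any path I choose". */
static const char *const k_targets[] = {
    "C:\\Test.exe",                           /* the program from the thread */
    "C:\\Program Files\\Example\\Agent.exe",  /* constructed second entry */
};
#define TARGET_COUNT (sizeof k_targets / sizeof k_targets[0])

/* Validate one received request. Returns the path the helper may hand to
 * CreateProcess, or NULL when the request must be dropped; `why` receives
 * a short reason string for the helper's log either way. */
const char *launch_request_resolve(const void *buf, size_t len,
                                   char *why, size_t why_len)
{
    launch_msg_t m;

    if (buf == NULL || len != sizeof m) {
        snprintf(why, why_len, "bad length %zu", len);
        return NULL;
    }
    memcpy(&m, buf, sizeof m);   /* take a private copy before checking */
    if (m.magic != LAUNCH_MSG_MAGIC) {
        snprintf(why, why_len, "bad magic 0x%08" PRIx32, m.magic);
        return NULL;
    }
    if (m.version != LAUNCH_MSG_VERSION) {
        snprintf(why, why_len, "unsupported version %" PRIu32, m.version);
        return NULL;
    }
    if (m.target_id >= TARGET_COUNT) {
        snprintf(why, why_len, "unknown target id %" PRIu32, m.target_id);
        return NULL;
    }
    snprintf(why, why_len, "ok, reason %" PRIu32, m.reason);
    return k_targets[m.target_id];
}

/* What the driver side would fill in before completing the request. */
launch_msg_t launch_request_make(uint32_t target_id, uint32_t reason)
{
    launch_msg_t m = { LAUNCH_MSG_MAGIC, LAUNCH_MSG_VERSION, target_id, reason };
    return m;
}

/* Build a message with the given fields and resolve it as if `len` bytes
 * had arrived; convenient for exercising every rejection path. */
const char *launch_request_try(uint32_t magic, uint32_t version,
                               uint32_t target_id, size_t len)
{
    char why[64];
    launch_msg_t m = { magic, version, target_id, 0 };
    return launch_request_resolve(&m, len, why, sizeof why);
}

int main(void)
{
    char why[64];
    launch_msg_t req = launch_request_make(0, 7);
    const char *path = launch_request_resolve(&req, sizeof req, why, sizeof why);
    printf("valid request  -> %s (%s)\n", path ? path : "(dropped)", why);

    req = launch_request_make(99, 7);        /* id outside the table */
    path = launch_request_resolve(&req, sizeof req, why, sizeof why);
    printf("unknown target -> %s (%s)\n", path ? path : "(dropped)", why);

    req = launch_request_make(0, 7);
    path = launch_request_resolve(&req, sizeof req - 4, why, sizeof why);
    printf("short message  -> %s (%s)\n", path ? path : "(dropped)", why);
    return 0;
}
```

In a real helper the non-NULL path returned by `launch_request_resolve` is what goes into CreateProcess, and the `why` string goes into the helper's log so that dropped requests are visible. The driver side should also restrict who can open its device (a security descriptor on the device object), since whoever can complete or forge these requests decides when the helper runs.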

Windows NT/2000 Native API Reference - Gary Nebbett

Jason

Ntdev Reader wrote on 12/11/2001 12:41:44 PM (Subject: [ntdev] Re: Executing User Mode App From Driver):

> can anyone give more info about ZwCreateProcess.
> I have the following prototype. Is this correct?
>
> ZwCreateProcess (
> OUT PHANDLE ProcessHandle,
> IN ACCESS_MASK DesiredAccess,
> IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
> IN HANDLE ParentProcessHandle,
> IN BOOLEAN InheritObjectTable,
> IN HANDLE SectionHandle,
> IN HANDLE DebugPort,
> IN HANDLE ExceptionPort
> );
> What all the parameters I have to fill for executing
> C:\Test.exe.

> I remember seeing a book in bookstore that documents such undocumented
> calls.
> I don’t remember the author’s name, but there exists only one such book.


> working after this call, I have not time for research, but if you take a
> look on CreateProcess routine in kernel32.dll you will see that process
> creation is not limited to NtCreateProcess call.

Before NtCreateProcess, NtCreateFile/NtCreateSection(SEC_IMAGE) are called.
After NtCreateProcess, NtCreateThread is called, the PEB values like the MSVCRT handle table are written to the new process by
WriteProcessMemory, then the process and the thread are registered in CSRSS for console stuff, then IIRC an APC is queued to the
thread to call LdrpInitializeProcess, then the thread is unfrozen.

David Solomon has a more detailed description in his book.

Max



> ZwCreateProcess (
> OUT PHANDLE ProcessHandle,
> IN ACCESS_MASK DesiredAccess,
> IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
> IN HANDLE ParentProcessHandle,
> IN BOOLEAN InheritObjectTable,
> IN HANDLE SectionHandle,
> IN HANDLE DebugPort,
> IN HANDLE ExceptionPort
> );
> What all the parameters I have to fill for executing
> C:\Test.exe.

NtCreateFile(&hFile, “C:\Test.exe”)
NtCreateSection(&hFile, SEC_IMAGE…)
NtCreateProcess(&hProcess, …, hSection…)
NtCreateThread(hProcess…)

That’s not all, the process must register itself in CSRSS, and this is undocumented.

Max

