I read the Windows NT/2000 Native API Reference and Inside Windows NT (2nd ed.) about
the flow of Win32 CreateProcess. I also read the source code of the rootkit (www.rootkit.com) for NT4.
One step in CreateProcess is to inform the Win32 subsystem (csrss.exe) that a Win32 process
is about to launch.
Here is the code in the rootkit for InformCsrss:
VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
{
    CSRMSG csrmsg;
    HANDLE hCurProcess;
    ULONG  handleIndex;
    PVOID  p;

    // Open a handle to the current process so its user-mode memory can be read.
    p = PsGetCurrentProcess();
    ObOpenObjectByPointer(p, 0, NULL, 0, NULL, KernelMode, &hCurProcess);

    // Get the index of the port handle used to send messages to csrss.
    // The handle is read from a hard-coded user-mode address (specific to the NT4 build).
    // FIX ME! find a dynamic way to get this address.
    UtilsZwRoutine(ZWREAD_VIRTUAL_MEMORY_INDEX, hCurProcess, 0x77fa8168,
                   &handleIndex, sizeof(handleIndex), 0);
    ZwClose(hCurProcess);

    // Build the CSR create-process message; the sizes are hard-coded for NT4.
    RtlZeroMemory(&csrmsg, sizeof(CSRMSG));
    csrmsg.ProcessInformation.hProcess    = hProcess;
    csrmsg.ProcessInformation.hThread     = hThread;
    csrmsg.ProcessInformation.dwProcessId = pid;
    csrmsg.ProcessInformation.dwThreadId  = tid;
    csrmsg.PortMessage.MessageSize = 0x4c;    // total length of the LPC message
    csrmsg.PortMessage.DataSize    = 0x34;    // length of the data after the port header
    csrmsg.CsrssMessage.Opcode     = 0x10000; // CSR API number for create process

    // Send the request to csrss and wait for its reply.
    UtilsZwRoutine(ZWREQUEST_WAIT_REPLY_PORT_INDEX, handleIndex, &csrmsg, &csrmsg);
}
I have some questions about this code.
- Is the port handle under NT and 2k the same? If it is not the same, then the address 0x77fa8168
  should be changed under 2k. How can I find the index? Are there any documents?
- It seems MessageSize and DataSize also have to be changed. How can I do that?
Would someone like to give me some suggestions?
Thanks very much.
best regards
yours brucie
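An added example that is not part of the post or of the rootkit.com source. It addresses the second question: the two constants 0x4c and 0x34 are the LPC PORT_MESSAGE TotalLength and DataLength words, and their difference (0x18 = 24 bytes) is exactly the size of the 32-bit port header. So instead of hard-coding them, derive both from sizeof() of the message struct, which keeps them correct whenever the message layout changes. The struct layouts below are assumptions: they are modelled on the 32-bit PORT_MESSAGE and CSR API message shapes and sized so they reproduce the post's constants; the 20 bytes after PROCESS_INFORMATION are modelled as opaque words, and the macro name CSR_API_BASE_CREATEPROCESS is mine (the value 0x10000 is the Opcode from the post). This does nothing for the hard-coded port-handle address, which remains build-specific.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit (x86) LPC PORT_MESSAGE header as used on NT4/2000: 24 bytes.
 * The post's "DataSize"/"MessageSize" are the DataLength/TotalLength words. */
typedef struct {
    uint16_t DataLength;      /* u1.s1.DataLength  (post: DataSize)    */
    uint16_t TotalLength;     /* u1.s1.TotalLength (post: MessageSize) */
    uint16_t Type;            /* u2.s2.Type */
    uint16_t DataInfoOffset;  /* u2.s2.DataInfoOffset */
    uint32_t ClientProcess;   /* CLIENT_ID.UniqueProcess */
    uint32_t ClientThread;    /* CLIENT_ID.UniqueThread */
    uint32_t MessageId;
    uint32_t ClientViewSize;  /* union with CallbackId */
} PORT_MESSAGE32;

/* CSR API header that follows the port header (post: CsrssMessage), 16 bytes.
 * The rootkit only sets ApiNumber (post: Opcode). */
typedef struct {
    uint32_t CaptureData;
    uint32_t ApiNumber;
    uint32_t ReturnValue;
    uint32_t Reserved;
} CSR_API_HEADER32;

/* Create-process payload (post: ProcessInformation). The first 16 bytes are the
 * PROCESS_INFORMATION the rootkit fills in. ASSUMPTION: the remaining 20 bytes
 * (left zeroed by the rootkit) are modelled as opaque words so that the total
 * matches the post's 0x4c. */
typedef struct {
    uint32_t hProcess;
    uint32_t hThread;
    uint32_t dwProcessId;
    uint32_t dwThreadId;
    uint32_t Extra[5];
} CSR_CREATEPROCESS32;

typedef struct {
    PORT_MESSAGE32      PortMessage;
    CSR_API_HEADER32    CsrssMessage;
    CSR_CREATEPROCESS32 ProcessInformation;
} CSRMSG32;

#define CSR_API_BASE_CREATEPROCESS 0x10000u   /* Opcode value from the post; name is mine */

/* Layout checks at compile time: the model must reproduce the post's constants. */
_Static_assert(sizeof(PORT_MESSAGE32) == 0x18, "x86 port header must be 24 bytes");
_Static_assert(sizeof(CSRMSG32) == 0x4c, "message layout no longer matches 0x4c");

uint16_t csr_message_size(void) { return (uint16_t)sizeof(CSRMSG32); }
uint16_t csr_data_size(void)    { return (uint16_t)(sizeof(CSRMSG32) - sizeof(PORT_MESSAGE32)); }

/* Build the message the way InformCsrss does, but derive both length words
 * from sizeof instead of hard-coding them. Returns 0 on success, -1 if the
 * message would not fit the 16-bit length fields. */
int csr_build_createprocess_msg(CSRMSG32 *msg, uint32_t hProcess, uint32_t hThread,
                                uint32_t pid, uint32_t tid)
{
    size_t total = sizeof(*msg);
    size_t data  = total - sizeof(msg->PortMessage);
    if (total > UINT16_MAX)
        return -1;
    memset(msg, 0, sizeof(*msg));                       /* RtlZeroMemory in the post */
    msg->PortMessage.TotalLength = (uint16_t)total;     /* was 0x4c */
    msg->PortMessage.DataLength  = (uint16_t)data;      /* was 0x34 */
    msg->CsrssMessage.ApiNumber  = CSR_API_BASE_CREATEPROCESS;
    msg->ProcessInformation.hProcess    = hProcess;
    msg->ProcessInformation.hThread     = hThread;
    msg->ProcessInformation.dwProcessId = pid;
    msg->ProcessInformation.dwThreadId  = tid;
    return 0;
}

/* Pre-send sanity check: catches a stale size if a field is added to the
 * message or the port header size changes. Returns 1 if consistent. */
int csr_msg_sizes_consistent(const CSRMSG32 *msg)
{
    return msg->PortMessage.TotalLength == sizeof(*msg) &&
           msg->PortMessage.DataLength  == sizeof(*msg) - sizeof(msg->PortMessage);
}
```

The useful invariant is DataLength = TotalLength - sizeof(PORT_MESSAGE); with the post's numbers that is 0x4c - 0x18 = 0x34. Whether the layout of the data part is identical between NT4 and 2000 is exactly what the post is asking, so this example only shows how to stop hard-coding the sizes once the struct for the target build is known.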