I was making my service and I was calling NtCreateProcessEx() to launch a process. I was wondering if this was at all possible from kernel mode. Basically, if my service is not running (I am working on an NDIS packet filter), I want the driver to launch it. Is it possible to do such a thing? I looked through some Windows Internals PDFs and did not find much. I saw some information on the PspCid table and inserting data, but that would trigger a BSOD, no? Is there any way that is possible to do this? I thought of injecting some DLL into a remote process via queuing an APC and making it launch my process. But I would rather not go through that trouble, since it would only work on x86 systems? Is there any reliable way to inject a DLL into a remote process? I am genuinely curious about a “legitimate” way to do this that has SOME stability to it.
Obviously it’s possible. The operating system does it, after all.
But the steps to do so are neither documented nor supported.
Windows has designed and supported ways to automatically start processes/services… please use one of those. You’ll be happier, I promise.
Peter
I was calling NtCreateProcessEx() to launch a process. I was wondering if this was at all possible from kernel mode.
IIRC, you cannot call NtCreateProcessEx() from the KM, because this function is not exported via ntoskrnl.exe’s IAT either in Nt or Zw form. All calls to this function are supposed to be made only via SSDT, which means only the userland is supposed to call this function.
Certainly you can try to provide your own KM implementation of ZwCreateProcessEx() by calling it via the SSDT by means of the INT 0x2E instruction, but there are certain caveats here. When you make a system call, the system call dispatcher records the CPU mode at the time of the call in a certain field in ETHREAD so that the actual callee knows whether it was called by the kernel or by the userland. Therefore, NtCreateProcessEx()'s actual implementation always has a way to discover whether it was called in a “supported” way, which means you may get a “funny” reaction from it if its expectations are not met.
Is there any reliable way to inject a DLL into a remote process?
From the userland, yes…
I am genuinely curious about a “legitimate” way to do this that has SOME stability to it.
The best way to go here is just writing a userland helper service that your driver can communicate with. If you have to do something that is not supposed to be done in the kernel (or is just too cumbersome in the KM), you can always delegate this task to a userland service. Simple, ugh…
Anton Bassov
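Both replies point the original poster at the supported mechanism for the real problem (“if my service is not running, I want it brought back”): let the Service Control Manager own the lifetime of the user-mode helper instead of having the driver create processes. The script below is an added illustration, not code from the thread or from either poster; the service name `MyFilterHelper`, the driver service name `MyNdisFilter` and the binary path are placeholders you would replace with your own. It registers the helper as an auto-start service that depends on the filter driver and configures SCM recovery actions so the service is restarted if it exits unexpectedly.

```powershell
# Added example: register a user-mode helper service for an NDIS filter driver
# and let the Service Control Manager restart it on failure.
# All names and paths below are placeholders (assumptions), not values from the thread.

$HelperName   = 'MyFilterHelper'              # placeholder: user-mode helper service name
$DriverName   = 'MyNdisFilter'                # placeholder: kernel driver service name (already installed)
$HelperBinary = 'C:\Program Files\MyFilter\helper.exe'   # placeholder: path to the helper executable

# 1. Create the helper service. -DependsOn makes SCM start the driver first,
#    so the helper can open the driver's device as soon as it runs.
if (-not (Get-Service -Name $HelperName -ErrorAction SilentlyContinue)) {
    New-Service -Name $HelperName `
                -BinaryPathName "`"$HelperBinary`"" `
                -DisplayName 'My Filter Helper' `
                -StartupType Automatic `
                -DependsOn $DriverName
}

# 2. Recovery actions: restart the helper 5 s after each of the first three
#    failures, and reset the failure counter after one day (86400 s).
#    This is the documented replacement for "the driver launches the service".
sc.exe failure $HelperName reset= 86400 actions= restart/5000/restart/5000/restart/5000 | Out-Null

# 3. Treat a non-zero exit code as a failure too, not only a crash,
#    so a helper that exits on an error is also restarted.
sc.exe failureflag $HelperName 1 | Out-Null

# 4. Start it now and show the resulting configuration for verification.
Start-Service -Name $HelperName
Get-Service -Name $HelperName | Format-List Name, Status, StartType, DependentServices, ServicesDependedOn
sc.exe qfailure $HelperName
```

Run this from an elevated PowerShell prompt after the driver is installed. The driver itself then only needs a device interface the helper can open; if the helper is not connected, the driver queues or drops the work and waits, and SCM, not the driver, is responsible for bringing the helper back, which is exactly the division of labour the thread recommends.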