NtCreateProcessEx

I have written a small program which spawns another program from within, using the CreateProcess call on XP. I then debug this using WinDbg and set breakpoints at ntdll!ntcreateprocessex and ntdll!ntcreateprocess. However, none of these breakpoints are triggered.

Can anyone tell me what I am doing wrong?

I can hit other system calls, e.g. ntcreatefile, using a similar method as above.

Sorry if this was stupid, but I am a newbie. Thanks for all the help.
cheers
felix

It triggers here properly:

Opened log file 'c:\ntcreatepro.txt'
0:000> bp ntdll!NtCreateProcess
0:000> bp ntdll!NtCreateProcessEx
0:000> bl
0 e 77f759f4 0001 (0001) 0:**** ntdll!ZwCreateProcess
1 e 77f75a03 0001 (0001) 0:**** ntdll!NtCreateProcessEx
0:000> g
Breakpoint 1 hit
eax=0012fa04 ebx=00000000 ecx=00000004 edx=00000000 esi=00000001 edi=ffffffff
eip=77f75a03 esp=0012f2a8 ebp=0012fca0 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000286
ntdll!NtCreateProcessEx:
77f75a03 b830000000 mov eax,30h
0:000> dd esp l8
0012f2a8 77e7fe05 0012fa04 001f0fff 00000000
0012f2b8 ffffffff 00000000 000007d0 00000000
0:000> !handle 7d0 f
Handle 7d0
Type Section
Attributes 0
GrantedAccess 0xf001f:
Delete,ReadControl,WriteDac,WriteOwner
Query,MapWrite,MapRead,MapExecute,Extend
HandleCount 2
PointerCount 3
Name
Object Specific Information
Section base address 0
Section attributes 0x1800000
Section max size 0x4000
0:000> k
ChildEBP RetAddr
0012f2a4 77e7fe05 ntdll!NtCreateProcessEx
0012fca0 77e733c8 kernel32!CreateProcessInternalW+0x1111
0012fd8c 77e61be6 kernel32!CreateProcessInternalA+0x2db
0012fdc4 77eb4524 kernel32!CreateProcessA+0x2a
WARNING: Unable to verify checksum for cproc.exe
ERROR: Symbol file could not be found. Defaulted to export symbols for cproc.exe -
0012feb4 004011e6 kernel32!LoadModule+0x119
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff88 00406973 opd!_GetExceptDLLinfo+0x18d
0012ffc0 77e814c7 opd!_GetExceptDLLinfo+0x591a
0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> .logclose
Closing open log file c:\ntcreatepro.txt

On 7/28/07, xxxxx@rediffmail.com wrote:
>
> I have written a small program which spawns another program from within, using the CreateProcess call on XP. I then debug this using WinDbg and set breakpoints at ntdll!ntcreateprocessex and ntdll!ntcreateprocess. However, none of these breakpoints are triggered.
>
> Can anyone tell me what I am doing wrong.
>
> I can hit other system calls e.g. ntcreatefile using a similar method as above.
>
> Sorry, if this was stupid, but I am a newbie. Thanks for all the help
> cheers
> felix
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

There are some cases like shared VDMs that might not actually translate to a new process object in a CreateProcess call as well, so beware of that (if you were creating a 16-bit Windows app "process").


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
wrote in message news:xxxxx@ntdev…
>
> I have written a small program which spawns another program from within,
> using the createprocess call on XP. I then debug this using windbg and set
> breakpoints at ntdll!ntcreateprocessex and ntdll!ntcreateprocess. However,
> none of these breakpoints are triggered.
>
> Can anyone tell me what I am doing wrong.
>
> I can hit other system calls e.g. ntcreatefile using a similar method as
> above.
>
> Sorry, if this was stupid, but I am a newbie. Thanks for all the help
> cheers
> felix
>

Thank you for the replies. I am still unable to trigger it. I am cutting and pasting the relevant parts for your perusal.

I am testing this on the putty program:

CreateProcess(L"putty.exe", NULL, NULL, NULL, FALSE, CREATE_DEFAULT_ERROR_MODE, NULL, NULL, &si, &pi);

WinDBG

Opened log file 'creatproc.log'
CommandLine: C:\Analyzer\insideTM\debug\insideTM.exe
Symbol search path is: SRV*\Symbols* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0041e000 insideTM.exe
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f5000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 4d4f0000 4d548000 C:\WINDOWS\system32\WINHTTP.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 10480000 10558000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.20404.44800_x-ww_9e02369f\MSVCP90D.dll
ModLoad: 10200000 10323000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.20404.44800_x-ww_9e02369f\MSVCR90D.dll
(75c.e64): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffd6000 ecx=00000003 edx=00000008 esi=00251f48 edi=00251eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> bp ntdll!ntcreateprocessex
0:000> bp ntdll!ntcreateprocess
0:000> bl
0 e 7c90d769 0001 (0001) 0:**** ntdll!ZwCreateProcessEx
1 e 7c90d754 0001 (0001) 0:**** ntdll!ZwCreateProcess
0:000> g
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
eax=77c3f88a ebx=00000000 ecx=77c3e9f9 edx=77c61a70 esi=7c90e88e edi=00000000
eip=7c90eb94 esp=0012fe00 ebp=0012fefc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
0:000>
0:000> g
^ No runnable debuggees error in 'g'
Closing open log file creatproc.log

I can however hit createfile using the same procedure. Any ideas as to why this is happening?

Also, Raj, can you kindly tell me which version of Windows you are using?

Worked just fine for me…

I inserted a loop

volatile bool go = false;   // volatile: the debugger writes go, so every iteration must re-read it
do {
    Sleep(1000);
} while (!go);

right before

if(!CreateProcessW(NULL, …

attached WinDbg when the process hung in that loop, set bp's exactly as you did

(bp ntdll!ntcreateprocess and bp ntdll!ntcreateprocessex)

and set “go” to 1 manually from WinDbg. I hit

Breakpoint 1 hit
. . .
ntdll!ZwCreateProcessEx:

as expected (note the name), with the (expected) stack:

0012f368 7c81923e ntdll!ZwCreateProcessEx
0012fdb8 7c80235e kernel32!CreateProcessInternalW+0x1327
0012fdf0 00411481 kernel32!CreateProcessW+0x2c
0012ff68 00411af6 CreateProcess!wmain+0xa1 [c:!projects\createprocess\createprocess.cpp @ 27]
0012ffb8 0041193d CreateProcess!__tmainCRTStartup+0x1a6 [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 594]
0012ffc0 7c816fd7 CreateProcess!wmainCRTStartup+0xd [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 414]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Can it be that you set bp’s too early? Will “bu” (break undefined) help?


Thanks for all the help, guys. I was setting the bp too early.

The code is some old LoadModule sample (it internally calls CreateProcess in kernel32.dll, which gets to ZwCreateProcess() in ntdll) which I had tested long back on W2K. After your query yesterday I checked it on Win XP SP1 before I posted my reply.

And no, I didn't need a sleep loop; I set the bp at the initial breakpoint and it broke for me. Let me dredge out the src and try compiling it with some of the latest compilers and see if it behaves any differently.

Did you try .childdbg 1 on your app? That should break too.

On 7/30/07, xxxxx@rediffmail.com wrote:
> Also, Raj can you kindly tell me which version of windows you are using?

It works now, thanks a lot. I was making the dumb mistake of not specifying the entire path in the image file name.

Just in case anyone is interested, I was trying to get the processname from the ntcreateprocessex call. I found the pobject_attribute at a distance of 0x8B0 from the ESP just before the sysenter gets executed.

For the ntcreatefile, the pobject_attribute was at a distance of 0xC from the ESP.

I hope that you aren't trying to rely on that for production code… Hardcoding the internal stack layout of a function is extremely likely to be broken in the next kernel32 hotfix.


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
wrote in message news:xxxxx@ntdev…
> It works now thanks a lot. I was making the dumb mistake of not specifying
> the entire path in the imagefilename.
>
> Just in case anyone is interested, I was trying to get the processname
> from the ntcreateprocessex call. I found the pobject_attribute at a
> distance of 0x8B0 from the ESP just before the sysenter gets executed.
>
> For the ntcreatefile, the pobject_attribute was at a distance of 0xC from
> the ESP.
>

Nope, I was just playing around with qemu and trapping sysenters and reading system call parameters etc.
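Pulling the thread's two lessons together (bu for breakpoints set before ntdll has loaded, and Ken's warning about fixed stack offsets), here is an added WinDbg command set that is not from any poster. It assumes 32-bit XP with ntdll and kernel32 symbols resolved, as in the logs above, and that !handle accepts a poi() expression for its handle argument (if not, paste the value printed by dd esp, as Raj did).

```windbg
$$ Added example: trace process creation from the initial 0:000> break.
$$ bu defers symbol resolution, so it still arms if ntdll is not loaded yet
$$ (the "bp set too early" case from the thread).
bu ntdll!NtCreateProcessEx ".echo === NtCreateProcessEx ===; dd esp L9; !handle poi(esp+0x18) f; kb 4; gc"
$$ Argument layout at function entry (x86 stdcall), matching the dd esp dump in Raj's log:
$$   esp+0x00 return address            esp+0x04 PHANDLE ProcessHandle
$$   esp+0x08 ACCESS_MASK DesiredAccess (0x1f0fff = PROCESS_ALL_ACCESS)
$$   esp+0x0c POBJECT_ATTRIBUTES ObjectAttributes (0 = NULL when called from CreateProcess)
$$   esp+0x10 HANDLE ParentProcess      (0xffffffff = current process)
$$   esp+0x14 ULONG Flags               esp+0x18 HANDLE SectionHandle (0x7d0 in the log)
$$   esp+0x1c HANDLE DebugPort          esp+0x20 HANDLE ExceptionPort
$$ Because ObjectAttributes is NULL here, the image name is not an argument of this
$$ call; a pointer found at a fixed offset below esp lives in CreateProcessInternalW's
$$ private frame and can move with any kernel32 update.

$$ Stable alternative: break at the documented Win32 boundary and print the
$$ lpApplicationName / lpCommandLine parameters (esp+4 and esp+8 at entry).
bu kernel32!CreateProcessW ".echo === CreateProcessW ===; du poi(esp+4); du poi(esp+8); gc"
bu kernel32!CreateProcessA ".echo === CreateProcessA ===; da poi(esp+4); da poi(esp+8); gc"

$$ Also follow the child in the same session so its initial breakpoint is hit.
.childdbg 1
bl
g
```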