I have a few questions regarding process creation. I have callbacks for PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine. What I need to do is (1) identify each newly created process to see if it is one in which I am interested [depends on exe file name], (2) if it is an app of interest, allocate some additional memory to that app, (3) locate the entry point of the exe and (4) make a patch to the entry point. I understand from previous list postings that the LoadImage callback gives me the exe name required for step 1. But here are the Qs about the rest:
Which of the two callbacks are called first: CreateProcess or LoadImage [I believe the latter]? Is there a possibility that the pair could be out of sequence, such as LoadImageA, LoadImageB, CreateProcessB, CreateProcessA, possibly due to task switching? If undependable, I could keep a linked list keyed on the PID.
How to allocate the additional VM for the user app? I tried ZwAllocateVirtualMemory within the CreateProcess callback, using the passed-in process id parameter, but I got an error return of invalid handle. I suspect ZwAllocateVirtualMemory takes something other than a PID. If this is the case, what does it expect and how do I determine it from the PID?
I have an algorithm that works in user mode to locate the app’s entry point, using the NtQueryInformation Win32 API to walk the chain of exe sections. Is there an equivalent KM API to do likewise?
I would greatly appreciate any help you can provide on the matter, as I am rather stuck at the moment. Thanx.
Actually, renaming the app on disk is ok with us – we publish the fact that
renaming the app will cause our system not to work for that app any longer,
and if that’s what the user wants to do then it’s fine. Regarding
allocating the VM, if I can’t do it in the CreateProcessNotify routine,
where can I do it? In the LoadImageNotify routine? Or do I have to do it
via a user mode partner? It is imperative that the additional memory be
allocated before the app starts to run. Also, is the first parameter to
ZwAllocateVirtualMemory something other than a PID and, if so, what is it,
and do I get it via something like ObReferenceObjectByHandle? Note that
the term HANDLE used for the first two parameters to the CreateProcessNotify
callback is confusing, since they are actually PIDs. In user mode, a handle
is a handle, and a PID is a DWORD. Are things different in KM? Thanks.
“Don Burn” wrote in message news:xxxxx@ntdev…
> Comments inline:
>
> > “Ron Field” wrote in message news:xxxxx@ntdev…
> > I have a few questions regarding process creation. I have callbacks for
> > PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine.
> > What I need to do is (1) identify each newly created process to see if it is
> > one in which I am interested [depends on exe file name], (2) if it is an app
> > of interest, allocate some additional memory to that app, (3) locate the entry
> > point of the exe and (4) make a patch to the entry point. I understand from
> > previous list postings that the LoadImage callback gives me the exe name
> > required for step 1. But here are the Qs about the rest:
>
> You have a problem here in that it is easy to rename an application, so
> using the file name is not a good mechanism to control and monitor things.
>
> > Which of the two callbacks are called first: CreateProcess or LoadImage
> > [I believe the latter]?
> > Is there a possibility that the pair could be out of sequence, such as
> > LoadImageA, LoadImageB, CreateProcessB, CreateProcessA, possibly due to task
> > switching?
> > If undependable, I could keep a linked list keyed on the PID.
>
> You will always see CreateProcess first; the image is loaded into a process
> which must exist.
>
> > How to allocate the additional VM for the user app? I tried
> > ZwAllocateVirtualMemory within the CreateProcess callback, using the
> > passed-in process id parameter, but I got an error return of invalid handle.
> > I suspect ZwAllocateVirtualMemory takes something other than a PID.
> > If this is the case, what does it expect and how do I determine it from
> > the PID?
>
> You can’t do it in CreateProcess; there is not enough context created
> yet. The call is:
>
> NTSYSAPI
> NTSTATUS
> NTAPI
> ZwAllocateVirtualMemory(
>     IN HANDLE ProcessHandle,
>     IN OUT PVOID *BaseAddress,
>     IN ULONG ZeroBits,
>     IN OUT PULONG AllocationSize,
>     IN ULONG AllocationType,
>     IN ULONG Protect
>     );
>
> > I have an algorithm that works in user mode to locate the app’s entry point,
> > using the NtQueryInformation Win32 API to walk the chain of exe sections.
> > Is there an equivalent KM API to do likewise?
>
> The load image notify gives you the base the executable is loaded at. The
> entry point offset is easily locatable in the PE file.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>
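Don's last answer above says that once the load-image notify routine has handed over the base the executable is mapped at, the entry point offset is easy to read out of the PE headers. The C below is an added example, not code from this thread or from Don Burn: it walks the DOS header, the NT signature and the optional header to AddressOfEntryPoint, with the bounds checks a kernel-mode reader of an untrusted image needs, and then adds the load base the way a driver would add ImageInfo->ImageBase. The header offsets are the documented PE layout, written out as plain offsets so the code also builds on a non-Windows host; `build_sample_pe` constructs a header-only buffer as test data, and the `load_base` value 0x400000 is an assumed sample, not taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from this thread. No Windows headers: the PE
 * layout is read by offset. In a driver the same reads would run against the
 * mapped image at ImageInfo->ImageBase, inside a structured exception handler. */

#define PE_ERR_SHORT     (-1)   /* field lies beyond the bytes we were given */
#define PE_ERR_DOS_MAGIC (-2)   /* no "MZ" at offset 0 */
#define PE_ERR_NT_SIG    (-3)   /* no "PE\0\0" at e_lfanew */
#define PE_ERR_OPT_MAGIC (-4)   /* optional header is neither PE32 nor PE32+ */
#define PE_ERR_RANGE     (-5)   /* AddressOfEntryPoint not inside SizeOfImage */

static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *v)
{
    if (off > len || len - off < 2) return PE_ERR_SHORT;
    *v = (uint16_t)(p[off] | (p[off + 1] << 8));
    return 0;
}

static int rd32(const uint8_t *p, size_t len, size_t off, uint32_t *v)
{
    if (off > len || len - off < 4) return PE_ERR_SHORT;
    *v = (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
         ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
    return 0;
}

/* Stores the entry point RVA of a PE image; returns 0 or a PE_ERR_* code. */
int pe_entry_point_rva(const uint8_t *img, size_t len, uint32_t *rva)
{
    uint16_t w;
    uint32_t d, lfanew, size_of_image;
    size_t opt;
    int rc;

    if ((rc = rd16(img, len, 0x00, &w)) != 0) return rc;
    if (w != 0x5A4D) return PE_ERR_DOS_MAGIC;                 /* "MZ" */
    if ((rc = rd32(img, len, 0x3C, &lfanew)) != 0) return rc; /* e_lfanew */
    if ((rc = rd32(img, len, lfanew, &d)) != 0) return rc;
    if (d != 0x00004550) return PE_ERR_NT_SIG;                /* "PE\0\0" */

    opt = (size_t)lfanew + 4 + 20;  /* skip Signature and IMAGE_FILE_HEADER */
    if ((rc = rd16(img, len, opt, &w)) != 0) return rc;
    if (w != 0x10B && w != 0x20B) return PE_ERR_OPT_MAGIC;    /* PE32 / PE32+ */

    /* AddressOfEntryPoint (+16) and SizeOfImage (+56) sit at the same
     * optional-header offsets in PE32 and PE32+, so one path serves both. */
    if ((rc = rd32(img, len, opt + 16, &d)) != 0) return rc;
    if ((rc = rd32(img, len, opt + 56, &size_of_image)) != 0) return rc;
    if (d >= size_of_image) return PE_ERR_RANGE;
    *rva = d;
    return 0;
}

/* Entry point VA for an image mapped at load_base (the base a LoadImageNotify
 * routine receives). Returns 0 when the headers do not parse. */
uint64_t pe_entry_point_va(const uint8_t *img, size_t len, uint64_t load_base)
{
    uint32_t rva;
    return pe_entry_point_rva(img, len, &rva) == 0 ? load_base + rva : 0;
}

static void wr16(uint8_t *p, size_t off, uint16_t v)
{
    p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    wr16(p, off, (uint16_t)v); wr16(p, off + 2, (uint16_t)(v >> 16));
}

/* Constructed sample: a 0x200-byte header-only image, not a real executable. */
#define SAMPLE_LEN 0x200
void build_sample_pe(uint8_t buf[SAMPLE_LEN], int pe32plus, uint32_t entry_rva)
{
    const uint32_t lfanew = 0x80, opt = lfanew + 24;
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf, 0x3C, lfanew);                           /* e_lfanew */
    buf[lfanew] = 'P'; buf[lfanew + 1] = 'E';          /* "PE\0\0" */
    wr16(buf, lfanew + 4, pe32plus ? 0x8664 : 0x14C);  /* Machine */
    wr16(buf, lfanew + 6, 1);                          /* NumberOfSections */
    wr16(buf, lfanew + 20, pe32plus ? 0xF0 : 0xE0);    /* SizeOfOptionalHeader */
    wr16(buf, opt, pe32plus ? 0x20B : 0x10B);          /* Magic */
    wr32(buf, opt + 16, entry_rva);                    /* AddressOfEntryPoint */
    wr32(buf, opt + 56, 0x3000);                       /* SizeOfImage */
}

/* Builds a sample, optionally corrupts "MZ", parses only its first len bytes;
 * returns the RVA or a negative PE_ERR_* code so failure paths can be checked. */
int64_t sample_entry_rva(int pe32plus, uint32_t entry_rva, size_t len, int corrupt_mz)
{
    uint8_t buf[SAMPLE_LEN];
    uint32_t rva;
    int rc;
    build_sample_pe(buf, pe32plus, entry_rva);
    if (corrupt_mz) buf[0] = 'X';
    rc = pe_entry_point_rva(buf, len < SAMPLE_LEN ? len : SAMPLE_LEN, &rva);
    return rc == 0 ? (int64_t)rva : rc;
}

uint64_t sample_entry_va(uint32_t entry_rva, uint64_t load_base)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample_pe(buf, 0, entry_rva);
    return pe_entry_point_va(buf, SAMPLE_LEN, load_base);
}

int main(void)
{
    printf("entry point VA: 0x%llx\n",
           (unsigned long long)sample_entry_va(0x1000, 0x400000));
    return 0;
}
```

Two points carry over to a driver: the headers of a freshly mapped image are pageable, so the reads belong inside `__try`/`__except` rather than bare dereferences, and the RVA must be checked against SizeOfImage before the load base is added to it, otherwise a malformed header steers the computed address outside the image.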
“Ron Field” wrote in message news:xxxxx@ntdev…
> Actually, renaming the app on disk is ok with us – we publish the fact that
> renaming the app will cause our system not to work for that app any longer,
> and if that’s what the user wants to do then it’s fine. Regarding
> allocating the VM, if I can’t do it in the CreateProcessNotify routine,
> where can I do it? In the LoadImageNotify routine? Or do I have to do it
> via a user mode partner? It is imperative that the additional memory be
> allocated before the app starts to run. Also, is the first parameter to
> ZwAllocateVirtualMemory something other than a PID and, if so, what is it,
> and do I get it via something like ObReferenceObjectByHandle? Note that
> the term HANDLE used for the first two parameters to the CreateProcessNotify
> callback is confusing, since they are actually PIDs. In user mode, a handle
> is a handle, and a PID is a DWORD. Are things different in KM? Thanks.
>
You can allocate in LoadImageNotify; this is in the context of the user
process.
To get the handle:

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

Where ClientId is defined in the DDK and the handles in the structure
represent what comes from CreateProcessNotify.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Don. Thanks to your kind help, I’m almost there! There seems to be one
last (?) problem though. In my LoadImageNotify routine I use the handle
returned from ZwOpenProcess as the first argument to
ZwAllocateVirtualMemory, as follows:
NTSTATUS ntStatus;
HANDLE hProcess;           // handle returned by ZwOpenProcess (see below)
PVOID pvBaseAddr = NULL;   // NULL: let the system choose the address
ULONG ulRegionSz = 1000;   // 1000 bytes; the call rounds this up to a page multiple

ntStatus = ZwAllocateVirtualMemory(hProcess,
                                   &pvBaseAddr,
                                   0,             // don’t care about alignment
                                   &ulRegionSz,
                                   MEM_COMMIT,
                                   PAGE_EXECUTE_READWRITE);
No error return, but the process doesn’t seem to run. I can’t even get
TaskMgr to open. If I remove this call, all is ok. Perhaps the args are
incorrect? If I can get past this, I think we’re in good shape.
“Don Burn” wrote in message news:xxxxx@ntdev…
>
> “Ron Field” wrote in message news:xxxxx@ntdev…
> > Actually, renaming the app on disk is ok with us – we publish the fact that
> > renaming the app will cause our system not to work for that app any longer,
> > and if that’s what the user wants to do then it’s fine. Regarding
> > allocating the VM, if I can’t do it in the CreateProcessNotify routine,
> > where can I do it? In the LoadImageNotify routine? Or do I have to do it
> > via a user mode partner? It is imperative that the additional memory be
> > allocated before the app starts to run. Also, is the first parameter to
> > ZwAllocateVirtualMemory something other than a PID and, if so, what is it,
> > and do I get it via something like ObReferenceObjectByHandle? Note that
> > the term HANDLE used for the first two parameters to the CreateProcessNotify
> > callback is confusing, since they are actually PIDs. In user mode, a handle
> > is a handle, and a PID is a DWORD. Are things different in KM? Thanks.
> >
> You can allocate in LoadImageNotify; this is in the context of the user
> process.
> To get the handle:
>
> NTSYSAPI
> NTSTATUS
> NTAPI
> ZwOpenProcess(
>     OUT PHANDLE ProcessHandle,
>     IN ACCESS_MASK DesiredAccess,
>     IN POBJECT_ATTRIBUTES ObjectAttributes,
>     IN PCLIENT_ID ClientId OPTIONAL
>     );
>
> Where ClientId is defined in the DDK and the handles in the structure
> represent what comes from CreateProcessNotify.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>