Process creation flags

It’s been asked before but never answered from what I’ve read so I figured I’d throw it out there again. Is it possible to get the process creation flags during the process create notify callback (or really at any other time before execution begins)?

I’d like to be able to determine if the process is created with any of the DEBUG or SUSPEND flags. After poking around with WinDbg through all of the various structures, they don’t seem to be saved anywhere directly. And even if they were, I’m not about to access EPROCESS/PEB fields anyway. I don’t like hooking usermode functions and kernel hooking is out of the question on x64. ZwQuerySystemInformation is not available in Win8 and it’s also undocumented, which I want to stay away from.

It really seems like not providing these flags during the callback is a big oversight on MSFT’s part. If we get similar flags during IRP_MJ_CREATE in a file filter, process creation flags would also be nice. So kernel or user mode, is it possible to query the process creation options in a safe, clean, documented way? And just for my own edification are there any dirty, undocumented, BSOD causing ways?

And just to preempt the “what are you trying to do?” question: if a process is created with DEBUG or SUSPEND flags, I need to notify a usermode service to do some “house keeping” to get things ready for the follow-on actions related to debugging.

I think that you will find that from the kernel’s perspective, practically every process is created with the initial thread suspended and a higher level layer resuming that conditionally (this is of course subject to change in the future). In other words, trying to special case create suspended is not very useful.

Your user mode service may be able to assess the debugger attached state with CheckRemoteDebuggerPresent; however, keep in mind that someone can always slip a debugger attach in at any time with sufficient access rights to the target process.

  • S (Msft)
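As an added illustration (not code from this thread or from Microsoft), this is how a user mode service could perform the CheckRemoteDebuggerPresent query the reply suggests, via P/Invoke from PowerShell; the function name Test-DebuggerAttached and the Win32.Debug wrapper type are my own.

```powershell
# Added example: ask the kernel whether a debugger is currently attached to a
# process, rather than trying to recover the creation flags (which the notify
# callback does not expose). Win32.Debug is a hypothetical wrapper type name.
Add-Type -Namespace Win32 -Name Debug -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool present);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Test-DebuggerAttached {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $h = [Win32.Debug]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: Win32 error $err"
    }
    try {
        $present = $false
        if (-not [Win32.Debug]::CheckRemoteDebuggerPresent($h, [ref]$present)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "CheckRemoteDebuggerPresent failed: Win32 error $err"
        }
        # Point-in-time answer only: as the reply notes, a debugger can attach
        # (or detach) at any moment after this call returns.
        return [bool]$present
    }
    finally {
        [void][Win32.Debug]::CloseHandle($h)
    }
}

# Usage: query the current shell process (normally False unless you are debugging it).
Test-DebuggerAttached -ProcessId $PID
```

The caller needs PROCESS_QUERY_INFORMATION access to the target, so a service checking other users' processes must run with sufficient rights, and the result should be treated as a snapshot, not a property of how the process was created.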

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, February 04, 2015 9:19 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Process creation flags

Thanks Ken.

I haven’t tried, but is the process set up to the point that CheckRemoteDebuggerPresent() would work during the stalled notify callback routine (routine notifies user mode and waits -> user mode calls function -> user mode notifies kernel to continue -> notify routine returns)? Also, I’m not concerned about debugger attachment of a live process, only when creating, but valid point nonetheless.

But I guess from your response, there is no way to get the creation flags during the notify callback or otherwise?