ZwCreateProcess and Win2000

Guys,

Although Gary Nebbett documents a ZwCreateProcess function, I
cannot find it with my debugger inside Win2000 SP4, nor can I
find NtCreateProcess inside my Ntoskrnl. There is an
NtOpenProcess, and if for example I run Internet Explorer, I get
lots of breaks. Can I assume that Win2K uses NtOpenProcess as
its main process creation interface, or am I missing something?

Thanks…

Alberto.

ZwCreateProcess(Ex) are there. If you have WinDbg, try x nt!ZwC*. I just
tried on XP SP2, and I’m quite sure it was on Win2K.

-pro
----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Sunday, April 24, 2005 9:16 AM
Subject: [ntdev] ZwCreateProcess and Win2000

> Guys,
>
> Although Gary Nebbett documents a ZwCreateProcess function, I cannot find
> it with my debugger inside Win2000 SP4, nor can I find NtCreateProcess
> inside my Ntoskrnl. There is an NtOpenProcess, and if for example I run
> Internet Explorer, I get lots of breaks. Can I assume that Win2K uses
> NtOpenProcess as its main process creation interface, or am I missing
> something?
>
> Thanks…
>
>
> Alberto.
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

And if you talk about any CreateProcess(), then, if I recall correctly,
NtCreateProcess (simply the user-mode native interface and sanity check
before it gets down to the actual work …) could be bypassed if someone creates a
process at kernel level.

You know that there is a callback type for trapping process creation
events.

-pro

----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Sunday, April 24, 2005 9:32 AM
Subject: Re: [ntdev] ZwCreateProcess and Win2000

> ZwCreateProcess(Ex) are there. If you have WinDbg, try x nt!ZwC*. I just
> tried on XP SP2, and I’m quite sure it was on Win2K.
>
> -pro

Extremely sorry Alberto, now I see what you’re saying. Explorer is indeed using
NtOpenProcess(). Yes, again it is trying to catch a fish. Lately I’ve been
bumped to get an authenticated communication channel between fltmgr’s
minifilter and user mode, because I don’t trust the user mode quite easily;
some intermittent CHAP verification is what I’m trying … So I was
careless in responding to you :-).

-pro
----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Sunday, April 24, 2005 9:43 AM
Subject: Re: [ntdev] ZwCreateProcess and Win2000

> And if you talk about any CreateProcess(), then, if I recall correctly,
> NtCreateProcess (simply the user-mode native interface and sanity check
> before it gets down to the actual work …) could be bypassed if someone creates
> a process at kernel level.
>
> You know that there is a callback type for trapping process creation
> events.
>
> -pro
>

It’s exported by ntdll.dll, TDUMP ntdll.dll reveals

0001D428 1013 03F4 ZwCreateProcess
0001CEE8 1014 03F5 ZwCreateProcessEx

/Daniel

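Added example, not code from the thread or from any poster: a small PE export-table walker that reproduces the check Daniel did with TDUMP (list ntdll.dll's named exports and pick out the Nt*/Zw* process entry points) without needing TDUMP or WinDbg. It parses the PE32/PE32+ headers by the published PE/COFF offsets; the sample image is constructed in the block, with the first two function RVAs taken from Daniel's listing.

```python
import re, struct

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table (VA, raw size, raw ptr)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x maps to no section" % rva)

def list_exports(data):
    """Return [(name, ordinal, rva, is_forwarder)] for every named export of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]                     # 0x10B = PE32, 0x20B = PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    ed = _rva_to_off(sections, exp_rva)
    base, _, nnames, afunc, anames, aords = struct.unpack_from("<6I", data, ed + 16)
    exports = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, _rva_to_off(sections, anames) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, _rva_to_off(sections, aords) + 2 * i)[0]   # unbiased ordinal
        rva = struct.unpack_from("<I", data, _rva_to_off(sections, afunc) + 4 * idx)[0]
        noff = _rva_to_off(sections, name_rva)
        name = data[noff:data.index(b"\0", noff)].decode("ascii")
        # An RVA that lands inside the export directory is a forwarder string, not code.
        exports.append((name, base + idx, rva, exp_rva <= rva < exp_rva + exp_size))
    return exports

def process_apis(exports):
    """Names of the Nt*/Zw* process-creation and process-open entry points."""
    return sorted(n for n, *_ in exports if re.match(r"(Nt|Zw)(Create|Open)Process", n))

def build_sample_image():
    """Constructed minimal PE32 with three named exports; file offsets equal RVAs."""
    img = bytearray(0x300)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                         # e_lfanew
    struct.pack_into("<H", img, 0x46, 1); struct.pack_into("<H", img, 0x54, 0xE0)   # 1 section; opt hdr size
    struct.pack_into("<H", img, 0x58, 0x10B); struct.pack_into("<II", img, 0xB8, 0x200, 0x50)  # PE32; export dir
    struct.pack_into("<III", img, 0x144, 0x200, 0x100, 0x200)                       # section VA, raw size, raw ptr
    struct.pack_into("<6I", img, 0x210, 1, 3, 3, 0x228, 0x234, 0x240)               # base, #funcs, #names, 3 tables
    struct.pack_into("<3I", img, 0x228, 0x1D428, 0x1CEE8, 0x1000)                   # RVAs; first two from Daniel's dump
    struct.pack_into("<3I", img, 0x234, 0x250, 0x260, 0x272); struct.pack_into("<3H", img, 0x240, 0, 1, 2)
    img[0x250:0x280] = b"ZwCreateProcess\0ZwCreateProcessEx\0NtOpenProcess\0"
    return bytes(img)
```

To repeat Daniel's check on a real system, call list_exports(open(r"C:\Windows\System32\ntdll.dll", "rb").read()) and filter it with process_apis; a forwarder flag of True means the name is re-exported from another DLL rather than implemented in this one.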