ZwCreateProcess problems

NTDEV
1

Hey guys, I’m not sure if this is the right place to post, but anyways. I started programming kernel drivers a week ago, and for a “first” driver that actually does something I wanted to create a file and then launch it.

Everything was working until I added ZwCreateProcess, I don’ know where is the error (I included the ntdll.lib to my project) but now each time I load the driver it fails… I’m going to include the source code and hopefully you guys will help me out (I

#define BUFFER_SIZE 30
CHAR buffer[BUFFER_SIZE];
size_t cb;
LARGE_INTEGER byteOffset;

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL
);

NTSTATUS UnloadDriver( IN PDRIVER_OBJECT DriverObject )
{
DriverObject->DriverUnload;
DbgPrint(“Driver unloaded.”);

return STATUS_SUCCESS;
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath )
{
UNICODE_STRING uniName;
OBJECT_ATTRIBUTES objAttr;
HANDLE handle;
NTSTATUS ntstatus;
IO_STATUS_BLOCK ioStatusBlock;

RtlInitUnicodeString(&uniName, L"\DosDevices\C:\fromkernel.txt"); // or L"\SystemRoot\example.txt"
InitializeObjectAttributes(&objAttr, &uniName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL, NULL);
if(KeGetCurrentIrql() != PASSIVE_LEVEL)
return STATUS_INVALID_DEVICE_STATE;

ntstatus = ZwCreateFile(&handle,
GENERIC_WRITE,
&objAttr, &ioStatusBlock, NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL, 0);

if(NT_SUCCESS(ntstatus)) {
ntstatus = RtlStringCbPrintfA(buffer, sizeof(buffer), “Working?”);
if(NT_SUCCESS(ntstatus)) {
ntstatus = RtlStringCbLengthA(buffer, sizeof(buffer), &cb);
if(NT_SUCCESS(ntstatus)) {
ntstatus = ZwWriteFile(handle, NULL, NULL, NULL, &ioStatusBlock,
buffer, cb, NULL, NULL);
}
}
ZwClose(handle);
}
ntstatus = ZwCreateFile(&handle,
GENERIC_READ,
&objAttr, &ioStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL, 0);
if(NT_SUCCESS(ntstatus)) {
byteOffset.LowPart = byteOffset.HighPart = 0;
ntstatus = ZwReadFile(handle, NULL, NULL, NULL, &ioStatusBlock,
buffer, BUFFER_SIZE, &byteOffset, NULL);
if(NT_SUCCESS(ntstatus)) {
buffer[BUFFER_SIZE-1] = ‘\0’;
DbgPrint(“%s\n”, buffer);
}
ZwClose(handle);
}
//I think the error is here…
ZwCreateProcess (&handle,
PROCESS_ALL_ACCESS,
&objAttr,
NtCurrentProcess(),
TRUE,
0,
0,
0);

DriverObject->DriverUnload = UnloadDriver;

return STATUS_SUCCESS;

}

2

in driver,you can’t call the funciton exported by ntdll.dll directly. if
you do, your driver will fail when loading.
danny

3

This is a good example of something you should be doing in user-mode.
When writing a driver, ask yourself what code you can avoid putting
in it, and instead put into a dedicated user-mode service or
something similar. There are tons of good reasons for this.

In this particular case, you really need to have Win32 involved in
process start-up or you won’t get what you (probably) want. You can’t
reasonably do that from kernel-mode.

I understand you’re just trying to learn, but kernel-mode coding is
kinda like karate: the first thing to learn is when NOT to use it.

-Steve

On Jul 5, 2007, at 8:39 PM, xxxxx@hotmail.com wrote:

Hey guys, I’m not sure if this is the right place to post, but
anyways. I started programming kernel drivers a week ago, and for a
“first” driver that actually does something I wanted to create a
file and then launch it.

Everything was working until I added ZwCreateProcess, I don’ know
where is the error (I included the ntdll.lib to my project) but now
each time I load the driver it fails… I’m going to include the
source code and hopefully you guys will help me out (I

#define BUFFER_SIZE 30
CHAR buffer[BUFFER_SIZE];
size_t cb;
LARGE_INTEGER byteOffset;

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL
);

NTSTATUS UnloadDriver( IN PDRIVER_OBJECT DriverObject )
{
DriverObject->DriverUnload;
DbgPrint(“Driver unloaded.”);

return STATUS_SUCCESS;
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN
PUNICODE_STRING theRegistryPath )
{
UNICODE_STRING uniName;
OBJECT_ATTRIBUTES objAttr;
HANDLE handle;
NTSTATUS ntstatus;
IO_STATUS_BLOCK ioStatusBlock;

RtlInitUnicodeString(&uniName, L"\DosDevices\C:\
\fromkernel.txt"); // or L"\SystemRoot\example.txt"
InitializeObjectAttributes(&objAttr, &uniName,
OBJ_CASE_INSENSITIVE |
OBJ_KERNEL_HANDLE,
NULL, NULL);
if(KeGetCurrentIrql() != PASSIVE_LEVEL)
return STATUS_INVALID_DEVICE_STATE;

ntstatus = ZwCreateFile(&handle,
GENERIC_WRITE,
&objAttr, &ioStatusBlock, NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL, 0);

if(NT_SUCCESS(ntstatus)) {
ntstatus = RtlStringCbPrintfA(buffer, sizeof(buffer),
“Working?”);
if(NT_SUCCESS(ntstatus)) {
ntstatus = RtlStringCbLengthA(buffer, sizeof(buffer), &cb);
if(NT_SUCCESS(ntstatus)) {
ntstatus = ZwWriteFile(handle, NULL, NULL, NULL,
&ioStatusBlock,
buffer, cb, NULL, NULL);
}
}
ZwClose(handle);
}
ntstatus = ZwCreateFile(&handle,
GENERIC_READ,
&objAttr, &ioStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL, 0);
if(NT_SUCCESS(ntstatus)) {
byteOffset.LowPart = byteOffset.HighPart = 0;
ntstatus = ZwReadFile(handle, NULL, NULL, NULL,
&ioStatusBlock,
buffer, BUFFER_SIZE, &byteOffset, NULL);
if(NT_SUCCESS(ntstatus)) {
buffer[BUFFER_SIZE-1] = ‘\0’;
DbgPrint(“%s\n”, buffer);
}
ZwClose(handle);
}
//I think the error is here…
ZwCreateProcess (&handle,
PROCESS_ALL_ACCESS,
&objAttr,
NtCurrentProcess(),
TRUE,
0,
0,
0);

DriverObject->DriverUnload = UnloadDriver;

return STATUS_SUCCESS;

}

Questions? First check the Kernel Driver FAQ at http://
www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

4

All right, thanks for the replies.