我在使用ZwCreateProcess函数的时候我是这样定义的。
extern NTSYSAPI NTSTATUS NTAPI ZwCreateProcess(
OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE InheritFromProcessHandle, IN BOOLEAN InheritHandles, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL } 但是使用以后在编译(链接)的时候却提示: unresolved external symbol _ZwCreateProcess@32 。我不知道这是为什么,哪位高手能帮帮我呢???
沙发#
发布于:2004-01-20 11:53
是不是使用函数 ZwCreateProcess 需要包含某个头文件呢???
板凳#
发布于:2004-01-21 23:04
用导入方式。
它在 ntdll.dll 里。Windows 提供了调用 DLL 的函数……不过我喜欢暴力搜索 :) :) 新年快乐~~
地板#
发布于:2004-01-28 23:21
ntdll开放了 ntCreateProcess,NTSTATUS
/* Prototype of the NtCreateProcess system call as exported by ntdll (as posted). */
NTAPI NtCreateProcess(
    OUT PHANDLE phProcess,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE hParentProcess,
    IN BOOLEAN bInheritParentHandles,
    IN HANDLE hSection OPTIONAL,
    IN HANDLE hDebugPort OPTIONAL,
    IN HANDLE hExceptionPort OPTIONAL );
但ntoskrnl没有相应的zwCreateProcess开放,所以不能用zwCreateProcess,ntoskrnl开放了PsCreateSystemProcess,
/* Kernel-exported routine named in the post. It takes only an output handle, a
 * desired-access mask and object attributes -- no parent, section or port
 * parameters -- so it is not a drop-in replacement for NtCreateProcess. */
extern NTSTATUS PsCreateSystemProcess(
    OUT PHANDLE Process,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObAttributes );
看看创建进程的内核部分虚拟码就知道创建一个进程不简单了
/*
 * Reverse-engineered pseudo-code (as posted, not compilable) of the
 * NtCreateProcess system-call entry. It only checks that a parent handle was
 * supplied and then delegates to PspCreateProcess; the worker's NTSTATUS is
 * returned unchanged.
 *
 * Transcription artefacts: "PKTRHEAD" (PKTHREAD in the function below),
 * "var_4" is a decompiler stack slot, and the PspCreateProcess call carries
 * one ")" too many.
 */
NTSTATUS NtCreateProcess(OUT PHANDLE Process, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObAttributes, IN HANDLE Parent, IN BOOLEAN InheritParentHandles, IN HANDLE Section OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL)
{
    PKTRHEAD Thread = KeGetCurrentThread();
    NTSTATUS ntS;
    /* For a user-mode caller the output pointer is compared against
     * MmUserProbeAddress before anything is written through it; what var_4
     * stands for (probe result / exception state) is lost in the decompile. */
    if (Thread->PreviousMode != KernelMode) {
        var_4 = 0;
        if (Process < MmUserProbeAddress)
            var_4 = 0xFFFFFFFF;
        else
            *Process = NULL;
    }
    if (Parent == NULL)
        ntS = STATUS_INVALID_PARAMETER; /* a parent process handle is mandatory here */
    else
        ntS = PspCreateProcess(Process, DesiredAccess, ObAttributes, Parent, InheritParentHandles, Section, DebugPort, ExceptionPort));
    return(ntS);
}
/*
 * Reverse-engineered pseudo-code (as posted) of the worker behind
 * NtCreateProcess. Visible sequence:
 *   1. take object references for the parent, section, debug-port and
 *      exception-port handles (ObReferenceObjectByHandle);
 *   2. allocate and zero the new process object (ObCreateObject, memset) and
 *      inherit quota, device map, hard-error mode and session from the parent;
 *   3. initialise security, address space, scheduler state and handle table;
 *   4. insert the object to obtain ProcessHandle, link it into the active
 *      process list, set up the PEB / section handle, run SeAccessCheck and
 *      write an audit record.
 * The "// var_xx", "loc_xxxx" and "cleanup2/cleanup3" names are decompiler
 * residue; cleanup2 and cleanup3 are jumped to but never defined in this
 * listing, so the error paths are incomplete rather than authoritative.
 */
NTSTATUS PspCreateProcess(OUT PHANDLE Process, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObAttributes, IN HANDLE Parent, IN BOOLEAN InheritParentHandles, IN HANDLE Section OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL)
{
    NTSTATUS ntS;
    PKTHREAD Thread = KeGetCurrentThread();
    DWORD Flag; //var_4
    BOOLEAN MemoryAllocated; // var_1C
    HANDLE DupProcessHandle; // var_20
    PVOID ObSection; // var_24
    PEPROCESS NewProcess; //var_30
    DWORD CreateParentSpace=0; //var_34
    PEPROCESS ObProcess; // var_38
    NTSTATUS AccessStatus; // var_3C
    HANDLE ProcessHandle; // var_40
    PACCESS_TOKEN Token; // var_50
    SECURITY_SUBJECT_CONTEXT SubjectCtx; // var_58
    PLPC_OBJECT ObDebugPort; // var_5C
    KAFFINITY Affinity; // var_60
    PLPC_OBJECT ObExceptPort; // var_6C
    DWORD VarPeb2; // var_70
    DWORD VarPeb; // var_74
    KPROCESSOR_MODE PreviousMode = Thread->PreviousMode; // var_78
    PROCESS_ADDRESS_SPACE SectionSpace; // var_7C
    PSECURITY_DESCRIPTOR SecurityDescriptor; // var_84
    PROCESS_ADDRESS_SPACE ProcessSpace; // var_8C
    BOOL Res;

    /* Handles are resolved with the caller's PreviousMode, so a user-mode
     * caller cannot pass kernel handles. 0x80 on the parent corresponds to
     * PROCESS_CREATE_PROCESS, 0x8 on the section to SECTION_MAP_EXECUTE.
     * Without a parent the affinity defaults to all active processors. */
    if (Parent) {
        ntS = ObReferenceObjectByHandle(Parent, 0x80, PsProcessType, PreviousMode, &ObProcess, 0);
        if (ntS < 0) return(ntS);
        Affinity = ObProcess->Pcb.Affinity;
    } else {
        ObProcess = NULL;
        Affinity = KeActiveProcessors;
    }
    if (Section) {
        ntS = ObReferenceObjectByHandle(Section, 0x8, MmSectionObjectType, PreviousMode, &ObSection, 0);
        if (ntS < 0) goto cleanup;
    } else
        ObSection = NULL;
    /* Both LPC ports are referenced with a zero access mask as posted. */
    if (DebugPort) {
        ntS = ObReferenceObjectByHandle(DebugPort, 0, LpcObjectType, PreviousMode, &ObDebugPort, 0);
        if (ntS < 0) goto cleanup;
    } else
        ObDebugPort = NULL;
    if (ExceptionPort) {
        ntS = ObReferenceObjectByHandle(ExceptionPort, 0, LpcObjectType, PreviousMode, &ObExceptPort, 0);
        if (ntS < 0) goto cleanup;
    } else
        ObExceptPort = NULL;

    /* ObAttributes (the caller's OBJECT_ATTRIBUTES) describes the process
     * object being created here (type PsProcessType), not an image file.
     * 0x288 is the object body size handed to ObCreateObject; only the first
     * 0xA2 bytes are zeroed afterwards. */
    ntS = ObCreateObject(Thread->PreviousMode, PsProcessType, ObAttributes, Thread->PreviousMode, 0, 0x288, 0, 0, &NewProcess);
    if (ntS < 0) goto cleanup;
    memset(NewProcess, 0, 0xA2);
    /* Empty circular thread list ("NewProcess." instead of "->" is as posted). */
    NewProcess->ThreadListHead.Blink = &NewProcess.ThreadListHead;
    NewProcess->ThreadListHead.Flink = &NewProcess.ThreadListHead;
    NewProcess->CreateProcessReported = 0;
    NewProcess->DebugPort = ObDebugPort;
    NewProcess->ExceptionPort = ObExceptPort;
    PspInheritQuota(NewProcess, ObProcess);
    ObInheritDeviceMap(NewProcess, ObProcess);
    /* Hard-error mode, parent PID and session come from the parent when there
     * is one; otherwise hard errors default to 1 and the parent PID to 0. */
    if (ObProcess) {
        NewProcess->DefaultHardErrorProcessing = ObProcess->DefaultHardErrorProcessing;
        NewProcess->InheritedFromUniqueProcessId = ObProcess->UniqueProcessId;
        NewProcess->SessionId = ObProcess->SessionId;
    } else {
        NewProcess->DefaultHardErrorProcessing = 1;
        NewProcess->InheritedFromUniqueProcessId = 0;
    }
    NewProcess->ExitStatus = STATUS_PENDING;
    /* Process lock: count 1, no owner, and an event whose wait list points at
     * the event itself (LockEvent rather than LockEvent.WaitListHead, as posted). */
    NewProcess->LockCount = 1;
    NewProcess->LockOwner = 0;
    NewProcess->LockEvent.Type = 1;
    NewProcess->LockEvent.Size = 4;
    NewProcess->LockEvent.SignalState = 0;
    NewProcess->LockEvent.WaitListHead.Flink = &NewProcess->LockEvent;
    NewProcess->LockEvent.WaitListHead.Blink = &NewProcess->LockEvent;
    // NTSTATUS PspInitializeProcessSecurity(PEPROCESS Parent, PEPROCESS Process);
    ntS = PspInitializeProcessSecurity(ObProcess, NewProcess);
    if (ntS < 0) goto cleanup;
    /* Decompiler jump-target residue: the branch taken when there is no parent
     * is not reproduced in this listing. */
    if (ObProcess == NULL) loc_4FAED7
    // NTSTATUS MmCreateProcessAddressSpace(DWORD PsMinimumWorkingSet, PEPROCESS Process,
    //                                      PVOID SectionObject, PPROCESS_ADDRESS_SPACE ProcessSpace);
    if (MmCreateProcessAddressSpace(PsMinimumWorkingSet, NewProcess, 0, &ProcessSpace) == FALSE) goto cleanup2;
    NewProcess->Vm.MaximumWorkingSetSize = PsMaximumWorkingSet;
    NewProcess->Vm.MinimumWorkingSetSize = PsMinimumWorkingSet;
    // void KeIntilializeProcess(PEPROCESS, BYTE BasePriority, KAFFINITY Affinity,
    //                           PPROCESS_ADDRESS_SPACE ProcessSpace, DWORD Error);
    /* Base priority 8. "DefaultHardErrorProcessing & 4" reads the bare name
     * rather than NewProcess->DefaultHardErrorProcessing, as posted. */
    KeInitializeProcess(NewProcess, 8, Affinity, &ProcessSpace, DefaultHardErrorProcessing & 4);
    NewProcess->Pcb.ThreadQuantum = PspForegroundQuantum;
    NewProcess->PriorityClass = 2;
    /* Handle table: inherited from the parent only when the parent object's
     * own InheritParentHandles field is set; the parameter of the same name is
     * not consulted at this point in the posted code. */
    if (ObProcess) {
        if (ObProcess->InheritParentHandles)
            ntS = ObInitProcess(ObProcess, NewProcess);
        else
            ntS = ObInitProcess(NULL, NewProcess);
        if (ntS < 0) goto cleanup2;
    }
    if (Section) {
        // NTSTATUS MmInitializeProcessAddressSpace(PEPROCESS ParentProcess, PEPROCESS Process, PVOID SectionObject);
        /* Image-backed process: map the section, drop this function's
         * reference on it, then map the system DLL. The return value of the
         * address-space call is not checked as posted. */
        MmInitializeProcessAddressSpace(NewProcess, 0, ObSection, &SectionSpace);
        ObfDereferenceObject(ObSection);
        // NTSTATUS RtlpDestroyLockAtomTable(PEPROCESS Process);
        ntS = RtlpDestroyLockAtomTable(NewProcess);
        if (ntS >= 0)
            ntS = PspMapSystemDll(NewProcess, 0);
        CreateParentSpace = 1;
    } else {
        /* No section: the address space is set up from the parent, with the
         * initial system process handled as a special case. */
        if (ObProcess) {
            if (ObProcess == PsInitialSystemProcess)
                ntS = MmInitializeProcessAddressSpace(ObProcess, 0, 0, 0);
            else {
                ntS = MmInitializeProcessAddressSpace(ObProcess, NewProcess, 0, 0);
            }
        }
    }
    /* The object becomes reachable through a handle from here on. */
    ntS = ObInsertObject(NewProcess, 0, DesiredAccess, 0, 0, &ProcessHandle);
    if (ntS < 0) goto cleanup2;
    /* Job restriction: if the parent belongs to a job and bits 0x8 and 0x10 of
     * its LockOwner word are not both set, the new handle is closed and the
     * call is refused. Note this returns directly, bypassing the cleanup
     * labels. */
    if (ObProcess && ObProcess->Job != NULL) {
        if (!(ObProcess->LockOwner & 0x8) || !(ObProcess->LockOwner & 0x10)) {
            NtClose(ProcessHandle);
            return(STATUS_ACCESS_DENIED);
        }
    }
    PsSetProcessPriorityByClass(NewProcess, 0);
    /* Link into the global active-process list under PspActiveProcessMutex.
     * Only the new entry's Flink/Blink and the head's Blink are written as
     * posted; the previous tail's Flink is not. */
    ExAcquireFastMutex(PspActiveProcessMutex);
    NewProcess.ActiveProcessLinks.Flink = &PsActiveProcessHead;
    NewProcess.ActiveProcessLinks.Blink = PsActiveProcessHead.Blink;
    PsActiveProcessHead.Blink = &NewProcess.ActiveProcessLinks;
    ExReleaseFastMutex(PspActiveProcessMutex);
    /* PEB and section handle for image-backed children of a real parent. The
     * section handle is duplicated into the new process (ZwDuplicateObject,
     * options 2; -1 is the current-process pseudo-handle). "NewProcses" is a
     * typo in the post. */
    if (ObProcess && CreateParentSpace) {
        VarPeb = VarPeb2 = 0;
        if (ObSection) {
            Flag = 0;
            NewProcess->Peb = MmCreatePeb(NewProcess, &VarPeb);
            Flag = -1;
        } else
            ntS = ZwWriteVirtualMemory(ProcessHandle, NewProcses->Peb, &VarPeb, 8, 0);
        if (Section)
            ntS = ZwDuplicateObject(-1, Section, ProcessHandle, &DupProcessHandle, 0, 0, 2);
        else
            ntS = ZwDuplicateObject(ObProcess, ObProcess->SectionHandle, ProcessHandle, &DupProcessHandle, 0, 0, 2);
        NewProcess->SectionHandle = DupProcessHandle;
        if (ntS < 0) goto cleanup3;
    }
    /* Access check on the new process object: for any parent other than the
     * initial system process, SeAccessCheck runs with MAXIMUM_ALLOWED
     * (0x2000000) against the object's security descriptor; failure leaves
     * GrantedAccess at 0, success ORs in 0x6FB. A system-process parent (or
     * no parent) gets 0x1F0FFF (PROCESS_ALL_ACCESS) unconditionally.
     * SubjectCtx is passed without any visible initialisation in this listing. */
    if (Parent && Parent != PspInitialSystemProcessHandle) {
        ntS = ObGetObjectSecurity(NewProcess, &SecurityDescriptor, &MemoryAllocated);
        if (ntS < 0) goto cleanup3;
        Token = PsReferencePrimaryToken(NewProcess);
        Res = SeAccessCheck(SecurityDescriptor, &SubjectCtx, 0, 0x2000000, 0, 0, PsProcessType+0x68, PreviousMode, NewProcess->GrantedAccess, &AccessStatus);
        ObfDereferenceObject(Token);
        ntS = ObReleaseObjectSecurity(SecurityDescriptor, MemoryAllocated);
        if (Res == FALSE)
            NewProcess->GrantedAccess = 0;
        else
            NewProcess->GrantedAccess |= 0x6FB;
    } else
        NewProcess->GrantedAccess |= 0x1F0FFF;
    /* Audit record for the creation when detailed auditing is enabled. */
    if (SeDetailedAuditing != 0)
        ntS = SeAuditProcessCreation(NewProcess, ObProcess, SectionSpace);
    KeQuerySystemTime(&NewProcess->CreateTime);
    *Process = ProcessHandle;
    return(ntS);
    /* Only the parent reference is released here. The section, debug-port and
     * exception-port references taken above are not dropped on this path, and
     * the cleanup2/cleanup3 targets are missing from the listing. */
cleanup:
    if (ObProcess) ObfDereferenceObject(ObProcess);
    return(ntS);
}
//in PspCreateProcess family :)
/*
 * Partial pseudo-code (as posted, truncated with "...") of the user-mode
 * ntdll routine that wraps NtCreateProcess. Several parameters are unnamed
 * decompiler slots ("," with a stack-offset comment) and are referred to in
 * the body as arg_0 (image path / output block), arg_8 and arg_24.
 * Visible sequence: open the image file, create an image section over it,
 * build OBJECT_ATTRIBUTES (with a csrss special case under a global flag),
 * call NtCreateProcess, then query the section and the new process.
 */
NTSTATUS RtlCreateUserProcess(
    , // 0
    IN ACCESS_MASK DesiredAccess, // 4
    , // 8
    PSECURITY_DESCRIPTOR SecDesc, // C
    , //10
    IN HANDLE Parent, // 14
    IN BOOLEAN InheritParentHandles, // 18
    IN HANDLE DebugPort OPTIONAL, // 1C
    IN HANDLE ExceptionPort OPTIONAL, // 20
    , // 24
    )
{
    NTSTATUS ntS;
    UNICODE_STRING ObName; // var_38
    OBJECT_ATTRIBUTES ObAttributes; // var_58 --> var_40
    HANDLE FileHandle, SectionHandle; // var_78 / var_28
    PROCESS_BASIC_INFORMATION ProcessInfoBuffer;
    /* arg_24 is an output block: zeroed, first field set to 0x44. */
    memset(arg_24, 0, 0x11);
    *arg_24 = 0x44;
    ntS = RtlpOpenImageFile(arg_0, DesiredAccess+0x42, &FileHandle, 1);
    if (ntS < 0) return(ntS);
    /* 0xF001F = SECTION_ALL_ACCESS, 0x10 = PAGE_EXECUTE, 0x1000000 = SEC_IMAGE;
     * the file handle is closed as soon as the section exists, and the section
     * handle is not closed on the early-return paths below. */
    ntS = ZwCreateSection(&SectionHandle, 0xF001F, NULL, NULL, 0x10, 0x1000000, FileHandle);
    ZwClose(FileHandle);
    if (ntS < 0) return(ntS);
    /* -1 is the current-process pseudo-handle. */
    if (Parent == NULL) Parent = -1;
    /* memset on the struct rather than its address, as posted. 0x18 (24) is
     * the 32-bit OBJECT_ATTRIBUTES size. */
    memset(ObAttributes, 0, sizeof(OBJECT_ATTRIBUTES));
    ObAttributes.Length = 0x18;
    ObAttributes. SecurityDescriptor = SecDesc;
    /* Global-flag gated special case for an image path containing "csrss":
     * the process object is named \WindowsSS. "20000" has presumably lost its
     * 0x prefix, 0x7FFE02D0 looks like an address in the user shared data
     * page whose dereference was lost, and the \" escapes are extraction
     * residue. */
    if (RtlGetNtGlobalFlags() & 20000) {
        if (wcsstr(arg_0, \"csrss\")) {
            if (!(0x7FFE02D0 & 10)) {
                RtlInitUnicodeString(&ObName, \"\\\\WindowsSS\");
                ObAttributes.ObjectName = ObName;
            }
        }
    }
    /* Not assignable as written; presumably a field at arg_8+0x2C is cleared. */
    if (!InheritParentHandles) arg_8+0x2C = 0;
    // offset 0x4 = HANDLE Process
    /* 0x1F0FFF = PROCESS_ALL_ACCESS. */
    ntS = NtCreateProcess(&(arg_0+0x4), 0x1F0FFF, &ObAttributes, Parent, InheritParentHandles, SectionHandle, DebugPort, ExceptionPort);
    if (ntS < 0) goto cleanup;
    // offset 0x14 = char Buffer[0x30]
    ntS = ZwQuerySection(SectionHandle, 1, &(arg_0+0x14), 0x30, NULL);
    if (ntS < 0) goto cleanup;
    ntS = ZwQueryInformationProcess(arg_0+0x4, ProcessBasicInformation, &ProcessInfoBuffer, 0x18, NULL);
    ZwClose(arg_0+0x4);
    if (ntS < 0) goto cleanup;
    // offset 0x18 = HANDLE Handle
    /* Listing ends here; the cleanup label it jumps to is not shown. */
    ZwDuplicateObject(Parent, arg_8+0x18, arg_0+0x4);
    ...
} |
地下室#
发布于:2004-01-28 23:33
原先我以为只要 ntdll 有个 NtXXX,ntoskrnl 也必然有个相应的 ZwXXX,
所以认为有个 ntdll 的 NtCreateProcess,必然 ntoskrnl 有个 ZwCreateProcess,今天一查才知是没有的,对于先前的妄断表示抱歉。另外,在驱动中创建一个线程是没什么问题的;创建进程本来以为用 RtlInitUnicodeString(&ProcessName, L"\\??\\C:\\WINNT\\system32\\notepad.exe"); InitializeObjectAttributes(&ob, &ProcessName, OBJ_CASE_INSENSITIVE, NULL, NULL); PsCreateSystemProcess(&p, PROCESS_ALL_ACCESS, &ob); 就可以实现,可是不行。用 SoftICE 跟踪了一把,PsCreateSystemProcess 返回值为 0xC0000024,含义如下: // There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request. // #define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024L)。(从上面 PspCreateProcess 的伪码看,ObAttributes 是交给 ObCreateObject 用来创建进程对象的,而这里 ObjectName 传的是一个映像文件路径,对象类型对不上。)看来不是那么简单,研究中……