6

After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!

Does this mean that we can have processes that are not backed by executable images? If so, what could they be (or are they) used for potentially? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running?? That would seem like a really useful feature.

user541686
  • 205,094
  • 128
  • 528
  • 886

2 Answers2

5

If section (file mapping in win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic, it is undocumented and does not register with the win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be ok)

On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.

Other options:

  • Use a driver, they can be deleted after they have been loaded (The sysinternal tools do this)
  • Use a host process; start explorer.exe, cmd.exe or rundll32.exe suspended and use CreateRemoteThread+injected code (This of course means there is a exe file on disk, but none of your code is in it)
Anders
  • 97,548
  • 12
  • 110
  • 164
  • I'm not too familiar with the Posix `fork` mechanism, but do you reckon that, since the parent process's section is used, this could be used to implement `fork` on Windows? (And +1, thanks for the file deletion info, it's interesting!) – user541686 Mar 18 '11 at 02:41
  • @Mehrdad: According to http://www.eggheadcafe.com/software/aspnet/32040421/ntcreateprocess-and-fork.aspx from 2008, the Cygwin guys did try to use NTCreateProcess for forking and failed, I don't know if things have changed since then but you could check their source... – Anders Mar 18 '11 at 02:44
  • :O this is SO cool!! I think I'll try (for the billionth time) to see if I can write my own version of `CreateProcess`... wish me luck! :] – user541686 Mar 18 '11 at 02:50
2

I just tried to create a process with a non-image-backed Section object myself. :)

The result?

NtCreateProcess returned:

STATUS_SECTION_NOT_IMAGE
// An attempt was made to query image information on a section which
// does not map an image.

So apparently every process needs to be image-backed (assuming you don't hack the kernel to do otherwise).

user541686
  • 205,094
  • 128
  • 528
  • 886