-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathproc.c
More file actions
70 lines (68 loc) · 2.17 KB
/
proc.c
File metadata and controls
70 lines (68 loc) · 2.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#include <ntddk.h>
#include "utils.h"
PKUSER_SHARED_DATA SharedData = (PKUSER_SHARED_DATA)(0x7FFE0000);
void create_proc(char *ascii_path)
{
// assume ascii_path is like "\??\C:\Windows\System32\notepad.exe"
if (my_strncmp(ascii_path, "\\??\\", 4) != 0)
{
PrintString("Invalid path format. Must start with \\??\\\n");
return;
}
ANSI_STRING AnsiString;
RtlInitAnsiString(&AnsiString, ascii_path);
UNICODE_STRING nt_path;
RtlAnsiStringToUnicodeString(&nt_path, &AnsiString, TRUE);
UNICODE_STRING win32_path = { 0 };
RtlInitUnicodeString(&win32_path, nt_path.Buffer + 4);
UNICODE_STRING dll_path;
RtlInitUnicodeString(&dll_path, SharedData->NtSystemRoot);
PRTL_USER_PROCESS_PARAMETERS proc_param;
WCHAR Env[2] = { 0, 0 };
NTSTATUS status = RtlCreateProcessParameters(&proc_param, &win32_path, &dll_path, NULL, (PUNICODE_STRING)Env, NULL, &nt_path, 0, 0, 0);
if (!NT_SUCCESS(status))
{
PrintString("RtlCreateProcessParameters failed: 0x%x\n", RtlNtStatusToDosError(status));
return;
}
RTL_USER_PROCESS_INFORMATION proc_info = {0};
status = RtlCreateUserProcess(
&nt_path,
OBJ_CASE_INSENSITIVE,
proc_param,
NULL,
NULL,
NULL,
TRUE, // current cwd
NULL,
NULL,
&proc_info
);
if (!NT_SUCCESS(status))
{
PrintString("RtlCreateUserProcess failed: 0x%x\n", RtlNtStatusToDosError(status));
return;
}
switch (proc_info.ImageInformation.SubSystemType)
{
case 1:
PrintString("Creating a Native type of process.\n");
break;
case 2:
PrintString("Creating a GUI type of process.\n");
break;
case 3:
PrintString("Creating a Console type of process.\n");
break;
default:
PrintString("Creating an Unknown type of process.\n");
break;
}
status = NtResumeThread(proc_info.ThreadHandle, NULL);
if (!NT_SUCCESS(status))
{
PrintString("NtResumeThread failed: 0x%x\n", RtlNtStatusToDosError(status));
return;
}
PrintString("Process created successfully. Handle: 0x%x\n", proc_info.ProcessHandle);
}