I created the process through NtCreateUserProcess. This was successful and returned STATUS_SUCCESS.
I then tried to start this process, which had been created in a suspended state, by calling NtResumeThread.
But the process exited immediately.
In the same code, when NtCreateUserProcess was replaced with CreateProcessW and NtResumeThread was used to bring the same suspended process to a running state, it worked fine.
How can I resume a process created with NtCreateUserProcess?
Edit: CreateProcess (working) -> NtCreateUserProcess (not working) means the process was created with wrong code. Got it. I created the process with the following code.
// Fragment of a larger function: its signature and the definitions of
// data, filename, filename2, command and INLINE_SYSCALL are not shown here.
HANDLE hProcess;
HANDLE hThread;
PS_CREATE_INFO procInfo;
PS_ATTRIBUTE_LIST attrList;
RTL_USER_PROCESS_PARAMETERS10 userParams;
// Every structure is zeroed first; only the fields set below are non-zero.
RtlSecureZeroMemory(&userParams, sizeof(RTL_USER_PROCESS_PARAMETERS10));
RtlSecureZeroMemory(&attrList, sizeof(PS_ATTRIBUTE_LIST));
RtlSecureZeroMemory(&procInfo, sizeof(PS_CREATE_INFO));
// Both length fields carry the bare struct size (no strings appended after it).
userParams.Length = sizeof(RTL_USER_PROCESS_PARAMETERS10);
userParams.MaximumLength = sizeof(RTL_USER_PROCESS_PARAMETERS10);
// Header plus one attribute entry — presumably PS_ATTRIBUTE_LIST is declared
// with room for two entries; confirm against its definition.
attrList.TotalLength = sizeof(PS_ATTRIBUTE_LIST) - sizeof(PS_ATTRIBUTE);
procInfo.Size = sizeof(PS_CREATE_INFO);
// NOTE(review): sizeof(data) is the size of the 'data' object itself; if
// 'data' is a pointer rather than an array this is the pointer size, not the
// environment block length — confirm against its definition.
userParams.Environment = (WCHAR *) data;
userParams.EnvironmentSize = sizeof(data);
userParams.EnvironmentVersion = 0;
// 0x01 presumably marks the block as "normalized" (absolute pointers) — confirm.
userParams.Flags = 0x01;
userParams.ShowWindowFlags = SW_HIDE;
// Only image path, command line and environment are supplied; DllPath,
// CurrentDirectory, DesktopInfo, etc. remain zero from the memset above.
userParams.ImagePathName = filename2;
userParams.CommandLine = command;
// Single attribute: the image name, taken from 'filename' (a counted string,
// given its Length/Buffer members).
attrList.Attributes[0].Attribute = PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE);
attrList.Attributes[0].Size = filename.Length;
attrList.Attributes[0].Value = (ULONG_PTR) filename.Buffer;
// The syscall is issued through INLINE_SYSCALL rather than the ntdll export.
// The initial thread is created suspended, so the caller must resume it.
NTSTATUS status = INLINE_SYSCALL(NtCreateUserProcess)(&hProcess, &hThread, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED,
NULL, NULL, 0, THREAD_CREATE_FLAGS_CREATE_SUSPENDED,
reinterpret_cast<_RTL_USER_PROCESS_PARAMETERS *>(&userParams), &procInfo, &attrList);
if (!NT_SUCCESS(status)) {
// NOTE(review): PS_CREATE_INFO presumably also reports which creation stage
// failed in its State member; printing only the status hides that.
printf("%x\n", status);
return 1;
}
And using the following struct.
// Hand-declared copy of the RTL_USER_PROCESS_PARAMETERS layout that the
// NtCreateUserProcess call above hands to the kernel. The trailing "//..."
// notes are the author's observed values for those fields.
// NOTE(review): this layout is OS-version specific; a wrong field order or
// size here silently corrupts what the new process reads from its parameter
// block, so it should be checked against the target build, not trusted from
// a paste. The code above assigns EnvironmentSize and EnvironmentVersion
// unconditionally, so NTDDI_VERSION must be at least NTDDI_WIN7 for it to
// compile.
typedef struct _RTL_USER_PROCESS_PARAMETERS10
{
ULONG MaximumLength; //6c0  (observed value)
ULONG Length;//6c0  (observed value)
ULONG Flags;//0
ULONG DebugFlags;//0
HANDLE ConsoleHandle;//NULL
ULONG ConsoleFlags;//0
HANDLE StandardInput;//NULL
HANDLE StandardOutput;//NULL
HANDLE StandardError;//NULL
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;   // set by the caller above
UNICODE_STRING CommandLine;     // set by the caller above
PWSTR Environment;              // set by the caller above
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;          // SW_HIDE above
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[32];
// Version-gated trailing fields; both are written by the caller above.
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
SIZE_T EnvironmentSize;
#endif
#if (NTDDI_VERSION >= NTDDI_WIN7)
SIZE_T EnvironmentVersion;
#endif
} RTL_USER_PROCESS_PARAMETERS10, *PRTL_USER_PROCESS_PARAMETERS10;
I can't find any error in this process creation.
Sorry for my bad English; I'm not a native speaker, so there may be some wrong grammar or awkward phrasing.
I am trying to communicate with a user-mode program from a Windows driver using the Flt functions.
When I build the program (in VS) I get a lot of errors:
I can't understand what those errors mean.
That's my code:
#include <Ntifs.h>
#include <ntddk.h>
#include <fltKernel.h>
#include <WinDef.h>
#include <Psapi.h>
#pragma comment(lib, "fltlib")
// File-scope state shared by DriverEntry, the unload routine, the port
// callbacks and the process-notify callback.
// NOTE(review): the `#pragma comment(lib, "fltlib")` above names the
// user-mode filter library; kernel minifilters link against FltMgr.lib, which
// is likely part of the build errors described in the question.

// Name of the communication port the user-mode client connects to.
UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\Test");

// Filter-manager handles.
PFLT_FILTER gFilterHandle;   // never assigned anywhere in this file
PFLT_PORT FilterPort;        // server port from FltCreateCommunicationPort
PFLT_PORT SendClientPort;    // the single connected client port, or NULL

// Scratch objects used only by createCommunication().
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES attr;

// Reply timeout handed to FltSendMessage.
LARGE_INTEGER timeout;

// Last NTSTATUS. Written from several routines, some of which run on
// arbitrary threads — there is no synchronisation around it.
NTSTATUS status;

// Forward declarations for the port callbacks wired up in createCommunication().
NTSTATUS createCommunication();
NTSTATUS PortConnectNotify(
    PFLT_PORT ClientPort,
    PVOID ServerPortCookie,
    PVOID ConnectionContext,
    ULONG SizeOfContext,
    PVOID* ConnectionPortCookie);
void PortDisconnectNotify(PVOID ConnectionCookie);
NTSTATUS PortMessageNotify(
    PVOID PortCookie,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength,
    PULONG ReturnOutputBufferLength);
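// DriverUnload: tear down what createCommunication() set up.
// The original created the communication port here (and set the reply
// timeout), which leaks a fresh port on every unload; unload must release,
// not acquire.
// NOTE(review): once FltRegisterFilter is in use, unload is normally driven by
// the FilterUnloadCallback in FLT_REGISTRATION, which then calls
// FltUnregisterFilter — confirm against the registration code (not in this
// file). If the process-notify routine ever gets registered, it must be
// removed here as well.
void SampleUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Sample driver Unload called\n");
    // FilterPort is NULL unless createCommunication() succeeded.
    if (FilterPort != nullptr)
    {
        FltCloseCommunicationPort(FilterPort);
        FilterPort = nullptr;
    }
}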
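// Process-creation callback (PCREATE_PROCESS_NOTIFY_ROUTINE_EX shape).
// Sends the new process's image path to the connected user-mode client and
// logs whatever the client replies with.
//
// Fixes relative to the original:
//  - GetProcessImageFileNameW is a user-mode Psapi API and is not available
//    to kernel code; the image name now comes from createInfo->ImageFileName.
//  - createInfo is NULL for process-exit notifications; those are skipped.
//  - the reply buffer was an array of 35 pointers and the reply length was the
//    integer 35 cast to a pointer; both are now a real buffer and a variable.
//  - the send buffer was uninitialised stack and only half of it was sent;
//    it is now zeroed, so no kernel stack contents reach user mode.
//  - DbgPrint used %wZ (UNICODE_STRING) for plain WCHAR buffers; now %ws.
//  - the result is kept in a local instead of the shared global 'status',
//    which this callback could race with from arbitrary threads.
// NOTE(review): nothing in this file registers this routine with
// PsSetCreateProcessNotifyRoutineEx (which also requires the driver to be
// linked with /INTEGRITYCHECK) — confirm where that is meant to happen.
void sCreateProcessNotifyRoutineEx(PEPROCESS process, HANDLE pid, PPS_CREATE_NOTIFY_INFO createInfo)
{
    UNREFERENCED_PARAMETER(process);
    UNREFERENCED_PARAMETER(pid);
    // A NULL createInfo means the process is exiting, not being created.
    if (createInfo == nullptr || createInfo->ImageFileName == nullptr)
    {
        return;
    }
    // Bounded copy of the counted image name into a NUL-terminated buffer;
    // longer paths are truncated (the client only sees the prefix).
    WCHAR path[MAX_PATH] = {0};
    ULONG bytes = createInfo->ImageFileName->Length;
    if (bytes > sizeof(path) - sizeof(WCHAR))
    {
        bytes = sizeof(path) - sizeof(WCHAR);
    }
    RtlCopyMemory(path, createInfo->ImageFileName->Buffer, bytes);
    // Reply buffer for the hash the client sends back. One WCHAR is held back
    // from the advertised length so the reply is always NUL-terminated before
    // it is printed. ReplyLength is in/out: buffer size in, bytes received out.
    WCHAR hash[35] = {0};
    ULONG replyLength = sizeof(hash) - sizeof(WCHAR);
    NTSTATUS sendStatus = FltSendMessage(gFilterHandle, &SendClientPort, path, sizeof(path), hash, &replyLength,
        &timeout);
    if (!NT_SUCCESS(sendStatus))
    {
        DbgPrint("Can't send the message and");
        return;
    }
    DbgPrint("The hash of %ws is %ws", path, hash);
}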
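// Driver entry point: registers the unload routine, sets the reply timeout
// used by the process-notify callback, and brings up the communication port.
// Returns STATUS_SUCCESS when the port is ready, otherwise the failing status.
//
// Fixes relative to the original:
//  - createCommunication() was never called (the call was a comment), so the
//    status check tested the zero-initialised global and always passed.
//  - the timeout was only assigned in SampleUnload, i.e. after every message
//    had already been sent with a zero timeout; it is set here, and as a
//    negative (relative) interval — a positive value is read as an absolute
//    time by the wait routines, which would expire immediately.
// NOTE(review): gFilterHandle is never assigned anywhere in this file; a
// minifilter normally obtains it from FltRegisterFilter before any Flt* call.
// Until that exists the handle is checked here so the driver fails cleanly
// instead of handing NULL to the filter manager. The process-notify routine
// is likewise never registered (PsSetCreateProcessNotifyRoutineEx) — confirm
// where that is meant to happen.
extern "C"
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = SampleUnload;
    DbgPrint("Sample driver Load called\n");
    // 50 ms in 100-ns units, negative = relative to now.
    timeout.QuadPart = -10000LL * 50;
    if (gFilterHandle == nullptr)
    {
        DbgPrint("Can't create the connection");
        return STATUS_INVALID_DEVICE_STATE;
    }
    status = createCommunication();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Can't create the connection");
        return status;
    }
    DbgPrint("Finish");
    return STATUS_SUCCESS;
}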
// Invoked by the filter manager when a user-mode client connects to the port.
// Records the client's port in SendClientPort so the process-notify callback
// can reach it. No per-connection cookie is produced and the connection is
// always accepted; the port was created with a limit of one connection, and
// ConnectionContext (user-supplied bytes) is deliberately not interpreted.
// NOTE(review): createCommunication() casts this function to
// PFLT_CONNECT_NOTIFY; on x86 that cast hides a calling-convention mismatch
// unless the definition is declared FLTAPI.
NTSTATUS PortConnectNotify(PFLT_PORT ClientPort, PVOID ServerPortCookie, PVOID ConnectionContext, ULONG SizeOfContext,
PVOID* ConnectionPortCookie)
{
    UNREFERENCED_PARAMETER(ConnectionPortCookie);
    UNREFERENCED_PARAMETER(SizeOfContext);
    UNREFERENCED_PARAMETER(ConnectionContext);
    UNREFERENCED_PARAMETER(ServerPortCookie);
    // Remembered for FltSendMessage; cleared again in PortDisconnectNotify.
    SendClientPort = ClientPort;
    return STATUS_SUCCESS;
}
// Invoked when the user-mode client disconnects (or the port is closed).
// Releases the client port and clears the global so no later FltSendMessage
// call targets a dead port.
void PortDisconnectNotify(PVOID ConnectionCookie)
{
    UNREFERENCED_PARAMETER(ConnectionCookie);
    PFLT_PORT *clientPort = &SendClientPort;
    FltCloseClientPort(gFilterHandle, clientPort);
    // Presumably already cleared by FltCloseClientPort; the explicit store
    // keeps the intent visible and is harmless.
    *clientPort = nullptr;
}
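// Invoked when the user-mode client sends a message (FilterSendMessage).
// This driver only pushes data kernel-to-user via FltSendMessage and expects
// no unsolicited messages, so the input is ignored and an empty reply is
// reported.
// Fix: the original left *ReturnOutputBufferLength untouched; the filter
// manager reads it to know how much of OutputBuffer to copy back, so it is
// now explicitly set to 0.
// NOTE(review): InputBuffer/OutputBuffer are user-mode addresses under the
// filter-manager contract; any future implementation must validate the
// lengths and access them under __try/__except.
NTSTATUS PortMessageNotify(PVOID PortCookie, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer,
ULONG OutputBufferLength, PULONG ReturnOutputBufferLength)
{
    UNREFERENCED_PARAMETER(PortCookie);
    UNREFERENCED_PARAMETER(InputBuffer);
    UNREFERENCED_PARAMETER(InputBufferLength);
    UNREFERENCED_PARAMETER(OutputBuffer);
    UNREFERENCED_PARAMETER(OutputBufferLength);
    if (ReturnOutputBufferLength != nullptr)
    {
        *ReturnOutputBufferLength = 0;
    }
    return STATUS_SUCCESS;
}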
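// Creates the server-side communication port "\Test" and starts filtering.
// Returns STATUS_SUCCESS, or the first failing Flt* status.
//
// Fixes relative to the original:
//  - the security descriptor leaked when FltCreateCommunicationPort failed;
//    it is now released right after that call on every path (the port does
//    not need it once created);
//  - if FltStartFiltering fails the port is closed, since DriverUnload is not
//    invoked when DriverEntry returns a failure.
// The default descriptor from FltBuildDefaultSecurityDescriptor admits only
// administrators and LocalSystem (per its documentation), which is the
// intended restriction on who may connect and feed replies to the
// process-notify path.
// NOTE(review): gFilterHandle must already hold a registered filter here;
// this file never assigns it.
NTSTATUS createCommunication()
{
    status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    InitializeObjectAttributes(&attr, &name, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, nullptr, sd);
    // One client at a time; unsolicited client messages land in PortMessageNotify.
    status = FltCreateCommunicationPort(gFilterHandle, &FilterPort, &attr, nullptr,
        (PFLT_CONNECT_NOTIFY)PortConnectNotify,
        (PFLT_DISCONNECT_NOTIFY)PortDisconnectNotify,
        (PFLT_MESSAGE_NOTIFY)PortMessageNotify, 1);
    // The descriptor is only needed for the creation call.
    FltFreeSecurityDescriptor(sd);
    sd = nullptr;
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    status = FltStartFiltering(gFilterHandle);
    if (!NT_SUCCESS(status))
    {
        FltCloseCommunicationPort(FilterPort);
        FilterPort = nullptr;
    }
    return status;
}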
Maybe my pragma is incorrect?
How can I solve it?
I am very new to the driver world, so sorry for being a newbie.
Thanks for all the helpers!
Here I'm trying to create and run calc, but the process is created in a suspended state. This is the main code:
#include <Windows.h>
#include <iostream>
using namespace std;
// Pseudo-handle for the calling process (the -1 value GetCurrentProcess() returns).
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
// Local copies of the native structures: only <Windows.h> is included, so
// the winternl.h definitions are not in scope.
typedef struct _LSA_UNICODE_STRING
{
USHORT Length;          // bytes, excluding the terminator
USHORT MaximumLength;   // bytes available in Buffer
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;           // sizeof(OBJECT_ATTRIBUTES)
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;       // OBJ_* flags
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
// Function-pointer types for the ntdll exports resolved in main() with
// GetProcAddress.
typedef NTSTATUS(NTAPI* fpNtCreateProcessEx)
(
PHANDLE ProcessHandle,              // OUT: receives the new process handle
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
HANDLE ParentProcess,
ULONG Flags,                        // PS_INHERIT_HANDLES below
HANDLE SectionHandle OPTIONAL,      // image section the process is built from
HANDLE DebugPort OPTIONAL,
HANDLE ExceptionPort OPTIONAL,
BOOLEAN InJob
);
typedef NTSTATUS(NTAPI* fpNtCreateTransaction)
(
PHANDLE TransactionHandle,          // OUT
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
LPGUID Uow,
HANDLE TmHandle,
ULONG CreateOptions,
ULONG IsolationLevel,
ULONG IsolationFlags,
PLARGE_INTEGER Timeout,
PUNICODE_STRING Description
);
typedef NTSTATUS(NTAPI* fpNtCreateSection)
(
PHANDLE SectionHandle,              // OUT
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PLARGE_INTEGER MaximumSize,
ULONG SectionPageProtection,
ULONG AllocationAttributes,         // SEC_IMAGE in main()
HANDLE FileHandle
);
typedef NTSTATUS(NTAPI* fpNtClose)
(
HANDLE Handle
);
typedef LONG(NTAPI* fpNtResumeProcess)
(
HANDLE ProcessHandle
);
// NOTE(review): the real NtResumeThread export takes a *thread* handle plus an
// optional PULONG PreviousSuspendCount; this typedef's parameter name and
// count do not match it. It is declared but never called in main().
typedef LONG(NTAPI* fpNtResumeThread)
(
HANDLE ProcessHandle
);
// Flags value passed to NtCreateProcessEx in main().
#define PS_INHERIT_HANDLES 4
// Entry point. Sequence: open a transaction, open the target image inside it,
// build an image section from that file handle, then ask NtCreateProcessEx
// for a process backed by the section. No return value is checked anywhere,
// so a failure in any step silently feeds a NULL handle into the next one.
int main()
{
HANDLE hProcess;
OBJECT_ATTRIBUTES objattr;
WCHAR wstrObjName[MAX_PATH];
lstrcpyW(wstrObjName, L"C:\\Windows\\System32\\calc.exe");
// ntdll exports resolved by hand; none of the results is NULL-checked and the
// module reference from LoadLibrary is never released.
const HINSTANCE hinst = LoadLibrary(L"ntdll.dll");
const auto _NtCreateTransaction = fpNtCreateTransaction(GetProcAddress(hinst, "NtCreateTransaction"));
const auto _NtCreateSection = fpNtCreateSection(GetProcAddress(hinst, "NtCreateSection"));
const auto _NtCreateProcessEx = fpNtCreateProcessEx(GetProcAddress(hinst, "NtCreateProcessEx"));
// Both resume pointers are resolved but never called below.
const auto _NtResumeProcess = fpNtResumeProcess(GetProcAddress(hinst, "NtResumeProcess"));
const auto _NtResumeThread = fpNtResumeThread(GetProcAddress(hinst, "NtResumeThread"));
const auto _NtClose = fpNtClose(GetProcAddress(hinst, "NtClose"));
// Computes a byte length and discards it: this statement has no effect.
wcslen(wstrObjName) * sizeof(WCHAR);
// Unnamed object attributes (ObjectName stays nullptr); 0x40 is
// OBJ_CASE_INSENSITIVE, as the answer's sample notes.
objattr.Length = sizeof(OBJECT_ATTRIBUTES);
objattr.Attributes = 0x00000040L;
objattr.ObjectName = nullptr;
objattr.RootDirectory = nullptr;
objattr.SecurityDescriptor = nullptr;
objattr.SecurityQualityOfService = nullptr;
HANDLE hTransaction = nullptr;
_NtCreateTransaction(&hTransaction, TRANSACTION_ALL_ACCESS, &objattr, nullptr, nullptr, 0, 0, 0, nullptr, nullptr);
// The image is opened for read/write inside the transaction created above.
const HANDLE h_transacted_file = CreateFileTransacted(wstrObjName, GENERIC_WRITE | GENERIC_READ, 0, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr, hTransaction, nullptr, nullptr);
HANDLE hSection = nullptr;
// SEC_IMAGE: a read-only mapped executable image backed by the file above.
_NtCreateSection(&hSection, SECTION_ALL_ACCESS, nullptr, nullptr, PAGE_READONLY, SEC_IMAGE, h_transacted_file);
// Creates the process object from the section. As the answers on this page
// note, this creates no initial thread, so there is nothing to resume yet.
_NtCreateProcessEx(&hProcess, PROCESS_ALL_ACCESS, nullptr, NtCurrentProcess(), PS_INHERIT_HANDLES, hSection, nullptr, nullptr, false);
const DWORD pid = GetProcessId(hProcess);
// ResumeThread expects a thread handle; hProcess is a process handle.
ResumeThread(hProcess);
printf("Pid = %d\n", pid);
CloseHandle(h_transacted_file);
_NtClose(hTransaction);
_NtClose(hSection);
_NtClose(hProcess);
return 0;
}
This is my ProcessExplorer:
What I have tried:
Changing `#define PS_INHERIT_HANDLES 4` to something else like 2, 1 or 8, with no luck.
Tried to resume the process with ResumeThread(hProcess);, ResumeProcess(hProcess); or _NtResumeProcess(hProcess);, but it doesn't work.
Tried to manually resume the process with Process Explorer, and the process goes back to the suspended state immediately.
Changing my target file to something else.
My question is: why can't I resume this created process? How can I fix this?
In case you didn't figure it out, you need to create a thread using NtCreateThreadEx
I want to call NtCreateProcessEx, but I get no exception or error, and nothing happens. Also, I don't want to use CreateProcess. My intention is to create and run a process from a file with this specific function.
This is what I have tried so far:
#include <Windows.h>
#include <bcrypt.h>
#include "winternl.h"
#pragma comment(lib, "ntdll")
// Hand-written prototype for the ntdll export (linked through the "ntdll"
// pragma above). It does not match the export's real shape — compare the
// answer's typedef further down: ProcessHandle is an OUT pointer (PHANDLE),
// ObjectAttributes is passed by pointer (POBJECT_ATTRIBUTES), and the fifth
// argument is a ULONG Flags word there rather than a BOOLEAN. The linker
// binds by name only, so the call compiles but passes the wrong arguments.
NTSTATUS NTAPI NtCreateProcessEx(
OUT HANDLE ProcessHandle,                          // should be PHANDLE
IN ACCESS_MASK DesiredAccess,
IN OBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,    // should be POBJECT_ATTRIBUTES
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,                     // ULONG Flags in the answer's typedef
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN BOOLEAN InJob);
// Entry point of the question's attempt. Besides the prototype mismatch noted
// above, the call cannot produce anything: 'ph' is a const nullptr where the
// function needs the address of a HANDLE to write into, 'oa' is passed by
// value, and the returned NTSTATUS is discarded — which is why "nothing
// happens" and no error is seen.
int main()
{
const HANDLE ph = nullptr;   // a null handle value, not an out-pointer; never receives anything
OBJECT_ATTRIBUTES oa;
UNICODE_STRING fileName;
// NT-native path form ("\??\" prefix) as understood by the object manager.
RtlInitUnicodeString(&fileName, PCWSTR(L"\\??\\C:\\Windows\\System32\\calc.exe"));
// (&oa)->X is just oa.X; 0x40 is OBJ_CASE_INSENSITIVE.
(&oa)->Length = sizeof(OBJECT_ATTRIBUTES);
(&oa)->RootDirectory = nullptr;
(&oa)->Attributes = 0x00000040L;
(&oa)->ObjectName = &fileName;
(&oa)->SecurityDescriptor = nullptr;
(&oa)->SecurityQualityOfService = nullptr;;   // the second ';' is an empty statement
// Return value (NTSTATUS) ignored; no section handle is supplied.
NtCreateProcessEx(ph, PROCESS_ALL_ACCESS, oa, nullptr, FALSE, nullptr, nullptr, nullptr, FALSE);
return 0;
}
There is no documentation or example anywhere on the internet about this specific function. I am able to do something somewhat similar for NtCreateFile, but this is my closest attempt for NtCreateProcessEx, and no luck.
I work with Visual Studio 2019 and Windows 10 1909.
These are some resources that I tried:
NtCreateProcess(Ex) - Can I have a child process inherit the parents address space while running under a different process name?
http://www.rohitab.com/discuss/topic/40191-ntcreateuserprocess/
https://github.com/Microwave89/createuserprocess/blob/master/createuserprocess/main.c
http://www.rohitab.com/discuss/topic/42229-start-a-process-using-ntcreateprocessex-usermode/
https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
First of all, the 3rd parameter is a pointer to the OBJECT_ATTRIBUTES structure:
// Function-pointer type for the NtCreateProcessEx export, as used by the
// sample below. Note the two differences from the question's prototype:
// ProcessHandle is an OUT pointer and ObjectAttributes is a pointer.
typedef NTSTATUS(NTAPI* fpNtCreateProcessEx)
(
PHANDLE ProcessHandle,                          // OUT: receives the process handle
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,   // pointer, may be NULL
HANDLE ParentProcess,
ULONG Flags,                                    // PS_INHERIT_HANDLES in the sample
HANDLE SectionHandle OPTIONAL,                  // image section to build the process from
HANDLE DebugPort OPTIONAL,
HANDLE ExceptionPort OPTIONAL,
BOOLEAN InJob
);
A sample to use (error checking removed):
#include <windows.h>
#include <iostream>
using namespace std;
// Pseudo-handle for the calling process (the -1 value GetCurrentProcess() returns).
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
// Local copies of the native structures, since only <windows.h> is included.
typedef struct _LSA_UNICODE_STRING {
USHORT Length;          // bytes, excluding the terminator
USHORT MaximumLength;   // bytes available in Buffer
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;           // sizeof(OBJECT_ATTRIBUTES)
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;       // OBJ_* flags
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
// Function-pointer types for the ntdll exports resolved in main() with
// GetProcAddress.
typedef NTSTATUS(NTAPI* fpNtCreateProcessEx)
(
PHANDLE ProcessHandle,              // OUT
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
HANDLE ParentProcess,
ULONG Flags,                        // PS_INHERIT_HANDLES below
HANDLE SectionHandle OPTIONAL,
HANDLE DebugPort OPTIONAL,
HANDLE ExceptionPort OPTIONAL,
BOOLEAN InJob
);
typedef NTSTATUS(NTAPI* fpNtCreateTransaction)
(
PHANDLE TransactionHandle,          // OUT
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
LPGUID Uow,
HANDLE TmHandle,
ULONG CreateOptions,
ULONG IsolationLevel,
ULONG IsolationFlags,
PLARGE_INTEGER Timeout,
PUNICODE_STRING Description
);
typedef NTSTATUS (NTAPI *fpNtCreateSection)
(
PHANDLE SectionHandle,              // OUT
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PLARGE_INTEGER MaximumSize,         // NULL in main(): size taken from the file
ULONG SectionPageProtection,
ULONG AllocationAttributes,         // SEC_IMAGE in main()
HANDLE FileHandle
);
typedef NTSTATUS (NTAPI *fpNtClose)
(
HANDLE Handle
);
// Flags value passed to NtCreateProcessEx in main().
#define PS_INHERIT_HANDLES 4
// Sample entry point. Status values are captured but — as the answer says —
// not checked, so a failure in any step feeds NULL handles into the next one.
int main()
{
HANDLE hProcess;
OBJECT_ATTRIBUTES objattr;
UNICODE_STRING objname;
NTSTATUS status;
WCHAR wstrObjName[MAX_PATH];
lstrcpyW(wstrObjName, L"C:\\test.exe");
// ntdll exports resolved by hand; none is NULL-checked and hinst is never released.
HINSTANCE hinst = LoadLibrary(L"ntdll.dll");
fpNtCreateProcessEx _NtCreateProcessEx = (fpNtCreateProcessEx)GetProcAddress(hinst, "NtCreateProcessEx");
fpNtCreateTransaction _NtCreateTransaction = (fpNtCreateTransaction)GetProcAddress(hinst, "NtCreateTransaction");
fpNtCreateSection _NtCreateSection = (fpNtCreateSection)GetProcAddress(hinst, "NtCreateSection");
fpNtClose _NtClose = (fpNtClose)GetProcAddress(hinst, "NtClose");
// Initialize ObjectName UNICODE_STRING
// (filled in but never used: objattr.ObjectName is set to NULL below)
objname.Buffer = wstrObjName;
objname.Length = wcslen(wstrObjName) * sizeof(WCHAR); // Length in bytes of string, without null terminator (size_t narrowed to USHORT)
objname.MaximumLength = MAX_PATH * sizeof(WCHAR);
// Initialize OBJECT_ATTRIBUTES
objattr.Length = sizeof(OBJECT_ATTRIBUTES);
objattr.Attributes = 0x00000040L; //OBJ_CASE_INSENSITIVE
objattr.ObjectName = NULL;
objattr.RootDirectory = NULL;
objattr.SecurityDescriptor = NULL;
objattr.SecurityQualityOfService = NULL;
HANDLE hTransaction = NULL;
status = _NtCreateTransaction(&hTransaction,
TRANSACTION_ALL_ACCESS,
&objattr,
NULL,
NULL,
0,
0,
0,
NULL,
NULL);
// The image is opened for read/write inside the transaction created above.
HANDLE hTransactedFile = CreateFileTransacted(wstrObjName,
GENERIC_WRITE | GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL,
hTransaction,
NULL,
NULL);
HANDLE hSection = NULL;
// SEC_IMAGE: a read-only mapped executable image backed by the file above;
// MaximumSize is passed as 0 (NULL), i.e. taken from the file.
status = _NtCreateSection(&hSection,
SECTION_ALL_ACCESS,
NULL,
0,
PAGE_READONLY,
SEC_IMAGE,
hTransactedFile);
// Creates the process object from the section. As the answer below notes,
// the new process has no thread at this point.
status = _NtCreateProcessEx(&hProcess, PROCESS_ALL_ACCESS, NULL, NtCurrentProcess(), PS_INHERIT_HANDLES, hSection, NULL, NULL, false);
DWORD pid = GetProcessId(hProcess);
printf("Pid = %d\n", pid);
CloseHandle(hTransactedFile);
_NtClose(hTransaction);
_NtClose(hSection);
_NtClose(hProcess);
return 0;
}
Do I have to change a specific flag or use another standard function to resume the process?
You must create a thread: the new process doesn't have any thread yet. You must allocate memory for the thread and then call ZwCreateThread. For details, see Gary Nebbett's book on Windows 2000.
How can you determine the executable that launches an application with C++?
For example: my application is named a.exe and there is another application named b.exe. How can I know whether a.exe has been launched by b.exe or not?
I found a way to do this, thanks Wimmel.
To get the parent process ID you can use GetParentProcessId(). You will need this function:
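// Returns the PID of the process that created the current one, read from
// PROCESS_BASIC_INFORMATION.InheritedFromUniqueProcessId, or (ULONG_PTR)-1
// if NtQueryInformationProcess cannot be resolved or the query fails.
//
// pbi mirrors PROCESS_BASIC_INFORMATION as six pointer-sized slots:
//   [0] ExitStatus  [1] PebBaseAddress  [2] AffinityMask
//   [3] BasePriority  [4] UniqueProcessId  [5] InheritedFromUniqueProcessId
// Information class 0 is ProcessBasicInformation.
// Fixes: GetModuleHandleA replaces LoadLibraryA (ntdll is always mapped and
// the original never released the extra reference it took); the function
// pointer is obtained with a cast instead of writing through a FARPROC* alias.
// Caveat for anyone using this for a trust decision: the value is the
// creator's PID at creation time. If that process has exited, the PID may
// already belong to an unrelated process, and a creator can legitimately
// choose a different parent via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. Treat
// the result as informational.
ULONG_PTR GetParentProcessId() // By Napalm # NetCore2K
{
    typedef LONG (WINAPI *NtQueryInformationProcess_t)(HANDLE ProcessHandle, ULONG ProcessInformationClass,
        PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
    HMODULE ntdll = GetModuleHandleA("NTDLL.DLL");
    if (ntdll == NULL) {
        return (ULONG_PTR)-1;
    }
    NtQueryInformationProcess_t NtQueryInformationProcess =
        (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL) {
        return (ULONG_PTR)-1;
    }
    ULONG_PTR pbi[6] = {0};
    ULONG ulSize = 0;
    LONG st = NtQueryInformationProcess(GetCurrentProcess(), 0, pbi, sizeof(pbi), &ulSize);
    // NTSTATUS success codes are non-negative; also require the full struct.
    if (st < 0 || ulSize != sizeof(pbi)) {
        return (ULONG_PTR)-1;
    }
    return pbi[5];
}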
To get the process name from the process ID, call ProcessName(GetParentProcessId()).
And then you will need this function:
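// Resolves a PID to its executable file name via a Toolhelp snapshot.
// Returns a pointer to a function-internal static buffer holding the name,
// or NULL if the snapshot fails or no process has that id.
//
// Fixes relative to the original:
//  - it returned pe32.szExeFile, a pointer into a local that is dead once the
//    function returns; the name is now copied into a static buffer;
//  - the snapshot handle was never closed on the match path (handle leak);
//    it is now closed on every path;
//  - CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not
//    NULL, so the old `if(hSnapshot)` test never caught it.
// The static buffer makes this not thread-safe, and each call overwrites the
// previous result — copy it if it must outlive the next call.
// Caveat: szExeFile is just the image file name. Any process can be named
// "b.exe", and a PID may be reused once its owner exits, so the result is
// informational and not a basis for an authorisation decision.
// NOTE(review): as in the original, this only compiles with UNICODE undefined
// (szExeFile is a TCHAR array).
char* ProcessName(int ProcessId){
    static char exeName[MAX_PATH];
    char *result = NULL;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return NULL;
    }
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (pe32.th32ProcessID == (DWORD)ProcessId) {
                // Bounded copy; always NUL-terminated.
                snprintf(exeName, sizeof(exeName), "%s", pe32.szExeFile);
                result = exeName;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }
    CloseHandle(hSnapshot);
    return result;
}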
I am trying to call the function NtConnectPort: I create a section and then pass this section to NtConnectPort.
I get a runtime error from NtConnectPort. The return value is c000000d - The parameter is incorrect.
I don't understand why. Any ideas?
The code:
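/* Fragment of a larger function (its signature is not shown; the 'return 1'
 * statements belong to it). Creates a 64 KiB shared section and offers it to
 * the LPC port \SmApiPort through NtConnectPort.
 *
 * Fixes relative to the original:
 *  - "§ionInfo" was a mangled "&sectionInfo" (an HTML entity eaten by the
 *    page), so the code as pasted does not compile;
 *  - NtCreateSection's failure only printed a message and then carried on
 *    with hSection == 0; it now bails out;
 *  - the hard-coded Length values 24 and 0x0C are the 32-bit sizes of the two
 *    view structures; sizeof keeps them right on 64-bit builds too;
 *  - qos was passed uninitialised (the cause of the STATUS_INVALID_PARAMETER
 *    result, as the answer below points out); it is now zeroed and filled in.
 */
HANDLE hSection = 0;
LARGE_INTEGER SecSize;
SecSize.LowPart = 0x10000;
SecSize.HighPart = 0x0;
if (!NT_SUCCESS(NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &SecSize, PAGE_READWRITE, SEC_COMMIT, NULL)))
{
    printf("couldn't create a section");
    return 1;
}
HANDLE hPort = NULL;
LPC_SECTION_OWNER_MEMORY sectionInfo;
LPC_SECTION_MEMORY mapInfo;
byte ConnectDataBuffer[0x100];
DWORD Size = sizeof(ConnectDataBuffer);   /* in: buffer size, out: bytes returned */
UNICODE_STRING uStr;
WCHAR *uString = L"\\SmApiPort";
DWORD maxSize = 0;                        /* out: server's maximum message length */
SECURITY_QUALITY_OF_SERVICE qos;
memset(ConnectDataBuffer, 0, sizeof(ConnectDataBuffer));
memset(&sectionInfo, 0, sizeof(sectionInfo));
memset(&mapInfo, 0, sizeof(mapInfo));
/* Client view: the whole section from offset 0; the ViewBase fields are
 * presumably filled in by the call. */
sectionInfo.Length = sizeof(sectionInfo);
sectionInfo.SectionHandle = hSection;
sectionInfo.ViewSize = 0x10000;
mapInfo.Length = sizeof(mapInfo);
/* Counted string: Length excludes the terminator, MaximumLength includes it. */
uStr.Length = (USHORT)(wcslen(uString) * sizeof(WCHAR));
uStr.MaximumLength = (USHORT)(uStr.Length + sizeof(WCHAR));
uStr.Buffer = uString;
/* How far the server may impersonate this client. SecurityImpersonation is
 * the conventional level for LPC; lower it if the server accepts less.
 * EffectiveOnly = TRUE limits the server to the groups/privileges currently
 * enabled in this token (least privilege); set it to FALSE only if the server
 * needs the full token. ContextTrackingMode stays SECURITY_STATIC_TRACKING
 * from the memset. */
memset(&qos, 0, sizeof(qos));
qos.Length = sizeof(qos);
qos.ImpersonationLevel = SecurityImpersonation;
qos.EffectiveOnly = TRUE;
NTSTATUS res = NtConnectPort(&hPort, &uStr, &qos, &sectionInfo, &mapInfo, &maxSize, ConnectDataBuffer, &Size);
if (!NT_SUCCESS(res))
{
    printf("Could not connect to LPC port.\n -%x", res);
    return 1;
}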
/* Client-side view description handed to NtConnectPort (ClientSharedMemory).
 * On a 32-bit build this is 24 bytes, which is the Length value the call
 * site above hard-codes; on 64-bit the handle and pointers make it larger. */
typedef struct _LPC_SECTION_OWNER_MEMORY {
ULONG Length;               /* sizeof this structure */
HANDLE SectionHandle;       /* section shared with the server */
ULONG OffsetInSection;
ULONG ViewSize;             /* bytes of the section to map */
PVOID ViewBase;             /* presumably filled in by the call: client-side mapping */
PVOID OtherSideViewBase;    /* presumably filled in by the call: server-side mapping */
} LPC_SECTION_OWNER_MEMORY, *PLPC_SECTION_OWNER_MEMORY;
/* Server-side view returned by NtConnectPort (ServerSharedMemory): 12 bytes
 * (0x0C) on a 32-bit build, matching the Length used above. */
typedef struct _LPC_SECTION_MEMORY {
ULONG Length;               /* sizeof this structure */
ULONG ViewSize;
PVOID ViewBase;
} LPC_SECTION_MEMORY, *PLPC_SECTION_MEMORY;
/* Hand-written prototypes for the ntdll exports; the commented-out lines are
 * the alternative PORT_VIEW / REMOTE_PORT_VIEW spellings of the same
 * parameters. Nt and Zw variants differ only in name here. */
NTSYSAPI NTSTATUS NTAPI NtConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,    /* must be initialised by the caller */
//IN OUT PPORT_VIEW ClientView OPTIONAL,
IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory,
OUT PLPC_SECTION_MEMORY ServerSharedMemory,
//OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI ZwConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory,
OUT PLPC_SECTION_MEMORY ServerSharedMemory,
//IN OUT int int1,
//IN OUT PPORT_VIEW ClientView OPTIONAL,
//OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL
);
You're not initializing the qos variable (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379574(v=vs.85).aspx):
SecurityQos - Points to a structure that specifies the level
of impersonation available to the port listener.