NtCreateProcess(Ex) - Can I have a child process inherit the parents address space while running under a different process name?

Question

NtCreateProcess(Ex) - Can I have a child process inherit the parents address space while running under a different process name?

I am calling NtCreateProcessEx with the section handle argument set to NULL in order to create a user mode process that is initialized with a copy of the parents address space.

I want the child process to run under a different image name other than the one of the parent process.

Is this even possible?

Here's my call to NtCreateProcessEx:

HANDLE fileHandle;
OBJECT_ATTRIBUTES ObjectAttributes = { 0 };

UNICODE_STRING InputString;

RtlInitUnicodeString( &InputString, L"C:\\Users\\user\\Documents\\codeblocks_projects\\test\\bin\\Release\\test.exe" );

ObjectAttributes.Length = sizeof( OBJECT_ATTRIBUTES );
ObjectAttributes.ObjectName = &InputString;

NTSTATUS status = NtCreateProcessEx( &fileHandle, PROCESS_QUERY_INFORMATION, &ObjectAttributes, GetCurrentProcess(), PS_INHERIT_HANDLES, NULL, NULL, NULL, FALSE );

printf_s( "%x\n", status );

Status is 0xC0000033 - STATUS_OBJECT_NAME_INVALID, if I don't pass any object attributes, the call works fine.

What am I missing here?

windows

process

native

asked on Stack Overflow Sep 22, 2018 by

Jessica Wright

1 Answer

My guess is that this not only poorly documented; it is also impossible. At least, it seems effectively impossible nowadays, perhaps due to security concerns.

The documentation for NtOpenProcess indicates that even identifying a process by name hasn't been possible since Vista:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-ntopenprocess

I just tried an alternative approach using NtSetInformationProcess:

#define PHNT_NO_INLINE_INIT_STRING
#include <phnt_windows.h>
#include <phnt.h>

#include <stdio.h>

int main() {
    NTSTATUS status;
    HANDLE handle;

    status
        = NtCreateProcess(&handle,
                          PROCESS_ALL_ACCESS,
                          NULL,
                          NtCurrentProcess(),
                          /*InheritObjectTable=*/TRUE,
                          NULL,
                          NULL,
                          NULL
            );

    UNICODE_STRING newName;
    RtlInitUnicodeString(&newName, L"dummy.exe");

    status
        = NtSetInformationProcess(
            handle,
            ProcessImageFileName,
            &newName,
            sizeof newName
            );
    // fails with 0xC0000003, STATUS_INVALID_INFO_CLASS
    printf("status: %x\n", status);

    // pause to observe the new "zombie child" in Process Explorer
    printf("sleeping...\n");
    Sleep(5000);
    
    return 0;
}

As noted in the code, NtSetInformationProcess fails with STATUS_INVALID_INFO_CLASS, even though this is allowed by the corresponding NtQueryInformationProcess:

https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess

Looking at the ReactOS source, this seems to be a deliberate omission. I also found this:

https://reactos.org/pipermail/ros-diffs/2004-November/002066.html

As of this writing, the above reads "don't allow the ProcessImageFileName information class for NtSetInformationProcess() anymore".

All this suggests it may have been possible in the past. After all, how was exec() in the old POSIX subsystem implemented? After fork() created an initial thread in the new process and set the thread's context to be a copy of the parent's, the child might then call exec(), whereupon the POSIX implementation probably destroyed and re-created the child process from within. At some point, the subsystem would have to set the ProcessImageFileName somehow.

answered on Stack Overflow Jan 26, 2021 by

Leif Strand

User contributions licensed under CC BY-SA 3.0