I have hooked NtCreateProcess but there is something extremely strange.
In the documentation for this API we find

    NtCreateProcess(
        OUT PHANDLE ProcessHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
        IN HANDLE ParentProcess,
        IN BOOLEAN InheritObjectTable,
        IN HANDLE SectionHandle OPTIONAL,
        IN HANDLE DebugPort OPTIONAL,
        IN HANDLE ExceptionPort OPTIONAL );

However, ObjectAttributes is optional. This is strange: how will the
kernel know which process we want if it doesn't have its name?
Or, in other words, how do I obtain the process name when
ObjectAttributes is NULL?
Thanks

Re: Question about NtCreateProcess by Skywing

Skywing
Thu Oct 13 20:56:47 CDT 2005

The "process name" as conventionally referred to is not the name specified
in the object attributes structure, but the filename of the primary image
section (referenced by SectionHandle, or the inherit-from process's primary
image section if this is a fork).

Re: Question about NtCreateProcess by Don

Don
Fri Oct 14 07:50:15 CDT 2005

First, hooking this is extremely stupid. Doing any hooking is likely to
cause system crashes. It is also not going to work on a 64-bit system.

Second, the executable image is not designated as part of this call; it will
be done many steps later in the setup of the process. If you want to
monitor process creation, use a combination of
PsSetProcessCreateNotifyRoutine and PsSetLoadImageNotifyRoutine to achieve
the results in an approved manner.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Re: Question about NtCreateProcess by Maxim

Maxim
Tue Oct 18 18:24:11 CDT 2005

Process objects are nameless. The EXE name is not an Ob's object name; it
is obtained via other means and is kept as an 8.3 ANSI string.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

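The three replies make points that any process-monitoring code has to respect: the process object carries no name of its own and the "name" comes from the file backing the image section (Skywing), that file is only known later in process setup and should be read through the documented callbacks rather than a syscall hook (Don), and the kernel keeps only a short ANSI copy of it (Maxim). The following is an added example written for this page, not code from any of the posters. The portable part models how the short name is cut from an NT path and shows why two long image names can collide in it, which is why a detection rule should key on the full path. The part under BUILD_AS_DRIVER (a macro assumed here, to be defined when compiling with the WDK) registers the documented callbacks, PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine (the documented spellings of the routines Don names), and logs the full image path. The 16-byte size of EPROCESS.ImageFileName is taken from public symbols and is an assumption of this example, not something the thread states.

```c
/* Added example for this thread, not code from any poster.
 * Part 1 (portable): how the kernel's short process name is derived from the
 *   image section's backing file: last path component, cut to fit
 *   EPROCESS.ImageFileName (assumed 16 bytes, from public symbols).
 * Part 2 (BUILD_AS_DRIVER, macro assumed here): the documented callbacks that
 *   report process creation and the full image path. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHORT_NAME_CAP 16   /* 15 characters plus terminator */

/* Final component of an NT path, e.g. \Device\HarddiskVolume1\...\notepad.exe */
static const char *nt_path_leaf(const char *path)
{
    const char *leaf = path;
    const char *p;
    for (p = path; *p != '\0'; ++p)
        if (*p == '\\')
            leaf = p + 1;
    return leaf;
}

/* Fill the fixed-size short-name buffer: truncated, always NUL-terminated. */
static void short_image_name(const char *nt_path, char out[SHORT_NAME_CAP])
{
    const char *leaf = nt_path_leaf(nt_path);
    size_t n = strlen(leaf);
    if (n > SHORT_NAME_CAP - 1)
        n = SHORT_NAME_CAP - 1;
    memcpy(out, leaf, n);
    out[n] = '\0';
}

/* Two different executables with identical short names cannot be told apart
 * by a rule that keys on the short name; returns 1 when they collide. */
static int short_names_collide(const char *path_a, const char *path_b)
{
    char a[SHORT_NAME_CAP], b[SHORT_NAME_CAP];
    short_image_name(path_a, a);
    short_image_name(path_b, b);
    return strcmp(a, b) == 0;
}

#ifndef BUILD_AS_DRIVER
int main(void)
{
    /* Constructed sample paths in the form the image-load callback reports. */
    const char *srv = "\\Device\\HarddiskVolume1\\Tools\\MyApplicationServer.exe";
    const char *svc = "\\Device\\HarddiskVolume1\\Tools\\MyApplicationService.exe";
    char name[SHORT_NAME_CAP];
    short_image_name(srv, name);
    printf("short name of %s -> \"%s\"\n", nt_path_leaf(srv), name);
    printf("collides with %s: %s\n", nt_path_leaf(svc),
           short_names_collide(srv, svc) ? "yes" : "no");
    return 0;
}
#else
#include <ntddk.h>

/* Create/exit notification: only the PIDs are available here; as Don says,
 * the executable is not yet known at this point. */
static VOID CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    DbgPrint("process %s pid=%p parent=%p\n",
             Create ? "create" : "exit", ProcessId, ParentId);
}

/* Image-load notification: the primary executable and every DLL mapped into
 * the process arrive here with the full path the short name is cut from. */
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId,
                            PIMAGE_INFO ImageInfo)
{
    if (ImageInfo->SystemModeImage || FullImageName == NULL)
        return;   /* driver images, or no path available */
    DbgPrint("image pid=%p %wZ base=%p\n", ProcessId, FullImageName,
             ImageInfo->ImageBase);
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
    PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
    if (!NT_SUCCESS(status))
        return status;
    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(status))
        PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
    return status;
}
#endif
```

Built as a plain user-mode program the block prints the truncated name and the collision; built with BUILD_AS_DRIVER under the WDK it registers the two callbacks, and the create callback is matched against the image-load callback by ProcessId to attach the full path to the new process instead of the short name.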