Hi All,

I need to run a command line application with a parameter from my filesystem
filter driver. If you can give me some idea I will appreciate it, even if it
is complicated.

Thanks

Re: running app from driver by Don

Don
Wed Aug 18 17:14:43 CDT 2004

You are going to have to have a helper service to do this; there is no
practical way to start a program from kernel mode. In general trying to
run a program is a bad idea; consider a service to do the work if you need
to go to user space at all. Now think about a number of things,
particularly if you try to run a program:

1. You can't start this program until Win32 is up, this is long after
your filter driver has started.
2. You have to be careful how you do things since there is a good
chance the application will cause I/O through the filter.
3. You have to remember that you shouldn't expect user interaction from
the program, since you cannot be sure that there will be a desktop to run
the program.
4. Think about how you are going to run the program, there can be
multiple sessions with their own desktop, and depending on what the program
does you will want to run it in the context of a particular user which is
going to require things like storing passwords for everybody!

I've seen this asked multiple times, but most of the time the results
are a disaster.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


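The helper-service design Don recommends, as an added example that is not code from this thread or from any of its posters: a user-mode service receives a fixed-layout launch request from the driver (the record layout, the function names and the sample values are assumptions for illustration), rejects anything malformed before acting on it, quotes the path and parameter according to the Windows command-line parsing rules so the parameter cannot be split into extra arguments, and, only when built on Windows, hands the result to CreateProcessA with CREATE_NO_WINDOW so nothing depends on a desktop being present (Don's point 3). Running the program as a particular user, Don's point 4, would need a token and CreateProcessAsUser, which this example deliberately leaves out; everything except the final call compiles and runs anywhere.

```c
/* Added example, not code from the thread: request validation and command-line
 * construction for a user-mode helper service that launches programs for a
 * filter driver. The record layout and all names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define LAUNCH_REQ_VERSION 1u
#define MAX_EXE_PATH 260
#define MAX_ARGUMENT 512
#define MAX_CMDLINE (2 * (MAX_EXE_PATH + MAX_ARGUMENT) + 8)

/* Fixed-size record the driver fills in and the service reads back (assumed
 * layout; both sides must be built against the same definition). */
typedef struct {
    unsigned version;
    char exe_path[MAX_EXE_PATH]; /* absolute "X:\..." path, NUL-terminated */
    char argument[MAX_ARGUMENT]; /* the single parameter, NUL-terminated */
} launch_request_t;

static bool printable(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return false;
    return true;
}

/* NULL when the request is acceptable, otherwise a short reason. A SYSTEM
 * service checks what it is asked to run even though the driver is trusted;
 * the path must be drive-absolute so PATH and the current directory are never searched. */
const char *validate_request(const launch_request_t *req, size_t len)
{
    if (len < sizeof *req) return "short buffer";
    if (req->version != LAUNCH_REQ_VERSION) return "bad version";
    if (!memchr(req->exe_path, '\0', sizeof req->exe_path) ||
        !memchr(req->argument, '\0', sizeof req->argument)) return "not terminated";
    if (strlen(req->exe_path) < 4 || !isalpha((unsigned char)req->exe_path[0]) ||
        req->exe_path[1] != ':' || req->exe_path[2] != '\\') return "relative path";
    if (!printable(req->exe_path) || !printable(req->argument)) return "control character";
    return NULL;
}

static bool put(char *out, size_t cap, size_t *pos, char c)
{   /* always leaves room for the terminating NUL */
    if (*pos + 1 >= cap) return false;
    out[(*pos)++] = c;
    return true;
}

/* Quote one token the way CommandLineToArgvW and the CRT parse it: a backslash
 * is literal unless it precedes a quote, so those runs and trailing runs are doubled. */
static bool append_quoted(const char *s, char *out, size_t cap, size_t *pos)
{
    if (!put(out, cap, pos, '"')) return false;
    for (const char *p = s;; p++) {
        size_t bs = 0;
        while (*p == '\\') { bs++; p++; }
        size_t emit = (*p == '\0') ? bs * 2 : (*p == '"') ? bs * 2 + 1 : bs;
        for (size_t i = 0; i < emit; i++)
            if (!put(out, cap, pos, '\\')) return false;
        if (*p == '\0') break;
        if (!put(out, cap, pos, *p)) return false;
    }
    return put(out, cap, pos, '"');
}

/* Builds "<path>" "<argument>"; returns its length, or -1 if it does not fit. */
int build_command_line(const launch_request_t *req, char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0 || !append_quoted(req->exe_path, out, cap, &pos)) return -1;
    if (req->argument[0] && (!put(out, cap, &pos, ' ') ||
                             !append_quoted(req->argument, out, cap, &pos))) return -1;
    out[pos] = '\0';
    return (int)pos;
}

#ifdef _WIN32
/* Service-side launch: executable named explicitly, no console window, nothing that
 * needs a desktop. Returns the child's PID, or 0 on rejection or failure. */
DWORD launch_request(const launch_request_t *req)
{
    char cmdline[MAX_CMDLINE]; /* CreateProcess may modify this buffer */
    if (validate_request(req, sizeof *req) || build_command_line(req, cmdline, sizeof cmdline) < 0)
        return 0;
    STARTUPINFOA si = { .cb = sizeof si };
    PROCESS_INFORMATION pi;
    if (!CreateProcessA(req->exe_path, cmdline, NULL, NULL, FALSE, CREATE_NO_WINDOW,
                        NULL, NULL, &si, &pi)) return 0;
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return pi.dwProcessId;
}
#endif
int main(void)
{
    launch_request_t req = { .version = LAUNCH_REQ_VERSION }; /* constructed sample */
    char cmd[MAX_CMDLINE];
    strcpy(req.exe_path, "C:\\Tools\\report.exe"); strcpy(req.argument, "say \"hi\"");
    if (!validate_request(&req, sizeof req) && build_command_line(&req, cmd, sizeof cmd) > 0)
        printf("%s\n", cmd);
    return 0;
}
```

The service would call launch_request on each record the driver hands it (for instance via an inverted-call IOCTL the service keeps pending); the driver side only fills in the record and never touches process creation. Passing the executable in lpApplicationName rather than letting CreateProcess parse it out of the command line, and quoting the parameter with the doubled-backslash rule, are what keep a request such as `say "hi"` from turning into two arguments or a different program.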


Re: running app from driver by needhelp

needhelp
Thu Aug 19 08:41:03 CDT 2004

Thanks Don for all the information, but I am trying to do this as a lab project
and I am doing it only for the XP OS, and I am OK with using undocumented fn's like
ZwCreateProcess() as it is only for lab purposes, just to prove some concept.
So it will be very kind of you to tell me some info on how to implement it.

Thanks
Ashish



Re: running app from driver by Don

Don
Thu Aug 19 09:09:20 CDT 2004

ZwCreateProcess creates a process in kernel mode; you then just have to use
a ton of undocumented and documented calls to map in all the pieces and
initiate the process. Basically, create a service to do this, since any
other way is madness. You should note that even with XP you can, with SP2,
have two desktops or zero desktops, so if this is anything other than your
lab environment you have to think of this. Also, you still have the problems
of either hard coding the LogonUser parameters, or otherwise the things
needed for CreateProcessAsUser.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply




Re: running app from driver by needhelp

needhelp
Thu Aug 19 15:33:02 CDT 2004

Thanks Don, I have a lot of time on my hands so I will just try for fun.
Do I have to do anything besides the following:
NtCreateFile()
NtCreateSection()
NtCreateProcess()
NtCreateThread()
PEB values using WriteProcessMemory()
LdrpInitializeProcess()




Re: running app from driver by Peter

Peter
Thu Aug 19 15:38:09 CDT 2004

You may have to figure out how you tell the Win32 subsystem that there's a
new Win32 process (depending on how much of Win32 you need to use).

-p

--
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: running app from driver by Don

Don
Thu Aug 19 15:40:13 CDT 2004

Oh, yeah, this is just a start; if you do successfully do this, consider
publishing an article. I know of someone who wasted over 6 months trying to
do this, and in the end found they couldn't run shit.

As I have said before, use a service. ATTEMPTING TO BE ABLE TO INVOKE A
PROGRAM FROM THE KERNEL WITHOUT USER SPACE ASSISTANCE IS THE HEIGHT OF
STUPIDITY.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

