Can There be a Process WITHOUT an Executable-Backed Image?

After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!

Does this mean that we can have processes that are not backed by executable images? If so, what could they be (or are they) used for potentially? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running? That would seem like a really useful feature.

asked Mar 18 '11 01:03

user541686
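The question above asks whether a process can keep running after its executable has been deleted from disk. As an added example (not code from the question or either answer), the following Python script shows how a defender detects exactly that situation on Linux, where the kernel does allow an unlinked executable to keep running and marks the fact in `/proc`: the `readlink()` target of `/proc/<pid>/exe` and the path column of `/proc/<pid>/maps` both gain a ` (deleted)` suffix. (On Windows the main image is mapped as an image section and the file normally cannot be deleted while mapped, which is why the thread's answers resort to drivers or host processes.) The `/proc` layout and suffix are real kernel behaviour; the PID 4242, the path `/tmp/dropper` and the sample `maps` text are constructed for the demonstration.

```python
"""Detect running processes whose backing executable has been deleted (Linux).

Added example, not part of the original question or answers. Two signals are
checked per process:
  1. /proc/<pid>/exe points at a path ending in " (deleted)".
  2. /proc/<pid>/maps contains an executable (x) file mapping whose file
     ends in " (deleted)" (catches deleted shared objects and memfd-backed
     code as well as the main image).
Constructed sample data lets the parsing logic run without a live deleted
binary or root privileges.
"""
import os
import re
from dataclasses import dataclass, field

DELETED_SUFFIX = " (deleted)"

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
# The pathname may contain spaces (the " (deleted)" marker itself does).
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Finding:
    pid: int
    exe: str                      # image path with the suffix stripped
    exe_deleted: bool             # signal 1
    deleted_exec_maps: list = field(default_factory=list)  # signal 2


def exe_is_deleted(exe_target: str) -> bool:
    """True when the readlink() target of /proc/<pid>/exe ends in ' (deleted)'."""
    return exe_target.endswith(DELETED_SUFFIX)


def deleted_executable_mappings(maps_text: str) -> list:
    """Return file paths of executable mappings whose backing file was deleted."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "x" in m.group("perms") and path.endswith(DELETED_SUFFIX):
            hits.append(path[: -len(DELETED_SUFFIX)])
    return hits


def assess(pid: int, exe_target: str, maps_text: str):
    """Combine both signals; return a Finding, or None if nothing is suspicious."""
    deleted = exe_is_deleted(exe_target)
    maps = deleted_executable_mappings(maps_text)
    if not deleted and not maps:
        return None
    exe = exe_target[: -len(DELETED_SUFFIX)] if deleted else exe_target
    return Finding(pid, exe, deleted, maps)


def scan_proc(proc_root: str = "/proc") -> list:
    """Live scan: assess every process under proc_root that we may read."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe_target = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/maps") as fh:
                maps_text = fh.read()
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        finding = assess(pid, exe_target, maps_text)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: what /proc/4242 could look like after `rm /tmp/dropper`
# while the program is still running. Not captured from a real system.
SAMPLE_PID = 4242
SAMPLE_EXE = "/tmp/dropper (deleted)"
SAMPLE_MAPS = """\
55d0c0400000-55d0c0401000 r--p 00000000 fd:01 1234 /tmp/dropper (deleted)
55d0c0401000-55d0c0402000 r-xp 00001000 fd:01 1234 /tmp/dropper (deleted)
7f2a4c000000-7f2a4c022000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd3a9f0000-7ffd3aa11000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_PID, SAMPLE_EXE, SAMPLE_MAPS))
    for f in scan_proc():
        print(f"pid {f.pid}: image {f.exe!r} deleted={f.exe_deleted} "
              f"deleted exec mappings={f.deleted_exec_maps}")
```

Running it as root gives a complete picture; as an unprivileged user only your own processes are readable and the rest are skipped. A hit is not proof of malice: package upgrades that replace a library under a long-running daemon produce the same ` (deleted)` marker on the mapping, so the finding is a triage lead to be correlated with the file's origin, not an alert on its own.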


2 Answers

If section (file mapping in win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic, it is undocumented and does not register with the win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be ok)

On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.

Other options:

  • Use a driver, they can be deleted after they have been loaded (The sysinternal tools do this)
  • Use a host process; start explorer.exe, cmd.exe or rundll32.exe suspended and use CreateRemoteThread+injected code (This of course means there is an exe file on disk, but none of your code is in it)

answered Sep 28 '22 09:09

Anders


I just tried to create a process with a non-image-backed Section object myself. :)

The result?

NtCreateProcess returned:

STATUS_SECTION_NOT_IMAGE
// An attempt was made to query image information on a section which
// does not map an image.

So apparently every process needs to be image-backed (assuming you don't hack the kernel to do otherwise).

answered Sep 28 '22 07:09

user541686