Far jump in ntdll.dll's internal ZwCreateUserProcess

I'm trying to understand how the Windows API creates processes so I can create a program to determine where invalid exes fail. I have a program that calls kernel32.CreateProcessA. Following along in OllyDbg, this calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function goes:

mov eax, 0xAA                 ; system service number for this call
xor ecx, ecx                  ; ecx = 0
lea edx, dword ptr [esp+4]    ; edx = pointer to the call's arguments on the stack
call dword ptr fs:[0xC0]      ; indirect call through the pointer stored at TEB offset 0xC0
add esp, 4                    ; discard one dword from the stack
retn 0x2C                     ; return, popping 0x2C bytes of arguments

So I follow the call to fs:[0xC0], which contains a single instruction:

jmp far 0x33:0x74BE271E

But when I step this instruction, Olly just comes back to ntdll.ZwCreateUserProcess at the add esp, 4 right after the call (which is not at 0x74BE271E). I put a breakpoint at retn 0x2C, and I find that the new process was somehow created during the execution of add esp, 4.

So I'm assuming there's some magic involved in the far jump. I tried to change the CS register to 0x33 and EIP to 0x74BE271E instead of actually executing the far jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to delve deeper beyond the abstraction of this ZwCreateUserProcess to figure out how exactly Windows creates processes.

asked Dec 02 '12 by jcai

2 Answers

jmp far 0x33:0x74BE271E

That jump is entering the kernel. 0x33 is a special segment selector that points to some kind of x86 gate; this triggers a context switch into the kernel.

answered Sep 28 '22 by ninjalj


Actually, that jump does not enter the kernel but switches to the x64 usermode subsystem of WoW64 (Win32 on Win64).

The selector 33h is a special selector that covers the 4GB memory space but is set to x64 mode. The jump goes to the 64-bit (but still usermode) part of wow64cpu.dll, which converts 32-bit API parameters to 64-bit ones and calls the API in 64-bit ntdll.dll (yes, you have two of them in a WoW64 process). That ntdll, in turn, calls the real system call, which goes to the kernel.

Here are a few links that describe the mechanism in more detail. You can also find more by searching for the term "heaven's gate".

http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/

http://wasntnate.com/2012/04/heavens-gate-64-bit-code-in-32-bit-file/

answered Sep 28 '22 by Igor Skochinsky
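To make the two pieces of the thread concrete (the 32-bit stub in the question and the far jump the answers explain), here is an added example that is not code from the original thread. It decodes both from raw bytes: the stub pattern `mov eax,imm32 / xor ecx,ecx / lea edx,[esp+4] / call fs:[imm32] / add esp,4 / retn imm16` and the 7-byte `jmp far ptr16:32` (opcode EA). The byte arrays are constructed from the standard encodings of the instructions the question lists; the naming of selector 0x23 as the 32-bit compatibility-mode code segment comes from the Windows x64 GDT layout and is not on the page. Nothing here touches a live process, so it runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded "jmp far ptr16:32": opcode EA, 4-byte offset, then 2-byte selector. */
struct far_jmp {
    uint16_t selector;
    uint32_t offset;
};

/* Decoded WoW64 system-call stub of the shape shown in the question. */
struct wow64_stub {
    uint32_t service_number;  /* immediate loaded into EAX */
    uint32_t teb_offset;      /* fs:[offset] the stub calls through (0xC0 in the question) */
    uint16_t stack_cleanup;   /* bytes popped by retn */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 1 and fills *out if buf starts with EA imm32 imm16, else 0. */
int decode_far_jmp(const uint8_t *buf, size_t len, struct far_jmp *out) {
    if (len < 7 || buf[0] != 0xEA) return 0;
    out->offset = rd32(buf + 1);
    out->selector = rd16(buf + 5);
    return 1;
}

/* Names the user-mode code selectors of the Windows x64 GDT; NULL if unknown. */
const char *describe_selector(uint16_t sel) {
    switch (sel) {
    case 0x33: return "64-bit code segment (long mode)";
    case 0x23: return "32-bit code segment (compatibility mode)";
    default:   return NULL;
    }
}

/* Returns 1 and fills *out if buf holds the six-instruction stub, else 0. */
int decode_wow64_stub(const uint8_t *buf, size_t len, struct wow64_stub *out) {
    static const uint8_t lea_edx[] = {0x8D, 0x54, 0x24, 0x04};   /* lea edx,[esp+4] */
    static const uint8_t call_fs[] = {0x64, 0xFF, 0x15};         /* call dword ptr fs:[imm32] */
    static const uint8_t add_esp[] = {0x83, 0xC4, 0x04};         /* add esp,4 */
    size_t i = 0;
    if (len < 24 || buf[i] != 0xB8) return 0;                    /* mov eax,imm32 */
    out->service_number = rd32(buf + i + 1); i += 5;
    if ((buf[i] != 0x33 && buf[i] != 0x31) || buf[i + 1] != 0xC9) return 0; /* xor ecx,ecx */
    i += 2;
    if (memcmp(buf + i, lea_edx, 4)) return 0; i += 4;
    if (memcmp(buf + i, call_fs, 3)) return 0; i += 3;
    out->teb_offset = rd32(buf + i); i += 4;
    if (memcmp(buf + i, add_esp, 3)) return 0; i += 3;
    if (buf[i] != 0xC2) return 0;                                /* retn imm16 */
    out->stack_cleanup = rd16(buf + i + 1);
    return 1;
}

/* Constructed sample: the stub from the question, assembled by hand. */
const uint8_t sample_stub[] = {
    0xB8, 0xAA, 0x00, 0x00, 0x00,              /* mov eax, 0xAA */
    0x33, 0xC9,                                /* xor ecx, ecx */
    0x8D, 0x54, 0x24, 0x04,                    /* lea edx, [esp+4] */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00,  /* call dword ptr fs:[0xC0] */
    0x83, 0xC4, 0x04,                          /* add esp, 4 */
    0xC2, 0x2C, 0x00                           /* retn 0x2C */
};
/* Constructed sample: the single instruction found at fs:[0xC0]. */
const uint8_t sample_gate[] = { 0xEA, 0x1E, 0x27, 0xBE, 0x74, 0x33, 0x00 }; /* jmp far 0x33:0x74BE271E */

int main(void) {
    struct wow64_stub s;
    struct far_jmp j;
    if (decode_wow64_stub(sample_stub, sizeof sample_stub, &s))
        printf("stub: service 0x%X via fs:[0x%X], retn 0x%X\n",
               s.service_number, s.teb_offset, s.stack_cleanup);
    if (decode_far_jmp(sample_gate, sizeof sample_gate, &j)) {
        const char *d = describe_selector(j.selector);
        printf("gate: jmp far 0x%02X:0x%08X -> %s\n", j.selector, j.offset, d ? d : "unknown selector");
    }
    return 0;
}
```

The selector check is the part worth keeping in mind when single-stepping: a 32-bit debugger sees CS change from 0x23 to 0x33 only if it can follow the switch, which is why Olly lands back on the `add esp, 4` rather than at 0x74BE271E.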