Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Far jump in ntdll.dll's internal ZwCreateUserProcess

Tags:

process

assembly

winapi

I'm trying to understand how the Windows API creates processes so I can create a program to determine where invalid exes fail. I have a program that calls kernel32.CreateProcessA. Following along in OllyDbg, this calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function goes:

mov eax, 0xAA
xor ecx, ecx
lea edx, dword ptr [esp+4]
call dword ptr fs:[0xC0]
add esp, 4
retn 0x2C

So I follow the call to fs:[0xC0], which contains a single instruction:

jmp far 0x33:0x74BE271E

But when I step this instruction, Olly just comes back to ntdll.ZwCreateUserProcess at the add esp, 4 right after the call (which is not at 0x74BE271E). I put a breakpoint at retn 0x2C, and I find that the new process was somehow created during the execution of add esp, 4.

So I'm assuming there's some magic involved in the far jump. I tried to change the CS register to 0x33 and EIP to 0x74BE271E instead of actually executing the far jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to delve deeper beyond the abstraction of this ZwCreateUserProcess to figure out how exactly Windows creates processes.

like image 390
jcai Avatar asked Dec 02 '12 18:12

jcai

2 Answers

jmp far 0x33:0x74BE271E`

That jump is entering the kernel. 0x33 is a special segment selector that points to some kind of x86 gate; this triggers a context switch into the kernel.

like image 88
ninjalj Avatar answered Sep 28 '22 10:09

ninjalj

Actually, that jump does not enter the kernel but switches to the x64 usermode subsystem of WoW64 (Win32 on Win64).

The selector 33h is a special selector that covers the 4GB memory space but is set to x64 mode. The jump goes to the 64-bit (but still usermode) part of wow64cpu.dll, which converts 32-bit API parameters to 64-bit ones and call the API in 64-bit ntdll.dll (yes, you have two of them in a WoW64 process). That ntdll, in turn, calls the real system call which goes to the kernel.

Here's a few links that describe the mechanism in more detail. You can also find more by searching for the term "heaven's gate".

http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/

http://wasntnate.com/2012/04/heavens-gate-64-bit-code-in-32-bit-file/

like image 29
Igor Skochinsky Avatar answered Sep 28 '22 10:09

Igor Skochinsky
Sign in to Comment

Related questions

How do you get CreateWindowEx() to create the window on a specific monitor?
how to handle click event in win32 API?
gethostbyname replacement for IPv6 addresses
Get OS in c++ win32 for all versions of win?
Disable CONTROL + ALT + DELETE and Windows(win) Key in Windows 7 using Win32 application [duplicate]
Why do I get a height and Width of 0?
Query thread (not process) processor affinity?
Loading dlls from path specified in SetdllDirectory in c#
Windows Update Agent pure win32 APIs
Delphi: How to use ShowWindow properly on external application [duplicate]
Use object method as WinApi WndProc callback [duplicate]
C++: converting WCHAR to LPCWSTR - real working example
C Windows API - close file handle before UnmapViewOfFile
What part of Windows 10 SDK do I need to install to get MakeAppx.exe?
How to call WinAPI function SetDllDirectory() in Delphi?
Making DrawText break a string
Can I use SetErrorMode in C# process?
Get current active Window title in C
Win32 application windows eventually stop painting on Windows 7
Zooming into a window based on the mouse position

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!