ZwCreateProcessEx is a very good thing, although it is UNDOC. However, if you have carefully read the WIN2K SRC and have a good understanding of how PE loading works, you will find some interesting things.
This applies to all current NT kernel systems.
What can be used?
1. Create Vulnerabilities
2. Privilege Escalation
3. Use it to write viruses
4. Write various Trojans
5. Various ROOTKIT
But here I only want to briefly talk about the principle. I hope this is used only for discussion. Of course, this is not pure theory.
Here is a simple EXAMPLE.
In fact, if you have read the 2K SRC and analyzed PE loading, you will find that every process is created by a THREAD.
NtCreateThread has a very interesting parameter, ThreadContext. This is the key.
When any process is created, ThreadContext->Eax in the first call to NtCreateThread is the base address allocated to the process's memory. At this point the process has not even started loading, but the system has already allocated everything a normal process needs.
So we can use this address to allocate space for our code with ZwAllocateVirtualMemory and write our SHELLCODE into it; my example just opens a MessageBox and displays a simple string.
But this does not prevent you from writing your virus code or a Trojan horse...
Maybe the first 100% Ring0 Virus or Ring0 Horse was born.
After that, you only need to modify the address in ThreadContext->Eax and the process loads smoothly. My SHELLCODE runs first, and this gadget consists of only one SYS, with nothing else added.
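From the defender's side, the observable consequence of the technique described above is that the first thread of a process starts from an address that is not the executable's own entry point (ImageBase + AddressOfEntryPoint) and usually lies outside the main image entirely, in memory obtained via ZwAllocateVirtualMemory. The following Python is an added example, not code from the original post: it parses the entry-point fields from a PE32 header and compares them with the start address observed for the initial thread. The PE header bytes are constructed inline, and the assumption (mine, not the post's) is that for an unmodified process the start register the post calls ThreadContext->Eax equals ImageBase + AddressOfEntryPoint.

```python
import struct

# Constructed sample values for the synthetic PE32 header built below.
IMAGE_BASE = 0x00400000
ENTRY_RVA = 0x1000
SIZE_OF_IMAGE = 0x5000


def build_sample_pe32_header(image_base=IMAGE_BASE, entry_rva=ENTRY_RVA,
                             size_of_image=SIZE_OF_IMAGE):
    """Build a minimal, constructed PE32 header: DOS header, 'PE\\0\\0',
    COFF file header and a 224-byte optional header with only the fields
    this check needs filled in."""
    hdr = bytearray(0x40 + 4 + 20 + 224)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x014C, 1)    # Machine = i386, 1 section
    struct.pack_into("<H", hdr, 0x44 + 16, 224)      # SizeOfOptionalHeader
    opt = 0x44 + 20                                  # optional header starts after COFF header
    struct.pack_into("<H", hdr, opt, 0x10B)          # Magic = PE32
    struct.pack_into("<I", hdr, opt + 16, entry_rva) # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)  # ImageBase
    struct.pack_into("<I", hdr, opt + 56, size_of_image)  # SizeOfImage
    return bytes(hdr)


def parse_pe32_entry(image):
    """Return (image_base, entry_rva, size_of_image) from a PE32 header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    return image_base, entry_rva, size_of_image


def classify_initial_thread(image_base, entry_rva, size_of_image, observed_start):
    """Compare the observed start address of a process's first thread with
    the entry point the executable declares.

    Assumption: for an unmodified process the start address equals
    ImageBase + AddressOfEntryPoint. A start address inside the image but
    elsewhere is suspicious; one outside the image altogether matches the
    redirection into separately allocated memory described in the post."""
    expected = image_base + entry_rva
    if observed_start == expected:
        return "ok"
    if image_base <= observed_start < image_base + size_of_image:
        return "suspicious: start inside image but not AddressOfEntryPoint"
    return "hijacked: start outside the main image"


def audit_process_start(image, observed_start):
    """Convenience wrapper: parse the header, then classify the observed start."""
    base, entry, size = parse_pe32_entry(image)
    return classify_initial_thread(base, entry, size, observed_start)


if __name__ == "__main__":
    hdr = build_sample_pe32_header()
    # Constructed observations: the declared entry point, and an address in a
    # separately allocated region such as the one the post's driver creates.
    for start in (IMAGE_BASE + ENTRY_RVA, 0x00130000):
        print(hex(start), "->", audit_process_start(hdr, start))
```

The same comparison can be made on a live system by reading the main module's PE header from the target process and taking the initial thread's start address from the debugger or from a kernel callback, which is exactly what the OD observation at the end of the post would show: a start address that no module on disk accounts for.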
The example below only proves that this theory can be put into practice; the driver does no further processing. It can be loaded and unloaded normally and has not been removed from the linked list, so you can terminate it with any driver management tool.
After the driver is loaded, my SHELLCODE is injected into any process you run.
PS: Forgive me for being vague. After all, I don't want a 100% Ring0 Virus or anything of the kind.
Command line: loader load (load), loader -u (unload)
If you attach to the opened process with OD at this point, you will find my SHELLCODE at the start of the process you attached to, as if it were born as part of this process; in fact, you cannot find it in the process file. Isn't it interesting?
You can also attach to any executable, including ICESWORD, Kabbah and nod32. Think about it: one day your anti-virus software or firewall is itself the Trojan or the virus source. It's so interesting.