Far jump in ntdll.dll's internal ZwCreateUserProcess
Posted by user49164 on Stack Overflow
Published on 2012-12-02T18:33:20Z
I'm trying to understand how the Windows API creates processes so I can create a program to determine where invalid exes fail. I have a program that calls kernel32.CreateProcessA. Following along in OllyDbg, this calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function goes:

    mov eax, 0xAA
    xor ecx, ecx
    lea edx, dword ptr [esp+4]
    call dword ptr fs:[0xC0]
    add esp, 4
    retn 0x2C

So I follow the call to fs:[0xC0], which contains a single instruction:

    jmp far 0x33:0x74BE271E

But when I step this instruction, Olly just comes back to ntdll.ZwCreateUserProcess at the add esp, 4 right after the call (which is not at 0x74BE271E). I put a breakpoint at retn 0x2C, and I find that the new process was somehow created during the execution of add esp, 4.

So I'm assuming there's some magic involved in the far jump. I tried to change the CS register to 0x33 and EIP to 0x74BE271E instead of actually executing the far jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to delve deeper beyond the abstraction of this ZwCreateUserProcess to figure out how exactly Windows creates processes.
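As an added example, not code from the post or from any answer to it, the following Python decodes the two byte sequences the question describes. It matches the six-instruction ntdll stub byte by byte to recover the syscall number (0xAA), the fs: offset it calls through (0xC0) and the retn operand (0x2C), and it decodes the 7-byte far jump (opcode EA, 32-bit offset, 16-bit selector), splitting selector 0x33 into descriptor index, table and requested privilege level. The byte encodings are assumed: they are reconstructed from the disassembly shown, not dumped from ntdll, and the hooked copy is constructed. Context the post does not state but which is well established: on 64-bit Windows a 32-bit process runs under WoW64, fs:[0xC0] in the TEB holds the WoW64 transition pointer, and a far jump to selector 0x33 switches the CPU into the 64-bit code segment, where the real system call is issued before a far jump back to the 32-bit segment; a 32-bit debugger cannot single-step through that mode switch, which is why the work appears to happen "during" the instruction after the call. The same stub matcher is the check a defender uses to confirm that ntdll's syscall stubs have not been overwritten by an inline hook.

```python
import struct

# Constructed from the instruction listing in the post. The byte encoding is
# assumed: it is one valid encoding of those instructions, not a dump of ntdll.
ZW_CREATE_USER_PROCESS_STUB = bytes([
    0xB8, 0xAA, 0x00, 0x00, 0x00,              # mov eax, 0xAA          (syscall number)
    0x33, 0xC9,                                # xor ecx, ecx
    0x8D, 0x54, 0x24, 0x04,                    # lea edx, [esp+4]       (argument pointer)
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00,  # call dword ptr fs:[0xC0]
    0x83, 0xC4, 0x04,                          # add esp, 4
    0xC2, 0x2C, 0x00,                          # retn 0x2C
])

# Constructed: the far jump the post finds at fs:[0xC0] (jmp far 0x33:0x74BE271E),
# encoded as EA <offset32> <selector16>.
FAR_JUMP_AT_FS_C0 = bytes([0xEA, 0x1E, 0x27, 0xBE, 0x74, 0x33, 0x00])

# Constructed: the same stub with its first five bytes replaced by a relative
# jmp (E9), the shape a user-mode inline hook leaves behind.
HOOKED_STUB = b"\xE9\x00\x10\x00\x00" + ZW_CREATE_USER_PROCESS_STUB[5:]


def parse_wow64_stub(code):
    """Match the six-instruction WoW64 syscall stub shown in the post and return
    its syscall number, the fs: offset it calls through, and the retn operand.
    Returns None if any instruction does not match (stub patched or hooked)."""
    if len(code) < 24 or code[0] != 0xB8:                 # mov eax, imm32
        return None
    syscall_number = struct.unpack_from("<I", code, 1)[0]
    if code[5:7] not in (b"\x33\xC9", b"\x31\xC9"):       # xor ecx, ecx (either encoding)
        return None
    if code[7:11] != b"\x8D\x54\x24\x04":                 # lea edx, [esp+4]
        return None
    if code[11:14] != b"\x64\xFF\x15":                    # call dword ptr fs:[disp32]
        return None
    fs_offset = struct.unpack_from("<I", code, 14)[0]
    if code[18:21] != b"\x83\xC4\x04":                    # add esp, 4
        return None
    if code[21] != 0xC2:                                  # retn imm16
        return None
    ret_imm = struct.unpack_from("<H", code, 22)[0]
    return {"syscall": syscall_number, "fs_offset": fs_offset, "ret_imm": ret_imm}


def stub_is_intact(code):
    """True when the bytes still form the expected stub; a hook that overwrites
    the first bytes with a jmp makes this False."""
    return parse_wow64_stub(code) is not None


def decode_far_jmp(code):
    """Decode a 32-bit 'jmp ptr16:32' (opcode EA): returns (selector, offset)."""
    if len(code) < 7 or code[0] != 0xEA:
        raise ValueError("not a jmp ptr16:32")
    offset, selector = struct.unpack_from("<IH", code, 1)
    return selector, offset


def decode_selector(selector):
    """Split a segment selector into descriptor index, table (GDT/LDT) and RPL."""
    return {
        "index": selector >> 3,
        "table": "LDT" if (selector >> 2) & 1 else "GDT",
        "rpl": selector & 3,
    }


def describe(stub=ZW_CREATE_USER_PROCESS_STUB, far_jump=FAR_JUMP_AT_FS_C0):
    """Human-readable summary of what the two byte sequences encode."""
    parsed = parse_wow64_stub(stub)
    selector, offset = decode_far_jmp(far_jump)
    fields = decode_selector(selector)
    return (f"syscall 0x{parsed['syscall']:X} via fs:[0x{parsed['fs_offset']:X}], "
            f"callee cleans 0x{parsed['ret_imm']:X} bytes; "
            f"far jump to {selector:#x}:{offset:#010x} "
            f"(descriptor {fields['index']} in {fields['table']}, RPL {fields['rpl']})")


if __name__ == "__main__":
    print(describe())
    print("hooked copy intact?", stub_is_intact(HOOKED_STUB))
```

Running it prints the decoded stub and far jump, then reports that the constructed hooked copy no longer matches. Feeding it the first 24 bytes of a real stub read from a loaded ntdll is the practical use: a mismatch means something has rewritten the stub in that process.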