Far jump in ntdll.dll's internal ZwCreateUserProcess

Posted by user49164 on Stack Overflow
Published on 2012-12-02T18:33:20Z Indexed on 2012/12/03 17:04 UTC

I'm trying to understand how the Windows API creates processes so I can create a program to determine where invalid exes fail. I have a program that calls kernel32.CreateProcessA. Following along in OllyDbg, this calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function goes:

mov eax, 0xAA
xor ecx, ecx
lea edx, dword ptr [esp+4]
call dword ptr fs:[0xC0]
add esp, 4
retn 0x2C

So I follow the call to fs:[0xC0], which contains a single instruction:

jmp far 0x33:0x74BE271E

But when I step this instruction, Olly just comes back to ntdll.ZwCreateUserProcess at the add esp, 4 right after the call (which is not at 0x74BE271E). I put a breakpoint at retn 0x2C, and I find that the new process was somehow created during the execution of add esp, 4.

So I'm assuming there's some magic involved in the far jump. I tried to change the CS register to 0x33 and EIP to 0x74BE271E instead of actually executing the far jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to delve deeper beyond the abstraction of this ZwCreateUserProcess to figure out how exactly Windows creates processes.
