I need to emulate the Windows process dispatcher.
When I create a process I need those processes to be a "child" (or "son") of the main process (the dispatcher).
How can I do that?
Greets and thanks.
The dispatcher will:
Ask for an exe to add into the dispatcher.
Then it will parse the import table and hook all APIs that make an I/O request, for example "WriteFile".
The redirected import table will be in the dispatcher data area, and I need all open handles of the child process to be accessible through the dispatcher.
Imagine this situation.
In the import table of the "child" process there is the "WriteFile" API pointer; it points to the "WriteFile" "handler":
When the child process calls WriteFile it will jump to the dispatcher handler. I need to preserve all the registers, lock that process, resume another process, and then call the WriteFile API, but that call will be performed from the dispatcher. So I need all handles that the child process opens to be accessible in the dispatcher.
Any ideas?
Greets and thanks.
You can't really emulate CreateProcess. There isn't a (documented) way to create a "process" without using CreateProcess - this might be possible if you look at the NT native API, but I dunno.
An alternative way would be CreateProcess with the suspended flag, and fix up the executable image before ResumeThread. There's a bunch of things to keep in mind, though:
- the process is not suspended at the PE entrypoint, it's somewhere in DLL land
- the executable might be packed/whatever, so perhaps you can't hook the API directly
- GetProcAddress might need to be hooked
- take care of processes that do "manual import"
This topic is probably on the edge of what is allowed at this forum, but I can imagine quite legit uses for something like this. For instance, a sandbox system that disallows certain operations on untrusted programs.
Hi f0dder, thanks for the reply:
Quote: "An alternative way would be CreateProcess with the suspended flag, and fix up the executable image before ResumeThread."
That's exactly what I want to do.
The problem I have is:
When the child process calls WriteFile, I will hook the call, then I must suspend that process, resume another process, and make the real WriteFile call. But that real WriteFile call is from the dispatcher process (different from the child process), and Windows will note that the dispatcher process doesn't have that handle opened.
Greets and thanks.
The easiest way of handling this is probably to inject a DLL into the child process. And the easiest way of accomplishing this would be using NT, and VirtualAllocEx+CreateRemoteThread. On 9x, other strategies will have to be implemented - take a look at my site and my XCOM bugfix loader.
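The import-table walk the original poster describes, done from inside the child process as f0dder suggests (which is why the forwarded call still sees a valid handle), as an added example that is not from the thread. It lays out a small fake image by hand instead of loading a real PE, declares the import structures itself so it compiles without windows.h, and stands in for kernel32's WriteFile with a stub; every name, offset and function in it is constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* 32-bit PE import descriptor, declared by hand so this builds without windows.h. Thunk slots are
   pointer-sized (4 bytes in a real 32-bit image) so the fake IAT can hold host function pointers. */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
typedef int (*WriteFileFn)(void *h, const void *buf, uint32_t n);
#define ORDINAL_FLAG ((uintptr_t)1 << (8 * sizeof(uintptr_t) - 1))

/* Constructed image: a 4 KiB buffer; the RVAs are offsets from img[0], chosen by hand for this example. */
static uint8_t img[4096];
enum { RVA_IMPDIR = 0x100, RVA_DLLNAME = 0x200, RVA_INT = 0x300, RVA_IAT = 0x400, RVA_HN_READ = 0x500, RVA_HN_WRITE = 0x520 };
/* Stand-ins for the kernel32 exports the fake image imports. */
static int fake_ReadFile(void *h, const void *b, uint32_t n)  { (void)h; (void)b; return (int)n; }
static int fake_WriteFile(void *h, const void *b, uint32_t n) { (void)h; (void)b; return (int)n; }
static void build_image(void) {
    ImportDesc *d = (ImportDesc *)(img + RVA_IMPDIR);        /* one descriptor, then an all-zero terminator */
    d[0].OriginalFirstThunk = RVA_INT; d[0].Name = RVA_DLLNAME; d[0].FirstThunk = RVA_IAT;
    memset(&d[1], 0, sizeof d[1]);
    strcpy((char *)img + RVA_DLLNAME, "KERNEL32.dll");
    strcpy((char *)img + RVA_HN_READ + 2, "ReadFile");       /* a 2-byte hint precedes each imported name */
    strcpy((char *)img + RVA_HN_WRITE + 2, "WriteFile");
    uintptr_t *names = (uintptr_t *)(img + RVA_INT), *iat = (uintptr_t *)(img + RVA_IAT);
    names[0] = RVA_HN_READ;  iat[0] = (uintptr_t)fake_ReadFile;  /* IAT as the loader would have bound it */
    names[1] = RVA_HN_WRITE; iat[1] = (uintptr_t)fake_WriteFile;
    names[2] = 0;            iat[2] = 0;
}

/* Walk the import directory of the image at `base` and redirect the IAT slot for dll!fn to `hook`,
   handing back the original pointer in `orig`. Returns 1 if the import was found, 0 otherwise. */
int hook_import(uint8_t *base, uint32_t impdir_rva, const char *dll, const char *fn, uintptr_t hook, uintptr_t *orig) {
    for (ImportDesc *d = (ImportDesc *)(base + impdir_rva); d->Name; d++) {
        if (strcasecmp((const char *)base + d->Name, dll) != 0) continue;
        uintptr_t *names = (uintptr_t *)(base + d->OriginalFirstThunk), *iat = (uintptr_t *)(base + d->FirstThunk);
        for (size_t i = 0; names[i]; i++) {
            if (names[i] & ORDINAL_FLAG) continue;              /* imported by ordinal: no name to compare */
            if (strcmp((const char *)base + names[i] + 2, fn) == 0) { *orig = iat[i]; iat[i] = hook; return 1; }
        }
    }
    return 0;
}

/* The dispatcher's handler. Because it runs inside the hooked process, the handle it forwards is still valid. */
static uintptr_t g_origWriteFile; static int g_writes;
static int hook_WriteFile(void *h, const void *b, uint32_t n) { g_writes++; return ((WriteFileFn)g_origWriteFile)(h, b, n); }
int write_count(void) { return g_writes; }
/* Simulates compiled code in the child calling WriteFile through its IAT slot (an indirect call via the table). */
int child_calls_WriteFile(uint32_t n) { return ((WriteFileFn)((uintptr_t *)(img + RVA_IAT))[1])(NULL, "x", n); }
int install_hook(void) { build_image(); return hook_import(img, RVA_IMPDIR, "kernel32.dll", "WriteFile", (uintptr_t)hook_WriteFile, &g_origWriteFile); }
```

On a real image the same walk starts from the import directory entry in the optional header's data directory, and the slot write must be done after making the IAT page writable.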
Must be accomplished in Windows 9x.
Thanks for the replies and info.
The problem with the DLL is:
I must "create" the DLL at runtime, because the dispatcher must handle any exe, at any time. I don't know beforehand the number of processes to handle.
Greets.
"create" the DLL? Just leave it in your dispatcher dir and specify full path to LoadLibrary in the injected code. Or copy the DLL to the target program path and use a relative path in LoadLibrary.
Hi f0dder:
Quote: "the easiest way of accomplishing this would be using NT, and VirtualAllocEx+CreateRemoteThread. On 9x, other strategies will have to be implemented"
Where can I find examples of those strategies?
Greets and thanks.
Quoting myself:
- take a look at my site and my XCOM bugfix loader.
Also look at y0da's forcelibrary source here. His main site is http://sistemo.has.it/