Tags: windows, winapi, kernel, kernel-module, win32-process

Creating child process without getting memory rights to parent


I'm trying to create a child process without the parent getting PROCESS_VM_WRITE rights to it, this way:

Using a kernel driver with ObRegisterCallbacks, I remove PROCESS_VM_WRITE access when the parent tries to get a handle to the starting child process:

  1. In the parent process I use the CreateProcess function to start the child process, but it fails with an error saying I don't have the rights.

  2. I also tried to use RtlCreateUserProcess, and this succeeds, but as you may know the process is then running without a subsystem and doesn't work properly.

So for all these reasons I have three questions:

  1. Maybe it is possible to use some ntdll.dll function which will create the process properly without writing into the child's memory?

  2. Maybe it is possible to hook some Nt functions and elevate all write requests during process creation to my kernel driver? If yes, what functions do I need to hook? I hooked NtWriteVirtualMemory, but ntdll.dll checks access rights before calling it.

  3. Maybe it is possible to finish proper process creation myself after using RtlCreateUserProcess? If yes, what function do I need to use?

Not giving memory access to the parent process is very critical for me, as I need to protect the child's memory from all user-mode tricks. ObRegisterCallback is good for that, but the parent process (launcher) is a big hole.


Solution

  • Maybe it is possible to hook some Nt functions and elevate all write requests during process creation to my kernel driver? If yes, what functions do I need to hook? I hooked NtWriteVirtualMemory, but ntdll.dll checks access rights before calling it.

    Yes, that's all you need to do. Hook NtWriteVirtualMemory, which is called from CreateProcessInternalW. This avoids STATUS_ACCESS_DENIED, and in this case everything will work.

    ntdll.dll checks access rights before calling it

    You're mistaken - nothing like this happens.

    In your ObjectPreCallback, are you checking that the request is from your parent process and removing PROCESS_VM_WRITE only if it is? During process creation CsrClientCallServer is called, and as a result csrss.exe also opens the child process. Are you sure you're not removing PROCESS_VM_WRITE there as well?

    Of course it's also possible to use RtlCreateUserProcess, but in that case you will need to connect to csrss yourself and use undocumented and probably unstable interfaces. I think this is not the best way, but it is possible.

    And no, there isn't another ntdll API for creating processes with csrss connected.
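As an added example (not code from the question or the answer), here is the handle-access filtering the answer asks about, for both the question's ObRegisterCallbacks setup and the answer's csrss.exe caveat: the decision is kept in a host-testable policy function that strips PROCESS_VM_WRITE only when the launcher opens the protected child, so csrss.exe and kernel-mode requesters keep full access; the ObRegisterCallbacks glue is compiled only under a WDK build. The `_KERNEL_MODE` guard, the `g_policy` globals and the PIDs used are assumptions (a real driver would fill the policy from a create-process notify routine).

```c
/* Access-mask policy for an ObRegisterCallbacks process pre-operation callback.
 * Only the launcher (parent) loses PROCESS_VM_WRITE on the protected child;
 * every other requester (csrss.exe included) and all kernel handles pass through. */
#include <stdint.h>
#include <stdbool.h>

#define PROCESS_VM_WRITE_MASK 0x0020u   /* PROCESS_VM_WRITE from winnt.h */

typedef struct {
    uint32_t launcher_pid;    /* parent/launcher process id (assumed tracked elsewhere) */
    uint32_t protected_pid;   /* child process whose memory is being protected */
} protect_policy_t;

/* Returns the access mask that should actually be granted.
 * kernel_handle: request originates in kernel mode and is never modified.
 * requester_pid: the process asking for the handle.
 * target_pid:    the process the handle refers to. */
uint32_t filter_process_access(const protect_policy_t *p, bool kernel_handle,
                               uint32_t requester_pid, uint32_t target_pid,
                               uint32_t desired)
{
    if (kernel_handle)                    return desired;  /* kernel requests untouched */
    if (target_pid != p->protected_pid)   return desired;  /* not the protected child */
    if (requester_pid != p->launcher_pid) return desired;  /* csrss.exe, others: untouched */
    return desired & ~PROCESS_VM_WRITE_MASK;               /* launcher: drop write access only */
}

#ifdef _KERNEL_MODE   /* assumed guard: the glue below needs a WDK driver build */
#include <ntddk.h>
static protect_policy_t g_policy;   /* assumed to be filled by a create-process notify routine */

OB_PREOP_CALLBACK_STATUS PreOpCallback(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    UNREFERENCED_PARAMETER(ctx);
    if (info->ObjectType != *PsProcessType) return OB_PREOP_SUCCESS;   /* processes only */
    uint32_t target = (uint32_t)(ULONG_PTR)PsGetProcessId((PEPROCESS)info->Object);
    uint32_t requester;
    ACCESS_MASK *da;
    if (info->Operation == OB_OPERATION_HANDLE_CREATE) {
        requester = (uint32_t)(ULONG_PTR)PsGetCurrentProcessId();   /* caller of OpenProcess/CreateProcess */
        da = &info->Parameters->CreateHandleInformation.DesiredAccess;
    } else {   /* duplication: the process receiving the new handle is the requester */
        requester = (uint32_t)(ULONG_PTR)PsGetProcessId(
            (PEPROCESS)info->Parameters->DuplicateHandleInformation.TargetProcess);
        da = &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    }
    *da = filter_process_access(&g_policy, info->KernelHandle != 0, requester, target, *da);
    return OB_PREOP_SUCCESS;
}
#endif
```

Note that, as the answer says, the launcher's own CreateProcess still fails with this filter alone; the answer's NtWriteVirtualMemory hook is what lets the parent's process-creation writes through.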