Can a process exist that is not backed by an executable image?

Posted 2024-10-23 20:06:58


After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!

Does this mean that we can have processes that are not backed by executable images? If so, what could they (or are they) potentially be used for? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running? That would seem like a really useful feature.


Answers (2)

巴黎夜雨 2024-10-30 20:06:58


If section (file mapping in win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic: it is undocumented and does not register with the win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be ok.)

On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.

Other options:

  • Use a driver; they can be deleted after they have been loaded (the Sysinternals tools do this).
  • Use a host process; start explorer.exe, cmd.exe or rundll32.exe suspended and use CreateRemoteThread + injected code (this of course means there is an exe file on disk, but none of your code is in it).
奈何桥上唱咆哮 2024-10-30 20:06:58


I just tried to create a process with a non-image-backed Section object myself. :)

The result?

NtCreateProcess returned:

STATUS_SECTION_NOT_IMAGE
// An attempt was made to query image information on a section which
// does not map an image.

So apparently every process needs to be image-backed (assuming you don't hack the kernel to do otherwise).
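The experiment in this answer, and the NULL-section case described in the answer above, as an added example that is not part of the original thread: the program opens one PE file, creates a plain data section and a SEC_IMAGE section over the same bytes, and hands each of them (plus NULL) to NtCreateProcess, printing the NTSTATUS each call returns. The live probe is Windows-only and is guarded by _WIN32; the NTSTATUS-decoding and PE-header helpers are portable and are my additions, not part of any Windows API. Assumptions: ntdll exports NtCreateProcess with the usual eight-argument prototype, and notepad.exe exists at the path in `main`. The fake PE header is a constructed test input, not a loadable executable.

```c
/* Added example, not from the original thread: compare what NtCreateProcess
 * returns for a NULL section, a plain data section and a SEC_IMAGE section.
 * The live probe is Windows-only (guarded by _WIN32); the NTSTATUS and PE
 * header helpers are portable. Assumptions: ntdll exports NtCreateProcess
 * with the usual eight-argument prototype, and notepad.exe exists on disk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from ntstatus.h, prefixed to avoid clashing with Windows headers. */
#define NT_STATUS_SUCCESS           0x00000000u
#define NT_STATUS_SECTION_NOT_IMAGE 0xC0000049u

/* NTSTATUS layout: bits 31-30 severity (3 = error), 27-16 facility, 15-0 code. */
static int nt_status_is_error(uint32_t s) { return (s >> 30) == 3; }
static uint32_t nt_status_facility(uint32_t s) { return (s >> 16) & 0xFFFu; }
static uint32_t nt_status_code(uint32_t s) { return s & 0xFFFFu; }

static const char *nt_status_name(uint32_t s) {
    switch (s) {
    case NT_STATUS_SUCCESS:           return "STATUS_SUCCESS";
    case NT_STATUS_SECTION_NOT_IMAGE: return "STATUS_SECTION_NOT_IMAGE";
    default:                          return "(other NTSTATUS)";
    }
}

static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* User-mode pre-check for the headers a SEC_IMAGE section needs: "MZ",
 * e_lfanew pointing at "PE\0\0", and a PE32 (0x10B) or PE32+ (0x20B) magic.
 * The kernel validates far more than this; the point is only that a buffer
 * of arbitrary data can never become an image-backed section. */
static int looks_like_pe_image(const unsigned char *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32le(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 26) return 0;   /* need magic at +24..+25 */
    const unsigned char *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return 0;
    uint32_t magic = (uint32_t)pe[24] | ((uint32_t)pe[25] << 8);
    return magic == 0x10Bu || magic == 0x20Bu;
}

/* Constructed input: a blob carrying just the header fields the check reads
 * (it is not a loadable executable). */
static void build_fake_pe_header(unsigned char *buf, size_t len) {
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x64; buf[0x45] = 0x86;             /* IMAGE_FILE_MACHINE_AMD64 */
    buf[0x40 + 24] = 0x0B; buf[0x40 + 25] = 0x02;   /* optional header magic 0x20B */
}

#ifdef _WIN32
#include <windows.h>

typedef LONG (NTAPI *NtCreateProcess_t)(PHANDLE, ACCESS_MASK, PVOID /* POBJECT_ATTRIBUTES */,
    HANDLE ParentProcess, BOOLEAN InheritObjectTable, HANDLE SectionHandle, HANDLE, HANDLE);

/* Calls NtCreateProcess with the given section (or NULL) and returns the NTSTATUS.
 * A resulting process object has no thread and is unknown to csrss; closing the
 * handle immediately destroys it. */
static uint32_t try_create_process(HANDLE section) {
    NtCreateProcess_t fn = (NtCreateProcess_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateProcess");
    if (!fn) return 0xC0000002u;                    /* STATUS_NOT_IMPLEMENTED */
    HANDLE proc = NULL;
    LONG st = fn(&proc, PROCESS_ALL_ACCESS, NULL, GetCurrentProcess(), FALSE, section, NULL, NULL);
    if (proc) CloseHandle(proc);
    return (uint32_t)st;
}

int main(void) {
    const wchar_t *path = L"C:\\Windows\\System32\\notepad.exe";   /* assumed to exist */
    HANDLE file = CreateFileW(path, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (file == INVALID_HANDLE_VALUE) { printf("CreateFileW: %lu\n", GetLastError()); return 1; }

    /* Same bytes twice: once as a data section, once as an image section. */
    HANDLE data  = CreateFileMappingW(file, NULL, PAGE_READONLY, 0, 0, NULL);
    HANDLE image = CreateFileMappingW(file, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    if (!data || !image) { printf("CreateFileMappingW: %lu\n", GetLastError()); return 1; }

    const unsigned char *view = (const unsigned char *)MapViewOfFile(data, FILE_MAP_READ, 0, 0, 0);
    printf("data view holds PE headers: %d\n", view ? looks_like_pe_image(view, GetFileSize(file, NULL)) : -1);

    uint32_t st;
    st = try_create_process(NULL);  printf("NULL section  -> 0x%08X %s\n", st, nt_status_name(st));
    st = try_create_process(data);  printf("data section  -> 0x%08X %s\n", st, nt_status_name(st));
    st = try_create_process(image); printf("image section -> 0x%08X %s\n", st, nt_status_name(st));

    if (view) UnmapViewOfFile(view);
    CloseHandle(image); CloseHandle(data); CloseHandle(file);
    return 0;
}
#endif
```

Two things to watch when running it: the data section contains perfectly valid PE bytes and still gets STATUS_SECTION_NOT_IMAGE, because the kernel keys on the section type, not its contents; and CreateFileMappingW with SEC_IMAGE over a file that is not a PE fails outright with ERROR_BAD_EXE_FORMAT, so a non-image file cannot even reach NtCreateProcess. The NULL-section call, per the answer above, clones the calling process's address space; the resulting process object is discarded as soon as its handle is closed.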
