Can a process exist without an executable-image-backed section?
After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!
Does this mean that we can have processes that are not backed by executable images? If so, what could they be (or are they) used for potentially? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running? That would seem like a really useful feature.
If section (file mapping in win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic: it is undocumented and does not register with the win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be ok.)
On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.
Other options:
I just tried to create a process with a non-image-backed Section object myself. :)
The result? NtCreateProcess returned:
So apparently every process needs to be image-backed (assuming you don't hack the kernel to do otherwise).
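The experiment the second answer describes, written out as an added example (it is not code from the question or from either answer). The portable part is a minimal check of what an image (SEC_IMAGE) section requires before the kernel will even consider it: an MZ header whose e_lfanew lands on a "PE\0\0" signature. That is only the first gate the memory manager applies; the real check also validates the file header, optional header and section table. The part under `#ifdef _WIN32` assumes a modern x64 Windows build (MSVC or MinGW), resolves the undocumented `NtCreateSection` and `NtCreateProcess` exports from ntdll at runtime using the prototypes published by NtInternals, and first hands `NtCreateProcess` a pagefile-backed `SEC_COMMIT` section, then an `SEC_IMAGE` section over the running executable. It prints whichever NTSTATUS comes back rather than assuming one, since the status the answer saw did not survive on this page. The sample buffers are constructed, not real binaries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable part: the first thing an image (SEC_IMAGE) section must satisfy.
 * A mapping that merely holds executable bytes is not an image: it has to
 * start with an MZ header whose e_lfanew points at "PE\0\0" inside the
 * mapping. The kernel's real check is far stricter; this is only gate one. */
int looks_like_pe_image(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < 0x40)              /* IMAGE_DOS_HEADER is 64 bytes */
        return 0;
    if (buf[0] != 'M' || buf[1] != 'Z')         /* e_magic */
        return 0;
    uint32_t e_lfanew = (uint32_t)buf[0x3C] | ((uint32_t)buf[0x3D] << 8)
                      | ((uint32_t)buf[0x3E] << 16) | ((uint32_t)buf[0x3F] << 24);
    if (e_lfanew > len - 4)                     /* the 4-byte signature must fit */
        return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Constructed inputs (not real binaries) exercising the check. */
int demo_minimal_image_header(void)
{
    unsigned char buf[0x44] = {0};
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                           /* e_lfanew: PE signature right after the DOS header */
    memcpy(buf + 0x40, "PE\0\0", 4);
    return looks_like_pe_image(buf, sizeof buf); /* 1 */
}

int demo_pagefile_backed_bytes(void)
{
    unsigned char buf[0x1000] = {0};            /* a fresh SEC_COMMIT section: zero pages */
    return looks_like_pe_image(buf, sizeof buf); /* 0 */
}

int demo_truncated_header(void)
{
    unsigned char buf[0x40] = {0};
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                           /* points one byte past the end of the mapping */
    return looks_like_pe_image(buf, sizeof buf); /* 0 */
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Undocumented ntdll exports (prototypes as published by NtInternals). */
typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                            PLARGE_INTEGER, ULONG, ULONG, HANDLE);
typedef NTSTATUS (NTAPI *NtCreateProcess_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                            HANDLE, BOOLEAN, HANDLE, HANDLE, HANDLE);

static NTSTATUS try_create_process(NtCreateProcess_t pNtCreateProcess, HANDLE section)
{
    OBJECT_ATTRIBUTES oa;
    HANDLE process = NULL;
    InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
    NTSTATUS st = pNtCreateProcess(&process, PROCESS_ALL_ACCESS, &oa,
                                   GetCurrentProcess(), FALSE, section, NULL, NULL);
    if (process) CloseHandle(process);         /* no thread exists, so this tears it down */
    return st;
}

int main(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtCreateSection_t pNtCreateSection = (NtCreateSection_t)GetProcAddress(ntdll, "NtCreateSection");
    NtCreateProcess_t pNtCreateProcess = (NtCreateProcess_t)GetProcAddress(ntdll, "NtCreateProcess");
    if (!pNtCreateSection || !pNtCreateProcess) return 1;

    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
    HANDLE section = NULL;
    NTSTATUS st;

    /* 1. Pagefile-backed, executable section: memory with no image behind it. */
    LARGE_INTEGER size; size.QuadPart = 0x10000;
    st = pNtCreateSection(&section, SECTION_ALL_ACCESS, &oa, &size,
                          PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
    printf("NtCreateSection(SEC_COMMIT)        = 0x%08lX\n", (unsigned long)st);
    if (st >= 0) {
        st = try_create_process(pNtCreateProcess, section);
        printf("NtCreateProcess(non-image section) = 0x%08lX\n", (unsigned long)st);
        CloseHandle(section);
    }

    /* 2. Image section over this executable: the kind of section CreateProcess builds. */
    wchar_t path[MAX_PATH];
    GetModuleFileNameW(NULL, path, MAX_PATH);
    HANDLE file = CreateFileW(path, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ,
                              NULL, OPEN_EXISTING, 0, NULL);
    if (file == INVALID_HANDLE_VALUE) return 1;
    st = pNtCreateSection(&section, SECTION_ALL_ACCESS, &oa, NULL, PAGE_EXECUTE, SEC_IMAGE, file);
    printf("NtCreateSection(SEC_IMAGE)         = 0x%08lX\n", (unsigned long)st);
    if (st >= 0) {
        st = try_create_process(pNtCreateProcess, section);
        printf("NtCreateProcess(image section)     = 0x%08lX\n", (unsigned long)st);
        CloseHandle(section);
    }
    CloseHandle(file);
    return 0;
}
#endif
```

Run the Windows build as a normal user and compare the two `NtCreateProcess` lines: the image-backed call succeeds (an empty process object that disappears when its handle is closed, since no thread was ever created), the pagefile-backed call does not. Note that, as the first answer warns, nothing here goes through the Win32 subsystem, so even the successful object is not something CreateProcess or the CSRSS bookkeeping knows about.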