After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!
Does this mean that we can have processes that are not backed by executable images? If so, what could they be (or are they) used for potentially? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running? That would seem like a really useful feature.
If section (file mapping in Win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic: it is undocumented and does not register with the Win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be OK.)
On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.
Other options:
I just tried to create a process with a non-image-backed Section object myself. :)
The result?
NtCreateProcess returned:
STATUS_SECTION_NOT_IMAGE
// An attempt was made to query image information on a section which
// does not map an image.
So apparently every process needs to be image-backed (assuming you don't hack the kernel to do otherwise).