NtCreateUserProcess with CsrClientCallServer for mainstream Windows x64 version.
Reimplement this: NtCreateUserProcess->BasepConstructSxsCreateProcessMessage->
->CsrCaptureMessageMultiUnicodeStringsInPlace->CsrClientCallServer
This project could be useless, however it's also useful to learn!
I'll try to fix some known bugs, Any questions,suggestions and pulls are welcomed :)
I will mainly try to support ALL Windows x64 verison from win 7 to win 11.
NtCreateUserProcess-Native support Standard IO Redirect.
NtCreateUserProcess-Native is the Native Edition which remove BasepConstructSxsCreateProcessMessage, RtlCreateProcessParametersEx, CsrCaptureMessageMultiUnicodeStringsInPlace... just prevent any function hook?
NtCreateUserProcess-Native is created for OPSEC, RedTeam purpose.
I have enabled CFG in NtCreateUserProcess-Native Project Settings.
There is no plan to support AppX Package in this project.
I have nearly finished Reverse Engineering of CreateProcessInternalW of Windows 21H*,
but a few improvement,struct, data type... required, I need more time...
Try CreateProcessInternalW-Full instead
Hope the later CreateProcessInternalW project will help you gain different knowledge and understanding,
which reimplement to support AppX, 16 bit RaiseError, .bat && .cmd File.
After the release of Direct-NtCreateUserProcess and article by D0pam1ne705,
I think I should also share my the Reverse Engineering results of CreateProcessInternalW (there's no need to keep it private).
Different from his reverse route, I didn't kernel debug ALPC and csrss.exe,
but mainly depends on IDA and memory analysis parameter.
NtCreateUserProcess-Post.exe (ImagePath)
(NtCreateUserProcess-Post Temporarily Deprecated??? I'm lazy...ovO)
(Default is C:WindowsSystem32dfrgui.exe without special ImagePath)
(1) NtCreateUserProcess-Post.exe
(2) NtCreateUserProcess-Post.exe C:WindowsSystem32notepad.exe
(3) NtCreateUserProcess-Post.exe C:WindowsSystem32taskmgr.exe
(4) NtCreateUserProcess-Post.exe "C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe"
and so on...
C:WindowsSystem32DisplaySwitch.exe
"C:Program FilesGoogleChromeApplicationchrome.exe"
C:WindowsSystem32Magnify.exe
......
NtCreateUserProcess-Native.exe (-c ImagePath) (-i InteractType)
(Standard File IO redirect is already supportd in NtCreateUserProcess-Native!)
-i 0: (Default) None of any interact mode will be used, like CREATE_NEW_CONSOLE
-i 1: StdHandle via AttributeList, like bInheritHandles = FALSE
-i 2: Set ProcessParameters Std Input,Output,OutError with CurrentProcessParameters Value, like bInheritHandles = TRUE
(Default is C:WindowsSystem32dfrgui.exe without special Argument)
(1) NtCreateUserProcess-Native.exe
(2) NtCreateUserProcess-Native.exe -c C:Windowssystem32cmd.exe -i 1
(3) NtCreateUserProcess-Native.exe -c "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" -i 2
(4) NtCreateUserProcess-Native.exe -c "C:Program FilesGoogleChromeApplicationchrome.exe" -i 0
......
Visual Studio 2022 (Visual Studio 2019 should work)
Relase x64
Well, if you think this one is complex and redundant, Try the Native Edition NtCreateUserProcess-Native
Notice: On Windows 11 notepad.exe is AppX so it doesn't work
Windows 11 23H2 Insider x64 (26020.1000)
Windows 11 21H2 x64 (22000.613)
Windows 10 21H2 x64 (19044.1706)
Windows 10 21H1 x64 (19043.1023)
Windows 10 2004 x64 (19041.264)
Windows 10 1909 x64 (18363.2274)
Windows Server 2019 x64 (17763.107)
Windows 10 1709 x64 (16299.125)
Windows 10 1703 x64 (15063.2078)
Windows Server 2016 x64 (14393.5066)
Windows 10 1607 x64 (14393.447)
Windows 10 1511 x64 (10586.164)
Windows 10 1507 x64 (10240)
Windows Server 2012 R2 x64 (9600)
Windows Server 2012 x64 (9200)
Windows Server 2008 R2 x64 (7601)
Windows 7 SP1 x64 (7601)
Windows Server 2008 R2 x64 (7600)
Windows Server 2008 x64 (6002)
Windows Vista SP2 x64 (6002)
Windows Vista x64 (6000)
1: https://github.com/Microwave89/createuserprocess
2: https://github.com/PorLaCola25/PPID-Spoofing
3: https://github.com/processhacker/processhacker
4: https://www.geoffchappell.com/studies/windows/win32/csrsrv/api/apireqst/api_msg.htm
5: https://github.com/leecher1337/ntvdmx64
6: https://github.com/klezVirus/SysWhispers3
7: https://bbs.pediy.com/thread-207429.htm
8: https://doxygen.reactos.org
9: https://github.com/waleedassar/NativeDebugger
10: https://stackoverflow.com/questions/69599435/running-programs-using-rtlcreateuserprocess-only-works-occasionally
11: https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
12: https://github.com/ShashankKumarSaxena/nt5src
13: https://github.com/D4stiny/spectre
14: https://github.com/x64dbg/TitanEngine
15: https://github.com/x64dbg/ScyllaHide
16: https://github.com/deroko/activationcontext
17: https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
18: https://wasm.in/threads/csrclientcallserver-v-windows-7.29743/
19: https://bbs.csdn.net/topics/360229611
20: https://www.exploit-db.com/exploits/46712
11: https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html
22: https://ii4gsp.tistory.com/288
23: https://www.unknowncheats.me/forum/c-and-c-/121045-ntdll-module-callback.html