C# (CSharp) NtApiDotNet ProcessCreateInfo Examples

Example #1

File: CreateUserProcess.cs Project: zaza6677/sandbox-attacksurface-analysis-tools

        /// <summary>
        /// For the current process
        /// </summary>
        /// <returns>The new forked process result</returns>
        public static CreateUserProcessResult Fork()
        {
            List <ProcessAttribute> attrs = new List <ProcessAttribute>();

            try
            {
                ProcessCreateInfo create_info = new ProcessCreateInfo();

                SafeStructureInOutBuffer <ClientId> client_id = new SafeStructureInOutBuffer <ClientId>();
                attrs.Add(ProcessAttribute.ClientId(client_id));

                ProcessAttributeList attr_list = new ProcessAttributeList(attrs);

                NtStatus status = NtSystemCalls.NtCreateUserProcess(
                    out SafeKernelObjectHandle process_handle, out SafeKernelObjectHandle thread_handle,
                    ProcessAccessRights.MaximumAllowed, ThreadAccessRights.MaximumAllowed,
                    null, null, ProcessCreateFlags.InheritFromParent,
                    ThreadCreateFlags.Suspended, IntPtr.Zero, create_info, attr_list).ToNtException();

                return(new CreateUserProcessResult(process_handle, thread_handle,
                                                   create_info.Data, new SectionImageInformation(), client_id.Result, false));
            }
            finally
            {
                foreach (ProcessAttribute attr in attrs)
                {
                    attr.Dispose();
                }
            }
        }

Example #2

File: NtProcessNative.cs Project: ProjectZeroDays/sandbox-attacksurface-analysis-tools

 public static extern NtStatus NtCreateUserProcess(
     out SafeKernelObjectHandle ProcessHandle,
     out SafeKernelObjectHandle ThreadHandle,
     ProcessAccessRights ProcessDesiredAccess,
     ThreadAccessRights ThreadDesiredAccess,
     ObjectAttributes ProcessObjectAttributes,
     ObjectAttributes ThreadObjectAttributes,
     ProcessCreateFlags ProcessFlags,
     ThreadCreateFlags ThreadFlags,
     IntPtr ProcessParameters,
     [In, Out] ProcessCreateInfo CreateInfo,
     [In, Out] ProcessAttributeList AttributeList
     );

Example #3

        /// <summary>
        /// For the current process
        /// </summary>
        /// <param name="process_create_flags">Process create flags.</param>
        /// <param name="thread_create_flags">Thread create flags.</param>
        /// <param name="throw_on_error">True to throw on error.</param>
        /// <returns>The new forked process result</returns>
        public static NtResult <CreateUserProcessResult> Fork(ProcessCreateFlags process_create_flags,
                                                              ThreadCreateFlags thread_create_flags, bool throw_on_error)
        {
            using (var attrs = new DisposableList <ProcessAttribute>()) {
                ProcessCreateInfo create_info = new ProcessCreateInfo();

                SafeStructureInOutBuffer <ClientId> client_id = new SafeStructureInOutBuffer <ClientId>();
                attrs.Add(ProcessAttribute.ClientId(client_id));

                ProcessAttributeList attr_list = new ProcessAttributeList(attrs);

                return(NtSystemCalls.NtCreateUserProcess(
                           out SafeKernelObjectHandle process_handle, out SafeKernelObjectHandle thread_handle,
                           ProcessAccessRights.MaximumAllowed, ThreadAccessRights.MaximumAllowed,
                           null, null, process_create_flags | ProcessCreateFlags.InheritFromParent,
                           thread_create_flags, IntPtr.Zero, create_info, attr_list).CreateResult(throw_on_error,
                                                                                                  () => new CreateUserProcessResult(process_handle, thread_handle,
                                                                                                                                    create_info.Data, new SectionImageInformation(), client_id.Result, false)));
            }
        }

Example #4

        /// <summary>
        /// Start the new process
        /// </summary>
        /// <param name="image_path">The image path to the file to execute</param>
        /// <returns>The result of the process creation</returns>
        public CreateUserProcessResult Start(string image_path)
        {
            if (image_path == null)
            {
                throw new ArgumentNullException("image_path");
            }

            using (var process_params = SafeProcessParametersBuffer.Create(ConfigImagePath ?? image_path, DllPath, CurrentDirectory,
                                                                           CommandLine, Environment, WindowTitle, DesktopInfo, ShellInfo, RuntimeData, CreateProcessParametersFlags.Normalize)) {
                using (var attrs = new DisposableList <ProcessAttribute>()) {
                    ProcessCreateInfo create_info = new ProcessCreateInfo();

                    attrs.Add(ProcessAttribute.ImageName(image_path));
                    SafeStructureInOutBuffer <SectionImageInformation> image_info = new SafeStructureInOutBuffer <SectionImageInformation>();
                    attrs.Add(ProcessAttribute.ImageInfo(image_info));
                    SafeStructureInOutBuffer <ClientId> client_id = new SafeStructureInOutBuffer <ClientId>();
                    attrs.Add(ProcessAttribute.ClientId(client_id));
                    attrs.AddRange(AdditionalAttributes);
                    if (ParentProcess != null)
                    {
                        attrs.Add(ProcessAttribute.ParentProcess(ParentProcess.Handle));
                    }

                    if (RestrictChildProcess || OverrideRestrictChildProcess)
                    {
                        attrs.Add(ProcessAttribute.ChildProcess(RestrictChildProcess, OverrideRestrictChildProcess));
                    }

                    if (Token != null)
                    {
                        attrs.Add(ProcessAttribute.Token(Token.Handle));
                    }

                    using (ProcessAttributeList attr_list = ProcessAttributeList.Create(attrs)) {
                        create_info.Data.InitFlags = InitFlags | ProcessCreateInitFlag.WriteOutputOnExit;
                        create_info.Data.ProhibitedImageCharacteristics = ProhibitedImageCharacteristics;
                        create_info.Data.AdditionalFileAccess           = AdditionalFileAccess;

                        using (ObjectAttributes proc_attr = new ObjectAttributes(null, AttributeFlags.None,
                                                                                 SafeKernelObjectHandle.Null, null, ProcessSecurityDescriptor),
                               thread_attr = new ObjectAttributes(null, AttributeFlags.None,
                                                                  SafeKernelObjectHandle.Null, null, ThreadSecurityDescriptor)) {
                            NtStatus status = NtSystemCalls.NtCreateUserProcess(
                                out SafeKernelObjectHandle process_handle, out SafeKernelObjectHandle thread_handle,
                                ProcessDesiredAccess, ThreadDesiredAccess,
                                proc_attr, thread_attr, ProcessFlags,
                                ThreadFlags, process_params.DangerousGetHandle(), create_info, attr_list);

                            if (!status.IsSuccess() && !ReturnOnError)
                            {
                                // Close handles which come from errors
                                switch (create_info.State)
                                {
                                case ProcessCreateState.FailOnSectionCreate:
                                    NtSystemCalls.NtClose(create_info.Data.FileHandle);
                                    break;

                                case ProcessCreateState.FailExeName:
                                    NtSystemCalls.NtClose(create_info.Data.IFEOKey);
                                    break;
                                }

                                status.ToNtException();
                            }

                            if (create_info.State == ProcessCreateState.Success)
                            {
                                return(new CreateUserProcessResult(process_handle, thread_handle,
                                                                   create_info.Data, image_info.Result, client_id.Result, TerminateOnDispose));
                            }
                            else
                            {
                                return(new CreateUserProcessResult(status, create_info.Data, create_info.State));
                            }
                        }
                    }
                }
            }
        }

Example #5

File: CreateUserProcess.cs Project: yeyintminthuhtut/sandbox-attacksurface-analysis-tools

        /// <summary>
        /// Start the new process
        /// </summary>
        /// <param name="image_path">The image path to the file to execute</param>
        /// <returns>The result of the process creation</returns>
        public CreateUserProcessResult Start(string image_path)
        {
            if (image_path == null)
            {
                throw new System.ArgumentNullException("image_path");
            }

            IntPtr process_params = CreateProcessParameters(ImagePath ?? image_path, DllPath, CurrentDirectory,
                                                            CommandLine, Environment, WindowTitle, DesktopInfo, ShellInfo, RuntimeData, 1);
            List <ProcessAttribute> attrs = new List <ProcessAttribute>();

            try
            {
                ProcessCreateInfo      create_info = new ProcessCreateInfo();
                SafeKernelObjectHandle process_handle;
                SafeKernelObjectHandle thread_handle;

                attrs.Add(ProcessAttribute.ImageName(image_path));
                SafeStructureInOutBuffer <SectionImageInformation> image_info = new SafeStructureInOutBuffer <SectionImageInformation>();
                attrs.Add(ProcessAttribute.ImageInfo(image_info));
                SafeStructureInOutBuffer <ClientId> client_id = new SafeStructureInOutBuffer <ClientId>();
                attrs.Add(ProcessAttribute.ClientId(client_id));
                attrs.AddRange(AdditionalAttributes);
                if (ParentProcess != null)
                {
                    attrs.Add(ProcessAttribute.ParentProcess(ParentProcess.Handle));
                }

                if (RestrictChildProcess || OverrideRestrictChildProcess)
                {
                    attrs.Add(ProcessAttribute.ChildProcess(RestrictChildProcess, OverrideRestrictChildProcess));
                }

                ProcessAttributeList attr_list = new ProcessAttributeList(attrs);

                create_info.Data.InitFlags = InitFlags | ProcessCreateInitFlag.WriteOutputOnExit;
                create_info.Data.ProhibitedImageCharacteristics = ProhibitedImageCharacteristics;
                create_info.Data.AdditionalFileAccess           = AdditionalFileAccess;

                NtStatus status = NtSystemCalls.NtCreateUserProcess(
                    out process_handle, out thread_handle,
                    ProcessAccessRights.MaximumAllowed, ThreadAccessRights.MaximumAllowed,
                    null, null, ProcessFlags,
                    ThreadFlags, process_params, create_info, attr_list);

                if (!status.IsSuccess() && !ReturnOnError)
                {
                    // Close handles which come from errors
                    switch (create_info.State)
                    {
                    case ProcessCreateState.FailOnSectionCreate:
                        NtSystemCalls.NtClose(create_info.Data.FileHandle);
                        break;

                    case ProcessCreateState.FailExeName:
                        NtSystemCalls.NtClose(create_info.Data.IFEOKey);
                        break;
                    }

                    status.ToNtException();
                }

                if (create_info.State == ProcessCreateState.Success)
                {
                    return(new CreateUserProcessResult(process_handle, thread_handle,
                                                       create_info.Data, image_info.Result, client_id.Result, TerminateOnDispose));
                }
                else
                {
                    return(new CreateUserProcessResult(status, create_info.Data, create_info.State));
                }
            }
            finally
            {
                NtRtl.RtlDestroyProcessParameters(process_params);
                foreach (ProcessAttribute attr in attrs)
                {
                    attr.Dispose();
                }
            }
        }