A journey into the Native lands of windows part 1

Hello guys, this is the first topic I've published in the forum.
I've been a huge fan of the site for almost 3 years now, so I've decided to register and interact and learn with you guys. I don't know what took me this long to register, to be honest :sweat_smile:
So here we go. I was very bored and decided I should code something for fun; I had some earlier knowledge of the Windows native ground.
Some of you may know that native processes don't just run with a simple call to CreateProcess() or other standard WinAPIs, so I created a simple loader that can run native processes. It can also run a normal process, but sometimes it gets some errors. I will not put the whole source code here so you guys can keep searching to make it work on your own; I find that very informative. I'll try to explain the important things, like the very important parameters and workflows.

First things first: functions implemented.

RtlDosPathNameToNtPathName_U():
This function takes a normal TCHAR string containing the path of the file you want to launch ("calc.exe" for example) and converts it to an NT path. What this means is that native functions don't understand the normal paths commonly used in Windows (DOS paths), e.g. "C:\masm32\text";
instead it converts it to something like "\??\C:\masm32\text". It happens to relative paths also, but let's not get there so we can keep it short; you can read more on these paths in this article, which I found very useful.

RtlCreateProcessParameters():
This function initializes the process parameters structure to be passed to the next function, like the PEB inherited from the parent process, the command line and other stuff.

RtlCreateUserProcess():
Our native CreateProcess function. This function creates our process in a suspended state, and we have to resume the execution by calling the next function.

NtResumeThread():
This takes the first thread handle from our process parameters struct and executes it.

NtWaitForSingleObject():
Waits for a signal like its WinAPI counterpart "WaitForSingleObject". The only difference here is that the timeout parameter in our case is going to be NULL, which is equivalent to INFINITE in WinAPI.

RtlDestroyProcessParameters():
Destroys the process parameters structure.

Finally I present you with my minimal source code. Keep in mind that this source code is not absolute; there are so many methods to implement it, some of which don't use the NtResumeThread function, and a lot of others.

// Minimal native loader. The Rtl*/Nt* functions used below (except NtClose,
// NtWaitForSingleObject and RtlFreeUnicodeString) and RTL_USER_PROCESS_INFORMATION
// are not declared in the public SDK headers; the include of "ntdll_decls.h" is an
// assumption standing in for your own prototypes (or a header set such as phnt).
// Link against ntdll.lib.
#ifndef UNICODE
#define UNICODE          // RtlDosPathNameToNtPathName_U takes a wide string, so TCHAR must be WCHAR
#define _UNICODE
#endif
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <tchar.h>
#include "ntdll_decls.h" // assumption: declares the remaining ntdll prototypes and structs
#pragma comment(lib, "ntdll.lib")

int _tmain(void)
{
    TCHAR original_path[512] = TEXT("......");        // DOS path of the image to launch
    UNICODE_STRING converted;                         // receives the \??\ NT path
    PRTL_USER_PROCESS_PARAMETERS Process_parameters;  // command line, environment, etc.
    RTL_USER_PROCESS_INFORMATION Process_information; // handles of the new process and thread

    // 1. DOS path -> NT path; the native functions only accept the NT form
    if (!RtlDosPathNameToNtPathName_U(original_path, &converted, NULL, NULL)) {
        printf("\n Cannot convert Path name ... \n");
        return -1;
    }
    // 2. Build the process parameters block; only the image path is supplied here
    if (!NT_SUCCESS(RtlCreateProcessParameters(&Process_parameters, &converted, NULL, NULL,
                                               NULL, NULL, NULL, NULL, NULL, NULL))) {
        printf("\n RTL Process Parameters Struct cannot be Created ...\n");
        RtlFreeUnicodeString(&converted);
        return -1;
    }
    // 3. Create the process; its initial thread is created suspended
    if (!NT_SUCCESS(RtlCreateUserProcess(&converted, OBJ_CASE_INSENSITIVE, Process_parameters,
                                         NULL, NULL, NULL, FALSE, NULL, NULL,
                                         &Process_information))) {
        printf("\nThe process cannot be created ...\n");
        RtlDestroyProcessParameters(Process_parameters);
        RtlFreeUnicodeString(&converted);
        return -1;
    }
    printf("\n Process Created ...\n");
    // 4. Let the initial thread run
    NtResumeThread(Process_information.ThreadHandle, NULL);
    printf("\n Waiting for the process to terminate ... \n");
    // 5. Block until the process object is signalled (NULL timeout == INFINITE)
    NtWaitForSingleObject(Process_information.ProcessHandle, FALSE, NULL);
    printf("\n process terminated\n");
    // 6. Release everything we own (the converted string was leaked in the original)
    RtlDestroyProcessParameters(Process_parameters);
    RtlFreeUnicodeString(&converted);
    NtClose(Process_information.ThreadHandle);
    NtClose(Process_information.ProcessHandle);

    return 0;
}

POC : launching a project of mine

I hope you guys find this post informative; any questions are very welcome and I'll try to answer any of them, keeping in mind that I'm not in any form a professional, I'm just an individual who likes to learn, share and discuss knowledge.

See you soon,

9 Likes
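The post's first step, the DOS-to-NT path rewriting done by RtlDosPathNameToNtPathName_U, is easy to misread from the one "C:\masm32\text" example. The following is an added, portable example (not code from the post and not ntdll's implementation) that emulates the common cases of that rewriting: drive-absolute paths, "\\?\" and "\\.\" prefixed paths, UNC paths, rooted paths and relative paths resolved against a caller-supplied current directory. It deliberately skips "."/".." normalisation and DOS device names; the function names dos_to_nt_path and nt_path_equals and the sample inputs in main are mine.

```c
/* Simplified emulation of the DOS -> NT path rewriting performed by
 * RtlDosPathNameToNtPathName_U (added example, not ntdll code).
 * Handled: \\?\X, \\.\X, \\server\share, C:\abs, \rooted, relative.
 * Not handled: "."/".." collapsing, drive-relative "C:foo", device names. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NT_PREFIX "\\??\\"

static int is_drive_abs(const char *p)
{
    return p && isalpha((unsigned char)p[0]) && p[1] == ':' && p[2] == '\\';
}

/* Writes the NT form of dos into out (outlen bytes). cwd is the drive-absolute
 * DOS current directory used for rooted and relative inputs. Returns 1 on success. */
int dos_to_nt_path(const char *dos, const char *cwd, char *out, size_t outlen)
{
    char tmp[1024];
    const char *body = NULL;
    const char *extra = "";
    size_t i, n;
    int written;

    if (!dos || !out || outlen == 0 || strlen(dos) >= sizeof(tmp)) return 0;
    strcpy(tmp, dos);
    for (i = 0; tmp[i]; i++)
        if (tmp[i] == '/') tmp[i] = '\\';        /* DOS accepts '/' as a separator too */

    if (strncmp(tmp, "\\\\?\\", 4) == 0 || strncmp(tmp, "\\\\.\\", 4) == 0) {
        body = tmp + 4;                          /* \\?\C:\x  ->  \??\C:\x */
    } else if (strncmp(tmp, "\\\\", 2) == 0) {
        extra = "UNC\\";                         /* \\srv\share -> \??\UNC\srv\share */
        body = tmp + 2;
    } else if (is_drive_abs(tmp)) {
        body = tmp;                              /* C:\x -> \??\C:\x */
    } else if (tmp[0] == '\\') {
        if (!is_drive_abs(cwd)) return 0;        /* rooted: take the drive from cwd */
        written = snprintf(out, outlen, "%s%c:%s", NT_PREFIX, cwd[0], tmp);
        return written > 0 && (size_t)written < outlen;
    } else {
        if (!is_drive_abs(cwd)) return 0;        /* relative: append to cwd */
        n = strlen(cwd);
        written = snprintf(out, outlen, "%s%s%s%s", NT_PREFIX, cwd,
                           cwd[n - 1] == '\\' ? "" : "\\", tmp);
        return written > 0 && (size_t)written < outlen;
    }
    written = snprintf(out, outlen, "%s%s%s", NT_PREFIX, extra, body);
    return written > 0 && (size_t)written < outlen;
}

/* Convenience check: 1 if dos converts successfully and equals expected. */
int nt_path_equals(const char *dos, const char *cwd, const char *expected)
{
    char nt[1024];
    return dos_to_nt_path(dos, cwd, nt, sizeof nt) && strcmp(nt, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; cwd is a made-up current directory. */
    const char *inputs[] = { "C:\\masm32\\text", "\\\\server\\share\\a.exe",
                             "\\\\?\\C:\\x", "calc.exe", "\\rooted\\b.exe", "sub/dir\\c.exe" };
    char nt[1024];
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        if (dos_to_nt_path(inputs[i], "C:\\work", nt, sizeof nt))
            printf("%-28s -> %s\n", inputs[i], nt);
        else
            printf("%-28s -> (cannot convert)\n", inputs[i]);
    }
    return 0;
}
```

The point to take away for the loader: the "\??\" prefix is the object-manager path to the per-session DOS device directory, so whatever string the loader hands to RtlCreateUserProcess has already been resolved from the process's current directory; if the conversion fails (for example a relative name with no usable current directory) the loader must stop before creating anything, which is exactly what the first check in the post's code does.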

Now do it with direct syscalls :smile:

1 Like

I might do that in other parts though :sweat_smile:
As I said, it's just a test to see if I can launch a native app using this loader.

1 Like

So cool! Great article~

1 Like

Thanks man, appreciate it.

This series is so good, please update it :relieved:

1 Like

Any suggestions as to what you'd like to read in the next part?

Yep, I wanna learn more Windows APIs like ntdll.

1 Like

I'll be posting a part 2 on writing a simple native program that creates a file;
this program will be run by the loader from this part 1.

This topic was automatically closed after 121 days. New replies are no longer allowed.