A journey into the native lands of Windows, PART 2: The closest you can get to absolute power

Here we meet again, cheers,
beloved readers. I write to you with very welcoming hands, so buckle up.
Not long ago I posted the first part of this series, about creating a native process; you can look it up here. Today we meet to code the very native program we're going to run using our previously coded loader. I'll try my best to explain every detail, and if by any chance I've missed something or you wanted a little more explanation, feel free to ask.

INTRO
A native process, in my opinion, is the closest you can get to launching a kernel driver without the hurdles that come with the latter, and it might be used with malicious intent, wink wink.
Our POC program is simple: it's going to create an empty text file on my desktop. Very simple, hah, but the sky is the limit, as they say.
You must know that compiling such native apps is not as easy as clicking a compiler button. The code itself is saved in a *.c file. Sadly I'm not going to explain how to compile the program in this topic, but there are several ways to do it, either with the gcc compiler or with the Windows Driver Kit.
First of all we must include our native headers:

#include "ntddk.h"
#include "ntifs.h"

Our entry point can be anything, but I chose to go with tradition and name it NtProcessStartup,
with a PPEB structure as its parameter. We will be using the native variant of CreateFile(), which is NtCreateFile().
The function's parameters are pretty easy to understand; you can read about them here.
There is also a structure named OBJECT_ATTRIBUTES that we need to initialize with a function called RtlInitializeObjectAttributes() (the code below uses the equivalent InitializeObjectAttributes() macro). This structure has the following members :sweat_smile:

ULONG Length
HANDLE RootDirectory
PUNICODE_STRING ObjectName
ULONG Attributes
PSECURITY_DESCRIPTOR SecurityDescriptor
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService

Anyhow, I wanted to keep this topic as short as possible and open the door for discussion, so here is the final product:

#include "ntddk.h"
#include "ntifs.h"

/* Exported by ntdll.dll; declared here explicitly so the native app can end itself cleanly. */
NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);

/* Entry point of a native (non-Win32) image: ntdll calls it with a pointer to the PEB. */
void NtProcessStartup(PPEB peb) {
	HANDLE fileh = NULL;
	IO_STATUS_BLOCK statusblock;
	NTSTATUS status;
	OBJECT_ATTRIBUTES ITACHI_ATT;
	UNICODE_STRING SASUKE;

	(void)peb;

	/* NtCreateFile wants an NT object-manager path, not a Win32 path, hence the \DosDevices\ prefix. */
	RtlInitUnicodeString(&SASUKE, L"\\DosDevices\\C:\\********* \\fromme.txt");
	InitializeObjectAttributes(&ITACHI_ATT, &SASUKE, OBJ_CASE_INSENSITIVE, NULL, NULL);

	/* FILE_SUPERSEDE creates the file, replacing it if it already exists.
	   AllocationSize is a PLARGE_INTEGER, so the "no size" value is NULL rather than 0. */
	status = NtCreateFile(&fileh, (GENERIC_WRITE | SYNCHRONIZE), &ITACHI_ATT, &statusblock, NULL,
	                      FILE_ATTRIBUTE_NORMAL, 0, FILE_SUPERSEDE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

	if (NT_SUCCESS(status)) {
		NtClose(fileh);
	}

	/* There is no CRT or kernel32 behind a native app, so it has to terminate itself. */
	NtTerminateProcess(NtCurrentProcess(), status);
}

If we try to run our native app directly by double-clicking it, we encounter this error:


Sorry, the error is in French :sweat_smile: but it basically says you cannot run this app in Win32 mode.
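The reason the Win32 side refuses is in the image itself: the PE optional header carries a Subsystem field, and a native app is linked with IMAGE_SUBSYSTEM_NATIVE (1) rather than the Windows GUI (2) or console (3) value, so the normal loader will not start it. As an added example (not code from the original post), here is a portable C checker that reads that field from any PE file. The sample images built by make_sample_image() are constructed for the demonstration; the offsets (e_lfanew at 0x3C, SizeOfOptionalHeader at offset 16 of the COFF header, Subsystem at offset 68 of the optional header for both PE32 and PE32+) come from the PE format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subsystem values from the PE format specification (IMAGE_SUBSYSTEM_*). */
enum {
    PE_SUBSYSTEM_NATIVE      = 1,
    PE_SUBSYSTEM_WINDOWS_GUI = 2,
    PE_SUBSYSTEM_WINDOWS_CUI = 3
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the Subsystem field of the optional header, or -1 if buf is not a PE image. */
int pe_subsystem(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);       /* offset of the "PE\0\0" signature */
    if (e_lfanew > len || len - e_lfanew < 24)   /* signature (4) + COFF header (20) */
        return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);       /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    /* Subsystem is at offset 68 in both PE32 (0x10b) and PE32+ (0x20b) optional headers. */
    if (opt_size < 70 || (size_t)(opt - buf) + 70 > len)
        return -1;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)
        return -1;
    return rd16(opt + 68);
}

const char *pe_subsystem_name(int subsystem)
{
    switch (subsystem) {
    case PE_SUBSYSTEM_NATIVE:      return "native";
    case PE_SUBSYSTEM_WINDOWS_GUI: return "windows-gui";
    case PE_SUBSYSTEM_WINDOWS_CUI: return "windows-cui";
    case -1:                       return "not-a-pe";
    default:                       return "other";
    }
}

/* Constructed sample: MZ stub, PE signature, COFF header and an optional header carrying the
   requested magic and subsystem; everything else is zero. Returns the image size, 0 on overflow. */
size_t make_sample_image(uint16_t magic, uint16_t subsystem, uint8_t *out, size_t cap)
{
    const uint32_t e_lfanew = 0x40;
    const uint16_t opt_size = (magic == 0x20b) ? 240 : 224;
    size_t total = e_lfanew + 24 + opt_size;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (uint8_t)e_lfanew;
    memcpy(out + e_lfanew, "PE\0\0", 4);
    uint8_t *coff = out + e_lfanew + 4;
    coff[16] = (uint8_t)(opt_size & 0xff); coff[17] = (uint8_t)(opt_size >> 8);
    uint8_t *opt = out + e_lfanew + 24;
    opt[0] = (uint8_t)(magic & 0xff);       opt[1] = (uint8_t)(magic >> 8);
    opt[68] = (uint8_t)(subsystem & 0xff);  opt[69] = (uint8_t)(subsystem >> 8);
    return total;
}

/* Builds a sample with the given magic/subsystem and runs the checker over it. */
int sample_subsystem(uint16_t magic, uint16_t subsystem)
{
    uint8_t img[512];
    size_t n = make_sample_image(magic, subsystem, img, sizeof img);
    return n ? pe_subsystem(img, n) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <file.exe>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    uint8_t *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    size_t n = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int s = pe_subsystem(buf, n);
    printf("%s: subsystem %d (%s)\n", argv[1], s, pe_subsystem_name(s));
    free(buf);
    return s == PE_SUBSYSTEM_NATIVE ? 0 : 1;
}
```

Run it as `./pecheck some.exe`; it exits 0 only for a native-subsystem image. On the defender side this is a cheap triage signal: the native-subsystem user-mode executables that legitimately ship with Windows are few (smss.exe, csrss.exe, autochk.exe and friends under System32), so one turning up elsewhere on disk deserves a closer look.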

But upon launching it using our loader we get this:

I had to put a breakpoint because the process quickly terminates itself.

And I get this in Process Hacker:

And finally, the text file we created:

I hope this humble topic made you excited or curious to know more about native applications.
See you soon.
