A journey into the native lands of Windows PART 2: The closest you can get to absolute power

Here we meet again, cheers
beloved readers, I write to you with very welcoming hands, buckle up.
Not long ago I posted the first part on this subject, about creating a native process; you can look it up here. Today we meet to code the very native program we are going to run using our previously coded loader. I'll try my best to explain every detail, and if by any chance I've missed something or you want a bit more explanation, feel free to ask.

INTRO
A native process, in my opinion, is the closest you can get to launching a kernel driver without the hurdles that come with the latter, and it might be used with malicious intent, wink wink.
Our POC program is simple: it is going to create an empty text file on my desktop. Very simple, hah, but the sky is the limit, as they say.
You must know that compiling such native apps is not as easy as clicking a compiler button. The code itself is saved with a *.c extension. Sadly I'm not going to explain how to compile the program in this topic, but there are many ways to do it, either with the gcc compiler or with the Windows Driver Kit.
First of all we must include our native libraries:

#include "ntddk.h"
#include "ntifs.h"

Our entry point can be anything, but I chose to go with tradition and name it NtProcessStartup,
taking a PPEB structure as its parameter. We will be using the native variant of CreateFile(), that is NtCreateFile().
The function's parameters are pretty easy and understandable; you can read about them here.
There is a structure named OBJECT_ATTRIBUTES that we need to initialize with the InitializeObjectAttributes() macro. This structure has the following members :sweat_smile:

ULONG Length
HANDLE RootDirectory
PUNICODE_STRING ObjectName
ULONG Attributes
PSECURITY_DESCRIPTOR SecurityDescriptor
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
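To see what those two initialization calls actually put in memory, here is an added example (my own code, not from the original post). It is portable C that re-creates UNICODE_STRING and OBJECT_ATTRIBUTES with the public ntdef.h field layout, implements what RtlInitUnicodeString and the InitializeObjectAttributes macro do, and adds a helper that turns a Win32 drive-letter path into the \DosDevices\ form the native API expects. The helper name win32_to_nt_path and the ASCII-only widening are my simplifications for the sake of compiling anywhere; on a real Windows build you would drop the typedefs and use the real headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable re-creation of the NT structures the post fills in, so the example
 * compiles on any platform. Field order, widths and the OBJ_CASE_INSENSITIVE
 * value match the public ntdef.h definitions (assumption: not the real headers). */
typedef uint16_t WCHAR16;                 /* NT WCHAR is 16-bit, unlike Linux wchar_t */
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR16 *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t        Length;
    void           *RootDirectory;
    UNICODE_STRING *ObjectName;
    uint32_t        Attributes;
    void           *SecurityDescriptor;
    void           *SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
#define OBJ_CASE_INSENSITIVE 0x00000040u

/* What RtlInitUnicodeString does: Length = bytes of text without the NUL,
 * MaximumLength = bytes including the NUL, Buffer = the caller's storage.
 * The text is NOT copied, so the buffer must outlive the UNICODE_STRING. */
static void init_unicode_string(UNICODE_STRING *us, WCHAR16 *buf) {
    size_t n = 0;
    while (buf[n] != 0) n++;
    us->Length = (uint16_t)(n * sizeof(WCHAR16));
    us->MaximumLength = (uint16_t)((n + 1) * sizeof(WCHAR16));
    us->Buffer = buf;
}

/* What the InitializeObjectAttributes macro does. Length must equal
 * sizeof(OBJECT_ATTRIBUTES); the object manager rejects anything else. */
static void init_object_attributes(OBJECT_ATTRIBUTES *oa, UNICODE_STRING *name,
                                   uint32_t attrs, void *root, void *sd) {
    oa->Length = sizeof(OBJECT_ATTRIBUTES);
    oa->RootDirectory = root;
    oa->ObjectName = name;
    oa->Attributes = attrs;
    oa->SecurityDescriptor = sd;
    oa->SecurityQualityOfService = NULL;
}

/* Hypothetical helper: build the NT-namespace path the native API expects from
 * a Win32 drive-letter path, i.e. "C:\dir\file.txt" -> "\DosDevices\C:\dir\file.txt",
 * widening ASCII characters to 16-bit. Returns the number of WCHAR16 written
 * (without the terminator), or 0 if the input is not a drive-letter path or does not fit. */
static size_t win32_to_nt_path(const char *win32, WCHAR16 *out, size_t cap) {
    static const char prefix[] = "\\DosDevices\\";
    size_t plen = sizeof(prefix) - 1, wlen = strlen(win32);
    size_t i = 0, j;
    if (wlen < 3 || win32[1] != ':' || win32[2] != '\\') return 0;
    if (plen + wlen + 1 > cap) return 0;
    for (j = 0; j < plen; j++) out[i++] = (WCHAR16)prefix[j];
    for (j = 0; j < wlen; j++) out[i++] = (WCHAR16)(unsigned char)win32[j];
    out[i] = 0;
    return i;
}

int main(void) {
    WCHAR16 buf[260];                     /* constructed sample path, same shape as the post's */
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    size_t n = win32_to_nt_path("C:\\Users\\demo\\Desktop\\fromme.txt", buf, 260);
    init_unicode_string(&name, buf);
    init_object_attributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    printf("chars=%zu Length=%u MaximumLength=%u oa.Length=%u Attributes=0x%x\n",
           n, (unsigned)name.Length, (unsigned)name.MaximumLength,
           (unsigned)oa.Length, (unsigned)oa.Attributes);
    return 0;
}
```

Two things worth noticing: UNICODE_STRING.Length is a byte count that excludes the terminator (so a 44-character path gives Length 88 and MaximumLength 90), and OBJECT_ATTRIBUTES.Length is checked by the object manager against sizeof(OBJECT_ATTRIBUTES), which is why the macro sets it for you rather than leaving it to the caller.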

Anyhow, I wanted to make this topic as short as possible and open the door for discussion, so here is the final product:

#include "ntddk.h"
#include "ntifs.h"


void NtProcessStartup(PPEB peb) {
	HANDLE fileh;
	IO_STATUS_BLOCK statusblock;
	NTSTATUS status;
	OBJECT_ATTRIBUTES ITACHI_ATT;
	UNICODE_STRING SASUKE;

	UNREFERENCED_PARAMETER(peb);   /* the PEB is handed to us but not needed here */

	/* NT-namespace path: \DosDevices\C:\... is the native form of a drive-letter path */
	RtlInitUnicodeString(&SASUKE, L"\\DosDevices\\C:\\********* \\fromme.txt");
	InitializeObjectAttributes(&ITACHI_ATT, &SASUKE, OBJ_CASE_INSENSITIVE, NULL, NULL);

	/* FILE_SUPERSEDE creates the file or replaces an existing one; SYNCHRONIZE plus
	 * FILE_SYNCHRONOUS_IO_NONALERT make the handle synchronous. No data is written. */
	status = NtCreateFile(&fileh, (GENERIC_WRITE | SYNCHRONIZE), &ITACHI_ATT, &statusblock,
	                      NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_SUPERSEDE,
	                      FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	if (NT_SUCCESS(status)) {
		NtClose(fileh);            /* the handle is only valid when the call succeeded */
	}

	/* A native process has no CRT exit path, so end it explicitly with the result */
	NtTerminateProcess(NtCurrentProcess(), status);
}

If we try to run our native app directly by double-clicking it, we encounter this error:

[screenshot of the error dialog]

Sorry, the error is in French :sweat_smile: but it basically says you cannot run this app in Win32 mode.

But upon launching it using our loader we get this:

I had to put a breakpoint because the process quickly terminates itself.

And I get this in Process Hacker:
[screenshot]

And finally the text file we created:
[screenshot]

I hope this humble topic made you excited or curious to know more about native applications.
See you soon


I mean, 2.2k views and no replies.
Come on guys, hype me up to write another part :sweat_smile:


Fantastic!
Do you have part 3 already planned? I'd love to see more on compiling at some stage. That has been a major hurdle, either finding the necessary headers or the compiler itself. Are they found on a normal Windows machine? If not, where do you acquire them? It's also relevant to file size: compiling with the wrong approach could make the executable very much larger than it needs to be, no?
Things are so much simpler on *nix :slight_smile:


Hello Deltaeus,
Indeed I'm working on part 3. Concerning the compiling stage, you asked about the headers: you can find them on GitHub, for example, or if you're familiar with driver development you'd know that they come in a package with the WDK (Windows Driver Kit). I intentionally didn't put in the compiling stage so the people really interested in the topic could go that far to have a full executable; it is a bit tricky, not hard, and I've put clues on how to do that all over my last topics. If you want any leads, contact me. And just to put it out there, I am by no means a professional or an expert in the kernel, I'm just an enthusiast driven by curiosity who still has a lot to learn, and I hope to do so from you guys and the many talented people in this forum.

:slight_smile: Integrate this and this and we have ourselves an absolute banger


We got ourselves a weapon hahahaha. Unfortunately the first topic couldn't be integrated, for the simple fact that he doesn't use the right libraries for the native environment.
But nice share, I will definitely look more into it; I'm working on a little project where this might come in handy.
Thank you @c0z
