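' Native API entry points imported from ntdll.dll.
' Every pointer argument is declared ByVal ... As Long, so callers pass raw
' 32-bit addresses (VarPtr / StrPtr), and every function returns a Long
' (the trailing & type character).
' NOTE(review): these routines are outside the documented Win32 surface. The
' parameter roles described below follow the names used in this file and should
' be confirmed against a trusted prototype before relying on them.

' Resumes the thread identified by the handle Thread. Flags may be omitted.
Private Declare Function ZwResumeThread& Lib "ntdll" (ByVal Thread As Long, Optional ByVal Flags As Long)

' Creates a process from the image at ImagePath using the parameter block
' Parameters, and reports the result through Information.
' The original declaration used the names Security and Port twice each; the
' duplicates are renamed here so that every parameter name is unique. Callers in
' this file pass arguments by position, so they are unaffected.
' NOTE(review): the new names assume the usual process/thread and debug/exception
' ordering - confirm.
Private Declare Function RtlCreateUserProcess& Lib "ntdll" (ByVal ImagePath As Long, ByVal Attributes As Long, ByVal Parameters As Long, ByVal ProcessSecurity As Long, ByVal ThreadSecurity As Long, ByVal Parent As Long, ByVal Inherit As Long, ByVal DebugPort As Long, ByVal ExceptionPort As Long, ByVal Information As Long)

' Builds a process parameter block. Structure is the address handed to the
' callee for the result; the remaining arguments are addresses of optional
' strings (0 = not supplied), apart from Environment.
Private Declare Function RtlCreateProcessParameters& Lib "ntdll" (ByVal Structure As Long, ByVal ImagePath As Long, ByVal DLLPath As Long, ByVal Directory As Long, ByVal Commands As Long, ByVal Environment As Long, ByVal Title As Long, ByVal Desktop As Long, ByVal Shell As Long, ByVal Runtime As Long)

' Converts a parameter block between its two pointer representations.
' NOTE(review): presumably absolute pointers <-> offsets; confirm.
Private Declare Function RtlDeNormalizeProcessParams& Lib "ntdll" (ByVal Structure As Long)
Private Declare Function RtlNormalizeProcessParams& Lib "ntdll" (ByVal Structure As Long)

' Releases a parameter block obtained from RtlCreateProcessParameters.
Private Declare Function RtlDestroyProcessParameters& Lib "ntdll" (ByVal Structure As Long)

' Initialises the UNICODE_STRING at address Dst so that it describes the
' null-terminated wide string at address Src. The string is referenced, not copied.
Private Declare Function RtlInitUnicodeString& Lib "ntdll" (ByVal Dst As Long, ByVal Src As Long)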
' Counted wide-string descriptor; Form_Load fills one through RtlInitUnicodeString.
' NOTE(review): the Windows definition names the fields Length, MaximumLength,
' Buffer in that order. The names Size / Length used here do not follow that
' naming, although the 2 + 2 + 4 byte layout is the same in a 32-bit process.
' Confirm before reading either 16-bit field by name.
Private Type UNICODE_STRING
Size As Integer ' first 16-bit field
Length As Integer ' second 16-bit field
Buffer As Long ' address of the character data (32-bit pointer)
End Type
' Element type of the DLDirectory array at the end of RTL_USER_PROCESS_PARAMETERS.
' NOTE(review): published layouts of this structure use two 16-bit fields for
' Flags and Length followed by a 32-bit time stamp. Declaring them As Long makes
' each element 20 bytes instead of 16 and would misalign the array - confirm.
Private Type RTL_DRIVE_LETTER_CURDIR
Flags As Long
Length As Long
Stamp As Long
DOSPath As UNICODE_STRING
End Type
' VB mirror of the native process parameter block for a 32-bit process.
' Field order is the memory layout and must not be rearranged.
' NOTE(review): the per-field meanings in the comments below are inferred from
' the field names and should be checked against a trusted definition.
Private Type RTL_USER_PROCESS_PARAMETERS
' Two size fields followed by flag words.
Length As Long
Size As Long
Flags As Long
Flags2 As Long
' Console and standard handle slots.
Console As Long
Console2 As Long
StdInput As Long
StdOutput As Long
StdError As Long
' Current directory string plus one extra 32-bit value (presumably its handle).
Directory As UNICODE_STRING
Directory2 As Long
' Search path, image path and command line strings.
DLLPath As UNICODE_STRING
ImagePath As UNICODE_STRING
Commands As UNICODE_STRING
' Address of the environment block.
Environment As Long
' Window placement and appearance values.
Left As Long
Top As Long
Width As Long
Height As Long
Width2 As Long
Height2 As Long
Flags3 As Long
Flags4 As Long
Flags5 As Long
' Window title, desktop, shell and runtime data strings.
Title As UNICODE_STRING
Desktop As UNICODE_STRING
Shell As UNICODE_STRING
Runtime As UNICODE_STRING
' Upper bound 31: 32 entries when the array base is the default 0.
DLDirectory(31) As RTL_DRIVE_LETTER_CURDIR
End Type
' Output record that RtlCreateUserProcess fills for the new process.
' Form_Load sets Size to Len(PI) before the call.
' NOTE(review): in published definitions the last member is an embedded image
' information structure that is much larger than one Long. If that holds, the
' callee writes past the end of this type and corrupts adjacent memory - confirm
' the real size and pad this type accordingly.
Private Type RTL_USER_PROCESS_INFORMATION
Size As Long ' size of this record in bytes, set by the caller
Process As Long ' handle of the new process
Thread As Long ' handle of its initial thread
ClientID(1) As Long ' two Longs (presumably process id and thread id)
Information As Long
End Type
' On form load, tries to start calc.exe by calling ntdll's process-creation
' routines directly instead of going through the Win32 layer. The return value
' of each call is written to the form caption, so only the last one stays visible.
' No return value is checked; each step runs even if the previous one failed.
' NOTE(review): a process started this way does not pass through kernel32, so
' monitoring that depends on user-mode hooks of the Win32 creation calls will not
' see it. Kernel-sourced process-creation telemetry is the place to look.
Private Sub Form_Load()
Dim US As UNICODE_STRING, PM As RTL_USER_PROCESS_PARAMETERS, PI As RTL_USER_PROCESS_INFORMATION, Attributes&(5)
' Six Longs with element 0 = 24 and element 3 = 64; presumably laid out like a
' 24-byte object-attributes record carrying a case-insensitive flag.
' NOTE(review): the Attributes argument is declared ByVal As Long, and published
' prototypes treat it as a plain flags value, not a pointer to a record - confirm.
Attributes(0) = 24
Attributes(3) = 64
' Hard-coded NT-style path; assumes Windows is installed in C:\WINDOWS.
' NOTE(review): US.Buffer keeps whatever address StrPtr returned for the literal.
' Holding the path in a String variable that outlives the calls is safer.
RtlInitUnicodeString VarPtr(US), StrPtr("\??\C:\WINDOWS\system32\calc.exe")
PM.Size = Len(PM)
PI.Size = Len(PI)
' NOTE(review): published prototypes make the first argument the address of a
' pointer variable that receives a newly allocated block. If so, this call only
' stores that pointer in PM's first field, PM is never a valid parameter block,
' and the three calls below should receive the returned pointer rather than
' VarPtr(PM) - confirm.
Me.Caption = RtlCreateProcessParameters(VarPtr(PM), VarPtr(US), 0, 0, 0, 0, 0, 0, 0, 0)
Me.Caption = RtlNormalizeProcessParams(VarPtr(PM))
' Parent is passed as -1 and the two security arguments and two port arguments as 0.
Me.Caption = RtlCreateUserProcess(VarPtr(US), VarPtr(Attributes(0)), VarPtr(PM), 0, 0, -1, 0, 0, 0, VarPtr(PI))
' NOTE(review): this hands the address of the local variable PM to the release
' routine. If the block was allocated by the callee, that is an invalid free
' and the real block leaks.
RtlDestroyProcessParameters VarPtr(PM)
' The resume call is disabled, so the initial thread is presumably left
' suspended. PI.Process and PI.Thread are never closed in this procedure.
'ZwResumeThread PI.Thread
End Sub