Could there be a process without an executable image?

Question

Could there be a process without an executable image?

By looking at various pages, such as OSR Online and NtInternals , it seems that NtCreateProcess(and ZwCreateProcess) indicates that providing a handle to the memory section is optional!

Does this mean that we can have processes that are not supported by executable images? If so, what could be (or are) potentially used? Does this mean that we can completely copy the executable file to memory, and then even delete the file from disk and continue the process? This seems like a really useful feature.

+5

process winapi executable

Mehrdad Mar 18 '11 at 1:26

source share

2 answers

.:)

?

NtCreateProcess:

STATUS_SECTION_NOT_IMAGE
// An attempt was made to query image information on a section which
// does not map an image.

, , ( , ).

+2

Mehrdad 30 '11 20:07

Anders · Accepted Answer · 2011-03-18T02:26:47+0000

If the partition (file mapping on win32 land) is NULL, it uses the partition of the parent process. Perhaps you can use NULL and allocate new memory in it and specify EIP (or use page file mapping), but using NtCreateProcess is problematic, it is undocumented and is not registered in the win32 subsystem, for example CreateProcess. (If you want to use export from ntdll, this might be ok)

In Win9x, NT4, and 2000, you can remove yourself from disk during operation using the following tricks here .

Other parameters:

Use a driver, they can be removed after they are downloaded (sysinternal tools do this)
-; start explorer.exe, cmd.exe rundll32.exe CreateRemoteThread + (, , exe , )

Could there be a process without an executable image?

More articles: