I am trying to understand how the Windows API creates processes, so I can create a program to determine where the exes are invalid. I have a program that calls kernel32.CreateProcessA. Following it in OllyDbg, it calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function is:
    mov eax, 0xAA
    xor ecx, ecx
    lea edx, dword ptr [esp+4]
    call dword ptr fs:[0xC0]
    add esp, 4
    retn 0x2C
So, I follow the call to fs:[0xC0], which contains one instruction:

    jmp far 0x33:0x74BE271E
But when I step into this instruction, Olly simply returns to ntdll.ZwCreateUserProcess at the add esp, 4 immediately after the call (which is not at 0x74BE271E). I set a breakpoint at retn 0x2C and found that a new process had somehow already been created by the time execution reached add esp, 4.
Therefore, I assume there is some kind of magic in the far jump. I tried changing the CS register to 0x33 and EIP to 0x74BE271E instead of actually performing the jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to dive deeper into the abstraction of ZwCreateUserProcess to find out exactly how Windows creates processes.
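An added example, not part of the asker's post: the listing above is the standard 32-bit ntdll system-call stub as seen under WoW64. The syscall number goes in eax, edx points at the arguments, and the indirect call through fs:[0xC0] is the WoW64 transition into 64-bit code (selector 0x33), which a 32-bit debugger cannot single-step, so control reappears at the add esp, 4 once the 64-bit side has performed the real NtCreateUserProcess call. The Python below decodes a copy of those stub bytes (hand-encoded from the listing, a constructed sample rather than a dump of a real ntdll) to recover the syscall number, the argument count implied by retn 0x2C, and whether the stub goes through fs:[0xC0]; the function name is my own.

```python
import struct
from typing import Optional

# Constructed sample: the stub from the question, encoded by hand.
SAMPLE_STUB = bytes.fromhex(
    "B8 AA 00 00 00"        # mov eax, 0xAA          (syscall number)
    "33 C9"                 # xor ecx, ecx
    "8D 54 24 04"           # lea edx, [esp+4]        (pointer to the arguments)
    "64 FF 15 C0 00 00 00"  # call dword ptr fs:[0xC0] (WoW64 32->64 transition)
    "83 C4 04"              # add esp, 4
    "C2 2C 00"              # retn 0x2C               (11 dword arguments)
)


def decode_wow64_stub(code: bytes) -> Optional[dict]:
    """Decode a 32-bit ntdll syscall stub.

    Returns the syscall number, the argument count derived from the retn
    immediate, the fs: offset used by the indirect call, and a flag telling
    whether that offset is the WoW64 transition slot (0xC0).  Returns None
    when the bytes do not match the mov/call fs:/retn shape.
    """
    # mov eax, imm32 is B8 followed by a little-endian dword.
    if len(code) < 5 or code[0] != 0xB8:
        return None
    syscall_no = struct.unpack_from("<I", code, 1)[0]

    # call dword ptr fs:[imm32] is 64 FF 15 followed by the dword offset.
    pos = code.find(b"\x64\xFF\x15", 5)
    if pos == -1 or pos + 7 > len(code):
        return None
    fs_offset = struct.unpack_from("<I", code, pos + 3)[0]

    # retn imm16 is C2 followed by the number of argument bytes to pop.
    ret = code.find(b"\xC2", pos + 7)
    if ret == -1 or ret + 3 > len(code):
        return None
    stack_bytes = struct.unpack_from("<H", code, ret + 1)[0]

    return {
        "syscall": syscall_no,
        "arg_count": stack_bytes // 4,
        "fs_offset": fs_offset,
        "wow64_transition": fs_offset == 0xC0,
    }
```

Running the decoder over bytes read from a process's loaded ntdll (rather than this constructed sample) is a common defensive check: a stub whose first instruction is not mov eax, imm32, or whose syscall number differs from the on-disk copy, has usually been patched.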