可以有没有可执行支持映像的进程吗? [英] Can There be a Process WITHOUT an Executable-Backed Image?

问题描述

浏览了诸如 OSR Online 和

After looking at various pages like OSR Online and NtInternals, it seems like NtCreateProcess (and ZwCreateProcess) specify that giving a handle to a memory section is optional!

这是否意味着我们可以拥有不受可执行映像支持的进程?如果是这样，它们可能被(或被)用于潜在的用途?这是否意味着我们可以将可执行文件完全复制到内存中，然后甚至从磁盘上删除文件，并使进程继续运行?这似乎是一个非常有用的功能.

Does this mean that we can have processes that are not backed by executable images? If so, what could they be (or are they) used for potentially? Does that mean we can copy an executable entirely into memory and subsequently even delete the file from the disk, and have the process continue running?? That would seem like a really useful feature.

推荐答案

如果section(在win32 land中的文件映射)为NULL，则使用父进程的section.可能可以使用NULL并分配新的内存并在其上指向EIP(或使用页面文件映射)，但是使用NtCreateProcess是有问题的，它没有文档说明，并且没有像CreateProcess一样在Win32子系统中注册. (如果您只想使用来自ntdll的导出，则可能没问题)

If section (file mapping in win32 land) is NULL, it uses the section of the parent process. It might be possible to use NULL and allocate new memory and point EIP at it (or use a page file mapping), but using NtCreateProcess is problematic, it is undocumented and does not register with the win32 subsystem like CreateProcess does. (If you only want to use exports from ntdll, this might be ok)

在Win9x，NT4和2000上，您可以使用此处.

On Win9x, NT4 and 2000 you can delete yourself from disk while running by using the dirty tricks listed here.

其他选项:

• 使用驱动程序，可以在加载后将其删除(sysinternal工具会执行此操作)
• 使用主机进程；暂停启动explorer.exe，cmd.exe或rundll32.exe并使用CreateRemoteThread +注入的代码(这当然意味着磁盘上有一个exe文件，但是其中没有任何代码)

这篇关于可以有没有可执行支持映像的进程吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！