
Creating a Process

https://t.me/learningnets
Creating a Process

Process
( notepad.exe )
CreateProcess( )
notepad.exe

RAM

https://t.me/learningnets
Function Prototype

// Creates a new process and its primary thread.
// Returns nonzero on success and zero on failure (call GetLastError for the cause).
BOOL CreateProcess(
lpApplicationName, // Path to the executable
// NULL is permitted: the module name is then parsed out of lpCommandLine, so a
// path that contains spaces must be quoted there (documented CreateProcess caveat).
lpCommandLine, // Command-line arguments
// NOTE(review): the Unicode variant may write into this buffer — pass a
// writable copy, never a string literal.
lpProcessAttributes, // Security attributes for the process (NULL = default descriptor, handle not inheritable)
lpThreadAttributes, // Security attributes for the primary thread (NULL = default)
bInheritHandles, // Inherit handles from parent process
// TRUE hands every inheritable handle of the parent to the child; keep it FALSE
// unless a specific handle (e.g. a redirected std handle) has to be shared.
dwCreationFlags, // Process creation flags (bitmask of CREATE_* / DEBUG_* values; see the flag table)
lpEnvironment, // Pointer to environment block (NULL = inherit the parent's)
lpCurrentDirectory, // Working directory of the new process (NULL = inherit the parent's)
lpStartupInfo, // Pointer to STARTUPINFO structure (zero it and set cb = sizeof(STARTUPINFO) first)
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
// [out] receives hProcess/hThread; both handles are owned by the caller and
// must be released with CloseHandle when no longer needed.
);

https://t.me/learningnets
Function Prototype
BOOL CreateProcess(
lpApplicationName, // Path to the executable
lpCommandLine, // Command-line arguments
lpProcessAttributes, // Security attributes for the process
lpThreadAttributes, // Security attributes for the primary thread
bInheritHandles, // Inherit handles from parent process
dwCreationFlags, // Process creation flags
lpEnvironment, // Pointer to environment block
lpCurrentDirectory, // Working directory of the new process
lpStartupInfo, // Pointer to STARTUPINFO structure
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
);

Flag (dwCreationFlags) | Description
CREATE_NEW_CONSOLE | Creates a new console window for the child process.
CREATE_SUSPENDED | Creates the process in a suspended state. (Used in process injection.)
CREATE_NO_WINDOW | Runs the process without showing any window (used for stealth malware).
CREATE_DEFAULT_ERROR_MODE | Uses the parent's error mode.
CREATE_BREAKAWAY_FROM_JOB | Allows the process to run outside of a job object.
CREATE_SEPARATE_WOW_VDM | Runs the process in a separate virtual DOS machine (for 16-bit apps).
CREATE_SHARED_WOW_VDM | Runs in a shared DOS environment (legacy stuff).
DEBUG_PROCESS | Allows the parent process to debug the child process.
DEBUG_ONLY_THIS_PROCESS | Only allows the parent to debug this process.
DETACHED_PROCESS | Runs the process without associating it with the parent console.
EXTENDED_STARTUPINFO_PRESENT | Allows passing extended startup information.
INHERIT_PARENT_AFFINITY | Inherits the CPU affinity of the parent process.
CREATE_PROTECTED_PROCESS | Creates a protected process (used in anti-debugging).

https://t.me/learningnets
Function Prototype

// Creates a new process and its primary thread.
// Returns nonzero on success and zero on failure (call GetLastError for the cause).
BOOL CreateProcess(
lpApplicationName, // Path to the executable
// NULL is permitted: the module name is then parsed out of lpCommandLine, so a
// path that contains spaces must be quoted there (documented CreateProcess caveat).
lpCommandLine, // Command-line arguments
// NOTE(review): the Unicode variant may write into this buffer — pass a
// writable copy, never a string literal.
lpProcessAttributes, // Security attributes for the process (NULL = default descriptor, handle not inheritable)
lpThreadAttributes, // Security attributes for the primary thread (NULL = default)
bInheritHandles, // Inherit handles from parent process
// TRUE hands every inheritable handle of the parent to the child; keep it FALSE
// unless a specific handle (e.g. a redirected std handle) has to be shared.
dwCreationFlags, // Process creation flags (bitmask of CREATE_* / DEBUG_* values; see the flag table)
lpEnvironment, // Pointer to environment block (NULL = inherit the parent's)
lpCurrentDirectory, // Working directory of the new process (NULL = inherit the parent's)
lpStartupInfo, // Pointer to STARTUPINFO structure (zero it and set cb = sizeof(STARTUPINFO) first)
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
// [out] receives hProcess/hThread; both handles are owned by the caller and
// must be released with CloseHandle when no longer needed.
);

https://t.me/learningnets
Function Prototype

// Creates a new process and its primary thread.
// Returns nonzero on success and zero on failure (call GetLastError for the cause).
BOOL CreateProcess(
lpApplicationName, // Path to the executable
// NULL is permitted: the module name is then parsed out of lpCommandLine, so a
// path that contains spaces must be quoted there (documented CreateProcess caveat).
lpCommandLine, // Command-line arguments
// NOTE(review): the Unicode variant may write into this buffer — pass a
// writable copy, never a string literal.
lpProcessAttributes, // Security attributes for the process (NULL = default descriptor, handle not inheritable)
lpThreadAttributes, // Security attributes for the primary thread (NULL = default)
bInheritHandles, // Inherit handles from parent process
// TRUE hands every inheritable handle of the parent to the child; keep it FALSE
// unless a specific handle (e.g. a redirected std handle) has to be shared.
dwCreationFlags, // Process creation flags (bitmask of CREATE_* / DEBUG_* values; see the flag table)
lpEnvironment, // Pointer to environment block (NULL = inherit the parent's)
lpCurrentDirectory, // Working directory of the new process (NULL = inherit the parent's)
It controls how the new process starts (window size, position, appearance, etc.).
lpStartupInfo, // Pointer to STARTUPINFO structure
// Zero the struct and set cb = sizeof(STARTUPINFO) before the call; each STARTF_*
// bit in dwFlags enables one of the optional fields.
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
// [out] receives hProcess/hThread; both handles are owned by the caller and
// must be released with CloseHandle when no longer needed.
);

// Startup parameters for the new process's main window / console.
// Zero-initialise the struct (STARTUPINFO si = {0};) and set cb before passing
// it to CreateProcess; fields are honoured only when the matching STARTF_* bit
// is set in dwFlags.
typedef struct _STARTUPINFO {


DWORD cb; // Size of the structure (set to sizeof(STARTUPINFO))
LPSTR lpReserved; // Reserved (always NULL)
LPSTR lpDesktop; // Desktop name (NULL = default)
LPSTR lpTitle; // Console title (NULL = default)
DWORD dwX, dwY; // Window position (used only when STARTF_USEPOSITION is set in dwFlags)
DWORD dwXSize, dwYSize; // Window size (used only when STARTF_USESIZE is set in dwFlags)
DWORD dwFlags; // STARTF_* bitmask saying which of the optional fields are valid (e.g. STARTF_USESHOWWINDOW); SW_* values belong in wShowWindow, not here
WORD wShowWindow; // Controls the window state (SW_SHOW, SW_HIDE, etc.); honoured only with STARTF_USESHOWWINDOW
// The omitted fields include the hStdInput/hStdOutput/hStdError handles used
// with STARTF_USESTDHANDLES; those handles must be inheritable and
// bInheritHandles must be TRUE for the child to receive them.
... (Other fields not commonly used)
} STARTUPINFO;

https://t.me/learningnets
Function Prototype

// Creates a new process and its primary thread.
// Returns nonzero on success and zero on failure (call GetLastError for the cause).
BOOL CreateProcess(
lpApplicationName, // Path to the executable
// NULL is permitted: the module name is then parsed out of lpCommandLine, so a
// path that contains spaces must be quoted there (documented CreateProcess caveat).
lpCommandLine, // Command-line arguments
// NOTE(review): the Unicode variant may write into this buffer — pass a
// writable copy, never a string literal.
lpProcessAttributes, // Security attributes for the process (NULL = default descriptor, handle not inheritable)
lpThreadAttributes, // Security attributes for the primary thread (NULL = default)
bInheritHandles, // Inherit handles from parent process
// TRUE hands every inheritable handle of the parent to the child; keep it FALSE
// unless a specific handle (e.g. a redirected std handle) has to be shared.
dwCreationFlags, // Process creation flags (bitmask of CREATE_* / DEBUG_* values; see the flag table)
lpEnvironment, // Pointer to environment block (NULL = inherit the parent's)
lpCurrentDirectory, // Working directory of the new process (NULL = inherit the parent's)
It controls how the new process starts (window size, position, appearance, etc.).
lpStartupInfo, // Pointer to STARTUPINFO structure
// Zero the struct and set cb = sizeof(STARTUPINFO) before the call; each STARTF_*
// bit in dwFlags enables one of the optional fields.
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
// [out] receives hProcess/hThread; both handles are owned by the caller and
// must be released with CloseHandle when no longer needed.
);

typedef struct _STARTUPINFO {


DWORD cb; // Size of the structure
LPSTR lpReserved; // Reserved (always NULL)
LPSTR lpDesktop; // Desktop name (NULL = default)
LPSTR lpTitle; // Console title (NULL = default)
DWORD dwX, dwY; // Window position (ignored if not set)
DWORD dwXSize, dwYSize; // Window size
DWORD dwFlags; // specify which flag is used (e.g., SW_HIDE)
WORD wShowWindow; // Controls the window state (SW_SHOW, SW_HIDE, etc.)
... (Other fields not commonly used)
} STARTUPINFO;

FLAGS (values for dwFlags)
1. STARTF_USESHOWWINDOW (0x00000001)
2. STARTF_USESIZE (0x00000002)
3. STARTF_USEPOSITION (0x00000004)
4. STARTF_USECOUNTCHARS (0x00000008)
5. STARTF_USEFILLATTRIBUTE (0x00000010)
6. STARTF_RUNFULLSCREEN (0x00000020)
7. STARTF_FORCEONFEEDBACK (0x00000040)
8. STARTF_FORCEOFFFEEDBACK (0x00000080)
9. STARTF_USESTDHANDLES (0x00000100)
10. STARTF_USEHOTKEY (0x00000200)

https://t.me/learningnets
Function Prototype

// Creates a new process and its primary thread.
// Returns nonzero on success and zero on failure (call GetLastError for the cause).
BOOL CreateProcess(
lpApplicationName, // Path to the executable
// NULL is permitted: the module name is then parsed out of lpCommandLine, so a
// path that contains spaces must be quoted there (documented CreateProcess caveat).
lpCommandLine, // Command-line arguments
// NOTE(review): the Unicode variant may write into this buffer — pass a
// writable copy, never a string literal.
lpProcessAttributes, // Security attributes for the process (NULL = default descriptor, handle not inheritable)
lpThreadAttributes, // Security attributes for the primary thread (NULL = default)
bInheritHandles, // Inherit handles from parent process
// TRUE hands every inheritable handle of the parent to the child; keep it FALSE
// unless a specific handle (e.g. a redirected std handle) has to be shared.
dwCreationFlags, // Process creation flags (bitmask of CREATE_* / DEBUG_* values; see the flag table)
lpEnvironment, // Pointer to environment block (NULL = inherit the parent's)
lpCurrentDirectory, // Working directory of the new process (NULL = inherit the parent's)
lpStartupInfo, // Pointer to STARTUPINFO structure (zero it and set cb = sizeof(STARTUPINFO) first)
Holds important information about the newly created process.
lpProcessInformation // Pointer to PROCESS_INFORMATION structure
// [out] filled in on success with hProcess/hThread and the two IDs; the caller
// owns both handles and must release them with CloseHandle.
);

// Filled in by CreateProcess through its lpProcessInformation [out] parameter.
// Both handles are owned by the caller: release each with CloseHandle once it is
// no longer needed, otherwise the handle leaks and keeps the kernel object alive.
typedef struct _PROCESS_INFORMATION {


HANDLE hProcess; // Handle to the process (use it for WaitForSingleObject / GetExitCodeProcess, then CloseHandle)
HANDLE hThread; // Handle to the main thread (ResumeThread on it continues a CREATE_SUSPENDED process; CloseHandle when done)
DWORD dwProcessId; // Process ID (NOTE: PIDs are recycled after a process exits — identify the process by hProcess, not by PID alone)
DWORD dwThreadId; // Thread ID
} PROCESS_INFORMATION;

https://t.me/learningnets
