CreateProcessEx unable to create 64bit Process From 32bit

c++ / delphi package - dll injection and api hooking
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

CreateProcessEx unable to create 64bit Process From 32bit

Post by omidgl »

Hi

I've tried to use CreateProcessEx to load a 64-bit dll into a sample 64-bit process on Windows 7 x64.
The calling process itself is 32-bit. According to your documentation this is possible using v3.x.

However CreateProcessEx function returns error code 299 and fails.
From my 64bit process with the same code, the same call to CreateProcessEx is successful.

Please advise...
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

I've had that problem in win8 recently, but I thought it would work in win7. Does it happen with every 64bit process, or just with a specific one? Can you please check at which base address the 64bit ntdll is loaded in the target process?
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

I've tested the 64-bit version of notepad.exe and also all Microsoft Office 2010 x64 products.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

Hmmmm... I've double checked my emails, here's what I replied to someone else reporting a problem with win8:
Bad news. It seems that in win8 sometimes the 64bit ntdll.dll is loaded outside of the 32bit 4GB address range. In win7 this doesn't seem to happen. The problem is that if your process is 32bit, there is only limited access possible to 64bit address range. There are APIs available to read from and write to 64bit address range, but there's no API available to change the memory page protection. In order to inject dlls into a 64bit process, I need to patch ntdll.dll, but if it's loaded outside of the 32bit address range, I don't have the APIs I need to patch it.

Practically this means that CreateProcessEx can't technically work, if your process is 32bit and the target process is 64bit, and if the target process has ntdll.dll loaded outside of the 32bit address range. I would love to make this work, but Microsoft simply doesn't offer the APIs to do this. In this situation the only way to call CreateProcessEx successfully will be to compile your exe as a 64bit exe.

I'm sorry, I wish I could give you better news, but I'm bound by the API limitations Microsoft puts on me.
I'm not sure why you get the same problems in win7 now. Either ntdll.dll or maybe the EXE module is probably loaded above the 32bit address range? In that case there's probably not much I can do. I will have to change my documentation and state that CreateProcessEx may fail on 64bit processes when calling from within a 32bit process. Or maybe I'll find a workaround. But for now you'll have to use a 64bit exe to call CreateProcessEx, it seems... :(
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

Do you know any program which I can use to check the memory map and address space of a 64bit process?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

SysInternals ProcessExplorer.
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

Ntdll.dll
Load Address: 779D0000

MyDLL.dll
Load Address: 180000000
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

And the office and notepad exes?
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

Those were the results for Office.

For notepad, only the ntdll.dll base address changed, to 77440000.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

No, I want to know the image base address of the modules "Office.exe" and "Notepad.exe" inside their processes.
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

Notepad.exe: FFE90000
Word.exe: 13FB70000
Excel.exe: 13F790000
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

Thanks. I think these high addresses (> 2GB) have to do with the problem. I'll put this on my to do list to look into. I think I might be able to find a way to make this work, but it will take a while until I get to this. For now I fear you'll have to use a 64bit process to do CreateProcessEx. I'm sorry for the inconvenience.
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by omidgl »

Thank you.
Sure, I'll use a 64-bit process as a workaround while you're working on this issue.
roni
Posts: 9
Joined: Sun Apr 03, 2011 3:24 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by roni »

Hi Madshi
Were you able to solve this problem, or is using a 64-bit process as the initiator the only solution?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx unable to create 64bit Process From 32bi

Post by madshi »

Didn't find a solution yet. You still have to use a 64bit process, I'm sorry...