flat assembler
Message board for the users of flat assembler.

Index > Windows > CreateProcess: 32bit should spawn 64bit -> ERR_NOT_SUPPOR

yoshimitsu



Joined: 07 Jul 2011
Posts: 96
yoshimitsu 19 Dec 2011, 18:34
Hi there!
I don't get what I'm doing wrong..
MSDN says spawning a 64bit process from a 32bit process and vice versa should work.

But I do not get it to do so..
CreateProcess returns FALSE and the error code is 32h = ERROR_NOT_SUPPORTED
Google doesn't seem to be very verbose with these keywords..

If I try to spawn a 32bit process everything works fine

Code:
0040104D  |.  68 674B4000   PUSH 00404B67                            ; /pProcessInfo = 00404B67
00401052  |.  68 774B4000   PUSH 00404B77                            ; |pStartupInfo = 00404B77
00401057  |.  50            PUSH EAX                                 ; |CurrentDir => NULL
00401058  |.  50            PUSH EAX                                 ; |pEnvironment => NULL
00401059  |.  6A 04         PUSH 4                                   ; |CreationFlags = CREATE_SUSPENDED
0040105B  |.  50            PUSH EAX                                 ; |InheritHandles => FALSE
0040105C  |.  50            PUSH EAX                                 ; |pThreadSecurity => NULL
0040105D  |.  50            PUSH EAX                                 ; |pProcessSecurity => NULL
0040105E  |.  68 67494000   PUSH 00404967                            ; |CommandLine = "C:\Users\Admin\Desktop\FASM\MYPROJECTS\x64_Test\x64_Test.exe"
00401063  |.  50            PUSH EAX                                 ; |ModuleFileName => NULL
00401064  |.  FF15 7CF14000 CALL [DWORD DS:<&KERNEL32.CreateProcessA>; \CreateProcessA    
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 20 Dec 2011, 03:09
But is the machine you are running on 64-bit?
yoshimitsu 20 Dec 2011, 04:18
Of course..
How should I be able to spawn a 64bit process otherwise?

Win7 x64
CreateProcess is used inside a 32bit exe
and x64_Test is a 64bit exe which simply shows a messagebox

I just removed the CREATE_SUSPENDED as I thought maybe an x86 process can't debug an x64 one, but it still does not work.
Seriously, what am I doing wrong? Google shows almost nothing about it, so apparently nobody else seems to have problems with this..
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20454
Location: In your JS exploiting you and your system
revolution 20 Dec 2011, 04:25
Is the STARTUPINFO structure set properly? Are you using a 64-bit or 32-bit version of this structure? If the cb member is wrong Windows may think you are using a different version of the structure.
yoshimitsu 20 Dec 2011, 04:56
As far as I recall, I have used OllyDbg to debug the code from the first test.
Because apparently it actually is working, as I just now simply double-clicked the exe and the 64bit process got started, which does not happen when the CreateProcess code is being debugged..
revolution 20 Dec 2011, 09:54
So presumably Win7 is telling you that the new 64-bit process can't be debugged from a 32-bit process and therefore won't load it.
yoshimitsu 20 Dec 2011, 10:34
1.exe (x86) spawns 2.exe (x64).
Doesn't work if 1.exe is being debugged.
I thought the process would be spawned independently..
So the debugger actually inherits the handle of a new process, spawned by the debugged process, but can't inherit an x64 handle?
revolution 20 Dec 2011, 10:41
yoshimitsu wrote:
So the debugger actually inherits the handle of a new process, spawned by the debugged process, but can't inherit an x64 handle?
That would make sense. A 32-bit debugger is unable to read the 64-bit process state or data, since there are no APIs in the 32-bit kernel to support that. Hence - ERROR_NOT_SUPPORTED

I wonder if the same thing happens in reverse. A debugged 64-bit process being unable to spawn a 32-bit process?
yoshimitsu 20 Dec 2011, 11:23
But in which way does the debugger inherit such a handle?
I mean, why can't the debugged process spawn a new one, what has the debugger to do with the newly spawned process? As the new process isn't the one which is being debugged..
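
Added example, not part of any post in this thread: when a 32-bit parent fails to start a child, one useful first check is what architecture the target image really is, which the PE header's Machine field states. The function names (pe_machine, crosses_to_64bit, make_sample) and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Machine values from the PE/COFF file header. */
#define PE_MACHINE_I386  0x014c  /* 32-bit x86 image */
#define PE_MACHINE_AMD64 0x8664  /* 64-bit x64 image */

/* Little-endian reads that do not depend on host endianness or alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Return the Machine field of a PE image, or 0 when the buffer is too short,
   lacks the "MZ" / "PE\0\0" signatures, or e_lfanew points outside it. */
uint16_t pe_machine(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t off = rd32(buf + 0x3c);      /* e_lfanew: offset of "PE\0\0" */
    /* Need 4 signature bytes + 2 Machine bytes; memcmp runs only if in bounds. */
    if (off > len || len - off < 6 || memcmp(buf + off, "PE\0\0", 4) != 0)
        return 0;
    return rd16(buf + off + 4);
}

/* 1 when a 32-bit parent is about to start a 64-bit child: the combination
   that failed in the thread while the parent ran under a 32-bit debugger. */
int crosses_to_64bit(int parent_is_64bit, const uint8_t *child, size_t len) {
    return !parent_is_64bit && pe_machine(child, len) == PE_MACHINE_AMD64;
}

/* Constructed sample: the smallest header pe_machine() accepts. */
size_t make_sample(uint8_t *out, size_t cap, uint16_t machine) {
    const size_t off = 0x80;              /* arbitrary e_lfanew for the sample */
    if (cap < off + 6) return 0;
    memset(out, 0, off + 6);
    out[0] = 'M'; out[1] = 'Z'; out[0x3c] = (uint8_t)off;
    memcpy(out + off, "PE\0\0", 4);
    out[off + 4] = (uint8_t)(machine & 0xff);
    out[off + 5] = (uint8_t)(machine >> 8);
    return off + 6;
}

int main(void) {
    uint8_t img[256];
    size_t n = make_sample(img, sizeof img, PE_MACHINE_AMD64);
    printf("machine=0x%04x crosses=%d\n", (unsigned)pe_machine(img, n), crosses_to_64bit(0, img, n));
    return 0;
}
```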