https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls

https://github.com/helpsystems/CreateProcess/blob/main/source/main.c

https://github.com/D0pam1ne705/Direct-NtCreateUserProcess/tree/main/DirectNtCreateUserProcess

• CreateProcess ⇒ CreateProcessInternal ⇒ NtCreateuserProcess
• CreateProcessInternal notifies CRSS (Client/Server Runtime Subsystem), the windows subsystem of process existing
  • We skip this, big problem; a lot of stuff don’t work. As I tested, only cmd, iexplore, but not chrome/notepad
• ntdll!CsrClientCallServer sends the message to CSRSS, after creation, in suspended mode but before resumption
• What I need to do
  • NtCreateuserProcess
  • CsrCaptureMessageMultiUnicodeStringsInPlace
    • CsrAllocateCaptureBuffer
    • CsrCaptureMessageUnicodeStringInPlace
  • CsrClientCallServer
    • CSR_MAKE_API_NUMBER
  • CsrFreeCaptureBuffer