Malware Journey Day 16
I am trying to understand what exactly CreateProcess does in malware. The best way to do that is to code it up.
All of this screenshot is copied from the WinAPI documentation, except for the executable p.exe.
p.exe creates a file on my desktop; my goal is to run and execute p.exe through the CreateProcess WinAPI.
In x64dbg I reached CreateProcessW
In the RDX register I see my executable. I still don't see p.exe executing yet.
Looks like I am stepping through this process again
Now it appears that CreateProcessW is calling CreateProcessInternalW
Unfortunately CreateProcessInternalW is undocumented. Thanks Microsoft.
DWORD WINAPI CreateProcessInternal(
__in DWORD unknown1, // always (?) NULL
__in_opt LPCTSTR lpApplicationName,
__inout_opt LPTSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCTSTR lpCurrentDirectory,
__in LPSTARTUPINFO lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation,
__in DWORD unknown2 // always (?) NULL
);
Above is what I found through a quick search.
While still in the function call I dumped the Application name.
This appears to be the executable. It is unpacked of course and I see section names as I scroll down.
After exiting CreateProcessW, the p.exe executable ran and finished!
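The harness the post describes, as an added example that is not the post's own code: a Python ctypes caller for CreateProcessW with the two structures the debugger session walks through (on x64, CreateProcessW receives lpApplicationName in RCX and lpCommandLine in RDX, which is why the executable path shows up in RDX). The helper names build_command_line, run_and_wait and struct_sizes, and the p.exe path you pass in, are assumptions.

```python
import ctypes
import sys
# Plain ctypes aliases so the structures also import on non-Windows analysis hosts.
DWORD, WORD, HANDLE, LPVOID, LPWSTR = (ctypes.c_uint32, ctypes.c_uint16,
                                       ctypes.c_void_p, ctypes.c_void_p, ctypes.c_wchar_p)
INFINITE = 0xFFFFFFFF

class STARTUPINFOW(ctypes.Structure):
    # Field order and types mirror the SDK STARTUPINFOW; cb must hold sizeof before the call.
    _fields_ = [("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR),
                ("lpTitle", LPWSTR), ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD),
                ("dwYSize", DWORD), ("dwXCountChars", DWORD), ("dwYCountChars", DWORD),
                ("dwFillAttribute", DWORD), ("dwFlags", DWORD), ("wShowWindow", WORD),
                ("cbReserved2", WORD), ("lpReserved2", LPVOID), ("hStdInput", HANDLE),
                ("hStdOutput", HANDLE), ("hStdError", HANDLE)]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def struct_sizes():
    """Sizes x64dbg will show for the two structs: (104, 24) on x64, (68, 16) on x86."""
    return ctypes.sizeof(STARTUPINFOW), ctypes.sizeof(PROCESS_INFORMATION)

def build_command_line(application, args=()):
    """lpCommandLine is __inout LPTSTR, so it must be a writable buffer, not a Python str.
    argv[0] is always quoted so a path with spaces cannot be split by the child's parser."""
    quoted = ['"%s"' % application] + ['"%s"' % a if " " in a else a for a in args]
    return ctypes.create_unicode_buffer(" ".join(quoted))

def run_and_wait(application, args=()):
    """Launch `application` via CreateProcessW, wait for it to exit, return (pid, exit code).
    Passing lpApplicationName explicitly means CreateProcessW never has to guess where the
    executable path ends inside lpCommandLine (the classic unquoted-path problem)."""
    if sys.platform != "win32":
        raise OSError("CreateProcessW only exists on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.WaitForSingleObject.argtypes = [HANDLE, DWORD]      # keep 64-bit HANDLEs intact
    k32.GetExitCodeProcess.argtypes = [HANDLE, ctypes.POINTER(DWORD)]
    k32.CloseHandle.argtypes = [HANDLE]
    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    cmdline = build_command_line(application, args)
    if not k32.CreateProcessW(application, cmdline, None, None, False, 0, None, None,
                              ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        k32.WaitForSingleObject(pi.hProcess, INFINITE)
        code = DWORD()
        k32.GetExitCodeProcess(pi.hProcess, ctypes.byref(code))
        return pi.dwProcessId, code.value
    finally:
        k32.CloseHandle(pi.hThread)    # close both handles or they leak in the parent
        k32.CloseHandle(pi.hProcess)
```

Calling run_and_wait(r"C:\Users\<you>\Desktop\p.exe") under x64dbg with a breakpoint on CreateProcessW reproduces the session above, with the dumped lpCommandLine buffer in RDX.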