Reversing ExitProcess()

Apparently, in the midst of redesigning my blog the other day, I wiped out the post I had on reversing ExitProcess() inside the Windows kernel32.dll.

I wondered why I was seeing 2 calls to the NtTerminateProcess system call for every 1 call to ExitProcess() in userspace code.

This is why:

; When a Windows app calls ExitProcess(), ExitProcess()
; will actually make 2 calls to NtTerminateProcess. The first one
; passes a handle of 0, and the last call passes a handle of -1 (0xffffffff).
; We will ignore the call if handle == 0, and only continue if the handle is -1
; or greater than 0.
;
; You can see this behavior in the following snippet of code
; disassembled from ExitProcess():

.text:77E66877 xor ebx, ebx ; <-- sets ebx to 0
.text:77E66879 cmp byte_77ECB008, bl
.text:77E6687F jnz short loc_77E668CC
.text:77E66881 call ds:RtlAcquirePebLock
.text:77E66887 mov [ebp-4], ebx
.text:77E6688A mov edi, [ebp+8] ; <-- exit code
.text:77E6688D push edi
.text:77E6688E push ebx ; <-- first call passes
.text:77E6688E ; 0 for the handle
.text:77E6688F mov esi, ds:__imp_NtTerminateProcess
.text:77E66895 call esi ; __imp_NtTerminateProcess
.text:77E66897 mov
.text:77E6689D call ds:LdrShutdownProcess
.text:77E668A3 mov [ebp-0ACh], edi
.text:77E668A9 push 4
.text:77E668AB push 10003h
.text:77E668B0 push ebx
.text:77E668B1 lea eax, [ebp-0D4h]
.text:77E668B7 push eax
.text:77E668B8 call ds:CsrClientCallServer
.text:77E668BE push edi ; <-- exit code
.text:77E668BF push 0FFFFFFFFh ; <-- handle = -1
.text:77E668C1 call esi ; __imp_NtTerminateProcess
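The rule in the comment block above (ignore the handle-0 call, count the -1 call) is what a syscall tracer needs so that one ExitProcess() is logged as one termination rather than two. The following C program is an added example, not code from the original post: it models a constructed NtTerminateProcess trace with a struct of my own naming and applies that rule. It also uses the fact visible in the listing that both calls push the same exit code (edi), so a -1 call that is not preceded by a handle-0 call with the same exit code did not arrive via the ExitProcess() sequence shown and is flagged separately. The constant and type names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NT_CURRENT_PROCESS 0xffffffffu   /* the -1 pseudo handle pushed by the second call */

/* One observed NtTerminateProcess call, as a syscall tracer would record it.
 * Field names are this example's own, not Windows' (constructed). */
typedef struct {
    uint32_t process_handle;   /* ProcessHandle argument */
    uint32_t exit_status;      /* ExitStatus argument */
} terminate_call_t;

/* Classification of a single observed call. */
typedef enum {
    TERM_IGNORE,        /* handle 0: first half of ExitProcess(), not the termination itself */
    TERM_EXITPROCESS,   /* handle -1 preceded by a handle-0 call carrying the same exit code */
    TERM_OTHER          /* any other non-zero handle, or a -1 call with no matching prologue */
} term_kind_t;

/* Apply the rule from the post: a handle of 0 is ignored; -1 or any positive
 * handle is a real termination.  The previous call is consulted only to tell
 * the ExitProcess() pattern apart from a bare NtTerminateProcess(-1, ...). */
term_kind_t classify_call(const terminate_call_t *prev, const terminate_call_t *cur)
{
    if (cur->process_handle == 0)
        return TERM_IGNORE;
    if (cur->process_handle == NT_CURRENT_PROCESS && prev != NULL &&
        prev->process_handle == 0 && prev->exit_status == cur->exit_status)
        return TERM_EXITPROCESS;
    return TERM_OTHER;
}

/* Walk a trace and count the real termination events (everything except the
 * handle-0 calls).  Optionally reports how many matched the ExitProcess()
 * pattern and the exit code of the last real termination. */
size_t count_terminations(const terminate_call_t *trace, size_t n,
                          size_t *via_exitprocess, uint32_t *last_exit_status)
{
    size_t real = 0, matched = 0;
    for (size_t i = 0; i < n; i++) {
        const terminate_call_t *prev = (i > 0) ? &trace[i - 1] : NULL;
        term_kind_t k = classify_call(prev, &trace[i]);
        if (k == TERM_IGNORE)
            continue;
        real++;
        if (k == TERM_EXITPROCESS)
            matched++;
        if (last_exit_status)
            *last_exit_status = trace[i].exit_status;
    }
    if (via_exitprocess)
        *via_exitprocess = matched;
    return real;
}

/* Constructed trace: one ExitProcess(3) (the two calls from the listing), then a
 * bare NtTerminateProcess(-1, 7) that did not go through the ExitProcess() path. */
static const terminate_call_t sample_trace[] = {
    { 0x00000000u, 3 },
    { 0xffffffffu, 3 },
    { 0xffffffffu, 7 },
};
static const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

/* Small accessors over the constructed trace so results can be checked by name. */
size_t sample_real_terminations(void)
{
    return count_terminations(sample_trace, sample_trace_len, NULL, NULL);
}

size_t sample_via_exitprocess(void)
{
    size_t matched = 0;
    count_terminations(sample_trace, sample_trace_len, &matched, NULL);
    return matched;
}

uint32_t sample_last_exit_status(void)
{
    uint32_t last = 0;
    count_terminations(sample_trace, sample_trace_len, NULL, &last);
    return last;
}

int main(void)
{
    printf("%zu NtTerminateProcess calls, %zu real terminations, %zu via ExitProcess(), last exit code %u\n",
           sample_trace_len, sample_real_terminations(), sample_via_exitprocess(),
           sample_last_exit_status());
    return 0;
}
```

Running it on the constructed trace reports 3 raw calls but 2 real terminations, of which 1 followed the ExitProcess() pattern; the handle-0 call is dropped exactly as the comment block above describes.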

(c) Copyleft 1999-2008, Anthony Lineberry > dtors.org