[Stylo]

Hi

I've built a driver to get the address for the PEB for a specific process and i know (in XP) that the address should look something like 7ffdf000.
when i use inline assembly in user mode: mov eax,fs:[0x30] it works good but when i get it from kernel mode i get kernel space address (above 0x80000000)
so my question is, does the peb address pointed by the PEB field at EPROCESS Structure store the address (in user mode) for the current process? or it has a different value as i got it?
because i want to get the PEB from the EPROCESS but the address doesn't make any sense.

[Vrtule]

Hello,

look at NtQueryInformationProcess with ProcessBasicInformation. This part of the routine reutrns address of the PEB in PebBaseAddress field of the PROCESS_BASIC_INFORMATION structure. It seems that the field is filled from the Peb member of the EPROCESS structure (at Windows XP/2k3 at least).

Maybe, you have an error in your code. Can you show the snipped here?

[Alex]

Or try to use PsGetProcessPeb(IN PEPROCESS Process).

[Stylo]

Right after i get a pointer to the EPROCESS i needed the code looks like

Code: Select all

EPROCESS eProcess;
INT iProcess;

eProcess = FindEPROCESSByProcessId(dwProcessId);
iProcess = (INT)eProcess; // since (eProcess + offset) doesn't work i need an actual type that can be calculated with an offset.

DbgPrint("PEB Address: %X", *(INT*)(iProcess + 0x190)); // 0x190 is the PEB field offset which should contain the PEB Address

but when i run dbgview the address i get is something at kernel space

[Alex]

Code: Select all

PROCESS 85dd2da0  SessionId: 0  Cid: 05a0    Peb: 7ffdf000  ParentCid: 00cc
    DirBase: 0c680320  ObjectTable: e2921270  HandleCount:  31.
    Image: livekd.exe

PROCESS 85e6bda0  SessionId: 0  Cid: 0520    Peb: 7ffdd000  ParentCid: 05a0
    DirBase: 0c680300  ObjectTable: e2b9dcd0  HandleCount: 168.
    Image: kd.exe

kd> .process /p 85dd2da0
Implicit process is now 85dd2da0
kd> dt nt!_EPROCESS Peb
   +0x1b0 Peb : Ptr32 _PEB
kd> dt nt!_EPROCESS Peb 85dd2da0
   +0x1b0 Peb : 0x7ffdf000 _PEB

Are you sure that used offset is correct? And why not use documented/exported APIs instead of offsets?

[EP_X0FF]

when i use inline assembly in user mode: mov eax,fs:[0x30] it works good but when i get it from kernel mode i get kernel space address (above 0x80000000)

Because in kernel mode in legacy mode (x86) fs register points to current processor control region (KPCR). Everything else is your buggy code.

Code: Select all

PEPROCESS Process;
PPEB peb1 = *(PPEB *)((PBYTE)Process + PEBoffset);

Of course you need to switch context to be able read something from it.

[R00tKit]

in one tip :
Indeed FS register is different for the UM and KM - in the UM it points to TEB ( and inside it we have PEB in 0x30), and in the kernel mode it points to Processor Control Block. first member of pcr is _NT_TIB and this filed differ from TEB
regard

[Stylo]

I tried the *(PPEB*) casting but the ddk doesn't recognize the PEB structure
what header file should i use?
i already included nttdk and wdm

[EP_X0FF]

Its just a pointer.
http://msdn.microsoft.com/ru-ru/library ... s.85).aspx

[Stylo]

I know it's a pointer but the ddk doesn't recognize the PEB structure (even if i try _PEB)