show pids from PEPROCESS and PLIST_ENTRY

#31959 by WhoPMi
Fri Aug 10, 2018 4:25 am

Hello guys, today i'm here to ask you a simple question about listing all processes ids in wdd, the problem is that i can't obtain the currentPID of the currentProcess, showing just some rand values and then zeroes, so please I'm literally stucked in these lines of code and idk how to get out of it, if you could explain me what am i doing wrong.

Thank you

PEPROCESS currentProcess = PsGetCurrentProcess();
PLIST_ENTRY currentLink = (unsigned char *)currentProcess + ACTIVE_PROCESS_LINK_OFFS64;
HANDLE *currentPID;

do {
currentLink = currentLink->Flink;

currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
currentPID = ((HANDLE*)currentLink - 0x8);
i++;
KdPrint(("Current PID: %d", currentPID));

} while (currentProcess != PsGetCurrentProcess());

Username

WhoPMi

Posts

18

Joined

Thu Aug 09, 2018 2:14 pm

Re: show pids from PEPROCESS and PLIST_ENTRY

#31962 by EP_X0FF
Fri Aug 10, 2018 1:15 pm

WhoPMi wrote: ↑Fri Aug 10, 2018 4:25 am currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
currentPID = ((HANDLE*)currentLink - 0x8);
i++;
KdPrint(("Current PID: %d", currentPID));

Are you sure you understand what you do?

currentLink is LIST_ENTRY not EPROCESS object.
Your EPROCESS object is currentProcess

Your Id is currentPID = PsGetProcessId(currentProcess);

And PID is not HANDLE*, it is simple HANDLE.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: show pids from PEPROCESS and PLIST_ENTRY

#31963 by WhoPMi
Sat Aug 11, 2018 9:17 pm

I've already resolved ty

Username

WhoPMi

Posts

18

Joined

Thu Aug 09, 2018 2:14 pm