[WhoPMi]

Hello guys, today, i'm trying to create a simple driver that lists all processes using the plist_entry structure (blink,flink).
Now, i understand that if i want to exploit it i gotta access in this structure from the PEPROCESS structure, so that's what i tried to do:

PLIST_ENTRY currentLink;


ULONG thisProcessAddr;

thisProcess = PsGetCurrentProcess();// system process, pid 4

thisProcessAddr = (ULONG)thisProcess; //getting base addr of the PEPROCESS

currentLink = ((PLIST_ENTRY)thisProcessAddr + ACTIVE_PROCESS_LINK_OFFS64); //win 10 x64 offset ACTIVE_PROCESS_LINK_OFFS64

[Vrtule]

Hello,

1) never assign a pointer into an ULONG variable since ULONGs are (on x64) 32-bit, pointers 64-bit, so you loose half of the address. Use ULONG_PTR (or SIZE_T) instead,

2) read about how pointer arithmetic works. For a pointer A pointing to type B and offset x

Code: Select all

a + x = (ULONG_PTR)a + x*sizeof(B);

3) The linked list of running processes has a head (i.e. an extra entry that is not a process). You may detect it by checking whether it is within ntoskrnl boundaries. Since process objects (EPROCESS structures) are allocated from heap (nonpaged pool), they do not belong to memory of any kernel driver.

4) Keep in mind that the list may change "under your hands" any time. To resolve this issue, you need to find and use a lock primitive used by the system to synchronize access to the list. Well, this probably is not a trivial task.

Anyway, here is (I hope) your corrected code.

Code: Select all

PEPROCESS currentProcess = PsGetCurrentProcess();
PLIST_ENTRY currentLink = (unsigned char *)currentProcess + ACTIVE_PROCESS_LINK_OFFS64;

do {
   // Do something with the process
   . . .
   // Go to the next process
   currentLinkst = currentLink->Flink;
   currentProcess = (PEPROCESS)((unsigned char *)currentLinkst - ACTIVE_PROCESS_LINK_OFFS64);
} while (currentProcess != PsGetCurrentProcess());

[WhoPMi]

Thank you, rly.. :)