A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #5395  by R00tKit
 Thu Mar 10, 2011 8:37 am
hi
sorry for too many questions; after hours of searching in Google I can't find how to find the PID from the handle in ZwTerminateProcess?

I hook ZwTerminateProcess; in the fake function I use the following code to find which process is getting terminated, and according to the PID take the right action:
Code:
NTSTATUS fakeZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    PEPROCESS eProcess = NULL;
    ULONG id;

    DbgPrint("zwterminateprocess");

    // Bug discussed later in the thread: eProcess is passed by value, so
    // ObReferenceObjectByHandle writes through an uninitialized pointer;
    // it needs &eProcess. The status is also never checked.
    ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, KernelMode, (PVOID*)eProcess, 0);
    id = (ULONG)(ULONG_PTR)PsGetProcessId(eProcess);
    ObDereferenceObject(eProcess);
    DbgPrint("process PID is %u", id);
.......
    return STATUS_ACCESS_DENIED;
}

The result is a BSOD with 0xC0000005: STATUS_ACCESS_VIOLATION, which indicates that a memory access violation occurred.
Can ObReferenceObjectByHandle be used with a kernel object?
 #5400  by Alex
 Thu Mar 10, 2011 10:49 am
Code:
NTSTATUS fakeZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    NTSTATUS NtStatus;
    PEPROCESS Process = NULL;
    ULONG id;

    DbgPrint("zwterminateprocess");

    __asm int 3; // break point

    // Note: this still passes the pointer by value; the corrected call with
    // &Process is given further down in the thread.
    NtStatus = ObReferenceObjectByHandle(
        ProcessHandle,
        0,
        *PsProcessType,
        KernelMode,
        (PVOID*)Process,
        0);

    if (NT_SUCCESS(NtStatus))
    {
        id = (ULONG)(ULONG_PTR)PsGetProcessId(Process);
        ObDereferenceObject(Process);
        DbgPrint("process PID is %u", id);
    }
    return STATUS_ACCESS_DENIED;
}
Your code should look like this one. If you create a remote debugging environment (Driver Debugging with WinDbg and VMWare) it should help you understand where the mistake that causes the BSoDs is.
 #5414  by R00tKit
 Thu Mar 10, 2011 6:54 pm
Thanks, Mr Alex.

I debugged it with WinDbg:
Access violation - code c0000005 (!!! second chance !!!)
nt!ObReferenceObjectByHandle+0x1a:
805af5aa 891f mov dword ptr [edi],ebx
http://www.nynaeve.net/?p=210 shows many problems with ObReferenceObjectByHandle.

An access violation with ObReferenceObjectByHandle is mostly the programmer's problem (as a result of Google).

What do I do? Please help.
 #5415  by Alex
 Thu Mar 10, 2011 7:13 pm
Code:
NTSTATUS
  ObReferenceObjectByHandle(
    IN HANDLE  Handle,
    IN ACCESS_MASK  DesiredAccess,
    IN POBJECT_TYPE  ObjectType  OPTIONAL,
    IN KPROCESSOR_MODE  AccessMode,
    OUT PVOID  *Object,
    OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL
    );
Code:
NtStatus = ObReferenceObjectByHandle(
        ProcessHandle,
        0,
        *PsProcessType,
        KernelMode, 
        (PVOID*)&Process,
        NULL);
It was my fault :oops:
 #28158  by segark
 Thu Mar 31, 2016 4:00 am
Hi,
first of all, this was helpful.

Secondly, I have a question to add on to this...
I am hooking ZwCreateThreadEx and am looking to find out whether the call is coming from CreateThread or CreateRemoteThread.
I was using ObReferenceObjectByHandle to retrieve the process from the handle with no success until I came across this post.

1. Could someone explain the parameters in
NtStatus = ObReferenceObjectByHandle(
        ProcessHandle,
        0,
        *PsProcessType,
        KernelMode,
        (PVOID*)&Process,
        NULL);
Why is the ACCESS_MASK 0?
Also, why KernelMode as the AccessMode? The MSDN documentation of the function states: "Drivers should always specify UserMode for handles they receive from user address space."

2. When a handle is passed from a UM application, let's say through NtCreateSection, one of the parameters is the Handle parameter. Clearly in UM the handle is local to the process and is something like 0x00000004. After some time looking at the handles I received upon hooking this function, I saw they are masked with 0x80000000. Does this mean the handles are converted to KM handles upon entering KM?
 #28172  by EP_X0FF
 Fri Apr 01, 2016 2:05 am
The OP hooked the ZwTerminateProcess stub in kernel mode, not NtTerminateProcess from the table. In this example the desired access is "any", and it is used by Alex to get the EPROCESS pointer from the handle.
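As an added example (not code from the thread or from any of the posters), the following user-mode C models the handle classification that ObReferenceObjectByHandle performs before it looks anything up, after the KERNEL_HANDLE_MASK / IsKernelHandle logic in the WRK and ReactOS object manager sources. It illustrates the two questions in the last post: handles are not converted on entry to the kernel; values with bit 31 set (sign-extended on x64) are kernel handles that were created in the kernel handle table with OBJ_KERNEL_HANDLE. The hooked Zw stub is reached by kernel-mode callers, who may legitimately hold such handles, so KernelMode resolves them in the kernel table; the same value passed with UserMode is not a kernel handle and the lookup fails. That is why a driver must pass UserMode (or ExGetPreviousMode()) for handles it receives from user space: with KernelMode, a user-controlled 0x80000004 would be resolved against the kernel handle table. The names ClassifyHandle, HandleIndex, FromValue32, Name and the HANDLE_CLASS enum are chosen for this example; the macro names follow the WRK/ReactOS sources, and the sample handle values are constructed.

```c
/* Added example, not from the thread: a user-mode model of the handle
 * classification ObReferenceObjectByHandle performs, after the
 * KERNEL_HANDLE_MASK / IsKernelHandle logic in the WRK and ReactOS sources.
 * Builds with any C99 compiler; no WDK needed. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef void *HANDLE;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Pseudo-handles: valid in either mode and never looked up in a table. */
#define NtCurrentProcess() ((HANDLE)(intptr_t)-1)
#define NtCurrentThread()  ((HANDLE)(intptr_t)-2)

/* Kernel handles (created with OBJ_KERNEL_HANDLE) carry bit 31, which is
 * sign-extended to 0xFFFFFFFF80000000 on x64. */
#define KERNEL_HANDLE_MASK ((uintptr_t)(intptr_t)INT32_MIN)
/* The low two bits of a handle value are attribute tag bits (protect-from-
 * close, inherit), not part of the handle-table index. */
#define OBJ_HANDLE_TAGBITS ((uintptr_t)3)

typedef enum {
    HANDLE_PSEUDO_PROCESS,  /* NtCurrentProcess(): no table lookup */
    HANDLE_PSEUDO_THREAD,   /* NtCurrentThread():  no table lookup */
    HANDLE_KERNEL_TABLE,    /* decoded and resolved in ObpKernelHandleTable */
    HANDLE_PROCESS_TABLE,   /* resolved in the caller's process handle table */
    HANDLE_INVALID          /* kernel bit set but AccessMode != KernelMode */
} HANDLE_CLASS;

/* Turn a 32-bit handle value as seen in a 32-bit debugger (0x80000004) into
 * the sign-extended native value the kernel sees on x64. */
static HANDLE FromValue32(uint32_t v)
{
    return (HANDLE)(intptr_t)(int32_t)v;
}

/* Mirrors the WRK IsKernelHandle(H, M) macro: the kernel bit only counts
 * when the caller asserts KernelMode. */
static bool IsKernelHandle(HANDLE h, KPROCESSOR_MODE mode)
{
    return ((uintptr_t)h & KERNEL_HANDLE_MASK) == KERNEL_HANDLE_MASK
        && mode == KernelMode
        && h != NtCurrentProcess()
        && h != NtCurrentThread();
}

/* Decide which table (if any) the object manager would consult. */
HANDLE_CLASS ClassifyHandle(HANDLE h, KPROCESSOR_MODE mode)
{
    if (h == NtCurrentProcess()) return HANDLE_PSEUDO_PROCESS;
    if (h == NtCurrentThread())  return HANDLE_PSEUDO_THREAD;
    if (IsKernelHandle(h, mode)) return HANDLE_KERNEL_TABLE;
    /* With UserMode the raw 0x80000004 is taken as a process-table index far
     * beyond the table, so the real lookup fails with STATUS_INVALID_HANDLE. */
    if (((uintptr_t)h & KERNEL_HANDLE_MASK) == KERNEL_HANDLE_MASK) return HANDLE_INVALID;
    return HANDLE_PROCESS_TABLE;
}

/* Handle-table index: strip the kernel bit (DecodeKernelHandle) and the tag
 * bits, then divide by 4. Returns 0 for pseudo and invalid handles. */
uint32_t HandleIndex(HANDLE h, KPROCESSOR_MODE mode)
{
    uintptr_t v = (uintptr_t)h;
    switch (ClassifyHandle(h, mode)) {
    case HANDLE_KERNEL_TABLE:
        v &= ~KERNEL_HANDLE_MASK;
        /* fall through */
    case HANDLE_PROCESS_TABLE:
        return (uint32_t)((v & ~OBJ_HANDLE_TAGBITS) >> 2);
    default:
        return 0;
    }
}

static const char *Name(HANDLE_CLASS c)
{
    static const char *names[] = { "pseudo-process", "pseudo-thread",
                                   "kernel table", "process table", "invalid" };
    return names[c];
}

int main(void)
{
    /* Constructed inputs: an ordinary user handle, the same slot as a kernel
     * handle from a kernel and from a user caller, and NtCurrentProcess(). */
    struct { uint32_t value; KPROCESSOR_MODE mode; } cases[] = {
        { 0x00000004u, UserMode },
        { 0x80000004u, KernelMode },
        { 0x80000004u, UserMode },
        { 0xFFFFFFFFu, UserMode },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        HANDLE h = FromValue32(cases[i].value);
        printf("0x%08x %-10s -> %s, index %u\n", (unsigned)cases[i].value,
               cases[i].mode == KernelMode ? "KernelMode" : "UserMode",
               Name(ClassifyHandle(h, cases[i].mode)),
               (unsigned)HandleIndex(h, cases[i].mode));
    }
    return 0;
}
```

The KernelMode row is the situation in this thread: the hooked stub is called by kernel code, so a kernel handle must be accepted. A driver that takes a handle from an IOCTL or a user-mode caller is in the UserMode row, and passing KernelMode there would let the caller name any slot in the kernel handle table.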