ZwOpenProcess handle argument

  • Question

  • Hello,

    I am developing a driver which monitors the function ZwOpenProcess. For any calls to it, I manage to recover the handle to the process given as an argument to this function. I would like to be able to identify the targeted process with this handle (i.e. get an EPROCESS structure or at least a process ID).

    Could you tell me how to do that?

    (I have tried to use the ObReferenceObjectByHandle function but it gives me a STATUS_INVALID_HANDLE result.)


    Best regards,

    Max H.

    Friday, May 17, 2013 12:12 PM

All replies

  • How are you doing this? When you say monitor ZwOpenProcess, are you using ObRegisterCallbacks or are you hooking? If you are using ObRegisterCallbacks, the post operation gives you the process. If you are hooking, stop doing it; you can't make this work reliably, or work at all on a 64-bit OS.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Friday, May 17, 2013 12:16 PM
  • I am currently hooking. I understand it is not completely reliable, but I would like to know if there is a way to get the pid nevertheless. Is there a way?

    Why is hooking not possible on 64-bit OSes?

    Friday, May 17, 2013 12:43 PM
  • Hooking is totally unreliable, and in fact Microsoft specifically blocks hooking on 64-bit OSes. If you go to http://www.osronline.com/ and look at the NTDEV archives you will see many discussions of all the problems with hooking. I won't try to summarize them here, because writing it all down would take hours. As someone who used hooking before the dangers were recognized, I can say never do it again.

    If you use ObRegisterCallbacks, you will get the pointer to the PEPROCESS structure; then calling PsGetProcessId with that pointer will give you the pid.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Friday, May 17, 2013 1:03 PM
  • Thank you for your answers. I will stop hooking.

    What I am trying to do in the end is to protect a specific process from code injection. I would like, from my driver, to be able to prevent any unwanted DLL from being injected into this process (to make sure its IAT is not corrupted, for instance).

    Could you give me some ideas on how to do it?

    Best regards,

    Max H.

    Sunday, May 19, 2013 9:49 PM
  • The simplest method is to simply not allow any process to open your process. You can get more sophisticated by using the flags such as PROCESS_VM_OPERATIONS and PROCESS_VM_WRITE and only block the open if one of those is set.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Sunday, May 19, 2013 10:03 PM
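The more selective variant Don describes (leave the open alone, but drop the rights that allow writing into or starting code in the protected process), as an added example that is not code from this thread. The filter is plain C so it can be unit-tested in user mode; the ObRegisterCallbacks wiring is compiled only in a WDK kernel-mode build. The protected PID (1234) and the altitude string are assumed placeholders.

```c
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else                          /* user-mode build: only the filter below is compiled */
#include <stdint.h>
typedef uint32_t ACCESS_MASK;  /* same width as the Windows ULONG-based ACCESS_MASK */
#endif
/* Documented PROCESS_* access-right values from the Windows SDK headers. */
#define INJECT_RIGHTS (0x0002u /* PROCESS_CREATE_THREAD */ | \
                       0x0008u /* PROCESS_VM_OPERATION */ | \
                       0x0020u /* PROCESS_VM_WRITE */)
/* Access the opener actually receives: opens of the protected process by any
 * other process lose the rights needed to write or start code in it. Everything
 * else (query, terminate, ...) is left alone so normal tooling keeps working. */
ACCESS_MASK FilterDesiredAccess(ACCESS_MASK desired, int targetIsProtected, int openerIsTarget)
{
    if (!targetIsProtected || openerIsTarget)
        return desired;
    return desired & ~(ACCESS_MASK)INJECT_RIGHTS;
}
#ifdef _KERNEL_MODE
static HANDLE g_ProtectedPid = (HANDLE)1234; /* assumed; a real driver sets it via IOCTL */
static PVOID  g_CbHandle;
static OB_PREOP_CALLBACK_STATUS PreOpenProcess(PVOID Ctx, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(Ctx);
    if (Info->ObjectType != *PsProcessType || Info->KernelHandle)
        return OB_PREOP_SUCCESS;             /* kernel-mode handles are not filtered */
    int isTarget = PsGetProcessId((PEPROCESS)Info->Object) == g_ProtectedPid;
    int isSelf   = PsGetCurrentProcessId() == g_ProtectedPid; /* runs on the opening thread */
    PACCESS_MASK access = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *access = FilterDesiredAccess(*access, isTarget, isSelf);
    return OB_PREOP_SUCCESS;                 /* open succeeds, with reduced rights */
}
NTSTATUS RegisterProcessFilter(void)         /* call from DriverEntry; link with /INTEGRITYCHECK */
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = PreOpenProcess;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000"); /* assumed altitude */
    return ObRegisterCallbacks(&reg, &g_CbHandle);  /* ObUnRegisterCallbacks(g_CbHandle) on unload */
}
#endif
```

Duplicate operations are filtered too, since a handle with full rights could otherwise be obtained by duplicating one from a process that was allowed to keep them.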
  • Do you know any simple code example on how to use ObRegisterCallbacks, available on the web? I've checked MSDN but it does not make it obvious to me, and all the source code I have looked at is rather long and not so simple for a first try.

    Thank you for all your help,

    Best regards,

    Max H.

    Sunday, May 19, 2013 11:25 PM
  • I managed to make it work. I have one last question:

    Is there a way to get some information in the PreOperationCallback about the process which is trying to use OpenProcess?

    Wednesday, May 22, 2013 2:41 PM
  • Unfortunately, the call is specified as being in an arbitrary thread context, so you can't do much. Perhaps someone from Microsoft can suggest a way.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, May 22, 2013 2:47 PM