EPROCESS structure & acquiring Image Name

Topic created on: June 15, 2010 10:40 CDT by Genius .

Hi there,
There's a bunch of methods for acquiring a specific process's image name (like NtQuerySystemInformation, using the PEB, or EPROCESS).
I should implement all of them, using various methods for the specific task of just acquiring the current running process's image name.
I already implemented the first method (NtQuerySystemInformation), but the dark side I've encountered is EPROCESS.
The EPROCESS (and of course a pointer to it) has already been defined in ntifs.h (from the WDK/DDK), but the problem is where the image name of the process is.
The sectionObject, segment, controlData, fileObject and lastly filename.buffer don't exist for me (as IntelliSense told me).
I'm confused about how to acquire the image name using the EPROCESS structure.
Thank you.

  Piotr     June 15, 2010 11:05.17 CDT
The EPROCESS's filename (ImageFileName) address changes among different Windows versions - on XP-32 it is 0x174 bytes from the start of the EPROCESS structure, but for example on WIN7-32 it is located at a different offset - 0x16C.

The most obvious way to cover all of the Windows systems without trying multiple offsets would be to:

1) get the EPROCESS structure pointer for a system process (by using PsInitialSystemProcess or whatsoever)
2) scan it for the "System" text string.

The relative offset (of the found text string) will be your ImageFileName offset for this machine.

- piotr


---------------------------------------------
kd> dt _EPROCESS poi(PsInitialSystemProcess)
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x0
   +0x078 ExitTime         : _LARGE_INTEGER 0x0
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x00000004
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x82077638 - 0x8055a1d8 ]
   +0x090 QuotaUsage       : [3] 0
   +0x09c QuotaPeak        : [3] 0
   +0x0a8 CommitCharge     : 7
   +0x0ac PeakVirtualSize  : 0x2a1000
   +0x0b0 VirtualSize      : 0x1d9000
   +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x0bc DebugPort        : (null)
   +0x0c0 ExceptionPort    : (null)
   +0x0c4 ObjectTable      : 0xe1001c50 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : 0
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : 0
   +0x114 ForkInProgress   : (null)
   +0x118 HardwareTrigger  : 0
   +0x11c VadRoot          : 0x825c3220
   +0x120 VadHint          : 0x823b86c8
   +0x124 CloneRoot        : (null)
   +0x128 NumberOfPrivatePages : 3
   +0x12c NumberOfLockedPages : 0
   +0x130 Win32Process     : (null)
   +0x134 Job              : (null)
   +0x138 SectionObject    : (null)
   +0x13c SectionBaseAddress : (null)
   +0x140 QuotaBlock       : 0x8055a280 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : (null)
   +0x148 Win32WindowStation : (null)
   +0x14c InheritedFromUniqueProcessId : (null)
   +0x150 LdtInformation   : (null)
   +0x154 VadFreeHint      : (null)
   +0x158 VdmObjects       : (null)
   +0x15c DeviceMap        : 0xe1005440
   +0x160 PhysicalVadList  : _LIST_ENTRY [ 0x825c77c0 - 0x825c77c0 ]
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler           : 0
   +0x170 Session          : (null)
   +0x174 ImageFileName    : [16]  "System"  <-- your thing
----------------------------------------------------
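The scan Piotr describes, as an added example that is not code from the thread: written as user-mode C over constructed EPROCESS images rather than as a driver, it fingerprints the ImageFileName offset from the System process and then applies that offset to a second process, which is also how memory-forensics tooling copes with per-build structure layouts. The 0x280-byte images and the planted names are constructed; requiring a NUL-terminated, 4-byte-aligned match is an assumption added here to cut false positives.

```c
#include <string.h>

#define NAME_LEN 16              /* UCHAR ImageFileName[16] in 32-bit EPROCESS */
#define FAKE_EPROCESS_SIZE 0x280 /* constructed image size, not a real sizeof */

/* Scan the System process's EPROCESS image for "System". The field is a
 * 16-byte UCHAR array, so insist on a NUL-terminated, 4-byte-aligned match
 * rather than a bare substring. Returns the byte offset, or -1 if absent. */
long find_image_file_name_offset(const unsigned char *ep, size_t len)
{
    static const char probe[] = "System";            /* 6 chars + NUL */
    for (size_t off = 0; off + NAME_LEN <= len; off += 4)
        if (memcmp(ep + off, probe, sizeof probe) == 0)
            return (long)off;
    return -1;
}

/* Copy ImageFileName out of another EPROCESS image at the recovered offset.
 * The field is not guaranteed NUL-terminated: copy at most 16 bytes and
 * terminate explicitly. out must hold NAME_LEN + 1 bytes. */
int read_image_file_name(const unsigned char *ep, size_t len, long off, char *out)
{
    if (off < 0 || (size_t)off + NAME_LEN > len)
        return -1;
    memcpy(out, ep + off, NAME_LEN);
    out[NAME_LEN] = '\0';
    return 0;
}

/* Constructed stand-in for a captured EPROCESS: zero-filled with the name
 * planted at planted_off, truncated to 15 bytes like the kernel does. */
static int build_fake_eprocess(unsigned char *ep, size_t planted_off, const char *name)
{
    if (planted_off + NAME_LEN > FAKE_EPROCESS_SIZE)
        return -1;
    memset(ep, 0, FAKE_EPROCESS_SIZE);
    strncpy((char *)ep + planted_off, name, NAME_LEN - 1);
    return 0;
}

/* Fingerprint the layout from a "System" image, then read target_name back
 * from a second image with the same layout. Returns the offset or -1. */
long demo(size_t planted_off, const char *target_name, char *out_name)
{
    unsigned char sys_ep[FAKE_EPROCESS_SIZE], tgt_ep[FAKE_EPROCESS_SIZE];
    if (build_fake_eprocess(sys_ep, planted_off, "System") != 0 ||
        build_fake_eprocess(tgt_ep, planted_off, target_name) != 0)
        return -1;
    long off = find_image_file_name_offset(sys_ep, sizeof sys_ep);
    return read_image_file_name(tgt_ep, sizeof tgt_ep, off, out_name) == 0 ? off : -1;
}
```

Passing 0x174 and 0x16C as planted_off reproduces the XP-32 and Win7-32 cases from the post; the same fingerprinting step is what removes the need to hard-code either number.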

  Genius     June 15, 2010 18:10.23 CDT
Hi Piotr.
Thanks, the method you mentioned is good, but I don't think it's a very reliable way.
By the way, as you might already know, there are other methods you could use to get the process image path; it's not only dependent on the 16 bit ImageFileName.
Look at this full structure, which I obtained from ntifs.h:


typedef struct _EPROCESS {
    KPROCESS                        Pcb; // +0x000
    EX_PUSH_LOCK                    ProcessLock; // +0x06c
    LARGE_INTEGER                   CreateTime; // +0x070
    LARGE_INTEGER                   ExitTime; // +0x078
    EX_RUNDOWN_REF                  RundownProtect; // +0x080
    ULONG                           UniqueProcessId; // +0x084
    LIST_ENTRY                      ActiveProcessLinks; // +0x088
    ULONG                           QuotaUsage[3]; // +0x090
    ULONG                           QuotaPeak[3]; // +0x09c
    ULONG                           CommitCharge; // +0x0a8
    ULONG                           PeakVirtualSize; // +0x0ac
    ULONG                           VirtualSize; // +0x0b0
    LIST_ENTRY                      SessionProcessLinks; // +0x0b4
    PVOID                           DebugPort; // +0x0bc
    PVOID                           ExceptionPort; // +0x0c0
    PHANDLE_TABLE                   ObjectTable; // +0x0c4
    EX_FAST_REF                     Token; // +0x0c8
    ULONG                           WorkingSetPage; // +0x0cc
    KGUARDED_MUTEX                  AddressCreationLock; // +0x0d0
    ULONG                           HyperSpaceLock; // +0x0f0
    PETHREAD                        ForkInProgress; // +0x0f4
    ULONG                           HardwareTrigger; // +0x0f8
    PMM_AVL_TABLE                   PhysicalVadRoot; // +0x0fc
    PVOID                           CloneRoot; // +0x100
    ULONG                           NumberOfPrivatePages; // +0x104
    ULONG                           NumberOfLockedPages; // +0x108
    PVOID                           Win32Process; // +0x10c
    PEJOB                           Job; // +0x110
    PVOID                           SectionObject; // +0x114
    PVOID                           SectionBaseAddress; // +0x118
    PEPROCESS_QUOTA_BLOCK           QuotaBlock; // +0x11c
    PPAGEFAULT_HISTORY              WorkingSetWatch; // +0x120
    PVOID                           Win32WindowStation; // +0x124
    ULONG                           InheritedFromUniqueProcessId; // +0x128
    PVOID                           LdtInformation; // +0x12c
    PVOID                           VadFreeHint; // +0x130
    PVOID                           VdmObjects; // +0x134
    PVOID                           DeviceMap; // +0x138
    PVOID                           Spare0[3]; // +0x13c
    union {
        HARDWARE_PTE                PageDirectoryPte; // +0x148
        UINT64                      Filler; // +0x148
    };
    PVOID                           Session; // +0x150
    UCHAR                           ImageFileName[16]; // +0x154
    LIST_ENTRY                      JobLinks; // +0x164
    PVOID                           LockedPagesList; // +0x16c
    LIST_ENTRY                      ThreadListHead; // +0x170
    PVOID                           SecurityPort; // +0x178
    PVOID                           PaeTop; // +0x17c
    ULONG                           ActiveThreads; // +0x180
    ULONG                           GrantedAccess; // +0x184
    ULONG                           DefaultHardErrorProcessing; // +0x188
    SHORT                           LastThreadExitStatus; // +0x18c
    PPEB                            Peb; // +0x190
    EX_FAST_REF                     PrefetchTrace; // +0x194
    LARGE_INTEGER                   ReadOperationCount; // +0x198
    LARGE_INTEGER                   WriteOperationCount; // +0x1a0
    LARGE_INTEGER                   OtherOperationCount; // +0x1a8
    LARGE_INTEGER                   ReadTransferCount; // +0x1b0
    LARGE_INTEGER                   WriteTransferCount; // +0x1b8
    LARGE_INTEGER                   OtherTransferCount; // +0x1c0
    ULONG                           CommitChargeLimit; // +0x1c8
    ULONG                           CommitChargePeak; // +0x1cc
    PVOID                           AweInfo; // +0x1d0
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo; // +0x1d4
    MMSUPPORT                       Vm; // +0x1d8
    LIST_ENTRY                      MmProcessLinks; // +0x238
    ULONG                           ModifiedPageCount; // +0x240
    ULONG                           JobStatus; // +0x244
    union {
        ULONG                       Flags; // 0x248
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   Wow64VaSpace4Gb             : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   VmTopDown                   : 1;
            ULONG                   ImageNotifyDone             : 1;
            ULONG                   PdeUpdateNeeded             : 1;
            ULONG                   VdmAllowed                  : 1;
            ULONG                   Unused                      : 7;
        };
    };
    NTSTATUS                        ExitStatus; // +0x24c
    USHORT                          NextPageColor; // +0x250
    union {
        struct {
            UCHAR                   SubSystemMinorVersion; // +0x252
            UCHAR                   SubSystemMajorVersion; // +0x253
        };
        USHORT                      SubSystemVersion; // +0x252
    };
    UCHAR                           PriorityClass; // +0x254
    MM_AVL_TABLE                    VadRoot; // +0x258
} EPROCESS, *PEPROCESS; // 0x278 in total


There's a member in the EPROCESS structure named SectionObject; if you can access it, you would see Segment, and if you walk through this member you can finally reach a sub-member named "filename" which contains a buffer that holds the process name.
I mean something like this code:

NTSTATUS                 NtStatus;
PEPROCESS                Process      = NULL;
PSECTION_OBJECT          psSection;
PFILE_OBJECT             flObj;
POBJECT_NAME_INFORMATION processName  = NULL;
ULONG                    returnLength = 0;

NtStatus = PsLookupProcessByProcessId((HANDLE)5600, &Process); // the original cast to the misspelled PEEPROCESS*
if (!NT_SUCCESS(NtStatus)) return 0;
// Hard-coded offset; the PUCHAR cast makes 0x110 a byte offset rather than 0x110 EPROCESS-sized steps
psSection = *(PSECTION_OBJECT*)((PUCHAR)Process + 0x110);
if (MmIsAddressValid(psSection))
{
   if (MmIsAddressValid(psSection->Segment))
   {
      if (MmIsAddressValid(((PSEGMENT)psSection->Segment)->ControlArea))
      {
         // On XP FilePointer is a plain PFILE_OBJECT; on newer kernels it is an EX_FAST_REF whose low bits must be masked off first
         flObj = ((PSEGMENT)psSection->Segment)->ControlArea->FilePointer;
         if (!MmIsAddressValid(flObj))
            goto done;
         // First call with a zero-length buffer only asks for the required size
         NtStatus = ObQueryNameString(flObj, NULL, 0, &returnLength);
         if (NtStatus != STATUS_INFO_LENGTH_MISMATCH)
            goto done;
         processName = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, returnLength, 'blah');
         if (!processName)
            goto done;
         NtStatus = ObQueryNameString(flObj, processName, returnLength, &returnLength);
         // On success processName->Name holds the image path; free it with ExFreePoolWithTag when finished
      }
   }
}
done:
ObDereferenceObject(Process); // PsLookupProcessByProcessId took a reference that must be released

This is actually what I did and what I was looking for.
I have already implemented this technique, but it isn't working as well (regardless of the right idea and implementation aspects).
Anyway, that's it.
(Where 5600 is our PID, but in this case I don't know whether it's right or not!)

regards,

__Genius__
