Get PEPROCESS by PID!

By the way, how are all these unpublished functions got?I mean in IFS Document, there is no info about those functions. How can U get them? I want to know about that for I think the way to get them must be very interesting!

Hi, EP_XOFF!

I tried hard but I still failed to call the function of PsLookupProcessByProcessId. But I have proven that I can easily get the name of parent process of certain process by traversing the ActiveProcessLinks.

I wrote the code below to enumurate all the active process and I succeed. If I add some restriction condition, I can of course get the name of parent process.

VOID TraverseProcessLinkList( IN PEPROCESS EProcess ){
 int nCount = 0;
 int     *iPtr;
 char    *cPtr;
 PEPROCESS   pProc;
 PLIST_ENTRY   pNext;
 PLIST_ENTRY   pFirst;

 pProc = EProcess;
 pNext = pFirst = (LIST_ENTRY *)((char *)EProcess + 0x0A0);

 do {
  nCount ++;
  pProc = (PEPROCESS)((char *)pNext - 0X0A0);
  DbgPrint("--- process %d --- \n", nCount);
  
  //Get PID of the process pointed by pProc
  iPtr = (int *)((char *)pProc + 0x09C);
  DbgPrint("process id: %d \n", *iPtr );

  //Get name of the process pointed by pProc
  cPtr = (char *)pProc + 0x1FC;
  DbgPrint("process image file: %s \n", cPtr );

  //Forward the pNext pointer
  pNext = pNext->Flink;
  DbgPrint("\n");
   
 } while(pNext != pFirst);

 DbgPrint("proces total count %d \n", nCount);
}

But I don't konw whether getting the parent process's name in this way may lead to some unsafe status or not. Do I need to acquire a lock when accessing the active process linked-list?

Waiting for your suggestion!Thanks!

In fact, I did try to call the function PsLookupProcessByProcessId. But every time I call this function, it never returns a successful status. I mean  my call to this function never succeeded in get the PEPROCESS.

But I did pass through the compiling. No error occured duiring compiling.

Hi, EP_XOFF! My code is below. The problem is that I can pass compiling, but every time I call PsLookupProcessByProcessId it

never returns a successful status.

//I declare PsLookupProcessByProcessId
NTSTATUS NTAPI PsLookupProcessByProcessId (IN PVOID ProcessId, OUT PEPROCESS *      Process );

//Code where PsLookupProcessByProcessId is called
//A simple dispatch funcion called when a IRP_MJ_CREATE is intercepted
//The code is just a test to demonstrate my idea.
NTSTATUS HDCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
 PVOID    pProc;
 PEPROCESS   EProcess;
 NTSTATUS   status;
 PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );
 PDEVICE_EXTENSION devExt;

 //Display the MajorFunction code
 DbgPrint( "HEAD(HDDispatch): IRP CODE : %s \n", IRP_CODE[irpSp->MajorFunction] );

 //Get the EPROCESS pointer of parent process
 pProc = (PVOID)((char *)PsGetCurrentProcess() + 0x1C8);
 status = PsLookupProcessByProcessId( pProc, &EProcess );
 if( NT_SUCCESS(status) )
  DbgPrint( "HEAD(HDCreate): Name of parent process is %s\n", (char *)EProcess + 0x1FC);//Never executed
 else
  DbgPrint( "HEAD(HDCreate): Fail to get PEPROCESS of parent process...\n" );//This code is always executed

 //Relay the IRP packet
 IoSkipCurrentIrpStackLocation( Irp );
 devExt=DeviceObject->DeviceExtension;
 return IoCallDriver( devExt->AttachedToDeviceObject, Irp );
}

I really do not konw why it can never work properly!