Forum Home > Windows Discussions > Internals

New Posts

FAQ

Get PEPROCESS by PID!

Post Reply

Page <12

Author

Share Topic

Topic Search

Topic Options

Post Reply

Create New Topic

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Topic: Get PEPROCESS by PID!
Posted: 12 August 2006 at 4:07am

I try to use the function PsLookupProcessByProcessId like below:

First, I declare the function in my own file like below and no error occurs during the compiling:

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN PVOID ProcessId,
OUT PEPROCESS *Process
);

Then, I call this funcion like this:

int * iPtr;

PEPROCESS process;

status = PsLookupProcessByProcessId( iPtr, &process );
if( NT_SUCCESS(status) ){
  ProcessName = (char *)process + 0x1FC;
  DbgPrint( "HEAD(HDDispatch): Name of parent process is %s\n", ProcessName );
}
else{
  DbgPrint( "HEAD(HDDispatch): Fail to the name of parent process...\n" );
}

But I always fail to get the PEPROCESS by my process PID.Why? Did I use the function of PsLookupProcesssByProcessId in a wrong way?

EP_X0FF

Senior Member

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 4753

Post Options

Post Reply

Quote EP_X0FF

Report Post

Quote

Posted: 11 August 2006 at 11:53pm

pseudo code, ignore "nbsp" <- inserted by forum editor

NTSTATUS NTAPI PsLookupProcessByProcessId (IN HANDLE ProcessId, 

OUT PEPROCESS *      Process

     )      

 {

     PHANDLE_TABLE_ENTRY CidEntry;

     PEPROCESS FoundProcess;

     NTSTATUS Status = STATUS_INVALID_PARAMETER;

     KeEnterCriticalRegion();

 

     /* Get the CID Handle Entry */

     CidEntry = ExMapHandleToPointer(PspCidTable, ProcessId);

     if (CidEntry)

     {

         /* Get the Process */

         FoundProcess = CidEntry->Object;

 

         /* Make sure it's really a process */

         if (FoundProcess->Pcb.Header.Type == ProcessObject)

         {

               /* Safe Reference and return it */

               if (ObReferenceObjectSafe(FoundProcess))

               {

                   *Process  = FoundProcess;

                   Status  = STATUS_SUCCESS;

               }

         }

 

         /* Unlock the Entry */

         ExUnlockHandleTableEntry(PspCidTable, CidEntry);

   }

 

/* Return to caller */

KeLeaveCriticalRegion();

return Status;

}

Ring0 - the source of inspiration

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Posted: 11 August 2006 at 11:46pm

Can I get the source of PsLookupProcessByProcessId?

EP_X0FF

Senior Member

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 4753

Post Options

Post Reply

Quote EP_X0FF

Report Post

Quote

Posted: 11 August 2006 at 11:42pm

By the way, how do U think about my idea about traversing the process linked-list to get the PEPROCESS of parent process?

PsLookupProcessByProcessId is more easy solution.

Ring0 - the source of inspiration

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Posted: 11 August 2006 at 10:54pm

Thank U, EP_XOFF!

By the way, how do U think about my idea about traversing the process linked-list to get the PEPROCESS of parent process?

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Posted: 11 August 2006 at 10:48pm

Or can I traverse all process to get the PEPROCESS via "LIST_ENTRY ActiveProcessLinks"? In fact, this way is OK, but one problem for me is that I know nothing about the struct LIST_ENTRY. So I can not traverse the process linked-lisk.

By the way, is the head of the process linked-list stored in a gloval variable named PsActiveProcessHead?

EP_X0FF

Senior Member

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 4753

Post Options

Post Reply

Quote EP_X0FF

Report Post

Quote

Posted: 11 August 2006 at 10:44pm

Use our header ntoskrnl.h, located on rkunhooker.narod.ru

IMPORT_FN

NTSTATUS

__stdcall

PsLookupProcessByProcessId (

    IN PVOID        ProcessId,

    OUT PEPROCESS   *Process

);

Ring0 - the source of inspiration

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Posted: 11 August 2006 at 10:41pm

But I can not find info about this function call. I tried it yesterday, but failed! If I want to use this function, what header file shoud I include?

MP_ART

Members Profile

Send Private Message

Find Members Posts

Visit Members Homepage

Add to Buddy List

Senior Member

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 947

Post Options

Post Reply

Quote MP_ART

Report Post

Quote

Posted: 11 August 2006 at 10:12pm

Use PsLookupProcessByProcessId function

Headium2006 View Drop Down

Groupie

Joined: 25 July 2006
Location: China
Online Status: Offline
Posts: 79

Post Options

Post Reply

Quote Headium2006

Report Post

Quote

Posted: 11 August 2006 at 10:10pm

Hi!

I want to get the PEPROCESS by a given PID. This is to say, I have get the PID of certain process, how can I get its PEPROCESS? What should I do?

Post Reply

Page <12

Forum Jump

Forum Permissions View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum