show pids from PEPROCESS and PLIST_ENTRY


Post by WhoPMi » Fri Aug 10, 2018 4:25 am

Hello guys, today I'm here to ask you a simple question about listing all process IDs in wdd. The problem is that I can't obtain the currentPID of the currentProcess; it shows just some random values and then zeroes. I'm literally stuck on these lines of code and I don't know how to get out of it, so please, if you could explain to me what I am doing wrong.

Thank you

PEPROCESS currentProcess = PsGetCurrentProcess();
PLIST_ENTRY currentLink = (unsigned char *)currentProcess + ACTIVE_PROCESS_LINK_OFFS64;
HANDLE *currentPID;

do {
    currentLink = currentLink->Flink;

    currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
    currentPID = ((HANDLE*)currentLink - 0x8);
    i++;
    KdPrint(("Current PID: %d", currentPID));

} while (currentProcess != PsGetCurrentProcess());


Re: show pids from PEPROCESS and PLIST_ENTRY

Post by EP_X0FF » Fri Aug 10, 2018 1:15 pm

WhoPMi wrote (Fri Aug 10, 2018 4:25 am):

    currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
    currentPID = ((HANDLE*)currentLink - 0x8);
    i++;
    KdPrint(("Current PID: %d", currentPID));

Are you sure you understand what you are doing?

currentLink is a LIST_ENTRY, not an EPROCESS object.
Your EPROCESS object is currentProcess.

Your Id is currentPID = PsGetProcessId(currentProcess);

And PID is not HANDLE*, it is a simple HANDLE.
Ring0 - the source of inspiration
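
A user-space model of the correction in the reply above, added here as an illustration and not code from either poster. MOCK_EPROCESS, LINK_OFFS and the sample PIDs are constructed for the example; the real EPROCESS layout is version-specific, and in a driver the PID comes from PsGetProcessId as the reply states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef void *HANDLE;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Constructed stand-in for EPROCESS (the real layout is version-specific).
   The PID sits just before the links, as the question's "- 0x8" assumes. */
typedef struct _MOCK_EPROCESS {
    unsigned char Pad[0x40];
    HANDLE        UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} MOCK_EPROCESS;
#define LINK_OFFS offsetof(MOCK_EPROCESS, ActiveProcessLinks)

/* Join the mock processes into a circular list and give them sample PIDs. */
static void link_ring(MOCK_EPROCESS *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        p[i].UniqueProcessId = (HANDLE)(uintptr_t)(4 * (i + 1));
        p[i].ActiveProcessLinks.Flink = &p[(i + 1) % n].ActiveProcessLinks;
    }
}

/* Corrected walk: byte arithmetic from the link back to its owner (what
   CONTAINING_RECORD does), then read the PID from the object itself. */
static size_t walk_pids(MOCK_EPROCESS *start, uintptr_t *out, size_t max) {
    LIST_ENTRY *head = &start->ActiveProcessLinks, *link = head;
    size_t n = 0;
    do {
        MOCK_EPROCESS *proc = (MOCK_EPROCESS *)((unsigned char *)link - LINK_OFFS);
        if (n < max) out[n++] = (uintptr_t)proc->UniqueProcessId;
        link = link->Flink;
    } while (link != head);
    return n;
}

/* Bytes the question's expression moves: HANDLE* arithmetic scales by
   sizeof(HANDLE), so "- 0x8" steps back 8 elements, not 8 bytes. */
static size_t question_step_bytes(LIST_ENTRY *link) {
    return (size_t)((unsigned char *)link - (unsigned char *)((HANDLE *)link - 0x8));
}

int main(void) {
    MOCK_EPROCESS procs[3] = {0};
    uintptr_t pids[3];
    link_ring(procs, 3);
    size_t n = walk_pids(&procs[1], pids, 3);
    for (size_t i = 0; i < n; i++) printf("PID: %lu\n", (unsigned long)pids[i]);
    return 0;
}
```

The question's loop also stored that miscomputed address in currentPID and printed the pointer itself, which is why the output looked random.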


Re: show pids from PEPROCESS and PLIST_ENTRY

Post by WhoPMi » Sat Aug 11, 2018 9:17 pm

I've already resolved it, ty.
