show pids from PEPROCESS and PLIST_ENTRY

WhoPMi
Posts: 18
Joined: Thu Aug 09, 2018 2:14 pm

Fri Aug 10, 2018 4:25 am

Hello guys, today I'm here to ask you a simple question about listing all process IDs in wdd. The problem is that I can't obtain the currentPID of the currentProcess; it shows just some rand values and then zeroes. I'm literally stuck on these lines of code and idk how to get out of it, so please, if you could explain to me what I am doing wrong.

Thank you

PEPROCESS currentProcess = PsGetCurrentProcess();
PLIST_ENTRY currentLink = (unsigned char *)currentProcess + ACTIVE_PROCESS_LINK_OFFS64;
HANDLE *currentPID;

do {
    currentLink = currentLink->Flink;

    currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
    currentPID = ((HANDLE*)currentLink - 0x8);
    i++;
    KdPrint(("Current PID: %d", currentPID));

} while (currentProcess != PsGetCurrentProcess());
EP_X0FF
Global Moderator
Posts: 4886
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Fri Aug 10, 2018 1:15 pm

WhoPMi wrote:
Fri Aug 10, 2018 4:25 am
currentProcess = (PEPROCESS)((unsigned char *)currentLink - ACTIVE_PROCESS_LINK_OFFS64); //2f0
currentPID = ((HANDLE*)currentLink - 0x8);
i++;
KdPrint(("Current PID: %d", currentPID));

Are you sure you understand what you are doing?

currentLink is a LIST_ENTRY, not an EPROCESS object.
Your EPROCESS object is currentProcess.

Your Id is currentPID = PsGetProcessId(currentProcess);

And PID is not HANDLE*, it is a simple HANDLE.
Ring0 - the source of inspiration
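
The points in the reply above, shown as a user-mode model that compiles outside a driver. This is an added example, not code from either poster. MOCK_EPROCESS, its padding, the sample PIDs and the helper names are constructed assumptions, and in a real driver the PID comes from PsGetProcessId(currentProcess) as the reply says.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef void *HANDLE;
typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct MOCK_EPROCESS {      /* constructed model, not the real EPROCESS */
    unsigned char Pad[0x2e8];       /* assumed: PID field sits just before the links */
    HANDLE        UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} MOCK_EPROCESS;
#define LINK_OFFS offsetof(MOCK_EPROCESS, ActiveProcessLinks)

static MOCK_EPROCESS procs[3];
void build_ring(void) {             /* circular list of three mock records */
    static const uintptr_t pids[3] = {4, 612, 1840};   /* constructed sample PIDs */
    for (int i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = (HANDLE)pids[i];
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % 3].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + 2) % 3].ActiveProcessLinks;
    }
}

/* Byte-wise step from the embedded link back to the start of its record. */
MOCK_EPROCESS *record_from_link(LIST_ENTRY *link) {
    return (MOCK_EPROCESS *)((unsigned char *)link - LINK_OFFS);
}
/* Bytes actually skipped by "(HANDLE*)link - 0x8": scaled by sizeof(HANDLE). */
ptrdiff_t buggy_distance(LIST_ENTRY *link) {
    return (unsigned char *)link - (unsigned char *)((HANDLE *)link - 0x8);
}

/* Walk the ring once from `start`, storing each PID value; returns the count. */
size_t list_pids(MOCK_EPROCESS *start, uintptr_t *out, size_t cap) {
    LIST_ENTRY *head = &start->ActiveProcessLinks, *link = head;
    size_t n = 0;
    do {
        /* Read the HANDLE value from the record, not a pointer near the link. */
        if (n < cap) out[n] = (uintptr_t)record_from_link(link)->UniqueProcessId;
        n++;
        link = link->Flink;
    } while (link != head);
    return n;
}

int main(void) {
    uintptr_t out[8];
    build_ring();
    size_t n = list_pids(&procs[0], out, 8);
    for (size_t i = 0; i < n && i < 8; i++) printf("PID: %lu\n", (unsigned long)out[i]);
    printf("buggy step: %ld bytes\n", (long)buggy_distance(&procs[0].ActiveProcessLinks));
    return 0;
}
```

On a 64-bit build the quoted expression lands 64 bytes before the link rather than 8, and the original loop then printed that address instead of the value stored there.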
WhoPMi
Posts: 18
Joined: Thu Aug 09, 2018 2:14 pm

Sat Aug 11, 2018 9:17 pm

I've already resolved it, ty.