find PID from handle in ZwTerminateProcess

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

find PID from handle in ZwTerminateProcess

Post by R00tKit » Thu Mar 10, 2011 8:37 am

Hi,
Sorry for so many questions. After hours of searching Google I can't find how to get the PID from the handle in ZwTerminateProcess.

I hook ZwTerminateProcess; in the fake function I use the following code to find which process is being terminated, and take the appropriate action according to its PID:

Code:

NTSTATUS fakeZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    PEPROCESS eProcess = NULL;
    ULONG id;

    DbgPrint("zwterminateprocess");

    // as posted: passes eProcess itself (not &eProcess) as the OUT pointer
    // and ignores the returned status
    ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, KernelMode, (PVOID*)eProcess, 0);
    id = (ULONG)(ULONG_PTR)PsGetProcessId(eProcess);
    ObDereferenceObject(eProcess);
    DbgPrint("process PID is %d", id);
    .......
    return STATUS_ACCESS_DENIED;
}

The result is a BSOD with 0xC0000005: STATUS_ACCESS_VIOLATION, which indicates that a memory access violation occurred.
Can I use ObReferenceObjectByHandle with a kernel object?
@R00tkitSMM

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: find PID from handle in ZwTerminateProcess

Post by Alex » Thu Mar 10, 2011 10:49 am

Code:

NTSTATUS fakeZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    NTSTATUS NtStatus;
    PEPROCESS Process = NULL;
    ULONG id;

    DbgPrint("zwterminateprocess");

    __asm int 3; // break point (x86 only)

    // note: still passes Process rather than &Process as the OUT pointer
    NtStatus = ObReferenceObjectByHandle(
        ProcessHandle,
        0,
        *PsProcessType,
        KernelMode,
        (PVOID*)Process,
        0);

    if(NT_SUCCESS(NtStatus))
    {
        id = (ULONG)(ULONG_PTR)PsGetProcessId(Process);
        ObDereferenceObject(Process);
        DbgPrint("process PID is %d", id);
    }
    return STATUS_ACCESS_DENIED;
}
Your code should look like this one. If you set up a remote debugging environment (Driver Debugging with WinDbg and VMware) it should help you to understand where the mistake that causes the BSoDs is.
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: find PID from handle in ZwTerminateProcess

Post by R00tKit » Thu Mar 10, 2011 6:54 pm

Thanks, Mr Alex.

I debugged it with WinDbg:
Access violation - code c0000005 (!!! second chance !!!)
nt!ObReferenceObjectByHandle+0x1a:
805af5aa 891f mov dword ptr [edi],ebx
http://www.nynaeve.net/?p=210 shows many problems with ObReferenceObjectByHandle.

An access violation in ObReferenceObjectByHandle is mostly a programmer error (according to Google results).

What should I do? Please help.

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: find PID from handle in ZwTerminateProcess

Post by Alex » Thu Mar 10, 2011 7:13 pm

Code:

NTSTATUS
  ObReferenceObjectByHandle(
    IN HANDLE  Handle,
    IN ACCESS_MASK  DesiredAccess,
    IN POBJECT_TYPE  ObjectType  OPTIONAL,
    IN KPROCESSOR_MODE  AccessMode,
    OUT PVOID  *Object,
    OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL
    );

Code:

NtStatus = ObReferenceObjectByHandle(
        ProcessHandle,
        0,
        *PsProcessType,
        KernelMode,
        (PVOID*)&Process,   // address of the pointer, so the object pointer is written into Process
        NULL);
It was my fault :oops:
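The corrected call above is the whole fix, but it is easier to see why `&Process` matters (and what a complete hook body looks like once the status is checked and the reference is released) in code that can be compiled and run. The block below is an added example, not code from the thread: it compiles the hook against a minimal user-mode mock of the NT routines it touches (mock types, a constructed four-entry process table, a mock `PsProcessType`, `PROTECTED_PID` and `OriginalZwTerminateProcess` are all assumptions made here; in a driver those come from ntddk.h and from whatever the hook installer saved). It also uses DesiredAccess 0 and KernelMode for the reasons EP_X0FF gives later in the thread.

```c
/* Added example (not from the original thread): the corrected hook body
 * compiled against a user-mode mock of the NT routines it uses, so the
 * control flow can be exercised without a WDK or a debugging VM.  Everything
 * marked "mock" or "assumption" is invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* mock NT types; status values are the real ones, NTSTATUS is 32-bit as on Windows */
typedef int32_t NTSTATUS;
typedef void *HANDLE, *PVOID, *POBJECT_TYPE, *POBJECT_HANDLE_INFORMATION;
typedef uint32_t ACCESS_MASK, ULONG;
typedef char KPROCESSOR_MODE;
#define KernelMode 0
#define NtCurrentProcess() ((HANDLE)(intptr_t)-1)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)
#define NT_SUCCESS(s)               ((NTSTATUS)(s) >= 0)

/* mock EPROCESS with only the fields this example needs */
typedef struct _EPROCESS { HANDLE UniqueProcessId; long RefCount; } EPROCESS, *PEPROCESS;

/* mock object type and handle table (constructed data): handle N maps to g_procs[N] */
static int g_processTypeObject;
static POBJECT_TYPE g_processType = &g_processTypeObject;
POBJECT_TYPE *PsProcessType = &g_processType;
static EPROCESS g_procs[4] = {
    { (HANDLE)4, 1 }, { (HANDLE)1234, 1 }, { (HANDLE)5678, 1 }, { (HANDLE)9000, 1 }
};
static PEPROCESS g_currentProcess = &g_procs[1];   /* what NtCurrentProcess() resolves to */

/* mock: resolve the handle, take a reference, and store the object pointer
 * THROUGH the OUT parameter.  Passing a NULL PEPROCESS instead of its address
 * makes this store hit address 0, which is the crash the thread diagnosed. */
static NTSTATUS ObReferenceObjectByHandle(HANDLE Handle, ACCESS_MASK DesiredAccess,
        POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID *Object,
        POBJECT_HANDLE_INFORMATION HandleInformation)
{
    PEPROCESS p;
    (void)DesiredAccess; (void)AccessMode; (void)HandleInformation;
    if (ObjectType != NULL && ObjectType != *PsProcessType)
        return STATUS_OBJECT_TYPE_MISMATCH;
    if (Handle == NtCurrentProcess())            /* pseudo-handle, accepted by the real call too */
        p = g_currentProcess;
    else if ((uintptr_t)Handle >= 1 && (uintptr_t)Handle <= 3)
        p = &g_procs[(uintptr_t)Handle];
    else
        return STATUS_INVALID_HANDLE;
    p->RefCount++;
    *Object = p;
    return STATUS_SUCCESS;
}
static void   ObDereferenceObject(PVOID Object) { ((PEPROCESS)Object)->RefCount--; }
static HANDLE PsGetProcessId(PEPROCESS Process)  { return Process->UniqueProcessId; }

/* assumptions: the PID the driver protects, and the saved original routine */
static const ULONG PROTECTED_PID = 5678;
static NTSTATUS OriginalZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{ (void)ProcessHandle; (void)ExitStatus; return STATUS_SUCCESS; }

/* the hook, written as it would appear in the driver */
NTSTATUS fakeZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
    NTSTATUS status;
    PEPROCESS Process = NULL;
    ULONG pid;

    /* DesiredAccess 0: only the object pointer is needed, no right on it.
     * KernelMode: the Zw stub is entered by kernel-mode callers; a handle
     * received from user space would be checked with UserMode instead. */
    status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, KernelMode,
                                       (PVOID *)&Process,   /* address of the pointer */
                                       NULL);
    if (!NT_SUCCESS(status))
        return status;                 /* bad or wrong-type handle: report it, don't guess */

    pid = (ULONG)(uintptr_t)PsGetProcessId(Process);
    ObDereferenceObject(Process);      /* balance the reference before deciding */

    if (pid == PROTECTED_PID)
        return STATUS_ACCESS_DENIED;   /* block only the process we care about */
    return OriginalZwTerminateProcess(ProcessHandle, ExitStatus);
}

/* lets a caller verify that no reference was leaked on any path */
long RefCountOfSlot(int slot) { return g_procs[slot].RefCount; }

int main(void)
{
    printf("handle 2 (pid 5678): 0x%08x\n", (unsigned)fakeZwTerminateProcess((HANDLE)2, 0));
    printf("handle 1 (pid 1234): 0x%08x\n", (unsigned)fakeZwTerminateProcess((HANDLE)1, 0));
    printf("handle 42 (bogus):   0x%08x\n", (unsigned)fakeZwTerminateProcess((HANDLE)42, 0));
    printf("refcount slot 2: %ld\n", RefCountOfSlot(2));
    return 0;
}
```

Two design points worth noting: the hook returns the status from ObReferenceObjectByHandle rather than STATUS_ACCESS_DENIED when the handle cannot be resolved, so a bad handle fails the way the real NtTerminateProcess would fail it, and the reference is dropped before the decision is made, so neither the deny path nor the pass-through path can leak an EPROCESS reference.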

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: find PID from handle in ZwTerminateProcess

Post by R00tKit » Thu Mar 10, 2011 8:38 pm

Many thanks.

segark
Posts: 6
Joined: Mon Jan 04, 2016 4:47 pm

Re: find PID from handle in ZwTerminateProcess

Post by segark » Thu Mar 31, 2016 4:00 am

Hi,
First of all, this was helpful.

Secondly, I have a question to add to this...
I am hooking ZwCreateThreadEx and am looking to find out whether the call is coming from CreateThread or CreateRemoteThread.
I was using ObReferenceObjectByHandle to retrieve the process from the handle with no success until I came across this post.

1. Could someone explain the parameters in
NtStatus = ObReferenceObjectByHandle(
ProcessHandle,
0,
*PsProcessType,
KernelMode,
(PVOID*)&Process,
NULL);
Why is the ACCESS_MASK 0?
Also, why KernelMode as the AccessMode? The MSDN documentation of the function states: "Drivers should always specify UserMode for handles they receive from user address space".

2. When a handle is passed from a UM application, say through NtCreateSection, one of the parameters is the Handle parameter. Clearly in UM the handle is local to the process and is something like
0x00000004. After some time looking at the handles I received upon hooking this function, I saw they are masked with 0x80000000. Does this mean the handles are converted to KM handles upon entering KM?

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: find PID from handle in ZwTerminateProcess

Post by EP_X0FF » Fri Apr 01, 2016 2:05 am

The OP hooked the ZwTerminateProcess stub in kernel mode, not NtTerminateProcess from the table. In this example the desired access is "any", and it is used by Alex to get the EPROCESS pointer from the handle.
Ring0 - the source of inspiration
