A forum for reverse engineering, OS internals and malware analysis

Given a PID, how can I check in kernel space whether it is a GUI or a console application?
Thanks,
George.
kd> dt nt!_peb 7ffdb000
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 SpareBool : 0 ''
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x4ad00000 Void
+0x00c Ldr : 0x00251e90 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00150000 Void
+0x01c FastPebLock : 0x7c97e4c0 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : 0x7c901005 Void
+0x024 FastPebUnlockRoutine : 0x7c9010ed Void
+0x028 EnvironmentUpdateCount : 1
+0x02c KernelCallbackTable : 0x77d32970 Void
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : 0
+0x038 FreeList : (null)
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7c97e480 Void
+0x044 TlsBitmapBits : [2] 0x3fff
+0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
+0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000 Void
+0x054 ReadOnlyStaticServerData : 0x7f6f0688 -> (null)
+0x058 AnsiCodePageData : 0x7ffb0000 Void
+0x05c OemCodePageData : 0x7ffc1000 Void
+0x060 UnicodeCaseTableData : 0x7ffd2000 Void
+0x064 NumberOfProcessors : 1
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 8
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x7c97de80 -> 0x00150000 Void
+0x094 GdiSharedHandleTable : 0x00520000 Void
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x7c97c0d8 Void
+0x0a4 OSMajorVersion : 5
+0x0a8 OSMinorVersion : 1
+0x0ac OSBuildNumber : 0xa28
+0x0ae OSCSDVersion : 0x200
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 3
+0x0b8 ImageSubsystemMajorVersion : 4
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ImageProcessAffinityMask : 0
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7c97e478 Void
+0x154 TlsExpansionBitmapBits : [32] 0
+0x1d4 SessionId : 0
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING "Dodatek Service Pack 2"
+0x1f8 ActivationContextData : (null)
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : 0x00140000 Void
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
kd> dt nt!_EPROCESS 89af1020
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
[...]
+0x130 Win32Process : 0xe1a69008 Void
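The field that answers the original question is the one the PEB dump above shows as ImageSubsystem : 3. The loader copies IMAGE_OPTIONAL_HEADER.Subsystem from the image's PE header into that PEB field (2 = IMAGE_SUBSYSTEM_WINDOWS_GUI, 3 = IMAGE_SUBSYSTEM_WINDOWS_CUI, 1 = IMAGE_SUBSYSTEM_NATIVE), together with MajorSubsystemVersion/MinorSubsystemVersion into ImageSubsystemMajorVersion/ImageSubsystemMinorVersion. The example below is added here and is not code from the thread: it parses those fields out of a PE header with bounds checks and classifies the result; the helper names (pe_subsystem, classify_subsystem, build_sample_pe, subsystem_of_sample) and the constructed header bytes are mine. Two caveats a driver author should keep in mind: the PEB lives in the target's user-mode address space, so you must attach to the process to read it, and the process can rewrite its own PEB (or its mapped header page), so neither value is tamper-proof; and the 0xb4 offset in the dump is the x86 XP layout, so use the build's symbols rather than hard-coding it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_SUBSYSTEM_* values from the PE specification; the loader copies
 * IMAGE_OPTIONAL_HEADER.Subsystem into PEB->ImageSubsystem. */
enum {
    SUBSYS_UNKNOWN     = 0,
    SUBSYS_NATIVE      = 1,   /* e.g. smss.exe: no Win32 subsystem at all */
    SUBSYS_WINDOWS_GUI = 2,
    SUBSYS_WINDOWS_CUI = 3
};

typedef struct {
    uint16_t subsystem;   /* mirrors PEB->ImageSubsystem */
    uint16_t major;       /* mirrors PEB->ImageSubsystemMajorVersion */
    uint16_t minor;       /* mirrors PEB->ImageSubsystemMinorVersion */
} subsys_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER and read the
 * subsystem fields. Every access is bounds-checked against len so a truncated or
 * hostile header cannot push the read past the buffer. Returns 0 on success,
 * -1 if the buffer is not a PE image we can classify. */
int pe_subsystem(const uint8_t *img, size_t len, subsys_info *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D)              /* "MZ" */
        return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need signature(4) + IMAGE_FILE_HEADER(20) + optional header through Subsystem(70) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 70)
        return -1;
    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != 0x00004550)                          /* "PE\0\0" */
        return -1;
    if (rd16(nt + 4 + 16) < 70)                          /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
        return -1;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B)                /* PE32 / PE32+ */
        return -1;
    /* MajorSubsystemVersion (48), MinorSubsystemVersion (50) and Subsystem (68)
     * sit at the same offsets in PE32 and PE32+: the 8-byte ImageBase absorbs BaseOfData. */
    out->major     = rd16(opt + 48);
    out->minor     = rd16(opt + 50);
    out->subsystem = rd16(opt + 68);
    return 0;
}

const char *classify_subsystem(uint16_t subsystem)
{
    switch (subsystem) {
    case SUBSYS_WINDOWS_GUI: return "GUI";
    case SUBSYS_WINDOWS_CUI: return "console";
    case SUBSYS_NATIVE:      return "native";
    default:                 return "other";
    }
}

/* Constructed sample (not a real binary): the minimal header layout the parser
 * needs, so the example runs offline. Returns the number of bytes written. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t magic, uint16_t subsystem)
{
    const uint32_t e_lfanew = 0x80;
    const uint16_t opt_size = (magic == 0x20B) ? 0xF0 : 0xE0;
    size_t need = e_lfanew + 4 + 20 + opt_size;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)e_lfanew;                       /* little-endian e_lfanew */
    uint8_t *nt = buf + e_lfanew;
    nt[0] = 'P'; nt[1] = 'E';
    nt[4 + 16] = (uint8_t)opt_size;                      /* SizeOfOptionalHeader */
    uint8_t *opt = nt + 4 + 20;
    opt[0] = (uint8_t)magic; opt[1] = (uint8_t)(magic >> 8);
    opt[48] = 4;                                         /* MajorSubsystemVersion = 4, as in the dump */
    opt[68] = (uint8_t)subsystem; opt[69] = (uint8_t)(subsystem >> 8);
    return need;
}

/* Build a sample, optionally truncate it to trunc_len, and return the parsed
 * subsystem value, or -1 if the parser rejected the buffer. */
int subsystem_of_sample(uint16_t magic, uint16_t subsystem, size_t trunc_len)
{
    uint8_t img[512];
    subsys_info si;
    size_t n = build_sample_pe(img, sizeof img, magic, subsystem);
    if (trunc_len && trunc_len < n) n = trunc_len;
    return pe_subsystem(img, n, &si) == 0 ? (int)si.subsystem : -1;
}

int main(void)
{
    const uint16_t samples[] = { SUBSYS_WINDOWS_GUI, SUBSYS_WINDOWS_CUI, SUBSYS_NATIVE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int s = subsystem_of_sample(0x10B, samples[i], 0);
        printf("subsystem %d: %s\n", s, classify_subsystem((uint16_t)s));
    }
    printf("truncated header -> %d\n", subsystem_of_sample(0x10B, SUBSYS_WINDOWS_CUI, 0x90));
    return 0;
}
```

The same classification applies whether the 2/3 comes from a driver reading PEB->ImageSubsystem after attaching to the process, or from parsing the mapped image's headers as above; the truncated-header case shows why the bounds checks matter when the input is a memory region controlled by the process you are inspecting.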
kmd wrote (quoting EP_X0FF):
EP_X0FF wrote: This is a pointer to W32PROCESS, an opaque, undocumented structure related to the Windows graphics subsystem known as Hydra. If a process uses anything from Hydra, it will have this value in EPROCESS filled in. A completely native app, for example smss.exe, will not. So Win32Process can't be used to determine whether a process is GUI or console.
Which components are needed? I mean, if I have an empty project, what do I have to do to fill Win32Process with a value?

EP_X0FF wrote: Just load user32.dll.

EP_X0FF wrote (quoting George118):
George118 wrote: But I was more in the direction of getting it from win32k.sys.
There is no such solution, and you are going to face all kinds of undocumented-usage problems. Those routines are not exported, not documented and subject to change between Windows versions. Additionally, take into account that you will have to find them by their indexes, which change between NT versions, and call them from your driver. Do you still need this?

George118 wrote: Because in future I will need some more information about the GUI, like minimized state or size. Is there any other way to get GUI information from kernel space, or should it only be done from user space?

EP_X0FF wrote: For your additional tasks (like minimized state or window size) it will be required to create a user-mode part that will gather all the info you want.