A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #1885  by xqrzd
 Wed Aug 11, 2010 5:05 am
I am wondering what is the best way to convert a process object pointer over to a file object pointer. I am currently using this method:

1. pass PEPROCESS to ObOpenObjectByPointer to get handle to process
2. call ZwQueryInformationProcess to get ProcessImageFileName
3. call ZwCreateFile with ProcessImageFileName to get file handle
4. finally pass file handle to ObReferenceObjectByHandle to get PFILE_OBJECT

It is very ugly; I am wondering if there is a better way. Thanks!
 #1886  by EP_X0FF
 Wed Aug 11, 2010 5:16 am
PEPROCESS Process;
PSECTION_OBJECT sec1;
PFILE_OBJECT fobj = NULL;

/* SectionObjectOffset = offset of EPROCESS.SectionObject for the running build (take it from symbols) */
sec1 = *(PSECTION_OBJECT *)((PBYTE)Process + SectionObjectOffset);
/* ....validate pointers... : any link in the chain can be NULL, so guard each dereference */
if (sec1 && sec1->Segment && ((PSEGMENT)sec1->Segment)->ControlArea)
    fobj = ((PSEGMENT)sec1->Segment)->ControlArea->FilePointer;
 #1887  by xqrzd
 Wed Aug 11, 2010 6:01 am
thanks for the fast reply :mrgreen:
Is there a documented way? I'm very new to driver development and hunting down these structures takes me a long time (I don't know how to get them myself).
 #1889  by EP_X0FF
 Wed Aug 11, 2010 6:15 am
AFAIK this is not a documented way.
However it works everywhere, you just need the proper offsets and structure definitions.

You can dump all required structures from PDB symbols with for example WinDBG or PDBDUMP.
 #1891  by EP_X0FF
 Wed Aug 11, 2010 6:39 am
Yes :) WinDBG also.
 #1893  by xqrzd
 Wed Aug 11, 2010 6:52 am
I downloaded and installed it, but I cannot find ntoskrnl. Other components are there like hal and fltmgr, but no ntoskrnl.
 #1894  by EP_X0FF
 Wed Aug 11, 2010 7:06 am
Look for ntkrnlpa.pdb, ntkrpamp.exe, etc.
 #1895  by xqrzd
 Wed Aug 11, 2010 7:22 am
I found it :D How do I go about dumping the structures? I have WinDbg, but I haven't used it much.
 #1896  by EP_X0FF
 Wed Aug 11, 2010 7:47 am
Run in the WinDbg console:

.sympath c:\windows\symbols
.symfix c:\windows\symbols
.reload

// wait a few seconds until the symbols are updated (depends on your internet connection speed)

Then use:

dt nt!_SECTION_OBJECT
dt nt!_SEGMENT_OBJECT
dt nt!_CONTROL_AREA
dt nt!_EPROCESS

Example output:
lkd> dt nt!_SECTION_OBJECT
+0x000 StartingVa : Ptr32 Void
+0x004 EndingVa : Ptr32 Void
+0x008 Parent : Ptr32 Void
+0x00c LeftChild : Ptr32 Void
+0x010 RightChild : Ptr32 Void
+0x014 Segment : Ptr32 _SEGMENT_OBJECT
lkd> dt nt!_SEGMENT_OBJECT
+0x000 BaseAddress : Ptr32 Void
+0x004 TotalNumberOfPtes : Uint4B
+0x008 SizeOfSegment : _LARGE_INTEGER
+0x010 NonExtendedPtes : Uint4B
+0x014 ImageCommitment : Uint4B
+0x018 ControlArea : Ptr32 _CONTROL_AREA
+0x01c Subsection : Ptr32 _SUBSECTION
+0x020 LargeControlArea : Ptr32 _LARGE_CONTROL_AREA
+0x024 MmSectionFlags : Ptr32 _MMSECTION_FLAGS
+0x028 MmSubSectionFlags : Ptr32 _MMSUBSECTION_FLAGS
lkd> dt nt!_CONTROL_AREA
+0x000 Segment : Ptr32 _SEGMENT
+0x004 DereferenceList : _LIST_ENTRY
+0x00c NumberOfSectionReferences : Uint4B
+0x010 NumberOfPfnReferences : Uint4B
+0x014 NumberOfMappedViews : Uint4B
+0x018 NumberOfSubsections : Uint2B
+0x01a FlushInProgressCount : Uint2B
+0x01c NumberOfUserReferences : Uint4B
+0x020 u : __unnamed
+0x024 FilePointer : Ptr32 _FILE_OBJECT
+0x028 WaitingForDeletion : Ptr32 _EVENT_COUNTER
+0x02c ModifiedWriteCount : Uint2B
+0x02e NumberOfSystemCacheViews : Uint2B
lkd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [16] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
That's all, you have all your offsets.
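Putting the snippet from #1886 and the offsets from the dt output in #1896 together, here is an added example (my code, not from the thread) that walks EPROCESS -> SectionObject -> Segment -> ControlArea -> FilePointer over a constructed memory region in user-mode C, with the pointer validation the snippet leaves out. Assumed: the offsets are only valid for the 32-bit build shown above (every pointer is Ptr32); on another build or on x64 they must be regenerated from symbols and the pointer width changes.

```c
#include <stdint.h>
#include <string.h>

/* Field offsets copied from the dt output above (32-bit build, Ptr32 everywhere).
   They differ between builds: regenerate from symbols, never hard-code in a shipped driver. */
#define EPROCESS_SectionObject   0x138
#define SECTION_Segment          0x014
#define SEGMENT_ControlArea      0x018
#define CONTROL_AREA_FilePointer 0x024

/* Read the 32-bit pointer at base+off from a captured region, refusing NULL or
   out-of-range sources. Stands in for the kernel-side "validate pointers" step. */
static int read_ptr32(const uint8_t *mem, size_t mem_len, uint32_t base,
                      uint32_t off, uint32_t *out)
{
    uint64_t addr = (uint64_t)base + off;
    if (base == 0 || addr + 4 > mem_len) return 0;
    memcpy(out, mem + addr, sizeof *out);
    return *out != 0;
}

/* EPROCESS -> SectionObject -> Segment -> ControlArea -> FilePointer.
   Returns the FILE_OBJECT address, or 0 if any link is NULL or unreadable. */
uint32_t file_object_from_process(const uint8_t *mem, size_t mem_len,
                                  uint32_t eprocess)
{
    uint32_t section, segment, carea, fobj;
    if (!read_ptr32(mem, mem_len, eprocess, EPROCESS_SectionObject, &section) ||
        !read_ptr32(mem, mem_len, section, SECTION_Segment, &segment) ||
        !read_ptr32(mem, mem_len, segment, SEGMENT_ControlArea, &carea) ||
        !read_ptr32(mem, mem_len, carea, CONTROL_AREA_FilePointer, &fobj))
        return 0;
    return fobj;
}

/* Constructed sample region (not a real dump): the four objects laid out at fixed
   offsets. break_chain != 0 leaves Segment.ControlArea NULL to exercise the failure path. */
#define MEM_LEN 0x400
uint8_t g_mem[MEM_LEN];
uint32_t build_sample(int break_chain)
{
    uint32_t ep = 0x010, sec = 0x280, seg = 0x2c0, ca = 0x300, fo = 0x380;
    memset(g_mem, 0, MEM_LEN);
    memcpy(g_mem + ep + EPROCESS_SectionObject, &sec, 4);
    memcpy(g_mem + sec + SECTION_Segment, &seg, 4);
    if (!break_chain) memcpy(g_mem + seg + SEGMENT_ControlArea, &ca, 4);
    memcpy(g_mem + ca + CONTROL_AREA_FilePointer, &fo, 4);
    return ep;
}
```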