A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #16277  by George118
 Thu Oct 25, 2012 4:32 pm
Given a PID, how can I check in kernel space whether it is a GUI or a console application?

Thanks,
George.
 #16283  by xdeadcode
 Thu Oct 25, 2012 9:14 pm
Hello George118,

Maybe take it straight from the PEB block.
Here you can find possible subsystem values: http://msdn.microsoft.com/en-us/library ... s.85).aspx

Here is the PEB block of cmd.exe in Windows XP (field ImageSubsystem):
kd> dt nt!_peb 7ffdb000  
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x4ad00000 Void
   +0x00c Ldr              : 0x00251e90 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00150000 Void
   +0x01c FastPebLock      : 0x7c97e4c0 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c901005 Void
   +0x024 FastPebUnlockRoutine : 0x7c9010ed Void
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : 0x77d32970 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList         : (null) 
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x7c97e480 Void
   +0x044 TlsBitmapBits    : [2] 0x3fff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000 Void
   +0x054 ReadOnlyStaticServerData : 0x7f6f0688  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffb0000 Void
   +0x05c OemCodePageData  : 0x7ffc1000 Void
   +0x060 UnicodeCaseTableData : 0x7ffd2000 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 8
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x7c97de80  -> 0x00150000 Void
   +0x094 GdiSharedHandleTable : 0x00520000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x7c97c0d8 Void
   +0x0a4 OSMajorVersion   : 5
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0xa28
   +0x0ae OSCSDVersion     : 0x200
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 3
   +0x0b8 ImageSubsystemMajorVersion : 4
   +0x0bc ImageSubsystemMinorVersion : 0
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x7c97e478 Void
   +0x154 TlsExpansionBitmapBits : [32] 0
   +0x1d4 SessionId        : 0
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "Dodatek Service Pack 2"
   +0x1f8 ActivationContextData : (null) 
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00140000 Void
   +0x204 SystemAssemblyStorageMap : (null) 
   +0x208 MinimumStackCommit : 0
Best regards,
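The value xdeadcode points at (+0x0b4 ImageSubsystem : 3 in the dump above) is not computed by the kernel at runtime; the loader copies it from the Subsystem field of the image's PE optional header, where 2 is IMAGE_SUBSYSTEM_WINDOWS_GUI and 3 is IMAGE_SUBSYSTEM_WINDOWS_CUI. The following is an added example, not code from the thread: a portable C99 parser that walks a PE header to that field exactly as the loader does, with the bounds checks a kernel component should apply before trusting an image, plus the value-to-name mapping. The PE image it runs on is constructed inline (a header-only, non-executable PE32 mirroring the dump's subsystem 3 and subsystem version 4.0) and is not a real binary. In a driver the same 16-bit field would be read from the target's PEB instead (PsGetProcessPeb is exported by ntoskrnl but undocumented, and the field's offset is version-specific, so it must be read while attached to the process and under exception protection); that part is not shown here.

```c
/*
 * Added example (not from the forum thread): locate the PE optional header's
 * Subsystem field, which is what the Windows loader copies into
 * PEB.ImageSubsystem. Portable C99, no windows.h; the sample image is
 * constructed below and is not a real executable.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Subsystem values from the PE/COFF specification (IMAGE_SUBSYSTEM_*). */
#define IMAGE_SUBSYSTEM_UNKNOWN      0
#define IMAGE_SUBSYSTEM_NATIVE       1
#define IMAGE_SUBSYSTEM_WINDOWS_GUI  2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI  3

#define PE_OPT_MAGIC_PE32      0x10b
#define PE_OPT_MAGIC_PE32PLUS  0x20b
#define PE_OPT_SUBSYSTEM_OFF   68   /* same offset in PE32 and PE32+ */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and stores Subsystem in *out, or -1 if the image is truncated/malformed. */
int pe_image_subsystem(const uint8_t *img, size_t len, uint16_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* Need PE signature (4) + COFF header (20) + optional header through Subsystem (70). */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + PE_OPT_SUBSYSTEM_OFF + 2) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t size_of_opt = rd16(nt + 4 + 16);           /* COFF.SizeOfOptionalHeader */
    if (size_of_opt < PE_OPT_SUBSYSTEM_OFF + 2) return -1;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE_OPT_MAGIC_PE32 && magic != PE_OPT_MAGIC_PE32PLUS) return -1;
    *out = rd16(opt + PE_OPT_SUBSYSTEM_OFF);
    return 0;
}

const char *subsystem_name(uint16_t s)
{
    switch (s) {
    case IMAGE_SUBSYSTEM_NATIVE:      return "Native (no subsystem, e.g. smss.exe)";
    case IMAGE_SUBSYSTEM_WINDOWS_GUI: return "Windows GUI";
    case IMAGE_SUBSYSTEM_WINDOWS_CUI: return "Windows CUI (console)";
    default:                          return "Other/unknown";
    }
}

/* Constructed sample: minimal PE32 header only (DOS stub, PE sig, COFF, optional header). */
size_t build_sample_image(uint8_t *buf, size_t cap, uint16_t subsystem)
{
    const size_t opt_size = 0xE0, total = 0x40 + 4 + 20 + opt_size;   /* 312 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                      /* e_lfanew = 0x40 */
    uint8_t *nt = buf + 0x40;
    memcpy(nt, "PE\0\0", 4);
    nt[4] = 0x4c; nt[5] = 0x01;            /* Machine = IMAGE_FILE_MACHINE_I386 */
    nt[4 + 16] = (uint8_t)opt_size;        /* SizeOfOptionalHeader = 0xE0 */
    uint8_t *opt = nt + 4 + 20;
    opt[0] = 0x0b; opt[1] = 0x01;          /* Magic = PE32 */
    opt[48] = 4;                           /* MajorSubsystemVersion = 4, as in the dump */
    opt[PE_OPT_SUBSYSTEM_OFF]     = (uint8_t)(subsystem & 0xff);
    opt[PE_OPT_SUBSYSTEM_OFF + 1] = (uint8_t)(subsystem >> 8);
    return total;
}

int main(void)
{
    uint8_t img[512];
    uint16_t s = 0;
    size_t n = build_sample_image(img, sizeof img, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    if (pe_image_subsystem(img, n, &s) == 0)
        printf("ImageSubsystem = %u -> %s\n", s, subsystem_name(s));
    return 0;
}
```

Note that this classifies the image, not the running process: a console-subsystem binary that later loads user32.dll becomes a GUI process from win32k's point of view (which is the Win32Process behaviour discussed further down the thread), while ImageSubsystem stays 3.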
 #16289  by SomeUnusedName
 Fri Oct 26, 2012 9:14 am
One way that doesn't work (and I thought it might work) is this:
kd> dt nt!_EPROCESS 89af1020
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
[...]
   +0x130 Win32Process     : 0xe1a69008 Void
The Win32Process field is only set for GUI applications. The thing is, this dump was taken from "ping.exe", so I expected it to be NULL, but apparently it isn't. Does anyone know when exactly a process contains a Win32Process pointer or not?
 #16290  by EP_X0FF
 Fri Oct 26, 2012 9:48 am
This is a pointer to W32PROCESS, an opaque, undocumented structure related to the Windows graphics subsystem known as Hydra. If a process uses anything from Hydra, it will have this value in EPROCESS filled. A completely native app, like for example smss.exe, will not. So Win32Process can't be used to determine if a process is GUI or console. The best available solution was posted by xdeadcode.
 #16295  by kmd
 Fri Oct 26, 2012 2:05 pm
EP_X0FF wrote:This is a pointer to W32PROCESS, an opaque, undocumented structure related to the Windows graphics subsystem known as Hydra. If a process uses anything from Hydra, it will have this value in EPROCESS filled. A completely native app, like for example smss.exe, will not. So Win32Process can't be used to determine if a process is GUI or console.
Which components are needed? I mean, if I have an empty project, what do I have to do to fill Win32Process with a value?
 #16299  by EP_X0FF
 Fri Oct 26, 2012 2:24 pm
kmd wrote:
EP_X0FF wrote:This is a pointer to W32PROCESS, an opaque, undocumented structure related to the Windows graphics subsystem known as Hydra. If a process uses anything from Hydra, it will have this value in EPROCESS filled. A completely native app, like for example smss.exe, will not. So Win32Process can't be used to determine if a process is GUI or console.
Which components are needed? I mean, if I have an empty project, what do I have to do to fill Win32Process with a value?
Just load user32.dll.
 #16324  by George118
 Sat Oct 27, 2012 5:35 pm
Thanks to xdeadcode.
It looks helpful.
But I was more inclined to get it from win32k.sys,
because in the future I will need some more information about the GUI,
like whether it is minimized or its size.

George.
 #16328  by EP_X0FF
 Sun Oct 28, 2012 6:35 am
George118 wrote:But I was more inclined to get it from win32k.sys,
because in the future I will need some more information about the GUI,
like whether it is minimized or its size.
There is no such solution, and you are going to face all kinds of undocumented-usage problems. Those routines are not exported, not documented, and subject to change between Windows versions. Additionally, take into account that you will have to find them by their indexes, which change between NT versions, and call them from your driver. Do you still need this?

For your additional tasks (like minimized state or window size) it will be required to create a user-mode part that gathers all the info you want.
 #16330  by George118
 Sun Oct 28, 2012 12:27 pm
EP_X0FF wrote:
George118 wrote:But I was more inclined to get it from win32k.sys,
because in the future I will need some more information about the GUI,
like whether it is minimized or its size.
There is no such solution, and you are going to face all kinds of undocumented-usage problems. Those routines are not exported, not documented, and subject to change between Windows versions. Additionally, take into account that you will have to find them by their indexes, which change between NT versions, and call them from your driver. Do you still need this?

For your additional tasks (like minimized state or window size) it will be required to create a user-mode part that gathers all the info you want.
Is there any other way to get GUI information from kernel space, or should it only be done from user space?

George.
 #16331  by EP_X0FF
 Sun Oct 28, 2012 12:37 pm
Hydra is not directly exported like, for example, the Native API. This alone should give you a hint that it wasn't designed to be used from drivers.