A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26390  by Pancake
 Mon Jul 27, 2015 5:52 pm
Hello. I'm trying to do something which seems very simple from usermode, but in kernel something goes wrong. So I read about ZwQueryInformationProcess, which would be helpful in that case, prepared parameters and voila. But the problem is that (I'm running under a usermode debugger so I can confirm the steps live) DbgPrint("Peb adres %X\n", pbi.PebBaseAddress); returns 7EFDF000 (which is wrong and doesn't fit the PEB structure), while usermode fs:[30] gives the good result, 7EFDE000, which is 0x1000 lower. Why is that?
 #26397  by Brock
 Tue Jul 28, 2015 4:20 pm

WOW64 processes have two PEBs: one is the 64-bit PEB, which you're getting the address of, and the other is the 32-bit PEB. Since you want the 32-bit PEB you'll want to use ZwQueryInformationProcess(hProcess, ProcessWow64Information, ...);
 #26399  by Pancake
 Tue Jul 28, 2015 4:53 pm
Gonna check it. I also want to ask about KeStackAttachProcess. I target only x32 processes running in WOW64. So as far as I understand, I attach my driver to the process's memory and I can simply dereference any address from 0 to 7fffffff and read its value; well, it works. But is it possible to call a function from the process I am attached to (just something simple like ((void(__cdecl*)())address)() where address is the function address), or is it impossible since the driver is x64?
 #26405  by Brock
 Wed Jul 29, 2015 8:12 pm
If you want to execute code inside a process in userland from your driver, you'll need to either schedule an APC pointing to the code to execute (the thread must be in an alertable wait state for the APC to fire), hijack an existing thread, or simply create a new thread pointing to your function. Other methods exist too, such as hooking an API that you know is bound to be called and, inside your hook callback function, executing any code you want. Maybe this question is better suited as a new thread topic.