A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #19669  by r3shl4k1sh
 Mon Jun 17, 2013 4:51 pm
I am getting BSOD when trying to get to the ProtectedProcess bit in the EPROCESS.
Here is my function:
Code:
BOOLEAN IsProtected( BYTE* EPROCESS )
{
	DWORD *Flags2ptr;
	DWORD Flags2;
	BOOLEAN protect;
	DWORD masker;

	// Offsets.Flags2 = 0x26C (win7)
	Flags2ptr = (DWORD*) (EPROCESS + Offsets.Flags2);
	Flags2 = (DWORD)*Flags2ptr; // <-- BSOD

	masker = 0;
	masker = 1 << 11; // ProtectedProcess is bit 11 of Flags2

	protect = (Flags2 & masker) ? TRUE : FALSE;

	if (protect)
	{
		return (TRUE);
	}

	return (FALSE);
}
What am I doing wrong?
I know the problem lies where I dereference Flags2ptr, but why?

Thanks.
 #19670  by EP_X0FF
 Mon Jun 17, 2013 5:34 pm
Code:
#define GET_BIT(Integer, Bit) (((Integer) >> (Bit)) & 0x1)
#define StrOff(object, offset) ((PCHAR)(object) + (offset))
...
NTSTATUS Status;
PEPROCESS processObject;
CHAR Result;
ULONG OffEpProtectedProcessBit;
ULONG OffEpProtectedProcessOff;

// EPROCESS.Flags2 at 0x26c, ProtectedProcess is bit 11 (Windows 7 offsets)
OffEpProtectedProcessBit = 0xb;
OffEpProtectedProcessOff = 0x26c;

// Takes a reference on the EPROCESS, so it stays valid while we read it
Status = PsLookupProcessByProcessId(ProcessId, &processObject);
if (NT_SUCCESS(Status)) {
	Result = (CHAR)GET_BIT(*(PULONG)StrOff(processObject, OffEpProtectedProcessOff), OffEpProtectedProcessBit);
.....
	// Drop the reference once we are done with the object
	ObfDereferenceObject(processObject);
}
 #19678  by EP_X0FF
 Tue Jun 18, 2013 2:50 am
r3shl4k1sh wrote:
    That works, thanks.

    Is there any point in getting the ProtectedProcess bit in between PsLookupProcessByProcessId and ObfDereferenceObject?
    What if I have EPROCESS addresses in an array?

Yes. This increases the reference count on the object, preventing it from being disposed of while you work with it. Your array is just an array of addresses; they are in no way bound to the objects and can point to nowhere, so random access to that memory can lead to a random BSOD. Ensure the object is still alive and reference it; for pointers, see ObReferenceObjectByPointer.
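The thread reduces to two things: reading one bit of EPROCESS.Flags2 through a version-specific byte offset, and only doing so on an object you hold a reference to. The example below is added here and is not code from either poster; it is a user-mode C model in which a constructed byte buffer stands in for the real EPROCESS, so it can be compiled and run anywhere. The offset 0x26C and bit 11 are the Windows 7 values quoted in the thread and are assumed to apply only there; the names read_flag_bit, is_protected and make_fake_eprocess are the example's own. It adds the bounds check a practitioner wants before dereferencing a table-supplied offset. The object-lifetime half (PsLookupProcessByProcessId, ObReferenceObjectByPointer, ObfDereferenceObject) needs the kernel and is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread. Models reading a single flag bit out of
 * an opaque kernel structure by byte offset, as both posts do for
 * EPROCESS.Flags2 bit 11 (ProtectedProcess) on Windows 7. In user mode a
 * constructed byte buffer replaces the real EPROCESS. */

#define FLAGS2_OFFSET_WIN7      0x26C   /* from the thread; Windows 7 only */
#define PROTECTED_PROCESS_BIT   11      /* 0xb in the thread */
#define FAKE_EPROCESS_SIZE      0x2D0   /* constructed; big enough for Flags2 */

/* Same semantics as the GET_BIT macro posted by EP_X0FF. */
#define GET_BIT(Integer, Bit) (((Integer) >> (Bit)) & 0x1)

/* Read the 32-bit word at 'offset' inside 'object' (which is 'size' bytes
 * long) and return the requested bit (0 or 1). Returns -1 if the read would
 * run past the object or the bit index is out of range: offsets come from a
 * per-OS-version table and must be validated before anything is dereferenced.
 * memcpy makes the read valid regardless of alignment. */
int read_flag_bit(const uint8_t *object, size_t size, size_t offset, unsigned bit)
{
    uint32_t word;

    if (object == NULL || bit > 31 || offset > size || size - offset < sizeof word)
        return -1;
    memcpy(&word, object + offset, sizeof word);
    return (int)GET_BIT(word, bit);
}

/* Mirrors IsProtected() from the first post, with the bounds check added. */
int is_protected(const uint8_t *eprocess, size_t size)
{
    return read_flag_bit(eprocess, size, FLAGS2_OFFSET_WIN7, PROTECTED_PROCESS_BIT);
}

/* Build a constructed stand-in for an EPROCESS: zero-filled, with a Flags2
 * word that carries some unrelated bits plus ProtectedProcess on or off, so
 * the masking is actually exercised. Returns 0 on success, -1 if the buffer
 * cannot hold Flags2. */
int make_fake_eprocess(uint8_t *buf, size_t size, int protected_flag)
{
    uint32_t flags2 = 0x40000004u;          /* constructed filler bits */

    if (buf == NULL || size < FLAGS2_OFFSET_WIN7 + sizeof flags2)
        return -1;
    if (protected_flag)
        flags2 |= 1u << PROTECTED_PROCESS_BIT; /* adds 0x800 */
    memset(buf, 0, size);
    memcpy(buf + FLAGS2_OFFSET_WIN7, &flags2, sizeof flags2);
    return 0;
}

/* Build a fake EPROCESS with ProtectedProcess set or clear and read it back. */
int demo_read(int protected_flag)
{
    uint8_t buf[FAKE_EPROCESS_SIZE];

    if (make_fake_eprocess(buf, sizeof buf, protected_flag) != 0)
        return -1;
    return is_protected(buf, sizeof buf);
}

/* Pretend the object is only 0x100 bytes: the Windows 7 offset now lies
 * outside it and the read must be refused instead of attempted. */
int demo_truncated(void)
{
    uint8_t buf[FAKE_EPROCESS_SIZE];

    make_fake_eprocess(buf, sizeof buf, 1);
    return read_flag_bit(buf, 0x100, FLAGS2_OFFSET_WIN7, PROTECTED_PROCESS_BIT);
}

int main(void)
{
    printf("protected set  -> %d\n", demo_read(1));
    printf("protected clear-> %d\n", demo_read(0));
    printf("too-small object -> %d\n", demo_truncated());
    return 0;
}
```

In a driver the buffer would be the PEPROCESS returned by PsLookupProcessByProcessId (or one you took a reference on with ObReferenceObjectByPointer), and the size check would be replaced by knowing the offset table matches the running OS build; the bit read itself is the same four-byte load and shift.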