[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook

Ok well a few of my pieces of code here rely upon the ImageFileName element within the EPROCESS structure (which you can find in the ntifs_6001.h) header I’ve uploaded. Again, in 7600 it seems to be missing. Weird.
Anyway, the problem was that ImageFileName was returning nothing. Blank. So evidently the offset has changed. I wrote a peice of code to enumerate the base addresses of each EPROCESS structure and then looked at them in Win Dbg, have a look:
null

That image should pretty much give you an idea of what to do. Count the bytes. Find the new offset.
Previously the offset for ImageFileName was +0×154 now all of a sudden its +0×174. To implement search for this offset programmatically, search the memory from each EPROCESS base for the string “system”. As it will ALWAYS be there, makes for an easy way to determine the correct offset.

I have attached an updated version of my NtOpenProcessHook below with the fix.
The hack (this is too crude to be a fix!) lies in the RetrievePID() function. So have a look there for comparison.

[ Link ] My Old NtOpenProcessHook post
[ C - Source ] New NtOpenProcessHook Driver
[ C - Source ] Old NtOpenProcessHook Driver
[ C - Header ] ntifs_6001.h

Advertisement

~ by Rhys M. on November 21, 2009.

Posted in Programming

One Response to “[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook”

  1. [...] [ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook « said this on November 21, 2009 at 10:01 pm [...]

    [ C ] NtOpenProcess hook. « said this on October 28, 2011 at 12:12 pm

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.