I have not any experience at all in driver development. I want to access to an attribute of the structure PEPROCESS. I have a pointer pointing to the process object, obtained via PsGetCurrentProcess routine. I have seeing already some web describing the structure internals (attributes) declaration, so I could use the offset of these attributes to get them, something like:
hprocess = PsGetCurrentProcess();
List = (LIST_ENTRY*)((ULONG)hproces + 0x88); //Active Process Link Offset
However this way leave me in the middle of a problem. I would like to make a build of this code that could be able to run in other kind of platforms (ex: x86, x86_64) and others version of Windows (XP, 7, ...); and I suppose that is not possible with that way because the offset would not be the same.
Question: Is there a not lame solution for this? Ex: something like
List = process->ActiveProcessLink
or something.
Try to use macro: PCHAR CONTAINING_RECORD( [in] PCHAR Address, [in] TYPE Type, [in] PCHAR Field);