
ZwQueryInformationProcess strange behavior when ProcessBasicInformation requested


I have this piece of code as part of a driver. The driver is for Windows 7 x64 and runs on that same 64-bit system.

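/*
 * Query PROCESS_BASIC_INFORMATION for the process identified by PID.
 *
 * Returns a NonPagedPool buffer of sizeof(PROCESS_BASIC_INFORMATION) that the
 * caller owns and must release with ExFreePool, or NULL on failure (the
 * failing NTSTATUS is reported via DbgPrint).
 *
 * PebBaseAddress in the returned structure is a full pointer (64 bits on x64);
 * printing it with a 32-bit integer specifier such as "%x" or "%08x" shows
 * only its low 32 bits -- use "%p".
 *
 * Every resource taken here (object reference, handle, pool buffer on the
 * failure path) is released on every exit path via the single cleanup label.
 */
PVOID GetProcessInformation(ULONG PID)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    HANDLE hProcess = NULL;
    PEPROCESS pProcess = NULL;
    PVOID pProcInfo = NULL;
    ULONG ulRet = 0;

    /* Pool tags are conventionally four characters; 'QPI' is kept as-is so the
     * tag seen in existing pool-tracking output does not change. */
    pProcInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_BASIC_INFORMATION), 'QPI');
    if (pProcInfo == NULL)
    {
        DbgPrint("ExAllocatePoolWithTag failed\n");
        return NULL;
    }

    /* PsLookupProcessByProcessId takes a HANDLE-typed PID; go through ULONG_PTR so
     * the 32-bit value is zero-extended to pointer width on x64 instead of
     * relying on an implicit int-to-pointer conversion. On success pProcess
     * carries a reference that must be dropped with ObDereferenceObject. */
    ntStatus = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &pProcess);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("PsLookupProcessByProcessId Returned: 0x%08x\n", ntStatus);
        goto cleanup;
    }

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
     * table, so user-mode code in whatever process context this runs in cannot
     * reach (or close) the handle while the driver holds it. DesiredAccess is
     * left at 0 as in the original; this works only because Zw* calls from
     * kernel mode skip the handle access check -- if a stricter check is ever
     * wanted, request PROCESS_QUERY_INFORMATION here (TODO confirm). */
    ntStatus = ObOpenObjectByPointer(pProcess, OBJ_KERNEL_HANDLE, NULL, 0, NULL, KernelMode, &hProcess);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("ObOpenObjectByPointer Returned: 0x%08x\n", ntStatus);
        goto cleanup;
    }

    ntStatus = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pProcInfo, sizeof(PROCESS_BASIC_INFORMATION), &ulRet);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("ZwQueryInformationProcess Returned: 0x%08x\n", ntStatus);
        goto cleanup;
    }

    /* A short/long return length is a warning only; the buffer is still returned. */
    if (ulRet != sizeof(PROCESS_BASIC_INFORMATION))
    {
        DbgPrint("Warning : ZwQueryInformationProcess Returned Length is different than ProcessInformationLength\n");
    }

cleanup:
    /* The handle was only needed for the query; never leak it. */
    if (hProcess != NULL)
    {
        ZwClose(hProcess);
    }
    /* Drop the reference taken by PsLookupProcessByProcessId on every path,
     * including the ObOpenObjectByPointer failure path the original leaked on. */
    if (pProcess != NULL)
    {
        ObDereferenceObject(pProcess);
    }
    /* On any failure the buffer is ours to free; on success the caller owns it. */
    if (!NT_SUCCESS(ntStatus))
    {
        ExFreePool(pProcInfo);
        pProcInfo = NULL;
    }
    return pProcInfo;
}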

PROCESS_BASIC_INFORMATION is defined in ntddk.h. The PID value is correct, but the result of ZwQueryInformationProcess is odd: I get only the lower part of the PEB address (the PPEB PebBaseAddress field of PROCESS_BASIC_INFORMATION). For example, another tool reports the PEB at 0x000007FFFFFDC000, while my driver only sees 0xFFFDC000. I also tried PsGetProcessPeb(...), with the same result. The ZwQueryInformationProcess call itself succeeds.


Solution

  • Corrected:
    To address the "I get only the lower part of the PEB address" part of your question:
    PebBaseAddress is a pointer (64 bits on x64). Printing it with a 32-bit integer
    specifier such as "%x" or "%08x" keeps only its low 32 bits (0xFFFDC000 out of
    0x000007FFFFFDC000); the query itself returned the full value. Use the pointer
    format specifier "%p" instead, which prints the whole pointer-width argument.

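    /* Print the PEB address from the queried structure, not the EPROCESS pointer. */
    PVOID pProcInfo = GetProcessInformation(PID);
    // your error handling code
    if (pProcInfo != NULL)
    {
        PPROCESS_BASIC_INFORMATION pbi = (PPROCESS_BASIC_INFORMATION)pProcInfo;
        /* PebBaseAddress is a pointer (64-bit on x64); "%08x" drops its upper 32 bits,
         * "%p" prints the full address. DbgPrint, not printf, is the kernel-mode API. */
        DbgPrint("PebBaseAddress: 0x%p\n", pbi->PebBaseAddress);
        ExFreePool(pProcInfo);   /* caller owns the buffer returned by GetProcessInformation */
    }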
    

    The "%p" pointer format specifier displays the argument as a hexadecimal address at full pointer width, so no high-order bits are lost on x64.