
I have this piece of code as part of a driver. This driver is for Windows 7 x64, so it executes on the same system.

#include <ntddk.h>

#define PROCINFO_TAG 'QPI'   /* pool tag used for the PROCESS_BASIC_INFORMATION buffer */

PVOID GetProcessInformation(ULONG PID)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    HANDLE hProcess = NULL;
    PEPROCESS pProcess = NULL;
    PVOID pProcInfo = NULL;
    ULONG ulRet = 0;

    /* The caller owns the returned buffer and frees it with ExFreePoolWithTag. */
    pProcInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_BASIC_INFORMATION), PROCINFO_TAG);
    if (pProcInfo == NULL)
    {
        DbgPrint("ExAllocatePoolWithTag failed\n");
        return NULL;
    }

    /* PsLookupProcessByProcessId takes a HANDLE-typed id: widen the ULONG
       through ULONG_PTR instead of passing the ULONG directly. */
    ntStatus = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &pProcess);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("PsLookupProcessByProcessId Returned: 0x%08x\n", ntStatus);
        ExFreePoolWithTag(pProcInfo, PROCINFO_TAG);
        return NULL;
    }

    /* Open a kernel-only handle (OBJ_KERNEL_HANDLE keeps it out of the
       user-mode handle table). The handle holds its own reference, so the
       lookup reference is released right away, on the failure path too. */
    ntStatus = ObOpenObjectByPointer(pProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_QUERY_INFORMATION,
                                     *PsProcessType, KernelMode, &hProcess);
    ObDereferenceObject(pProcess);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("ObOpenObjectByPointer Returned: 0x%08x\n", ntStatus);
        ExFreePoolWithTag(pProcInfo, PROCINFO_TAG);
        return NULL;
    }

    ntStatus = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pProcInfo,
                                         sizeof(PROCESS_BASIC_INFORMATION), &ulRet);
    ZwClose(hProcess);   /* the handle is no longer needed on either path */
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("ZwQueryInformationProcess Returned: 0x%08x\n", ntStatus);
        ExFreePoolWithTag(pProcInfo, PROCINFO_TAG);
        return NULL;
    }
    if (ulRet != sizeof(PROCESS_BASIC_INFORMATION))
        DbgPrint("Warning: ZwQueryInformationProcess returned length %lu, expected %lu\n",
                 ulRet, (ULONG)sizeof(PROCESS_BASIC_INFORMATION));

    /* PebBaseAddress in the returned structure is a full-width PVOID on x64;
       print it with %p (not %x), or the upper 32 bits are dropped. */
    return pProcInfo;
}

PROCESS_BASIC_INFORMATION is defined in ntddk. The PID value is correct. But the result of ZwQueryInformationProcess is odd. I get only the lower part of the PEB address (the PPEB part of the PROCESS_BASIC_INFORMATION structure). For example, another tool says the PPEB is equal to 0x000007FFFFFDC000. My driver knows only 0xFFFDC000. I also tried the PsGetProcessPeb(...) function, with the same result. The ZwQueryInformationProcess function succeeds.

1 Answer

Corrected:
To address the "I get only lower part of PEB address" part of your question: because pProcess is a pointer, use the pointer format specifier, %p.

    ntStatus = PsLookupProcessByProcessId(PID, &pProcess);
    // your error handling code
    DbgPrint("PsLookupProcessByProcessId: 0x%p\n", pProcess);   // DbgPrint is the kernel-mode equivalent of printf

The "%p" pointer format specifier displays the argument as a hexadecimal address.

ryyker
  • Thank you for the answer and for the solution. Do I need to use a long long type variable to store the address on the application side? – Thomas Andersen Apr 24 '19 at 17:16
  • `PEPROCESS` is a pointer type (a pointer to an `EPROCESS` structure). To print a pointer type, use the `p` [format specifier](https://learn.microsoft.com/en-us/cpp/c-runtime-library/format-specification-syntax-printf-and-wprintf-functions). `long long` (as well as `%llx`) is wrong for 2 reasons: `long long` is signed (a pointer isn't), and it has the wrong size on a 32-bit build. – IInspectable Apr 25 '19 at 10:03
  • @IInspectable - I should have had my coffee before answering yesterday! Thank you for pointing out my error. It has been corrected. – ryyker Apr 25 '19 at 13:47
  • @ThomasAndersen - Please note the correction to this answer. `%llx` is _not_ the right way to print an address pointer variable. Sorry for that mistake. – ryyker Apr 25 '19 at 13:57
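The symptom in the question (0x000007FFFFFDC000 showing up as 0xFFFDC000) and the follow-up comment about which type to use on the application side are easiest to see in portable user-mode C, so the block below is an added example, not code from the question or the answer. It narrows the sample PEB value to 32 bits the way a ULONG cast or a "%x" conversion would, formats it at full width the way "%p" does in a driver, and carries it across a hypothetical IOCTL output record (PEB_QUERY_OUTPUT, fill_output and the other names are my own, not Windows APIs) as a fixed uint64_t field so that a 32-bit or 64-bit user-mode reader sees the same value. The sample address is constructed from the number quoted in the question, and the pointer cast assumes a 64-bit host.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the PEB address quoted in the question. */
#define SAMPLE_PEB 0x000007FFFFFDC000ULL

/* Hypothetical IOCTL output record (not from the question). The address
 * travels as a fixed 64-bit integer rather than a PVOID, so the layout is
 * identical whether the user-mode reader is built for x86 or x64. */
typedef struct _PEB_QUERY_OUTPUT {
    uint32_t ProcessId;
    uint32_t Reserved;        /* explicit padding: same layout on both architectures */
    uint64_t PebBaseAddress;  /* full pointer width preserved */
} PEB_QUERY_OUTPUT;

/* Driver side: widen the pointer through uintptr_t, never through a 32-bit ULONG. */
void fill_output(uint32_t pid, const void *peb, PEB_QUERY_OUTPUT *out)
{
    memset(out, 0, sizeof *out);
    out->ProcessId = pid;
    out->PebBaseAddress = (uint64_t)(uintptr_t)peb;
}

/* The bug: narrowing to 32 bits (what a ULONG cast or "%x" does) keeps only
 * the low dword, which is 0xFFFDC000 for the sample value. */
int format_peb_truncated(uint64_t peb, char *buf, size_t len)
{
    uint32_t low = (uint32_t)peb;
    return snprintf(buf, len, "0x%08" PRIX32, low);
}

/* The fix: format at full pointer width. In a driver the equivalent is
 * DbgPrint("%p", ptr); PRIX64 keeps this example portable. */
int format_peb_full(uint64_t peb, char *buf, size_t len)
{
    return snprintf(buf, len, "0x%016" PRIX64, peb);
}

/* Non-zero when the high dword carries data, i.e. a 32-bit field would lose it. */
int peb_needs_64_bits(uint64_t peb)
{
    return (peb >> 32) != 0;
}

/* Runs the round trip on the sample value and reports whether the truncated
 * and full-width renderings match the two numbers in the question. */
int truncation_demo_ok(void)
{
    char truncated[32], full[32];
    PEB_QUERY_OUTPUT out;
    /* Stand-in for PebBaseAddress: only its value is used, it is never
     * dereferenced. Assumes a 64-bit host so the cast keeps all 64 bits. */
    const void *peb_ptr = (const void *)(uintptr_t)SAMPLE_PEB;

    fill_output(1234, peb_ptr, &out);
    format_peb_truncated(out.PebBaseAddress, truncated, sizeof truncated);
    format_peb_full(out.PebBaseAddress, full, sizeof full);

    return out.PebBaseAddress == SAMPLE_PEB
        && strcmp(truncated, "0xFFFDC000") == 0
        && strcmp(full, "0x000007FFFFFDC000") == 0;
}

int main(void)
{
    char truncated[32], full[32];
    format_peb_truncated(SAMPLE_PEB, truncated, sizeof truncated);
    format_peb_full(SAMPLE_PEB, full, sizeof full);
    printf("narrowed to 32 bits: %s\n", truncated);
    printf("full width:          %s\n", full);
    printf("needs 64 bits:       %s\n", peb_needs_64_bits(SAMPLE_PEB) ? "yes" : "no");
    return truncation_demo_ok() ? 0 : 1;
}
```

On the application side the answer to the comment is therefore a fixed-width unsigned 64-bit field (ULONGLONG / uint64_t, or ULONG_PTR if the reader is guaranteed to be a 64-bit build), printed with "%p" on a pointer or PRIX64 on the integer; a signed long long or a PVOID in a 32-bit client would silently drop the same upper dword the question describes.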