Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

ObOpenObjectByPointer causing crash while extracting WTS ID from process ID

chetanchauhan111992chetanchauhan111992 Member Posts: 6

I am extracting the WTS ID from process ID but sometimes getting crash due to ObOpenObjectByPointer API

Code :

BOOLEAN GetSessionIdOfProcess(UINT64 dwPid, UINT32* sessionId)
{
    HANDLE hprocess, htoken;
    NTSTATUS status;
    OBJECT_ATTRIBUTES objectAttributes;
    CLIENT_ID myCid;
    PEPROCESS eProcess;
    InitializeObjectAttributes(&objectAttributes, 0, 0, 0, 0);

    myCid.UniqueProcess = (HANDLE)dwPid;
    myCid.UniqueThread = 0;
    BOOLEAN result = FALSE;
    //Open the process and get the handle
    status = ZwOpenProcess(&hprocess, PROCESS_ALL_ACCESS, &objectAttributes, &myCid);
    if (!NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the process handle for PID : %llu , error code : %x\r\n", dwPid, status);
        goto Exit;
    }

    //Get EPROCESS from the process handle
    status = ObReferenceObjectByHandle(hprocess, FILE_READ_DATA, 0, KernelMode, &eProcess, 0);
    if (!NT_SUCCESS(status) || eProcess == NULL)
    {
        DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the EPROCESS structure for PID : %llu , error code : %x\r\n", dwPid, status);
    }
    else
    {
        // Get Process token from the EPROCESS
        PVOID token = PsReferencePrimaryToken(eProcess);

        if (token)
        {
            // Now that we have a token reference, get a handle to it
            // so that we can query it.
            status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
            if (!NT_SUCCESS(status))
            {
                DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the token handle for PID : %llu , error code : %x\r\n", dwPid, status);
            }
            else
            {
                ULONG retLen = 0;
                ZwQueryInformationToken(htoken, TokenSessionId, sessionId, sizeof(UINT32), &retLen);
                DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_DEBUG_LEVEL, "Extracted information, PID : %llu WTS ID : %d\r\n", dwPid, *sessionId);
                result = TRUE;
                ZwClose(htoken);
            }
            ObDereferenceObject(token);
        }
        else
        {
            DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Token value for PID : %llu is NULL\r\n", dwPid);
        }
        ObDereferenceObject(eProcess);
    }   
    ZwClose(hprocess);

Exit:
    return result;
}

Error Data :-

STACK_TEXT:

fffffb88706ce4c8 fffff8072d409b69 : 000000000000000a ffffad841e8ff018 0000000000000002 0000000000000000 : nt+0x3f6b90
fffffb88706ce4d0 fffff8072d405e69 : fffffb88706ceaf0 fffffb88706ce8a8 0000000000000000 0000000000000000 : nt+0x408b69
fffffb88706ce610 fffff8072d5f765b : 0000000000000000 fffffb8800000000 0000000000000000 ffffad8413e59030 : nt+0x404e69
fffffb88706ce7a0 fffff8072d6d5189 : ffffad8413e59060 0000000000000000 fffff287fc5607bb 002e006700000008 : nt+0x5f665b
fffffb88706ce990 fffff80732316635 : 01d7590566503ed7 fffffb88706cf9d0 fffffb88706cf010 0000000000000000 : nt+0x6d4189
fffffb88706cec10 fffff80732317385 : 0000000000000490 fffffb88706ced00 fffff80732316910 fffffb88706cf638 : GetSessionIdOfProcess+0x175

FAULTING_SOURCE_LINE_NUMBER: 677

FAULTING_SOURCE_CODE:
673: if (token)
674: {
675: // Now that we have a token reference, get a handle to it
676: // so that we can query it.
677: status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
678: if (!NT_SUCCESS(status))
679: {
680: DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the token handle for PID : %llu , error code : %x\r\n", dwPid, status);
681: }
682: else

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffad841e8ff018, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8072d5f765b, address which referenced memory

Please let me know how I can extract the WTS ID from process ID

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging 15 November 2021 Live, Online