I am extracting the WTS ID from process ID but sometimes getting crash due to ObOpenObjectByPointer API
Code :
BOOLEAN GetSessionIdOfProcess(UINT64 dwPid, UINT32* sessionId)
{
HANDLE hprocess, htoken;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
CLIENT_ID myCid;
PEPROCESS eProcess;
InitializeObjectAttributes(&objectAttributes, 0, 0, 0, 0);
myCid.UniqueProcess = (HANDLE)dwPid;
myCid.UniqueThread = 0;
BOOLEAN result = FALSE;
//Open the process and get the handle
status = ZwOpenProcess(&hprocess, PROCESS_ALL_ACCESS, &objectAttributes, &myCid);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the process handle for PID : %llu , error code : %x\r\n", dwPid, status);
goto Exit;
}
//Get EPROCESS from the process handle
status = ObReferenceObjectByHandle(hprocess, FILE_READ_DATA, 0, KernelMode, &eProcess, 0);
if (!NT_SUCCESS(status) || eProcess == NULL)
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the EPROCESS structure for PID : %llu , error code : %x\r\n", dwPid, status);
}
else
{
// Get Process token from the EPROCESS
PVOID token = PsReferencePrimaryToken(eProcess);
if (token)
{
// Now that we have a token reference, get a handle to it
// so that we can query it.
status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the token handle for PID : %llu , error code : %x\r\n", dwPid, status);
}
else
{
ULONG retLen = 0;
ZwQueryInformationToken(htoken, TokenSessionId, sessionId, sizeof(UINT32), &retLen);
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_DEBUG_LEVEL, "Extracted information, PID : %llu WTS ID : %d\r\n", dwPid, *sessionId);
result = TRUE;
ZwClose(htoken);
}
ObDereferenceObject(token);
}
else
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Token value for PID : %llu is NULL\r\n", dwPid);
}
ObDereferenceObject(eProcess);
}
ZwClose(hprocess);
Exit:
return result;
}
Error Data :-
STACK_TEXT:
! fffffb88
706ce4c8 fffff8072d409b69 : 000000000000000a ffffad841e8ff018 0000000000000002 0000000000000000 : nt+0x3f6b90
! fffffb88706ce4d0 fffff8072d405e69 : fffffb88706ceaf0 fffffb88706ce8a8 0000000000000000 0000000000000000 : nt+0x408b69
! fffffb88706ce610 fffff8072d5f765b : 0000000000000000 fffffb8800000000 0000000000000000 ffffad8413e59030 : nt+0x404e69
! fffffb88706ce7a0 fffff8072d6d5189 : ffffad8413e59060 0000000000000000 fffff287fc5607bb 002e006700000008 : nt+0x5f665b
! fffffb88706ce990 fffff80732316635 : 01d7590566503ed7 fffffb88706cf9d0 fffffb88706cf010 0000000000000000 : nt+0x6d4189
! fffffb88706cec10 fffff80732317385 : 0000000000000490 fffffb88706ced00 fffff80732316910 fffffb88706cf638 : GetSessionIdOfProcess+0x175
! FAULTING_SOURCE_LINE_NUMBER: 677
!
! FAULTING_SOURCE_CODE:
! 673: if (token)
! 674: {
! 675: // Now that we have a token reference, get a handle to it
! 676: // so that we can query it.
! 677: status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
! 678: if (!NT_SUCCESS(status))
! 679: {
! 680: DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, “Error occured while accessing the token handle for PID : %llu , error code : %x\r\n”, dwPid, status);
! 681: }
! 682: else
! IRQL_NOT_LESS_OR_EQUAL (a)
! An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
! If a kernel debugger is available get the stack backtrace.
! Arguments:
! Arg1: ffffad841e8ff018, memory referenced
! Arg2: 0000000000000002, IRQL
! Arg3: 0000000000000000, bitfield :
! bit 0 : value 0 = read operation, 1 = write operation
! bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
! Arg4: fffff8072d5f765b, address which referenced memory
!
Please let me know how I can extract the WTS ID from process ID