I am extracting the WTS ID from process ID but sometimes getting crash due to ObOpenObjectByPointer API
Code :
BOOLEAN GetSessionIdOfProcess(UINT64 dwPid, UINT32* sessionId)
{
HANDLE hprocess, htoken;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
CLIENT_ID myCid;
PEPROCESS eProcess;
InitializeObjectAttributes(&objectAttributes, 0, 0, 0, 0);
myCid.UniqueProcess = (HANDLE)dwPid;
myCid.UniqueThread = 0;
BOOLEAN result = FALSE;
//Open the process and get the handle
status = ZwOpenProcess(&hprocess, PROCESS_ALL_ACCESS, &objectAttributes, &myCid);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the process handle for PID : %llu , error code : %x\r\n", dwPid, status);
goto Exit;
}
//Get EPROCESS from the process handle
status = ObReferenceObjectByHandle(hprocess, FILE_READ_DATA, 0, KernelMode, &eProcess, 0);
if (!NT_SUCCESS(status) || eProcess == NULL)
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the EPROCESS structure for PID : %llu , error code : %x\r\n", dwPid, status);
}
else
{
// Get Process token from the EPROCESS
PVOID token = PsReferencePrimaryToken(eProcess);
if (token)
{
// Now that we have a token reference, get a handle to it
// so that we can query it.
status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
if (!NT_SUCCESS(status))
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the token handle for PID : %llu , error code : %x\r\n", dwPid, status);
}
else
{
ULONG retLen = 0;
ZwQueryInformationToken(htoken, TokenSessionId, sessionId, sizeof(UINT32), &retLen);
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_DEBUG_LEVEL, "Extracted information, PID : %llu WTS ID : %d\r\n", dwPid, *sessionId);
result = TRUE;
ZwClose(htoken);
}
ObDereferenceObject(token);
}
else
{
DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Token value for PID : %llu is NULL\r\n", dwPid);
}
ObDereferenceObject(eProcess);
}
ZwClose(hprocess);
Exit:
return result;
}
Error Data :-
fffffb88
706ce4c8 fffff807
2d409b69 : 000000000000000a ffffad84
1e8ff018 0000000000000002 00000000
00000000 : nt+0x3f6b90
fffffb88706ce4d0 fffff807
2d405e69 : fffffb88706ceaf0 fffffb88
706ce8a8 0000000000000000 00000000
00000000 : nt+0x408b69
fffffb88706ce610 fffff807
2d5f765b : 0000000000000000 fffffb88
00000000 0000000000000000 ffffad84
13e59030 : nt+0x404e69
fffffb88706ce7a0 fffff807
2d6d5189 : ffffad8413e59060 00000000
00000000 fffff287fc5607bb 002e0067
00000008 : nt+0x5f665b
fffffb88706ce990 fffff807
32316635 : 01d7590566503ed7 fffffb88
706cf9d0 fffffb88706cf010 00000000
00000000 : nt+0x6d4189
fffffb88706cec10 fffff807
32317385 : 0000000000000490 fffffb88
706ced00 fffff80732316910 fffffb88
706cf638 : GetSessionIdOfProcess+0x175
FAULTING_SOURCE_LINE_NUMBER: 677
FAULTING_SOURCE_CODE:
673: if (token)
674: {
675: // Now that we have a token reference, get a handle to it
676: // so that we can query it.
677: status = ObOpenObjectByPointer(token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &htoken);
678: if (!NT_SUCCESS(status))
679: {
680: DbgPrintEx(DPFLTR_NDE_MASK, DPFLTR_NDE_ERROR_LEVEL, "Error occured while accessing the token handle for PID : %llu , error code : %x\r\n", dwPid, status);
681: }
682: else
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffad841e8ff018, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8072d5f765b, address which referenced memory
Please let me know how I can extract the WTS ID from process ID