Buffer from ZwQueryInformationProcess overwritten randomly

RsQUE · May 17, 2025, 1:32pm

I use ZwQueryInformationProcess to get the image file name of the process. Which I can succesfully. But after some more lines of code, the string is overwritten randomly, specially when I use it to initialize an object.

Status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName, NULL, 0, &ReturnLength);
if (Status == STATUS_INFO_LENGTH_MISMATCH) {
	ImageFileNameBuffer = ExAllocatePoolZero(NonPagedPool, ReturnLength, 0);
	if (ImageFileNameBuffer == NULL) return PkDispatchDenyAccess(Irp);

	ImageFileName = *(PUNICODE_STRING)ImageFileNameBuffer;

	Status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName, &ImageFileName, ReturnLength, NULL); // The buffer is right, the string is right.
        // "\Device\Mup\vmware-host\Shared Folders\Debug\Process.exe"
	if (!NT_SUCCESS(Status)) {
		ZwClose(ProcessHandle);
		return PkDispatchDenyAccess(Irp);
	}
} else {
	ZwClose(ProcessHandle);
	return PkDispatchDenyAccess(Irp);
}

ZwClose(ProcessHandle); 

InitializeObjectAttributes(&FileAttributes, &ImageFileName, OBJ_KERNEL_HANDLE, NULL, NULL);

// Now things change."\Device\Mup\vmware-host\Shared F0". Just randomly. Or something else. It differs.

Status = ZwOpenFile(&FileHandle, 0, &FileAttributes, &IoBlock, 0, 0); // Cannot open because object name not found
if (!NT_SUCCESS(Status)) return PkDispatchDenyAccess(Irp);

I am not exactly sure what is causing that. But the Length nor MaximumLength of the UNICODE_STRING does not change. The buffer in memory is overwritten. And yes, I tried to manually initialize the object. The result was same.

UPDATE: The object does not matter. It is overwritten after a few lines. I tried to copy the string.

UPDATE 2: I tried to move the initialization and copy the string right after its written by ZwQueryInformationProcess. I got a SYSTEM_SERVICE_EXCEPTION with access violation at RtlCopyMemory.

lucianpin · May 17, 2025, 7:43pm

I assume ImageFileName is of type UNICODE_STRING. You assign between 2 structures. ImageFileName members are set to not yet initialized values. ZwQueryInformationProcess will then initialize, but you passed a copy of the structure located at other address in memory which doesn t have room for the name buffer following it. You should have passed the ImageFileNameBuffer directly then do some casts. Anyway or at least use pointers and not make that structure copy.

RsQUE · May 18, 2025, 7:19am

I tried both. I tried both to initialize the structure then pass the pointer, and then let function to initialize it. Which resulted in same thing.

lucianpin · May 18, 2025, 8:10am

You don t understand, you pass an address of a wrong variable. Pass the ImageFileNameBuffer as I indicated before.

RsQUE · May 18, 2025, 8:50am

Interesting. It now worked. But why? Why it now works? Why it wasn't before? And how this code changed things?

lucianpin · May 18, 2025, 8:59am

I just explained in first reply. ZwQueryInformationProcess needs room for UNICODE_STRING size + the size of the name buffer. You lied the function that the length is enough but you didn t pass the buffer you just allocated.