Is there a way to walk through all processes and obtain their respective process IDs in kernel mode?
Please advise.
Install Ps process create/destroy callbacks, and maintain your own process tree parallel to the kernel’s one.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
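Maxim's suggestion, as an added user-mode model (not code from the thread or from any driver): the callback has the shape of PCREATE_PROCESS_NOTIFY_ROUTINE and maintains a table keyed by PID. The NT types are stand-in typedefs so the file builds with a host C compiler, and the PIDs and the event order are constructed. It includes the case that bites a driver loaded late, an exit notification for a process whose creation was never seen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef void *HANDLE;                        /* stand-in for the NT HANDLE type */
typedef unsigned char BOOLEAN;
#define H(x) ((HANDLE)(uintptr_t)(x))

#define MAX_TRACKED 64
typedef struct { HANDLE parent, pid; int alive; } tracked_proc;
static tracked_proc g_table[MAX_TRACKED];
static size_t g_count;

static size_t slot_for(HANDLE pid)           /* index of pid, or g_count if unknown */
{
    size_t i = 0;
    while (i < g_count && g_table[i].pid != pid) i++;
    return i;
}

/* Same shape as PCREATE_PROCESS_NOTIFY_ROUTINE. Runs in the context of the
   creating thread (create == TRUE) or of the last thread to exit (create ==
   FALSE); a real driver serialises g_table with a lock here. */
static void process_notify(HANDLE parent, HANDLE pid, BOOLEAN create)
{
    size_t i = slot_for(pid);
    if (i == g_count) {                      /* first time we hear of this pid */
        if (g_count == MAX_TRACKED) return;  /* table full: real code would grow it */
        g_table[i].pid = pid;
        g_count++;
    }
    /* An exit for a pid never seen created means the process predates the
       driver (the OP's explorer.exe). Recording it as dead keeps later lookups
       honest: "known, already gone" rather than "unknown". A later create with
       the same pid (PID reuse) simply revives the slot. */
    g_table[i].parent = parent;
    g_table[i].alive = create ? 1 : 0;
}

static int is_known(uintptr_t pid) { return slot_for(H(pid)) != g_count; }
static int is_alive(uintptr_t pid)
{
    size_t i = slot_for(H(pid));
    return i != g_count && g_table[i].alive;
}
static size_t tracked_count(void) { return g_count; }
static size_t alive_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < g_count; i++) n += g_table[i].alive != 0;
    return n;
}

/* Constructed event stream, not real system activity: the driver registers
   after explorer.exe (1234) has started, so the first notification it ever
   receives for that pid is the exit. Returns the number of live processes. */
static size_t replay_constructed_events(void)
{
    g_count = 0;
    process_notify(H(4),    H(300),  1);     /* smss.exe, parent System */
    process_notify(H(300),  H(400),  1);     /* csrss.exe */
    process_notify(H(400),  H(1100), 1);     /* winlogon.exe */
    process_notify(H(1100), H(1234), 0);     /* explorer.exe exits; create never seen */
    process_notify(H(1100), H(2000), 1);     /* notepad.exe starts ... */
    process_notify(H(1100), H(2000), 0);     /* ... and exits */
    process_notify(H(1100), H(2000), 1);     /* pid 2000 reused by a new process */
    return alive_count();
}

int main(void)
{
    size_t alive = replay_constructed_events();
    printf("%zu tracked, %zu alive; explorer 1234 known=%d alive=%d\n",
           tracked_count(), alive, is_known(1234), is_alive(1234));
    return 0;
}
```

In a driver the registration goes in DriverEntry (PsSetCreateProcessNotifyRoutine with Remove = FALSE) and is undone in the unload routine with Remove = TRUE; anything already running when the driver loads never produces a create event, which is exactly why a table built this way cannot answer "what is explorer.exe's PID" for a process that predates it.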
You can use PsSetCreateProcessNotifyRoutine to retrieve PIDs. Traversing
the internal process list can’t be done without using undocumented stuff.
2013/7/18
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
Enumerate, like you said: walk through PIDs from 0 to 0xxxxxx with PsLookupProcessByProcessId().
I hope it works for you :)
PsLookupProcessByProcessId… imaginative solution.
You’ve gotten some answers, but there is a more basic question: what do
you think you can do with this information? There are many possible
answers, some of which already have features in Windows that implement
what you need. So it is more useful to know what you are trying to
accomplish.
joe
> Enumerate, like you said: walk through PIDs from 0 to 0xxxxxx with
> PsLookupProcessByProcessId().
> I hope it works for you :)
But the PIDs are 32-bit values, and if each time you are trying to look up
one of 4.2 billion processes, this is hardly effective.
joe
Invoke ZwQuerySystemInformation, passing SystemProcessesAndThreadsInformation as the parameter? (Sounds like it is not documented…)
@joe, yes, if he calls it each time there is surely an efficiency problem,
so he should call it only the first time, when he loads the driver, and then use PsSetCreateProcessNotifyRoutine.
Maxim, Julian,
- I have used PsSetCreateProcessNotifyRoutine(), but its notify routine
only happens when an application is loaded; a process like “explorer.exe”
is loaded before my minifilter, so I need to know how to get explorer.exe
and its process id/PID.

Julian,
“…Traversing the internal process…”
- How to get the full path of “explorer.exe” from the notify routine based
on only ParentId and ProcessId?

kindof,
“…through pid from 0 to 0xxxxxx by pslookupprocesspid”
- How fast is the process by using the above method?
- How to get the full path of “explorer.exe” from PEPROCESS?

Joseph,
“…what do you think you can do with this information?..”
- I want to find the full path of “explorer.exe” and its process id
via enumerating processes at DriverEntry() once.
- Since my minifilter driver is loaded after “explorer.exe”, I cannot
capture it via PsSetLoadImageNotifyRoutine() and definitely not via
PsSetCreateProcessNotifyRoutine(), since I did not know what the PID
for “explorer.exe” was at first.

By the way, I am writing this post upon an implementation on Windows 2000
for personal study and understanding.

Please advise.
You can configure your fsf driver to load before any process is created, and
then your notification routine will be invoked for all processes created
except System. As you are just investigating you can also move to Vista+
and use PsSetCreateProcessNotifyRoutineEx instead.
If you want the process full path from EPROCESS you use “dt nt!_EPROCESS”
on WinDbg to discover the path offset inside the EPROCESS struct. The path
could be a PUNICODE_STRING. Be aware that this offset can change with the
Service Pack version, so it’s not a real-world solution.
There are good OSR articles covering this topic if I remember correctly.
Regards
2013/7/19
> You can configure your fsf driver to load before any process
> is created and then your notification routine will be invoked
> for all processes created except System.
I would not bother with that; seeing that NtQuerySystemInformation
with SystemProcessInformation is already documented in MSDN,
I would go for that. Works everywhere and at any time.
The only possible hassle is that it could fail when a process
manages to exit between call to NtQuerySysInfo and the
whatever check you are going to do. Just remember - the
process list is only valid at the moment of the call to
NtQuerySystemInformation.
L.
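The approach L. describes, worked through as an added example that is not part of the thread: a bounds-checked walker over the SystemProcessInformation buffer plus the STATUS_INFO_LENGTH_MISMATCH retry loop. The record below reproduces only the leading fields of SYSTEM_PROCESS_INFORMATION as winternl.h lays them out; the process list, the PIDs and fake_query (which stands in for ZwQuerySystemInformation) are constructed, and the NT types are stand-in typedefs so the file builds and runs with a host C compiler. It also covers the point raised later in the thread that there may be zero or several processes called explorer.exe at any moment.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t ULONG; typedef uint16_t USHORT; typedef void *HANDLE; typedef int32_t NTSTATUS;
typedef uint16_t WCHAR;                          /* NT WCHAR is 16-bit, unlike host wchar_t */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define NT_SUCCESS(s)               ((s) >= 0)
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

/* Leading fields only, in winternl.h order. The real record continues and is
   followed by per-thread entries, so a walker must never advance by sizeof(). */
typedef struct {
    ULONG NextEntryOffset;                       /* 0 on the last record */
    ULONG NumberOfThreads;
    uint8_t Reserved1[48];
    UNICODE_STRING ImageName;                    /* short name only, e.g. L"explorer.exe" */
    int32_t BasePriority;
    HANDLE UniqueProcessId, InheritedFromUniqueProcessId;
} SYSTEM_PROCESS_INFORMATION;

/* Constructed process list standing in for what the kernel would return. */
typedef struct { const char *name; uintptr_t pid, ppid; } fake_proc;
static const fake_proc g_procs[] = {
    { "System", 4, 0 }, { "smss.exe", 300, 4 },
    { "explorer.exe", 1234, 1100 },              /* first logged-on user */
    { "explorer.exe", 5678, 1100 },              /* second user: the name is not unique */
};

/* One record plus its name characters in the caller's buffer; dst == NULL sizes only. */
static size_t put_record(uint8_t *dst, size_t cap, const fake_proc *fp, int last)
{
    size_t n = strlen(fp->name);
    size_t total = (sizeof(SYSTEM_PROCESS_INFORMATION) + (n + 1) * 2 + 7) & ~(size_t)7;
    if (dst == NULL) return total;
    if (total > cap) return 0;
    SYSTEM_PROCESS_INFORMATION *rec = (SYSTEM_PROCESS_INFORMATION *)dst;
    WCHAR *chars = (WCHAR *)(dst + sizeof *rec);
    memset(rec, 0, total);
    for (size_t i = 0; i < n; i++) chars[i] = (WCHAR)(unsigned char)fp->name[i];
    rec->ImageName.Length = (USHORT)(n * 2);
    rec->ImageName.MaximumLength = (USHORT)(n * 2 + 2);
    rec->ImageName.Buffer = chars;
    rec->UniqueProcessId = (HANDLE)fp->pid;
    rec->InheritedFromUniqueProcessId = (HANDLE)fp->ppid;
    rec->NextEntryOffset = last ? 0 : (ULONG)total;
    return total;
}

/* Stand-in for ZwQuerySystemInformation(SystemProcessInformation, buf, len, &ret),
   same contract: STATUS_INFO_LENGTH_MISMATCH plus the size needed. */
static NTSTATUS fake_query(void *buf, ULONG len, ULONG *ret_len)
{
    const size_t n = sizeof g_procs / sizeof g_procs[0];
    size_t need = 0, off = 0;
    for (size_t i = 0; i < n; i++) need += put_record(NULL, 0, &g_procs[i], 0);
    *ret_len = (ULONG)need;
    if (buf == NULL || len < need) return STATUS_INFO_LENGTH_MISMATCH;
    for (size_t i = 0; i < n; i++)
        off += put_record((uint8_t *)buf + off, len - off, &g_procs[i], i + 1 == n);
    return STATUS_SUCCESS;
}

/* Size negotiation. The size a failed call reports is only a hint, because
   processes can start between calls, so allocate with slack and retry. */
typedef NTSTATUS (*query_fn)(void *, ULONG, ULONG *);
static void *take_snapshot(query_fn q, ULONG *used)
{
    ULONG len = 0, need = 0; void *buf = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        NTSTATUS st = q(buf, len, &need);
        if (NT_SUCCESS(st)) { *used = need; return buf; }
        if (st != STATUS_INFO_LENGTH_MISMATCH) break;
        free(buf);
        len = need + 4096;
        if ((buf = malloc(len)) == NULL) return NULL;  /* driver: ExAllocatePoolWithTag */
    }
    free(buf);
    return NULL;
}

static int name_eq(const UNICODE_STRING *u, const char *s)  /* ASCII, case-insensitive */
{
    size_t n = strlen(s);
    if (u->Length != n * 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (u->Buffer[i] > 127 || tolower(u->Buffer[i]) != tolower((unsigned char)s[i])) return 0;
    return 1;
}

/* Walk the NextEntryOffset chain collecting PIDs whose short image name matches.
   Every step is bounds-checked: a record or name that would extend past the
   buffer ends the walk instead of being dereferenced. Returns the match count. */
static size_t find_pids_by_name(const void *buf, ULONG len, const char *name,
                                uintptr_t *pids, size_t max_pids)
{
    const uint8_t *base = buf, *end = base + len, *p = base;
    size_t found = 0;
    while ((size_t)(end - p) >= sizeof(SYSTEM_PROCESS_INFORMATION)) {
        const SYSTEM_PROCESS_INFORMATION *rec = (const SYSTEM_PROCESS_INFORMATION *)p;
        const uint8_t *nb = (const uint8_t *)rec->ImageName.Buffer;
        if (nb != NULL && nb >= base && nb <= end && (size_t)(end - nb) >= rec->ImageName.Length
            && name_eq(&rec->ImageName, name)) {
            if (found < max_pids) pids[found] = (uintptr_t)rec->UniqueProcessId;
            found++;
        }
        if (rec->NextEntryOffset == 0 || rec->NextEntryOffset > (size_t)(end - p)) break;
        p += rec->NextEntryOffset;
    }
    return found;
}

/* Take a fresh snapshot, search it, free it. The list is valid only at the
   instant of the call, so it is never cached. Returns the match count or -1. */
static int instances_of(const char *name, uintptr_t *pids, size_t max_pids)
{
    ULONG used = 0;
    void *snap = take_snapshot(fake_query, &used);
    if (snap == NULL) return -1;
    size_t n = find_pids_by_name(snap, used, name, pids, max_pids);
    free(snap);
    return (int)n;
}

static uintptr_t nth_pid(const char *name, size_t i)   /* i-th match, 0 if none */
{ uintptr_t p[8] = {0}; return instances_of(name, p, 8) > (int)i ? p[i] : 0; }

/* Hand the walker only the first record header of a valid snapshot: the name
   and the next record lie past the end, so it must report nothing. */
static int truncated_buffer_is_safe(void)
{
    static uint64_t buf[512]; ULONG got = 0; uintptr_t p[8];
    if (!NT_SUCCESS(fake_query(buf, sizeof buf, &got))) return 0;
    return find_pids_by_name(buf, (ULONG)sizeof(SYSTEM_PROCESS_INFORMATION) + 4, "System", p, 8) == 0;
}
```

Calling instances_of("explorer.exe", pids, 8) against the constructed list returns 2 with PIDs 1234 and 5678, which is the "which explorer.exe?" problem in miniature. In a driver the same walker runs over the buffer ZwQuerySystemInformation filled at PASSIVE_LEVEL, pool memory replaces malloc/free, and a PID taken from the snapshot is only a hint: re-validate it with PsLookupProcessByProcessId (and ObDereferenceObject afterwards), because the process may have exited since the call.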
And what does knowing the process is called “explorer.exe” get you? Of
course, you have to make sure it is THE “explorer.exe”, that is, the
Windows Explorer, and not some random program I wrote, and called
“explorer.exe”. But there is practically nothing useful you can derive by
knowing this information. So it goes back to the original question: why
are you doing this? Yes, intellectual curiosity is fine, but if you think
you have learned how to do something, such as detecting a process launched
from explorer, or a file dropped from explorer, but that ignores all the
possible ways a process can be instantiated, or all possible drag/drop
scenarios, etc. I always become suspicious when I hear of anything that
needs to know the name of the currently-running program. This has to rank
as one of the most totally useless pieces of information you could ask
for. This september will mark my 50th year in the profession, and over
that time, I have worked in a large number of operating systems. One of
the first ideas that many programmers have is “If I knew the name of the
user process, we could…”. After a while, all the other systems people
would send these enthusiasts to me, because I could always demolish their
idea in about ten minutes, by showing a large set of cases that did
whatever they were trying to prevent, or, alternatively, what legitimate
actions their solution would prevent. I have yet to have anyone who could
do anything useful with this information. So it’s interesting that you
can learn this information, but unless it has some purpose, it is only
intellectual amusement. I have no problem with intellectual amusement,
but if you think that you can use this information to solve some problem,
it would be useful to know what you would do with this information, before
you go off and try to use this information for some purpose it is
ill-suited for. Turns out there are lots of useful things you could
imagine doing with this information, such as tracking process creation;
too much time spent running Solitaire, for example, might indicate a
serious employee problem. But in that case, you care solely about the
executable name, and don’t care exactly /what/ the name is, or have a need to
compare it to some name like “explorer.exe”.
Q: What’s worse than having security?
A: Having no security
Q: What’s worse than having no security?
A: Having something that provides the illusion of security, but doesn’t
actually work correctly.
Since I’ve been concerned by security issues since the late 1960s, there’s
very few bad ideas I haven’t seen. And very few bad ideas I have not been
able to crack with only a few minutes of thinking about the problem. In a
few cases, I had to write a program to demonstrate to the managers that
the newly-installed “armor plate” they had just expended a couple
man-years of precious programmer time to build was about as effective
armor as wet tissue. So I eventually became the gatekeeper for bad ideas.
The only system that didn’t need “aftermarket kludges” to make it secure
was the Hydra operating system (and no, I never worked in Multics). All
other systems only gave the illusion of security. [A partial list: IBM’s
OS/360, DOS/360, TSS/360, and CPM–no, not CP/M; DEC’s TOPS-10 and TOPS-20
and VMS; various flavors of Unix; Windows NT+ (and by extension, OS/2,
although I never worked in it, but someone who knew my reputation from CMU
did, and most of my Windows attacks, he assured me, would have worked in
OS/2. He “paid” me by buying the pizzas and beverages at our favorite
conference room, and gave me free copies of OS/2, which didn’t even work
well as paperweights)]
I used to teach a course on how to attack Windows. I once talked about
this to DCA, the Defense Communications Agency. When I described the
content of my talk to friends, one of them said “And they let you walk out
without confiscating your slides, marking them ‘Top Secret’, and invoking
the ITARS to prevent you from ever talking about this again?” [For those
of you who have not heard of the ITARS, these are the rules that are
invoked to prohibit the export of strong cryptographic software; their
main concern is the export of potential weapons technology]. My response
was simple: “Everything I talked about is documented in the Microsoft
programming manuals.”
So feel free to experiment, but don’t expect to build anything useful by
knowing that the process name is a particular executable image.
joe
> Invoke ZwQuerySystemInformation, passing SystemProcessesAndThreadsInformation
> as the parameter? (Sounds like it is not documented…)
> @joe, yes, if he calls it each time there is surely an efficiency problem,
> so he should call it only the first time, when he loads the driver, and then
> PsSetCreateProcessNotifyRoutine
No. The information is transient, and MUST be obtained each time. The
solution you posed would be so slow that entire processes could be
launched, run, and terminate before one iteration of the query could
complete. For all practical purposes, any snapshot of the process
structure can be assumed to be obsolete as soon as it is captured. Even done
once, to create the initial structure, would take far too long, and the
information would be obsolete as soon as it is captured. Think about
multicore systems: even a constantly-updated process list will be
potentially obsolete as soon as it is updated.
joe
What happens if there is no process with that binary at the moment? Or
multiple processes with that binary?
This can happen if you check before any user logs in, or if multiple users
are logged in (terminal services / fast user switching), or if explorer.exe
terminates (crash, terminate, logout)
these questions are all notwithstanding Joe’s about how to recognize the
‘true’ explorer.exe from any other process which might be started from
binaries with that name
>If you want the process full path from EPROCESS you use “dt nt!_EPROCESS” on WinDbg to
Well-known SysInternals source uses runtime attempt to find the “SYSTEM” process name in the EPROCESS of SYSTEM process, and then save the offset for use with other EPROCESSes.
This name is NOT in Unicode, and also it is a short name - not full path. This name is the one displayed by Task Manager.
Anyway these are all hacks, the ZwXxx APIs are the way to go.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
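The offset-discovery hack Maxim describes, as an added example (not the SysInternals code and not from the thread) run against constructed byte arrays standing in for EPROCESS objects. In a driver the first array would be the object that PsInitialSystemProcess points to and the scan length the object size for that build; FAKE_OFF, the object size and the filler bytes here are made up. The uniqueness check is the one thing worth keeping from it: if the pattern matches twice, the heuristic has no business being trusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_NAME_LEN 16                 /* UCHAR ImageFileName[16] in EPROCESS */

/* Scan the System process object for its own short name. Stepping by one byte
   avoids assuming the field's alignment, which differs between builds.
   Returns the offset, or -1 if the pattern is absent or not unique: two hits
   mean the heuristic is ambiguous on this build and must not be used. */
static long find_image_name_offset(const uint8_t *sys_eproc, size_t scan_len)
{
    static const char pat[] = "System";   /* 6 chars plus the NUL, 7 bytes */
    long hit = -1;
    for (size_t off = 0; off + IMAGE_NAME_LEN <= scan_len; off++) {
        if (memcmp(sys_eproc + off, pat, sizeof pat) != 0) continue;
        if (hit >= 0) return -1;          /* second match: refuse to guess */
        hit = (long)off;
    }
    return hit;
}

/* Copy the short name out of any EPROCESS-like object at the learned offset.
   The field is not guaranteed NUL-terminated (a 15-character name fills it),
   so the copy is terminated here. */
static const char *image_name_at(const uint8_t *eproc, long off, char out[IMAGE_NAME_LEN + 1])
{
    memcpy(out, eproc + off, IMAGE_NAME_LEN);
    out[IMAGE_NAME_LEN] = '\0';
    return out;
}

/* Constructed objects. FAKE_OFF is arbitrary, not any real build's offset. */
#define OBJ_SIZE 0x300
#define FAKE_OFF 0x1FC
static uint8_t g_sys[OBJ_SIZE], g_explorer[OBJ_SIZE];

static void build_objects(void)
{
    memset(g_sys, 0xAB, sizeof g_sys);
    memset(g_explorer, 0xCD, sizeof g_explorer);
    memcpy(g_sys + FAKE_OFF, "System\0\0\0\0\0\0\0\0\0", IMAGE_NAME_LEN);
    memcpy(g_explorer + FAKE_OFF, "explorer.exe\0\0\0", IMAGE_NAME_LEN);
}

static long learned_offset(void)
{
    build_objects();
    return find_image_name_offset(g_sys, OBJ_SIZE);
}

static int explorer_name_resolves(void)   /* apply the learned offset to another object */
{
    char name[IMAGE_NAME_LEN + 1];
    long off = learned_offset();
    return off >= 0 && strcmp(image_name_at(g_explorer, off, name), "explorer.exe") == 0;
}

static int ambiguous_scan_is_rejected(void)   /* a second "System" elsewhere in the object */
{
    build_objects();
    memcpy(g_sys + 0x40, "System", 7);
    return find_image_name_offset(g_sys, OBJ_SIZE) == -1;
}
```

What comes out is the 16-byte ANSI short name that Task Manager shows, never a path, and the scan has to be bounded to the object size of the running build since reading past the object is an undefined read of adjacent pool. Everything in this block is the hack the thread warns against; the supported route is the ZwXxx query in the earlier example.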
> course, you have to make sure it is THE “explorer.exe”, that is, the
> Windows Explorer, and not some random program I wrote, and called
> “explorer.exe”
In around 1997, I saw a virus named “explorer.exe”, in a directory other than system32.
It was started first by the logon, and it invoked the real explorer.exe in turn.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
>> course, you have to make sure it is THE “explorer.exe”, that is, the
>> Windows Explorer, and not some random program I wrote, and called
>> “explorer.exe”
> In around 1997, I saw a virus named “explorer.exe”, in a directory other than system32.
> It was started first by the logon, and it invoked the real explorer.exe in turn.
I used this proxy mechanism to launch programs I wrote; the systems people
were notoriously slow in installing new versions of programs, so when
someone ran (on TOPS-10) “r something”, it ran the program sys:something
which in turn ran dskc:something[N800JN11]. So I had complete control of
my releases. I invented this technique around 1971, and used it for a
decade. Which is why many spoofing attacks are so screamingly obvious to
me (did you know the crypto DLL is not one of the “knownDLLs”, or at least
it wasn’t through Vista?). So by a suitable spoofing attack I could replace
RSA-4096 with ROT-13. Kinda scary, isn’t it?
joe
@maxim
“This name is NOT in Unicode, and also it is a short name - not full path. This
name is the one displayed by Task Manager.”
I don’t think that is the name displayed by Task Manager.
Well, if Maxim says that there is no full path in a Win 2000 EPROCESS
struct I believe it. I think he says that the “UCHAR ImageFileName[16];” is
used in TaskMgr.
Besides the fact that it’s just a hack and should not be the fundamental part
of a security system, etc., I see a reference inside EPROCESS (Win 7) to a
UNICODE_STRING containing the full path. Maybe it is there just in Vista+.
Best regards,
Julian
2013/7/22 <5771067@qq.com>
There are some problems using EPROCESS, one of which is definitely a
buzz-kill: you have no way to synchronize access to the EPROCESS
structure, so you have no way to know that between the time you got it and
the time you try to access it that it has been changed, in particular,
destroyed. Using undocumented hacks is not good for children, or other
living things. And the OP has not really answered the key question:
exactly what problem do you plan to solve with this knowledge?
joe