EPROCESS question

Hi all.
I have a question regarding accessing EPROCESS structures in the kernel
(yes I know EPROCESS is undocumented, and yes I know not to depend on
certain offsets in the EPROCESS structure).
My basic question is this: Is there a way to obtain (for NT4/2K/XP) the
address of the EPROCESS structure for any given process that is *not* the
currently executing process (so using PsGetCurrentProcess is not an
option)?

I’m trying to do this because I want to call KeAttachProcess to attach to
a certain process (namely csrss.exe)…

The only semi-sane way that I can think to do this that should
(might?) work on NT4, 2K, and XP would be to have a user-land app obtain
the PID of the process I want to get the EPROCESS block for, and send the
PID down to the driver… then the driver could use
PsLookupProcessByProcessId to grab the EPROCESS structure’s address…

I had thought about using PsActiveProcessHead and iterating through the
list, comparing image filenames until I found the process I wanted, but
that would require using offsets to the beginning of the EPROCESS struct
and for accessing the image filename member (which would put in strict OS
version (and possibly even service-pack level) dependencies which would
suck…
Under XP I could even possibly iterate through all the various process
IDs, grabbing the EPROCESS for that ID and then using
PsGetProcessImageFileName to obtain the image name to compare with (ugly
but it should work), but this isn’t available in Win2k/NT4…

Also, if I go with the ‘userland finds pid, passes to driver for lookup’
approach, is it possible that the PID in the EPROCESS struct could change
after the userland app looks up the pid and before the driver queries it?

Any thoughts would be appreciated… (even if the only answer is “you’re
on crack. you can’t do this in a sane way. move on.”)

Thanks,
sean

ObReferenceObjectByHandle on a process handle will get you a pointer to
the corresponding EPROCESS object. You probably want to have OROBH
check the object type to ensure some bogus app isn’t handing you an
event handle in order to crash the system. If you’re going to specify
KernelMode in order to bypass those annoying security checks you need to
first check and make sure the handle passed to you isn’t a kernel handle
also.

If you have the app open the process handle, hand it to the driver and
then close the handle, you're assured that the process object can't go
away, and you don't need to know the PID.

Why do you want to attach to csrss?

Sometimes I wish people would mention their product names so I can have
a little more food for thought when purchasing software :)

-p

-----Original Message-----
From: xxxxx@stg.com [mailto:xxxxx@stg.com]
Sent: Friday, October 18, 2002 2:11 PM
To: NT Developers Interest List
Subject: [ntdev] EPROCESS question

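The handle-based approach from -p's reply, as an added example (not code from the thread or from any DDK sample): a WDM device-control routine for the NT4/2K/XP API the thread is about that takes a process handle from the user-mode caller, resolves it with ObReferenceObjectByHandle against *PsProcessType using the requestor's own access mode, attaches with KeAttachProcess, and drops the reference afterwards. The IOCTL code, the routine names, and the choice of PROCESS_VM_OPERATION as the access the caller must hold are assumptions; the kernel call the original poster actually needs to make in csrss's context is not named on the page, so DoWorkInTargetContext() is left as a placeholder.

```c
/* Added example, not from the thread or from any DDK sample.  IOCTL code,
 * routine names and the PROCESS_VM_OPERATION requirement are assumptions.
 * Uses KeAttachProcess/KeDetachProcess so it fits NT4 as well as 2K/XP. */
#include <ntddk.h>

#define IOCTL_ATTACH_AND_RUN \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Kernel handles have the sign bit set (0x80000000 on x86, sign-extended on
 * 64-bit).  ObReferenceObjectByHandle only refuses them when called with
 * UserMode, so a driver that passes KernelMode has to check on its own. */
#define IS_KERNEL_HANDLE(h) \
    ((((ULONG_PTR)(h)) & (ULONG_PTR)(LONG_PTR)(LONG)0x80000000) != 0)

/* Placeholder for the routine that must run in the target's context; the
 * page does not say which call that is. */
static NTSTATUS DoWorkInTargetContext(PEPROCESS Target)
{
    UNREFERENCED_PARAMETER(Target);
    return STATUS_SUCCESS;
}

static NTSTATUS AttachByProcessHandle(PIRP Irp, PIO_STACK_LOCATION IrpSp)
{
    HANDLE    userHandle;
    PEPROCESS process = NULL;
    NTSTATUS  status;

    if (IrpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof(HANDLE))
        return STATUS_BUFFER_TOO_SMALL;

    /* METHOD_BUFFERED: the I/O manager already copied the caller's input. */
    userHandle = *(HANDLE *)Irp->AssociatedIrp.SystemBuffer;

    /* Belt and braces: a user-mode caller never gets to name a kernel
     * handle, even though the UserMode check below would refuse it too. */
    if (Irp->RequestorMode == UserMode && IS_KERNEL_HANDLE(userHandle))
        return STATUS_INVALID_HANDLE;

    /* Handle -> referenced EPROCESS.  *PsProcessType makes the object
     * manager fail if we were handed an event or a file instead of a
     * process; the requestor's mode makes it verify that the handle was
     * opened with the access we demand, so a caller who could not have
     * opened csrss with PROCESS_VM_OPERATION cannot make us attach to it.
     * The reference keeps the object alive until ObDereferenceObject. */
    status = ObReferenceObjectByHandle(userHandle,
                                       PROCESS_VM_OPERATION,
                                       *PsProcessType,
                                       Irp->RequestorMode,
                                       (PVOID *)&process,
                                       NULL);
    if (!NT_SUCCESS(status))
        return status;

    /* KeAttachProcess cannot be nested (it bugchecks if the thread is
     * already attached elsewhere), so this is only reached from a thread
     * that is not attached. */
    KeAttachProcess((PKPROCESS)process);
    status = DoWorkInTargetContext(process);
    KeDetachProcess();

    ObDereferenceObject(process);
    return status;
}

NTSTATUS DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status;

    UNREFERENCED_PARAMETER(DeviceObject);

    switch (irpSp->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_ATTACH_AND_RUN:
        status = AttachByProcessHandle(Irp, irpSp);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
```

The matching user-mode side is OpenProcess(PROCESS_VM_OPERATION, FALSE, pid), DeviceIoControl with the HANDLE value as the input buffer, and CloseHandle once DeviceIoControl returns. Because the IOCTL completes synchronously, the handle is still open when the driver references it, and from then on the driver's own reference keeps the EPROCESS alive for as long as it is attached. This also answers the PID-reuse worry in the original post: the driver never goes through a PID, it goes through a handle that names one specific object.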

Cool, thank you very much for the info :)

The reason that I’m attaching to csrss.exe is because I need to call
another kernel function that requires that you be in the context of
csrss.exe… (i.e. similar to what the video port driver does).

As far as the software reliability issue goes, I’m doing this for a client
and want to do it right… hence my question to the list… I know that
this sequence of calls works and achieves what I need to do… I just
wanted to make sure that if I do take this approach to solving a problem,
I do it in as safe and clean a manner as possible (which is why I’m not
just doing hard-coded offsets from the LIST_ENTRY member in EPROCESS)…
I also wanted to double check with people on the list to see if anyone
would smack me and say “I know you think you can and want to do this, but
don’t go attaching yourself to csrss.exe and making calls because…”

So I’m trying to write correct (and stable) code, I really am, honest :)

Thanks again for the help…

sean

Why do you need a kernel driver?
You can inject a DLL into another process by opening the process (CSRSS),
allocating memory in that process, copying a short piece of code that calls
LoadLibrary on the DLL you want to inject, and then use CreateRemoteThread
to run that load library code.
You need to do this from a service or as an administrator.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
Sent: Friday, October 18, 2002 6:56 PM
To: NT Developers Interest List
Subject: [ntdev] RE: EPROCESS question


You cannot inject DLLs into CSRSS, since it is not a Win32 process.

----- Original Message -----
From: “Bill Bwandel”
To: “NT Developers Interest List”
Sent: Saturday, October 19, 2002 4:56 AM
Subject: [ntdev] RE: EPROCESS question

> Why do you need a kernel driver?
> You can inject a DLL into another process by opening the process
(CSRSS),
> allocating memory in that process, copying a short piece of code
that calls
> LoadLibrary on the DLL you want to inject, and then use
CreateRemoteThread
> to run that load library code.
> You need to do this from a service or as an administrator.
>
> Bill Wandel
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
> Sent: Friday, October 18, 2002 6:56 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: EPROCESS question
>
>
> Cool, thank you very much for the info :slight_smile:
>
> The reason that I’m attaching to csrss.exe is because I need to call
> another kernel function that requires that you be in the context of
> csrss.exe… (ie: similar to what the video port driver does).
>
> As far as the software reliability issue goes, I’m doing this for a
client
> and want to do it right… hence my question to the list… I know
that
> this sequence of calls works and achieves what I need to do… I
just
> wanted to make sure that if I do take this approach to solving a
problem,
> I do it in as safe and clean a manner as possible (which is why I’m
not
> just doing hard-coded offsets from the LIST_ENTRY member in
EPROCESS)…
> I also wanted to double check with people on the list to see if
anyone
> would smack me and say “I know you think you can and want to do
this, but
> don’t go attaching yourself to csrss.exe and making calls
because…”
>
> So I’m trying to write correct (and stable) code, I really am,
honest :slight_smile:
>
> Thanks again for the help…
>
> sean
>
> —
> You are currently subscribed to ntdev as: xxxxx@bwandel.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
>

And how does ntdll.dll get into CSRSS? Ntdll.dll is a win32 dll.
The original objective was to make a kernel call in the context of CSRSS. I
don’t think that you need a kernel driver to accomplish this. This doesn’t
address the question of whether this is a safe and reliable thing to do.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Saturday, October 19, 2002 7:48 AM
To: NT Developers Interest List
Subject: [ntdev] RE: EPROCESS question

You cannot inject DLLs to CSRSS, since it is not a Win32 process.

----- Original Message -----
From: “Bill Bwandel”
To: “NT Developers Interest List”
Sent: Saturday, October 19, 2002 4:56 AM
Subject: [ntdev] RE: EPROCESS question

> Why do you need a kernel driver?
> You can inject a DLL into another process by opening the process
(CSRSS),
> allocating memory in that process, copying a short piece of code
that calls
> LoadLibrary on the DLL you want to inject, and then use
CreateRemoteThread
> to run that load library code.
> You need to do this from a service or as an administrator.
>
> Bill Wandel
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
> Sent: Friday, October 18, 2002 6:56 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: EPROCESS question
>
>
> Cool, thank you very much for the info :slight_smile:
>
> The reason that I’m attaching to csrss.exe is because I need to call
> another kernel function that requires that you be in the context of
> csrss.exe… (ie: similar to what the video port driver does).
>
> As far as the software reliability issue goes, I’m doing this for a
client
> and want to do it right… hence my question to the list… I know
that
> this sequence of calls works and achieves what I need to do… I
just
> wanted to make sure that if I do take this approach to solving a
problem,
> I do it in as safe and clean a manner as possible (which is why I’m
not
> just doing hard-coded offsets from the LIST_ENTRY member in
EPROCESS)…
> I also wanted to double check with people on the list to see if
anyone
> would smack me and say “I know you think you can and want to do
this, but
> don’t go attaching yourself to csrss.exe and making calls
because…”
>
> So I’m trying to write correct (and stable) code, I really am,
honest :slight_smile:
>
> Thanks again for the help…
>
> sean
>
> —
> You are currently subscribed to ntdev as: xxxxx@bwandel.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
>


You are currently subscribed to ntdev as: xxxxx@bwandel.com
To unsubscribe send a blank email to %%email.unsub%%

NTDLL is not a win32 subsystem DLL.

----- Original Message -----
From: “Bill Bwandel”
To: “NT Developers Interest List”
Sent: Saturday, October 19, 2002 7:00 PM
Subject: [ntdev] RE: EPROCESS question

> And how does ntdll.dll get into CSRSS? Ntdll.dll is a win32 dll.
> The original objective was to make a kernel call in the context of CSRSS.
I
> don’t think that you need a kernel driver to accomplish this. This doesn’t
> address the question of is this a safe and reliable thing to do.
>
> Bill Wandel
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
> Sent: Saturday, October 19, 2002 7:48 AM
> To: NT Developers Interest List
> Subject: [ntdev] RE: EPROCESS question
>
>
> You cannot inject DLLs to CSRSS, since it is not a Win32 process.
>
> ----- Original Message -----
> From: “Bill Bwandel”
> To: “NT Developers Interest List”
> Sent: Saturday, October 19, 2002 4:56 AM
> Subject: [ntdev] RE: EPROCESS question
>
>
> > Why do you need a kernel driver?
> > You can inject a DLL into another process by opening the process
> (CSRSS),
> > allocating memory in that process, copying a short piece of code
> that calls
> > LoadLibrary on the DLL you want to inject, and then use
> CreateRemoteThread
> > to run that load library code.
> > You need to do this from a service or as an administrator.
> >
> > Bill Wandel
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
> > Sent: Friday, October 18, 2002 6:56 PM
> > To: NT Developers Interest List
> > Subject: [ntdev] RE: EPROCESS question
> >
> >
> > Cool, thank you very much for the info :slight_smile:
> >
> > The reason that I’m attaching to csrss.exe is because I need to call
> > another kernel function that requires that you be in the context of
> > csrss.exe… (ie: similar to what the video port driver does).
> >
> > As far as the software reliability issue goes, I’m doing this for a
> client
> > and want to do it right… hence my question to the list… I know
> that
> > this sequence of calls works and achieves what I need to do… I
> just
> > wanted to make sure that if I do take this approach to solving a
> problem,
> > I do it in as safe and clean a manner as possible (which is why I’m
> not
> > just doing hard-coded offsets from the LIST_ENTRY member in
> EPROCESS)…
> > I also wanted to double check with people on the list to see if
> anyone
> > would smack me and say “I know you think you can and want to do
> this, but
> > don’t go attaching yourself to csrss.exe and making calls
> because…”
> >
> > So I’m trying to write correct (and stable) code, I really am,
> honest :slight_smile:
> >
> > Thanks again for the help…
> >
> > sean
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@bwandel.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@bwandel.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

> And how does ntdll.dll get into CSRSS? Ntdll.dll is a win32 dll.

No. NTDLL is like a user-mode part of the kernel, and it is impossible
to create a process on NT without NTDLL, be it Win32 or not.

Max

Actually, it is.
Dumpbin lists the ntdll.dll header’s subsystem as 3 - Windows CUI. The
depends utility calls the ntdll.dll subsystem WIN32 console.
CSRSS.exe and csrsrv.dll (which is used by csrss) are subsystem Native.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Saturday, October 19, 2002 1:30 PM
To: NT Developers Interest List
Subject: [ntdev] RE: EPROCESS question

NTDLL is not a win32 subsystem DLL.

----- Original Message -----
From: “Bill Bwandel”
To: “NT Developers Interest List”
Sent: Saturday, October 19, 2002 7:00 PM
Subject: [ntdev] RE: EPROCESS question

> And how does ntdll.dll get into CSRSS? Ntdll.dll is a win32 dll.
> The original objective was to make a kernel call in the context of CSRSS.
I
> don’t think that you need a kernel driver to accomplish this. This doesn’t
> address the question of is this a safe and reliable thing to do.
>
> Bill Wandel
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
> Sent: Saturday, October 19, 2002 7:48 AM
> To: NT Developers Interest List
> Subject: [ntdev] RE: EPROCESS question
>
>
> You cannot inject DLLs to CSRSS, since it is not a Win32 process.
>
> ----- Original Message -----
> From: “Bill Bwandel”
> To: “NT Developers Interest List”
> Sent: Saturday, October 19, 2002 4:56 AM
> Subject: [ntdev] RE: EPROCESS question
>
>
> > Why do you need a kernel driver?
> > You can inject a DLL into another process by opening the process
> (CSRSS),
> > allocating memory in that process, copying a short piece of code
> that calls
> > LoadLibrary on the DLL you want to inject, and then use
> CreateRemoteThread
> > to run that load library code.
> > You need to do this from a service or as an administrator.
> >
> > Bill Wandel
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
> > Sent: Friday, October 18, 2002 6:56 PM
> > To: NT Developers Interest List
> > Subject: [ntdev] RE: EPROCESS question
> >
> >
> > Cool, thank you very much for the info :slight_smile:
> >
> > The reason that I’m attaching to csrss.exe is because I need to call
> > another kernel function that requires that you be in the context of
> > csrss.exe… (ie: similar to what the video port driver does).
> >
> > As far as the software reliability issue goes, I’m doing this for a
> client
> > and want to do it right… hence my question to the list… I know
> that
> > this sequence of calls works and achieves what I need to do… I
> just
> > wanted to make sure that if I do take this approach to solving a
> problem,
> > I do it in as safe and clean a manner as possible (which is why I’m
> not
> > just doing hard-coded offsets from the LIST_ENTRY member in
> EPROCESS)…
> > I also wanted to double check with people on the list to see if
> anyone
> > would smack me and say “I know you think you can and want to do
> this, but
> > don’t go attaching yourself to csrss.exe and making calls
> because…”
> >
> > So I’m trying to write correct (and stable) code, I really am,
> honest :slight_smile:
> >
> > Thanks again for the help…
> >
> > sean
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@bwandel.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@bwandel.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>


You are currently subscribed to ntdev as: xxxxx@bwandel.com
To unsubscribe send a blank email to %%email.unsub%%
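What dumpbin and depends report as "subsystem" is the Subsystem field of the PE optional header. The following is an added example, not code from the thread: a bounds-checked reader of that field, plus two sample headers constructed in memory (not real ntdll.dll or csrss.exe bytes) that carry the values Bill reports, 3 (Windows CUI) for a DLL and 1 (Native) for an executable. Passing a file path on the command line reads the headers of a real image instead; the field names and constants follow the PE specification, and the helper names are my own.

```c
/* Added example, not from the thread.  Reads IMAGE_OPTIONAL_HEADER.Subsystem
 * (the value dumpbin prints) from a PE image in memory.  Samples below are
 * constructed, not real ntdll.dll/csrss.exe headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PE_SUBSYSTEM_NATIVE = 1, PE_SUBSYSTEM_WINDOWS_GUI = 2,
       PE_SUBSYSTEM_WINDOWS_CUI = 3 };
#define PE_FILE_DLL      0x2000u  /* IMAGE_FILE_DLL in FileHeader.Characteristics */
#define SUBSYSTEM_OFFSET 68       /* same offset in PE32 and PE32+ optional headers */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns the Subsystem value, or -1 if the buffer is not a well-formed PE
 * image.  Every offset is checked against len first, so a truncated or
 * hostile file cannot push the parser past the end of the buffer. */
int pe_subsystem(const uint8_t *img, size_t len, int *is_dll)
{
    const uint8_t *nt, *fh, *opt;
    uint32_t e_lfanew;
    uint16_t magic;

    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    e_lfanew = rd32(img + 0x3c);
    /* need "PE\0\0" + 20-byte file header + the 2-byte field at offset 68 */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + SUBSYSTEM_OFFSET + 2) return -1;
    nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    fh  = nt + 4;
    opt = fh + 20;
    if (rd16(fh + 16) < SUBSYSTEM_OFFSET + 2) return -1;     /* SizeOfOptionalHeader */
    magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;         /* PE32 / PE32+ */
    if (is_dll) *is_dll = (rd16(fh + 18) & PE_FILE_DLL) != 0;
    return rd16(opt + SUBSYSTEM_OFFSET);
}

const char *pe_subsystem_name(int s)
{
    switch (s) {
    case PE_SUBSYSTEM_NATIVE:      return "Native";
    case PE_SUBSYSTEM_WINDOWS_GUI: return "Windows GUI";
    case PE_SUBSYSTEM_WINDOWS_CUI: return "Windows CUI";
    default:                       return "other/unknown";
    }
}

/* Constructed sample: DOS header, PE signature, file header and a PE32
 * optional header with only the fields this parser looks at filled in. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t subsystem, int dll)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 4 + 20 + 96;   /* 96: PE32 optional header, no data directories */
    uint8_t *fh, *opt;

    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    fh = buf + e_lfanew + 4;
    wr16(fh + 0, 0x014c);                                          /* Machine: i386 */
    wr16(fh + 16, 96);                                             /* SizeOfOptionalHeader */
    wr16(fh + 18, (uint16_t)(0x0102 | (dll ? PE_FILE_DLL : 0)));   /* EXECUTABLE_IMAGE|32BIT_MACHINE */
    opt = fh + 20;
    wr16(opt, 0x10b);                                              /* PE32 magic */
    wr16(opt + SUBSYSTEM_OFFSET, subsystem);
    return total;
}

/* Build a sample and parse it back: returns (is_dll << 8) | subsystem, or -1. */
int roundtrip(uint16_t subsystem, int dll)
{
    uint8_t buf[256];
    int is_dll = 0, s;
    size_t n = build_sample(buf, sizeof buf, subsystem, dll);
    s = pe_subsystem(buf, n, &is_dll);
    return s < 0 ? -1 : ((is_dll << 8) | s);
}

/* A buffer that ends before the optional header must be rejected, not read. */
int truncated_is_rejected(void)
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf, PE_SUBSYSTEM_WINDOWS_CUI, 1);
    return pe_subsystem(buf, n - 64, NULL) == -1;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];          /* the headers live in the first few KiB */
    size_t n;
    int dll = 0, s;

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {                    /* ntdll-like constructed sample: CUI, DLL */
        n = build_sample(buf, sizeof buf, PE_SUBSYSTEM_WINDOWS_CUI, 1);
    }
    s = pe_subsystem(buf, n, &dll);
    if (s < 0) { puts("not a PE image"); return 1; }
    printf("subsystem %d (%s), %s\n", s, pe_subsystem_name(s), dll ? "DLL" : "EXE");
    return 0;
}
```

The field is whatever the linker's /SUBSYSTEM switch recorded at link time, which is why the two sides of this argument are not really in conflict: as Max points out later in the thread, it says nothing about whether a process has registered with the Win32 subsystem, and ntdll is mapped into native and Win32 processes alike.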

Actually, it is not. Don't insist.

My best.

----- Original Message -----
From: “Bill Bwandel”
To: “NT Developers Interest List”
Sent: Sunday, October 20, 2002 5:15 PM
Subject: [ntdev] RE: EPROCESS question

> Actually, it is.
> Dumpbin lists the ntdll.dll header as subsystem as 3 - Windows CUI. The
> depends utility calls the ntdll.dll subsystem WIN32 console.
> CSRSS.exe and csrsrv.dll (which is used by csrss) is subsystem Native.
>
> Bill Wandel
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
> Sent: Saturday, October 19, 2002 1:30 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: EPROCESS question
>
>
> NTDLL is not a win32 subsystem DLL.
>
>
> ----- Original Message -----
> From: “Bill Bwandel”
> To: “NT Developers Interest List”
> Sent: Saturday, October 19, 2002 7:00 PM
> Subject: [ntdev] RE: EPROCESS question
>
>
> > And how does ntdll.dll get into CSRSS? Ntdll.dll is a win32 dll.
> > The original objective was to make a kernel call in the context of
CSRSS.
> I
> > don’t think that you need a kernel driver to accomplish this. This
doesn’t
> > address the question of is this a safe and reliable thing to do.
> >
> > Bill Wandel
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
> > Sent: Saturday, October 19, 2002 7:48 AM
> > To: NT Developers Interest List
> > Subject: [ntdev] RE: EPROCESS question
> >
> >
> > You cannot inject DLLs to CSRSS, since it is not a Win32 process.
> >
> > ----- Original Message -----
> > From: “Bill Bwandel”
> > To: “NT Developers Interest List”
> > Sent: Saturday, October 19, 2002 4:56 AM
> > Subject: [ntdev] RE: EPROCESS question
> >
> >
> > > Why do you need a kernel driver?
> > > You can inject a DLL into another process by opening the process
> > (CSRSS),
> > > allocating memory in that process, copying a short piece of code
> > that calls
> > > LoadLibrary on the DLL you want to inject, and then use
> > CreateRemoteThread
> > > to run that load library code.
> > > You need to do this from a service or as an administrator.
> > >
> > > Bill Wandel
> > >
> > >
> > > -----Original Message-----
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@stg.com
> > > Sent: Friday, October 18, 2002 6:56 PM
> > > To: NT Developers Interest List
> > > Subject: [ntdev] RE: EPROCESS question
> > >
> > >
> > > Cool, thank you very much for the info :slight_smile:
> > >
> > > The reason that I’m attaching to csrss.exe is because I need to call
> > > another kernel function that requires that you be in the context of
> > > csrss.exe… (ie: similar to what the video port driver does).
> > >
> > > As far as the software reliability issue goes, I’m doing this for a
> > client
> > > and want to do it right… hence my question to the list… I know
> > that
> > > this sequence of calls works and achieves what I need to do… I
> > just
> > > wanted to make sure that if I do take this approach to solving a
> > problem,
> > > I do it in as safe and clean a manner as possible (which is why I’m
> > not
> > > just doing hard-coded offsets from the LIST_ENTRY member in
> > EPROCESS)…
> > > I also wanted to double check with people on the list to see if
> > anyone
> > > would smack me and say “I know you think you can and want to do
> > this, but
> > > don’t go attaching yourself to csrss.exe and making calls
> > because…”
> > >
> > > So I’m trying to write correct (and stable) code, I really am,
> > honest :slight_smile:
> > >
> > > Thanks again for the help…
> > >
> > > sean
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@bwandel.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@bwandel.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@bwandel.com
> To unsubscribe send a blank email to %%email.unsub%%
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

This is not important in that context, since NTDLL is auto-preloaded
in ANY process created by NT kernel, regardless of it being native or
Win32. In fact, native processes have nothing except NTDLL.

CSRSS cannot be a Win32 process. It is part of the environment
necessary for Win32 to work - namely the console windows. All Win32
processes are registered in CSRSS.

Max
