Please note that you cannot use ZwQueryInformationProcess, or any function that needs the process handle, from within your callback.
You can only do that for the EXE module itself and for NTDLL. You cannot do that for DLL modules. So better avoid doing this from within the callback function.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Crispin Wright
Sent: Sunday, 14 September 2008 13:07
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Get PEB from PsSetImageLoadNotify callback routine
You can get the PEB base address using ZwQueryInformationProcess with the PROCESS_BASIC_INFO flag, the PebBaseAddress element will hold the base address. Just so you know, you don’t need to write a driver to achieve this goal, it can be done from user mode fairly easily.
I suppose an advantage of doing it from kernel mode is that you avoid any API hooks placed in user mode that might subvert your code…
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Sunday, September 14, 2008 11:08
To: Windows System Software Devs Interest List
Subject: [ntdev] Get PEB from PsSetImageLoadNotify callback routine
Hi,
I'm trying to list the loaded modules of a just-loaded process, looking for IAT hooks.
My objective is to get the current process PEB, then, using PLDR_DATA_TABLE_ENTRY, check all LDR_MODULE entries of the linked list.
My code is running in ring 0, so, to be in the process address space, I register a callback routine with PsSetImageLoadNotifyRoutine :
…
PsSetLoadImageNotifyRoutine(MyImageLoadNotify);
…
VOID MyImageLoadNotify(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    //…
    DumpCurentProcessDLL();
}
My problem is that when I try to get the process PEB, I get an Access Violation error doing
mov eax, [eax + 0ch] //*(PEB + LDR_OFFSET)
Here is the code :
DWORD GetFirstCurrentProcessPLDR(void)
{
    DWORD* module = NULL;
    __asm
    {
        push eax
        mov eax, fs:[30h]       // PEB
        mov eax, [eax + 0ch]    // *(PEB + LDR_OFFSET) = _PEB_LDR_DATA -- ACCESS VIOLATION here
        mov module, eax
        pop eax
    }
    return (DWORD)module;
}
VOID DumpCurentProcessDLL(void)
{
    PLDR_MODULE pCurModule, pFirstModule;
    PLDR_DATA_TABLE_ENTRY pldr;
    int count = 0;

    pldr = (PLDR_DATA_TABLE_ENTRY)GetFirstCurrentProcessPLDR();
    pFirstModule = (PLDR_MODULE)pldr->InMemoryOrderLinks.Flink;
    pFirstModule = (PLDR_MODULE)((DWORD)pFirstModule - XP_FLINKOFFSET);
    pCurModule = pFirstModule;
    for (;;)
    {
        // stop once the walk wraps around to the first module
        if ((count >= 1) && (pCurModule == pFirstModule)) break;
        DbgPrint("dll : %ws\n", pCurModule->BaseDllName.Buffer);
        DbgPrint("path : %ws\n", pCurModule->FullDllName.Buffer);
        DbgPrint("===============\n");
        pCurModule = (PLDR_MODULE)pCurModule->InMemoryOrderModuleList.Flink;
        pCurModule = (PLDR_MODULE)((DWORD)pCurModule - XP_FLINKOFFSET);
        ++count;
    }
}
Does MyImageLoadNotify really execute in the process address space?
Why can't I get the PEB?
Thanks for your help.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
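The loader-list walk the question above tries to do has two fragile parts that are independent of the kernel-callback problem: the hard-coded XP_FLINKOFFSET subtraction (which breaks whenever the entry layout differs) and the count-based loop termination. The following is an added example, not code from the thread or from any Microsoft header: it models PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY and LIST_ENTRY with constructed, illustrative field layouts (only the fields the walk needs, not the real ntdll layout), builds a constructed three-module list, and walks InMemoryOrderModuleList the way a defensive module enumerator should: recovering each entry with a CONTAINING_RECORD-style macro and stopping when the link returns to the list head. The names `BuildSampleLdr`, `WalkInMemoryOrderList` and the module names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-ins for the Windows structures the thread walks.
   Only the fields the walk touches are modelled; the layout is illustrative. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _UNICODE_STRING {
    unsigned short Length;        /* in bytes, excluding terminator */
    unsigned short MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;          /* the list the question's code walks */
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    void *EntryPoint;
    unsigned long SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;

typedef struct _PEB_LDR_DATA {
    unsigned long Length;
    unsigned char Initialized;
    void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

/* Recover the enclosing structure from a pointer to one of its LIST_ENTRY
   members (same idea as the WDK macro) instead of a hard-coded offset. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

#define MAX_MODULES 16

/* Walk InMemoryOrderModuleList. A circular LIST_ENTRY list ends when a link
   points back at the head, so that is the termination test; the visit cap
   guards against a corrupted list that never returns to the head.
   Returns the number of entries visited and copies out each BaseDllName pointer. */
static int WalkInMemoryOrderList(const PEB_LDR_DATA *ldr, const wchar_t **names, int max) {
    const LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    int count = 0;
    for (const LIST_ENTRY *link = head->Flink; link != head && count < max; link = link->Flink) {
        const LDR_DATA_TABLE_ENTRY *entry =
            CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        names[count++] = entry->BaseDllName.Buffer;
    }
    return count;
}

/* Constructed three-entry loader list in the order a process would see it. */
static LDR_DATA_TABLE_ENTRY g_entries[3];
static PEB_LDR_DATA g_ldr;

static const PEB_LDR_DATA *BuildSampleLdr(void) {
    static const wchar_t *base[] = { L"sample.exe", L"ntdll.dll", L"kernel32.dll" };
    static const wchar_t *full[] = { L"C:\\sample\\sample.exe",
                                     L"C:\\Windows\\System32\\ntdll.dll",
                                     L"C:\\Windows\\System32\\kernel32.dll" };
    memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = sizeof g_ldr;
    g_ldr.Initialized = 1;
    InitializeListHead(&g_ldr.InLoadOrderModuleList);
    InitializeListHead(&g_ldr.InMemoryOrderModuleList);
    InitializeListHead(&g_ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 3; i++) {
        memset(&g_entries[i], 0, sizeof g_entries[i]);
        g_entries[i].DllBase = (void *)(uintptr_t)(0x10000u * (unsigned)(i + 1)); /* constructed */
        g_entries[i].BaseDllName.Buffer = (wchar_t *)base[i];
        g_entries[i].BaseDllName.Length = (unsigned short)(wcslen(base[i]) * sizeof(wchar_t));
        g_entries[i].FullDllName.Buffer = (wchar_t *)full[i];
        g_entries[i].FullDllName.Length = (unsigned short)(wcslen(full[i]) * sizeof(wchar_t));
        InsertTailList(&g_ldr.InLoadOrderModuleList, &g_entries[i].InLoadOrderLinks);
        InsertTailList(&g_ldr.InMemoryOrderModuleList, &g_entries[i].InMemoryOrderLinks);
    }
    return &g_ldr;
}

int main(void) {
    const wchar_t *names[MAX_MODULES];
    int n = WalkInMemoryOrderList(BuildSampleLdr(), names, MAX_MODULES);
    for (int i = 0; i < n; i++) printf("dll : %ls\n", names[i]);
    return 0;
}
```

On a real system the same walk starts from the process's own PEB->Ldr (obtained, as the reply above notes, from user mode via the ProcessBasicInformation class), and the entry type is the real LDR_DATA_TABLE_ENTRY; the two things that carry over unchanged are using CONTAINING_RECORD on InMemoryOrderLinks rather than a fixed offset, and terminating on the head pointer rather than on a visit count.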
__________ Information from ESET NOD32 Antivirus, version of virus signature database 3440 (20080913) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com