How can I access an attribute of the PEPROCESS structure?

I do not have any experience at all in driver development. I want to access an attribute of the PEPROCESS structure. I have a pointer to the process object, obtained via the PsGetCurrentProcess routine. I have already seen some websites describing the declaration of the structure's internals (attributes), so I could use the offsets of these attributes to get them, something like:

hprocess = PsGetCurrentProcess();
List = (LIST_ENTRY*)((ULONG_PTR)hprocess + 0x88); //Active Process Link Offset

However, this way leaves me in the middle of a problem. I would like to make a build of this code that is able to run on other kinds of platforms (e.g., x86, x86_64) and other versions of Windows (XP, 7, …), and I suppose that is not possible this way because the offset would not be the same.

Question: Is there a non-lame solution for this? E.g., something like

List = hprocess->ActiveProcessLink

or something.

This is a clearly unsupportable approach that will risk bugcheck or worse when hotfixes (or OS upgrades) shift internal structure layouts around without warning. Not to mention that the locks needed to operate on those fields in a correct fashion may not be exposed outside of the OS (and are certainly subject to change from release to release or hotfix to hotfix), etc.

The answer is simple: Don’t even try to do this at all. It’s wholly unsuitable for any sort of production driver.

What are you trying to accomplish that you believe requires access to the internal, undocumented fields of the OS’s process object? Perhaps the list can suggest a better, supported alternative to your problem with more details given on what you’re trying to do.

  • S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, November 01, 2014 9:00 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How can I access to an attribute of PEPROCESS structure?

“I have no idea what I’m doing, but I want to jump from a 10th floor. How do I do that?”