How do I get a process id from a process handle?

Hi,
I’m trapping the system call:
ZwDuplicateObject(IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG Attributes,
IN ULONG Options
)
Can I get the process id from SourceProcessHandle and TargetProcessHandle?
If so, how?
Thank you,
Marc

DWORD pId = (DWORD)PsGetCurrentProcessId(); // PID of the process whose thread is executing the call (returned as a HANDLE, narrowed here)

You can try : (DWORD)SourceHandle and (DWORD)TargetProcessHandle


Marc

When you say “trapping” do you mean hooking? If so … please, why do you want to hook this function? I ask because such hooks are unsafe and there might be a much better way to do whatever it is you want to do.

Cheers
Lyndon

Hi Lyndon,
I hook this system call because I want to record which processes call it.
Why is hooking unsafe?
Thanks,
Marc


>> “Marc Cruz” wrote in message:
>> Why is hooking unsafe?

A number of these have been discussed before, but let's count the ways:

1. First, once you hook you can never unhook. The problem is that you have to assume someone may have come along after you and hooked; if you unhook and unload they will still call you, and there goes the system.

2. Second, you have no control over hooking order, so let's say you and another driver start hooking at the same time, you hook five calls and the other driver hooks the same five calls. Well, since there is no control, some of the calls will invoke your hook, then the other driver's, and the other calls will invoke the other driver's, then your hook.

3. Third, are you using stack in your hook? How can you tell if you are using too much? It is possible to do without much stack, or leaving any on the stack, but most people are too lazy to do this.

4. Fourth, the native system calls are undocumented and can change. The common case on this is the changing of the call numbers, but Windows has also added options, changed the parameters and even replaced the call with a newer one. Basically, most hooking drivers lock themselves into a small set of OS versions, but never bother to check if this is correct.

5. Fifth, Microsoft has blocked system call hooking on AMD64. I request that they offer the same capability under X86. I realize it will break stupid but common programs. If this was controllable by a boot switch then I can choose if I want to break these!

6. Sixth, a number of companies are running rootkit detectors, and rejecting software that does hooking. So basically you are using a technique that can get your company thrown out of firms permanently.

I'm sure there are a lot more, these are just the highlights.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Don,

Very informative email.

Thanks.

Amitrajit

On Nov 4, 2005, at 1:55 PM, Don Burn wrote:

> 4. Fourth, the native system calls are undocumented and can change. The
> common case on this is the changing of the call numbers, but Windows has
> also added options, changed the parameters and even replaced the call with a
> newer one. Basically, most hooking drivers lock themselves into a small set
> of OS versions, but never bother to check if this is correct.

To add to Don’s comments, think about the security implications:

  • If Windows Update runs, your hook may break
  • If you tell your users to turn off Windows Update, you are guilty of compromising the security of their computers, not to mention the security of the entire computing ecosystem
  • If Microsoft releases an important patch that breaks your software, your users will have to choose between e.g. being vulnerable to Blaster or disabling your software until you patch.

Do you want to be in the position of telling users to not patch their
systems?

If you “try your best” and turn patches to your software around
within hours of Microsoft releasing an update, you are, by
definition, giving your users poorly-tested software; yours is
particularly bad because it’s so invasive that it has to hook, so it
needs extra testing, not less.

I realize there are some things that can be done no other way, but
please consider the above if you think your problem is one of the
special few that justify doing it anyway. It probably isn’t.


Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com

Marc

I see, thanks for letting us know. Please, why do you want to know which process calls ZwDuplicateObject? Is this for testing in your lab or is it for a product to be released to customers?

Thanks
Lyndon

  1. Hookers cannot safely unload (unresolvable race condition)
  2. 2 hookers in the same system will develop the arbitrary interops, including crashes.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
