The !process extension already supports looking up a process by process id. Just use that support instead of trying to do it the hard way manually (supply a process id instead of a process object pointer).
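As an added illustration (not from the thread), this WinDbg session shows the supported route the reply above describes: let !process resolve a PID, then read EPROCESS fields through the public symbols instead of a hardcoded offset; the PID 0x4a8 is a hypothetical value.

```windbg
$$ Added example, not part of the original thread.
$$ Let the extension resolve the PID (hypothetical 0x4a8); flags 0 prints
$$ only the process summary, including the EPROCESS address.
!process 0x4a8 0
$$ Same lookup, but also switch the debugger context to that process
$$ (/r /p reloads the user-mode address space for it).
.process /r /p <EPROCESS address printed above>
$$ Field offsets come from the symbols, never from a hardcoded +0x38:
dt nt!_EPROCESS UniqueProcessId ImageFileName ActiveProcessLinks
?? #FIELD_OFFSET(nt!_EPROCESS, ActiveProcessLinks)
$$ Contrast: a raw read at a fixed offset keeps "working" after a kernel
$$ update moves the field, just returning whatever now lives there.
dq @$proc+0x38 L1
```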
yeah, because this method is used by security tools and I would like to make
a small tool, I do not want to hack anything, dude, I just would like to learn to do it
hack doesn't mean what it means in English in this context
hack here means parse the structures yourself, whether by single
stepping / googling / binging / hardcoding addresses / etc., by
deciphering what
#word ##[R#+0x38] would mean in a specific os / hotpatch / update,
and when updated / hotpatched / os changed / whatever, do it all over
again from scratch
simply said, hack your way means you are on your own: no support / no
answers whatsoever might be available from official sources / and as
usual black/greyhats will have all the answers unofficially
On 7/3/12, xxxxx@hotmail.com wrote:
> yeah, because this method is used by security tools and I would like to make
> a small tool, I do not want to hack anything, dude, I just would like to learn
> to do it
>
> --
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
> yeah, because this method is used by security tools and I would like to make
> a small tool, I do not want to hack anything, dude, I just would like to learn to do it
Tools to enumerate the process list already exist in user-mode, which is
where process enumeration belongs in the first place.
Look, here’s the trouble you’re going to have with this mailing list.
Most of us write real drivers for a living – drivers that ship to the
real world and run on real client computers. What you are asking for
would never be useful in a real kernel driver. These undocumented
structures DO change over time, so whatever you wrote would be delicate
and unsupported. There’s no way to do it in a reliable way.
If you are just embarking on a project to learn how processes are
implemented in the Windows kernel, then you’re just going to have to
continue on the path you are on, reading the hacker web sites and
plowing through undocumented structures. That’s perfectly fine,
although somewhat frustrating. I might wonder what you would gain,
however. I’ve been writing Windows drivers professionally for 22 years,
and I’ve never needed to poke through an EPROCESS structure.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.