I cannot find the EPROCESS in WinDbg

Hello all, I have trouble finding the EPROCESS in the HANDLE_TABLE.
Could anyone help me, please?

I’m trying this:

kd> dd pspcidtable
8055a260 e1000860 00000002 00000000 00000000
8055a270 00000000 00000000 00000000 00000000
8055a280 00000000 00000000 00000000 00000000

kd> dt _handle_table e1000860
ntdll!_HANDLE_TABLE
+0x000 TableCode : 0xe1003000
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : (null)
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [0xe100087c - 0xe100087c]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x50c
+0x034 LastFree : 0x364
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 373
+0x040 Flags : 1
+0x040 StrictFIFO : 0y1

kd> dd 0xe1003000
e1003000 00000000 fffffffe 843ca831 00000000
e1003010 843ca5b9 00000000 843c9021 00000000
e1003020 843c9da9 00000000 843c9b31 00000000
e1003030 843c98b9 00000000 843c9641 00000000
e1003040 843c93c9 00000000 843c8021 00000000
e1003050 843c8da9 00000000 843c8b31 00000000
e1003060 843c88b9 00000000 843c8641 00000000
e1003070 843c83c9 00000000 843c7021 00000000

Then I’m confused; I don’t know what to do next…
843ca831 or 843ca5b9 … ?
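As an added example (not from the thread or from Microsoft), here is a small Python decoder for the level-0 table that the `dd 0xe1003000` output above shows; it assumes the 32-bit XP-era layout implied by the dump: 8-byte entries of Object + GrantedAccess, flag bits in the low 3 bits of Object, and client id (CID) = table index * 4.

```python
# Added example: decode the level-0 PspCidTable dump from the question into
# (client id, object pointer) pairs. Assumptions, labelled: 32-bit XP-era
# layout, 8-byte _HANDLE_TABLE_ENTRY (Object dword + GrantedAccess dword),
# low 3 bits of Object are flag bits rather than address bits, CID = index*4.

ENTRY_SIZE = 8           # sizeof(_HANDLE_TABLE_ENTRY) on x86
ATTR_MASK = 0x7          # assumption: flag bits in the low 3 bits of Object
LEVEL_MASK = 0x3         # low 2 bits of TableCode encode the table level
KERNEL_BIT = 0x80000000  # assumption: a live entry holds a kernel-mode pointer

# The `dd 0xe1003000` lines from the post, reused here as constructed input.
DD_OUTPUT = """\
e1003000 00000000 fffffffe 843ca831 00000000
e1003010 843ca5b9 00000000 843c9021 00000000
e1003020 843c9da9 00000000 843c9b31 00000000
e1003030 843c98b9 00000000 843c9641 00000000
"""

def parse_dd(text):
    """Flatten WinDbg `dd` output into a list of (address, dword) pairs."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        for i, word in enumerate(parts[1:]):
            pairs.append((base + 4 * i, int(word, 16)))
    return pairs

def decode_cid_entries(table_code, dwords):
    """Return [(cid, object_ptr)] for every in-use level-0 entry.
    A zero Object dword marks an unused slot (index 0 here); the second
    dword of each entry (GrantedAccess / free-list link) is ignored."""
    if table_code & LEVEL_MASK:
        raise ValueError("multi-level table: only a level-0 dump is handled")
    level0 = table_code & ~LEVEL_MASK
    entries = []
    for addr, value in dwords:
        offset = addr - level0
        if offset < 0 or offset % ENTRY_SIZE:   # skip the GrantedAccess dwords
            continue
        if not value & KERNEL_BIT:              # unused / free slot
            continue
        entries.append((offset // ENTRY_SIZE * 4, value & ~ATTR_MASK))
    return entries

if __name__ == "__main__":
    for cid, obj in decode_cid_entries(0xE1003000, parse_dd(DD_OUTPUT)):
        print(f"CID {cid:4d} -> object at 0x{obj:08x}")
```

CID 4 is the System process on these kernels, so 0x843ca830 (the first dumped value with its flag bit cleared) is the pointer to feed `dt nt!_EPROCESS`; the odd addresses in the raw dump are flag bits, not a mistake.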

The !process extension already supports looking up a process by process id. Just use that support instead of trying to do it the hard way manually (supply a process id instead of a process object pointer).

  • S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Monday, July 02, 2012 9:27 PM
To: Kernel Debugging Interest List
Subject: [windbg] I cannot find the EPROCESS in WinDbg

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Ken Johnson, thanks a lot, but I would like to do it manually because I would like to make a driver that lists all processes.

Why do you need to list processes in your driver?

It is not supported in any way to hack your way through these oft-restructured data structures yourself.

  • S (Msft)

From: xxxxx@hotmail.com
Sent: 7/2/2012 22:03
To: Kernel Debugging Interest List
Subject: RE: [windbg] I cannot find the EPROCESS in WinDbg


Yeah, because this method is used by security tools and I would like to make
a small tool. I do not want to hack anything, dude; I just would like to learn how to do it.

"Hack" doesn't mean what it means in English in this context.

Hack here means parsing the structures yourself, whether by single
stepping / googling / binging / hardcoding addresses / etc. / by
deciphering what

#word ##[R#+0x38] would mean in a specific OS / hotpatch / update,

and when it is updated / hotpatched / the OS changes / whatever, doing it all over
again from scratch.

Simply said, "hack your way" means you are on your own: no support / no
answers whatsoever might be available from official sources / and, as
usual, black / grey hats will have all the answers unofficially.

On 7/3/12, xxxxx@hotmail.com wrote:
> Yeah, because this method is used by security tools and I would like to make
> a small tool. I do not want to hack anything, dude; I just would like to learn
> how to do it.

xxxxx@hotmail.com wrote:

Yeah, because this method is used by security tools and I would like to make
a small tool. I do not want to hack anything, dude; I just would like to learn how to do it.

Tools to enumerate the process list already exist in user-mode, which is
where process enumeration belongs in the first place.

Look, here’s the trouble you’re going to have with this mailing list.
Most of us write real drivers for a living – drivers that ship to the
real world and run on real client computers. What you are asking for
would never be useful in a real kernel driver. These undocumented
structures DO change over time, so whatever you wrote would be delicate
and unsupported. There’s no way to do it in a reliable way.

If you are just embarking on a project to learn how processes are
implemented in the Windows kernel, then you’re just going to have to
continue on the path you are on, reading the hacker web sites and
plowing through undocumented structures. That’s perfectly fine,
although somewhat frustrating. I might wonder what you would gain,
however. I’ve been writing Windows drivers professionally for 22 years,
and I’ve never needed to poke through an EPROCESS structure.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.