I have written a driver for getting the name of an open handle. I pass a
handle to an open file and the process Id of a process to my driver using an
IOCTL from another process. In the driver device control handler, I do the
following:
- Call PsLookupProcessByProcessId to obtain a handle to the process Id
- KeAttachProcess
- ObReferenceObjectByHandle
- ObQueryNameString
- ObDereferenceObject on the object for the handle
- KeDetachProcess
- ObDereferenceObject on the EPROCESS I got from PsLookupProcessByProcessId
This code works fine as I expected, but I am told that
ObReferenceObjectByHandle is not synchronized for process exit. The person
said that this function is meant to be used inside a thread which runs in the
given process’s context. My current implementation can corrupt system state
if a process is exiting.
If what’s said above is correct, then what is the solution to the problem? Do
I need to do a PsCreateSystemThread in the context of the process (to which
the handle belongs) and then call ObReferenceObjectByHandle in that thread?
I saw a bunch of code which does exactly what I do. Does this mean that all
those drivers can cause a BSOD?
Also, isn’t it that because PsLookupProcessByProcessId increases the reference
count of the EPROCESS, it will force the process to *not* exit before I call
ObReferenceObjectByHandle?
Thanks
Pankaj
http://www.intellectualheaven.com
Do not attach to the process - this doesn’t provide synchronization for
ObReferenceObjectByHandle.
Use ZwDuplicateObject to duplicate the target’s process handle into your
context and then navigate to the object with ObReferenceObjectByHandle.
Google for ZwDuplicateObject (unfortunately, it’s not documented in the DDK).
- Vitaly
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pankaj Garg
Sent: Monday, October 04, 2004 5:38 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] ObReferenceObjectByHandle question
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@relicore.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Vitaly is right, just use ZwDuplicateObject with the same access flag (if you
want to know the object’s name); if you’re in trouble finding documentation,
look at the user-mode function DuplicateHandle.
Daniel
On Tue, 5 Oct 2004 10:59:05 -0400, Vitaly Vatnikov wrote:
I get the PID of a process in my driver and a handle opened by that process.
Are you saying I do something like
“PsLookupProcessByProcessId” to get the EPROCESS for the PID
“ObOpenObjectByPointer” to get a handle to that process
“ZwDuplicateObject(sourceProcess, handle, NtCurrentProcess(), &target …”
and so on?
Or shall I use ZwOpenProcess on the PID of the source process? Which
approach is better, even though both involve undocumented functions?
Is there any other better approach to do this?
–
Pankaj Garg
This posting is provided “AS IS” with no warranties and confers no rights.
“Daniel Pistelli” wrote in message news:xxxxx@ntdev…
It should be something like this:
    ZwDuplicateObject(hProcess,            // process handle
                      hSourceHandle,       // the object in the other process
                      ZwCurrentProcess(),  // your process (it’s a macro for -1)
                      &hObject,            // the handle that you will receive
                      0,                   // desired access
                      FALSE,               // handle attributes
                      DUPLICATE_SAME_ATTRIBUTES);
To retrieve the name you can simply call ZwQueryObject.
Daniel
On Tue, 5 Oct 2004 12:58:53 -0700, Pankaj Garg wrote:
ZwOpenProcess should be fine to get the process’ handle from the pid.
Then, feed that handle as an input parameter to ZwDuplicateObject.
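As an added example (my own code, not anything posted in this thread), here is the sequence the replies recommend put together in one kernel-mode routine: ZwOpenProcess by PID, ZwDuplicateObject into the caller's context, and only then ObReferenceObjectByHandle and ObQueryNameString. It assumes a WDK build and a PASSIVE_LEVEL caller such as a buffered IOCTL handler; the function and parameter names are this example's own.

```c
#include <ntifs.h>

/* Resolve the name of a handle owned by another process. The handle is first
 * duplicated into the current context, so the target exiting can only make
 * the duplication fail instead of corrupting state. Assumed caller: a
 * buffered IOCTL handler at PASSIVE_LEVEL. Example's own names throughout. */
NTSTATUS
QueryNameOfRemoteHandle(
    _In_ ULONG_PTR TargetPid,                 /* PID from the user-mode client */
    _In_ HANDLE RemoteHandle,                 /* valid only inside TargetPid   */
    _Out_writes_bytes_(NameInfoSize) POBJECT_NAME_INFORMATION NameInfo,
    _In_ ULONG NameInfoSize)
{
    NTSTATUS status;
    HANDLE processHandle = NULL, localHandle = NULL;
    PVOID object = NULL;
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;
    ULONG returnedLength = 0;

    PAGED_CODE();

    /* 1. Open the target by PID with only the right we need. A buffered IOCTL
     *    runs in the client's process context, so OBJ_KERNEL_HANDLE matters:
     *    the handles land in the kernel handle table, out of the client's reach. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    cid.UniqueProcess = (HANDLE)TargetPid;
    cid.UniqueThread = NULL;
    status = ZwOpenProcess(&processHandle, PROCESS_DUP_HANDLE, &oa, &cid);
    if (!NT_SUCCESS(status)) {
        return status;                        /* STATUS_INVALID_CID: no such PID */
    }

    /* 2. Duplicate the remote handle into our own handle table. If the target is
     *    exiting and its table is torn down, this fails instead of touching freed
     *    memory; a bogus handle value from the client fails here too, with
     *    STATUS_INVALID_HANDLE, rather than bugchecking. */
    status = ZwDuplicateObject(processHandle, RemoteHandle, ZwCurrentProcess(),
                               &localHandle, 0, OBJ_KERNEL_HANDLE,
                               DUPLICATE_SAME_ACCESS);
    ZwClose(processHandle);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* 3. The handle is now ours, so ObReferenceObjectByHandle is safe. Note that
     *    ObQueryNameString on a file object calls into the file system; stay at
     *    PASSIVE_LEVEL and hold no locks across it. */
    status = ObReferenceObjectByHandle(localHandle, 0, NULL, KernelMode, &object, NULL);
    if (NT_SUCCESS(status)) {
        status = ObQueryNameString(object, NameInfo, NameInfoSize, &returnedLength);
        ObDereferenceObject(object);
    }
    ZwClose(localHandle);
    return status;
}
```

The IOCTL handler that calls this still has to treat both the PID and the handle value as untrusted input; the duplication step turns a stale or forged handle into a failed NTSTATUS instead of a bugcheck.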