open process from the kernel

Hello,
I'm trying to open a process using NtOpenProcess() and I'm getting error
0xC0000005 STATUS_ACCESS_VIOLATION.

I tried all kinds of values for DesiredAccess and I got the same error code.
The process id that I send to the function is the process id number that you
can see in user mode in the Windows Task Manager, for example.
I also tried an invalid process id number and I got the same error code.

(After I succeed with that I would like to call ZwTerminateProcess.)

Thanks in advance.

OS.

HANDLE hProcessHandle;
ACCESS_MASK DesiredAccess = PROCESS_ALL_ACCESS; // PROCESS_TERMINATE;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID ClientId;
NTSTATUS ntTerminateStatus;

// Same as zeroing every field and setting Length = sizeof(OBJECT_ATTRIBUTES);
// the macro replaces the hard-coded 0x18, which is only correct on 32-bit builds.
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

ClientId.UniqueProcess = (HANDLE)(ULONG_PTR)dwProcessID; // PID as shown in Task Manager
ClientId.UniqueThread = NULL;                            // open by process, not by thread

ntTerminateStatus = NtOpenProcess(&hProcessHandle, DesiredAccess,
                                  &ObjectAttributes, &ClientId);

What process context are you calling this from?

Pete

Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com

>-----Original Message-----
>From: xxxxx@lists.osr.com [mailto:bounce-ntdev-
>xxxxx@lists.osr.com] On Behalf Of OS
>Sent: Monday, August 26, 2002 4:45 PM
>To: NT Developers Interest List
>Subject: [ntdev] open process from the kernel
>You are currently subscribed to ntdev as: xxxxx@KernelDrivers.com
>To unsubscribe send a blank email to %%email.unsub%%

I'm going to guess that you're doing this in an arbitrary process
context (i.e. not the system process context). This thread's
PreviousMode is UserMode and so NtOpenProcess is attempting to probe the
parameters you're handing in as if they came from a ring-3 system call.
Since your parameters are on the kernel stack they don't have valid user
addresses and the probe code is detecting this and returning the status
STATUS_ACCESS_VIOLATION.

If you're going to do this you should call the Zw version of the API so
that previous mode is set to KernelMode and the probe code is avoided.
Unfortunately this will also bypass security checks for the object in
question so you'll be creating a security hole.

You could probably take the process object you get back and call
ObReferenceObjectByPointer on the object, specifying the desired access
(PROCESS_TERMINATE) and UserMode for the AccessMode parameter, to cause a
security check after you've found the process object.

-p

-----Original Message-----
From: OS [mailto:xxxxx@hotmail.com]
Sent: Monday, August 26, 2002 3:45 PM
To: NT Developers Interest List
Subject: [ntdev] open process from the kernel

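The mechanism in Peter's reply, as an added example that is not part of the thread and is not Windows kernel code: a host-compilable C model of an NT system service whose probing and access check depend on the calling thread's PreviousMode. The status codes and the 32-bit user probe limit are the real values; the process table, the caller's token (an unprivileged user who owns PID 1234 and has no rights on PID 4), the kernel-stack address and every function suffixed "Model" are constructed for this example. It shows the three things the reply states: NtOpenProcess from a UserMode-PreviousMode thread fails on the probe before the PID is even looked up (so a bad PID gives the same 0xC0000005), ZwOpenProcess succeeds because it runs with KernelMode, and that success also skips the DACL check unless the driver re-applies it in the caller's mode.

```c
/* Added example, not from the thread: a user-mode model of the NT service
 * path. Real values: status codes, MM_USER_PROBE_ADDRESS. Constructed:
 * process table, caller token, KERNEL_STACK, all *Model functions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t NTSTATUS;
typedef uint32_t ACCESS_MASK;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_INVALID_CID      0xC000000Bu
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define STATUS_ACCESS_DENIED    0xC0000022u
#define PROCESS_TERMINATE       0x0001u
#define MM_USER_PROBE_ADDRESS   0x7FFF0000u /* x86, 2 GB split: kernel space begins here */
#define KERNEL_STACK            0xF8A1C000u /* constructed address of the driver's locals */

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
static struct { KPROCESSOR_MODE PreviousMode; } CurrentThread = { UserMode };

/* Constructed process table: 1234 belongs to the caller, 4 is System and its
 * DACL grants the (unprivileged) caller nothing. */
typedef struct { uint32_t Pid; ACCESS_MASK GrantedToCaller; } PROCESS;
static PROCESS ProcessTable[] = { { 1234, PROCESS_TERMINATE }, { 4, 0 } };

static PROCESS *LookupProcessModel(uint32_t pid)  /* PsLookupProcessByProcessId */
{
    for (size_t i = 0; i < sizeof ProcessTable / sizeof ProcessTable[0]; i++)
        if (ProcessTable[i].Pid == pid) return &ProcessTable[i];
    return NULL;
}

static NTSTATUS AccessCheckModel(const PROCESS *p, ACCESS_MASK desired)  /* SeAccessCheck */
{
    return (p->GrantedToCaller & desired) == desired ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/* ProbeForRead/Write: the real ones raise an exception that the service's
 * __except handler turns into the returned status; here it is returned directly. */
static NTSTATUS ProbeModel(uintptr_t addr, size_t len)
{
    return (addr + len >= addr && addr + len <= MM_USER_PROBE_ADDRESS)
           ? STATUS_SUCCESS : STATUS_ACCESS_VIOLATION;
}

/* NtOpenProcess: parameters are passed as the virtual addresses the caller
 * would hand in (so the probe can judge them) plus the PID they contain. */
static NTSTATUS NtOpenProcessModel(uintptr_t handleAddr, ACCESS_MASK desired,
                                   uintptr_t objAttrAddr, uintptr_t clientIdAddr,
                                   uint32_t pid, PROCESS **handleOut)
{
    if (CurrentThread.PreviousMode == UserMode) {
        /* Probing precedes the PID lookup, so an invalid PID fails the same way. */
        NTSTATUS s;
        if ((s = ProbeModel(handleAddr, 4)) != STATUS_SUCCESS) return s;    /* HANDLE */
        if ((s = ProbeModel(objAttrAddr, 24)) != STATUS_SUCCESS) return s;  /* OBJECT_ATTRIBUTES, 32-bit */
        if ((s = ProbeModel(clientIdAddr, 8)) != STATUS_SUCCESS) return s;  /* CLIENT_ID, 32-bit */
    }
    PROCESS *p = LookupProcessModel(pid);
    if (p == NULL) return STATUS_INVALID_CID;
    /* Handle creation with AccessMode == PreviousMode: the DACL is consulted
     * only for UserMode; KernelMode is trusted outright. */
    if (CurrentThread.PreviousMode == UserMode) {
        NTSTATUS s = AccessCheckModel(p, desired);
        if (s != STATUS_SUCCESS) return s;
    }
    *handleOut = p;
    return STATUS_SUCCESS;
}

/* ZwOpenProcess: same service with PreviousMode forced to KernelMode for the
 * call, so neither the probe nor the access check runs. */
static NTSTATUS ZwOpenProcessModel(uintptr_t handleAddr, ACCESS_MASK desired,
                                   uintptr_t objAttrAddr, uintptr_t clientIdAddr,
                                   uint32_t pid, PROCESS **handleOut)
{
    KPROCESSOR_MODE saved = CurrentThread.PreviousMode;
    CurrentThread.PreviousMode = KernelMode;
    NTSTATUS s = NtOpenProcessModel(handleAddr, desired, objAttrAddr, clientIdAddr, pid, handleOut);
    CurrentThread.PreviousMode = saved;
    return s;
}

/* Driver scenarios: an IRP from a user-mode caller is being dispatched
 * (PreviousMode == UserMode) and the locals live on the kernel stack. */
NTSTATUS DriverOpenWithNt(uint32_t pid)
{
    PROCESS *h = NULL;
    CurrentThread.PreviousMode = UserMode;
    return NtOpenProcessModel(KERNEL_STACK, PROCESS_TERMINATE, KERNEL_STACK + 8, KERNEL_STACK + 32, pid, &h);
}

NTSTATUS DriverOpenWithZw(uint32_t pid)
{
    PROCESS *h = NULL;
    CurrentThread.PreviousMode = UserMode;
    return ZwOpenProcessModel(KERNEL_STACK, PROCESS_TERMINATE, KERNEL_STACK + 8, KERNEL_STACK + 32, pid, &h);
}

/* Zw gets past the probe; the driver then re-applies, in the caller's mode,
 * the check the kernel skipped, before the handle is used for termination. */
NTSTATUS DriverOpenWithZwAndCheck(uint32_t pid)
{
    PROCESS *h = NULL;
    CurrentThread.PreviousMode = UserMode;
    NTSTATUS s = ZwOpenProcessModel(KERNEL_STACK, PROCESS_TERMINATE, KERNEL_STACK + 8, KERNEL_STACK + 32, pid, &h);
    return s != STATUS_SUCCESS ? s : AccessCheckModel(h, PROCESS_TERMINATE);
}

int main(void)
{
    printf("Nt, pid 1234:        0x%08X\n", (unsigned)DriverOpenWithNt(1234));
    printf("Zw, pid 4 (System):  0x%08X\n", (unsigned)DriverOpenWithZw(4));
    printf("Zw+check, pid 4:     0x%08X\n", (unsigned)DriverOpenWithZwAndCheck(4));
    return 0;
}
```

In a real driver the last scenario corresponds to PsLookupProcessByProcessId to obtain the EPROCESS, then ObOpenObjectByPointer with AccessMode = UserMode, which evaluates the caller's token against the process DACL before creating the handle that is passed to ZwTerminateProcess, followed by ObDereferenceObject. Two caveats a practitioner will want: ObReferenceObjectByPointer only verifies the object's type and takes a reference, it does not evaluate the DACL, so it does not supply the check the reply hopes for; and a driver that opens a caller-supplied PID via ZwOpenProcess with PROCESS_ALL_ACCESS from an IOCTL reachable by ordinary users hands every local user the ability to terminate (or inject into) any process, which is the security hole the reply warns about.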

Thanks Peter (Wieland),
The answer is using ZwOpenProcess() instead of NtOpenProcess().

Thanks again,

OS.

----- Original Message -----
From: “Peter Wieland”
To: “NT Developers Interest List”
Sent: Tuesday, August 27, 2002 1:08 AM
Subject: [ntdev] RE: open process from the kernel
