Hi,
I’m very confused now about the PEB structure, EPROCESS and FS:[30h].
So, what I know is that in user mode, fs:30h points to the PEB. Now, what about kernel mode? Is this true?
Suppose I get my EPROCESS structure using PsGetCurrentProcess(); that structure has a pointer to Peb. Is it the same as fs:30h? (I’m confused about what’s happening in kernel mode.)
I may think that the PEB is not accessible because the PEB is in user space. (Am I right?)
And my next question is: if there is no PEB for kernel drivers, and fs:30h points to nowhere, how do I get my own ImageName, for example? (Is that accessible in the EPROCESS structure, and then the only role of the PEB is in user-land?)
PS: without using ZwQueryInformationProcess( … ProcessImageFileName …)
Thank you,
Marius.
> suppose I get my EEPROCESS structure using PsGetCurrentProcess(), that structure
> has a pointer to Peb, is it the same as fs:30h?
Indeed, it is. However, the FS register is different for UM and KM: in UM it points to the PEB, and in kernel mode it points to the Processor Control Block. The latter describes a structure that, among other things, keeps a pointer to the ETHREAD of the currently running thread, and ETHREAD allows you to get to the EPROCESS and PEB (if any). This is how PsGetCurrentProcess() gets the EPROCESS of the currently running process…
> and, my next question is: if there is no PEB for kernel drivers, and fs:30h points to nowhere,
> how do I get my self ImageName for example
Since drivers are not dedicated processes under Windows, the very concept of EPROCESS and PEB is meaningless for them; they may run in the context of any process…
Anton Bassov
The PEB is writable from user mode; in any case, you must not trust its contents from kernel mode.
-----Original Message-----
From: xxxxx@yahoo.com
Sent: Thursday, October 23, 2008 23:57
To: Windows System Software Devs Interest List
Subject: [ntdev] PEB, FS:[30h] … confused…
In the kernel, the FS segment is a _PCR structure, which is described in the public header files.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Thank you all, especially Anton Bassov.