Process handle from EPROCESS ?

Hello there,
I’ve a PEPROCESS from PsGetCurrentProcess(), but I need a handle to this process.
I saw that there is a field in PEPROCESS called "Win32Process", is that what I need?

THX :slight_smile:

No, you should not be using any fields in PEPROCESS since this is an
undocumented structure that changes fairly often. You might look at
PsGetCurrentProcessId

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@live.com [mailto:xxxxx@live.com]
Posted At: Wednesday, March 03, 2010 2:07 PM
Posted To: ntdev
Conversation: Process handle from EPROCESS ?
Subject: Process handle from EPROCESS ?

Hello there,
I’ve a PEPROCESS from PsGetCurrentProcess(), but I need a handle to this
process.
I saw that there is a field in PEPROCESS called "Win32Process", is
that what I need?

THX :slight_smile:


THX,
but I need a handle to use in user mode, not the PID…
is PsGetCurrentProcessId() == win32 OpenProcess(…) ???

Anyway… what is the "Win32Process" field in PEPROCESS?

xxxxx@live.com wrote:

Anyway… what is the "Win32Process" field in PEPROCESS?

It is undocumented.

However, 30 seconds with Google led me to a hacker web site that
explained it. It isn’t what you need.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Take a look at ObOpenObjectByPointer for how to get a user handle.
Nothing in PEPROCESS is documented or should be used, so why do you
care what “Win32Process” is?

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@live.com [mailto:xxxxx@live.com]
Posted At: Wednesday, March 03, 2010 2:20 PM
Posted To: ntdev
Conversation: Process handle from EPROCESS ?
Subject: RE: Process handle from EPROCESS ?

THX,
but I need a handle to use in user mode, not the PID…
is PsGetCurrentProcessId() == win32 OpenProcess(…) ???

Anyway… what is the "Win32Process" field in PEPROCESS?


THX :).
I’ll see ObOpenObjectByPointer now…
I care about “Win32Process”, because I thought it equals the handle from OpenProcess.

Since there’s one EPROCESS to a process and could be many open handles to that process it seems really unlikely that a single field in the EPROCESS structure would be able to hold all of those.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.com
Sent: Wednesday, March 03, 2010 11:45 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process handle from EPROCESS ?

THX :).
I’ll see ObOpenObjectByPointer now…
I care about “Win32Process”, because I thought it equals the handle from OpenProcess.


NTDEV is sponsored by OSR