ProcessParameters fails in XP

Hi

I have registered for process create notification through PsSetCreateProcessNotifyRoutine and in my callback, I have the below code to retrieve the process parameters (imageName and cmdLine).

__try {
    NTSTATUS ret;
    extension = gpDeviceObject->DeviceExtension;
    ret = PsLookupProcessByProcessId(ProcessId, &pProcess);
    if(NT_SUCCESS(ret)) {
        if(NULL != pProcess) {
            KPROCESS* pKProc = (KPROCESS*)pProcess;
            pPEB = PsGetProcessPeb(pProcess);
            if(NULL != pPEB) {
                DWORD dwImageLength = 0, dwCmdLineLength = 0;
                NTSTATUS ntStatus = 0;
                PKAPC_STATE pAPCState = NULL;

                pAPCState = ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), 'cpak');
                KeStackAttachProcess(pProcess, pAPCState);

                dwImageLength = ((pPEB->ProcessParameters->ImagePathName.Length > 255*sizeof(WCHAR)) ? 255*sizeof(WCHAR) : pPEB->ProcessParameters->ImagePathName.Length);
                dwCmdLineLength = ((pPEB->ProcessParameters->CommandLine.Length > 255*sizeof(WCHAR)) ? 255*sizeof(WCHAR) : pPEB->ProcessParameters->CommandLine.Length);

                RtlCopyMemory(imagePathW, pPEB->ProcessParameters->ImagePathName.Buffer, dwImageLength);
                RtlCopyMemory(cmdLineW, pPEB->ProcessParameters->CommandLine.Buffer, dwCmdLineLength);

                KeUnstackDetachProcess(pAPCState);
                ExFreePool(pAPCState);
            }

            ObDereferenceObject(pProcess);
        }
    }
} __except(EXCEPTION_EXECUTE_HANDLER) {
}

This works fine on Vista and Win7 32/64-bit platforms but fails on XP 32-bit with bugcheck INVALID_PROCESS_ATTACH_ATTEMPT. Could someone explain to me what I am doing wrong in the above code?

Thanks
Ramananda

xxxxx@yahoo.com wrote:

> I have registered for process create notification through PsSetCreateProcessNotifyRoutine and in my callback, I have the below code to retrieve the process parameters (imageName and cmdLine).
>
> PKAPC_STATE pAPCState = NULL;
> pAPCState = ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'cpak');
> KeStackAttachProcess(pProcess,pAPCState);

I can’t answer your BSOD question, but could you answer a question for
me? What led you to do it that way, instead of simply:
KAPC_STATE APCState;
KeStackAttachProcess(pProcess,&APCState);

INVALID_PROCESS_ATTACH_ATTEMPT can occur if the thread is already
attached to the process you are attaching to. Is that possible?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

  1. As Tim said, no need to alloc pAPCState (use stack)
  2. try/except block is only needed for accessing PEB
  3. ImagePathName/CommandLine can be longer than 255 chars! Why do you cut
    it? Do you end imagePathW with zero char if >255? I don’t think so.

> INVALID_PROCESS_ATTACH_ATTEMPT can occur if the thread is already
> attached to the process you are attaching to. Is that possible?

This is not correct; you can call KeAttachProcess/KeStackAttachProcess
multiple times for the same process.
Please look at the 1st/2nd bugcheck parameters and examine the thread/process.

Petr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Saturday, March 26, 2011 1:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] ProcessParameters fails in XP

NTDEV is sponsored by OSR
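Petr's third point (the strings can be longer than 255 characters, and a truncated copy is never terminated) is the part of the posted code that is a plain memory-safety defect regardless of the XP bugcheck. The following is an added example, not code from the thread or from the original poster: a bounded copy from a UNICODE_STRING into a fixed WCHAR array that always writes a terminator and tells the caller when it truncated. The typedefs are stand-ins so the file builds with a hosted compiler (in a driver they come from <ntddk.h>); CopyUnicodeStringBounded, the Demo* functions and the sample strings are constructed here and are not kernel APIs.

```c
/* Added example, not from the thread. Stand-in typedefs for a hosted build;
 * a driver gets UNICODE_STRING/WCHAR/USHORT from <ntddk.h>. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned short WCHAR;   /* 16-bit, as in the Windows headers */
typedef unsigned short USHORT;

typedef struct _UNICODE_STRING {
    USHORT Length;          /* in BYTES, and the data is not NUL-terminated */
    USHORT MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING;

typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_EMPTY = 2 } COPY_RESULT;

/* Copy at most dstChars-1 characters and always write a terminator.
 * Length is bytes, so the division floors an odd (malformed) length instead
 * of copying half a character. A NULL or empty Buffer yields "" + COPY_EMPTY. */
COPY_RESULT CopyUnicodeStringBounded(WCHAR *dst, size_t dstChars,
                                     const UNICODE_STRING *src)
{
    size_t srcChars, copyChars;

    if (dst == NULL || dstChars == 0)
        return COPY_EMPTY;
    dst[0] = 0;
    if (src == NULL || src->Buffer == NULL || src->Length < sizeof(WCHAR))
        return COPY_EMPTY;

    srcChars  = src->Length / sizeof(WCHAR);
    copyChars = (srcChars < dstChars - 1) ? srcChars : dstChars - 1;
    memcpy(dst, src->Buffer, copyChars * sizeof(WCHAR));
    dst[copyChars] = 0;
    return (copyChars < srcChars) ? COPY_TRUNCATED : COPY_OK;
}

/* Constructed sample input below: ASCII widened to UTF-16, as PEB strings are. */
#define DEST_CHARS 256   /* the callback's 255-character cap plus a terminator */

typedef struct { COPY_RESULT result; size_t chars; } DEMO_OUTCOME;

static size_t WcsLen16(const WCHAR *s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

static DEMO_OUTCOME RunCopy(const UNICODE_STRING *src)
{
    WCHAR dst[DEST_CHARS];
    DEMO_OUTCOME o;
    o.result = CopyUnicodeStringBounded(dst, DEST_CHARS, src);
    o.chars  = WcsLen16(dst);   /* terminator present, so this is safe */
    return o;
}

static DEMO_OUTCOME RunCopyFromAscii(const char *ascii)
{
    WCHAR storage[512];
    UNICODE_STRING us;
    size_t i, n = strlen(ascii);
    if (n > 512) n = 512;
    for (i = 0; i < n; i++)
        storage[i] = (WCHAR)(unsigned char)ascii[i];
    us.Buffer = storage;
    us.Length = (USHORT)(n * sizeof(WCHAR));
    us.MaximumLength = us.Length;
    return RunCopy(&us);
}

/* A 31-character image path fits: COPY_OK, 31 characters. */
DEMO_OUTCOME DemoShortImagePath(void)
{
    return RunCopyFromAscii("C:\\Windows\\System32\\notepad.exe");
}

/* A 399-character command line is cut to 255 characters and terminated. */
DEMO_OUTCOME DemoLongCommandLine(void)
{
    char cmd[400];
    memset(cmd, 'A', sizeof cmd - 1);
    cmd[sizeof cmd - 1] = 0;
    return RunCopyFromAscii(cmd);
}

/* ProcessParameters whose Buffer is still NULL: "" and COPY_EMPTY, no fault. */
DEMO_OUTCOME DemoMissingBuffer(void)
{
    UNICODE_STRING us = { 0, 0, NULL };
    return RunCopy(&us);
}

int main(void)
{
    DEMO_OUTCOME a = DemoShortImagePath(), b = DemoLongCommandLine(), c = DemoMissingBuffer();
    printf("short: result=%d chars=%zu\n", (int)a.result, a.chars);
    printf("long:  result=%d chars=%zu\n", (int)b.result, b.chars);
    printf("empty: result=%d chars=%zu\n", (int)c.result, c.chars);
    return 0;
}
```

In the callback this replaces the two RtlCopyMemory calls, with imagePathW and cmdLineW sized to DEST_CHARS WCHARs. The reads of ProcessParameters still happen after KeStackAttachProcess (with a KAPC_STATE on the stack, as Tim suggested), and they are the only thing that needs the __try/__except. Note that in the posted code a fault inside the copy jumps straight to the handler and skips both KeUnstackDetachProcess and ObDereferenceObject, so the detach and dereference belong after the handler, not inside the guarded block.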

Petr Kurtin wrote:

>> INVALID_PROCESS_ATTACH_ATTEMPT can occur if the thread is already
>> attached to the process you are attaching to. Is that possible?

> This is not correct; you can call KeAttachProcess/KeStackAttachProcess
> multiple times for the same process.

Right, I misread the doc page. It can occur if the thread is already
attached to ANOTHER process.
http://msdn.microsoft.com/en-us/library/ff559087.aspx


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.