PsGetCurrentProcess and PsActiveProcessHead

Hello All,
I want to enumerate the EPROCESS struct information for all running processes
and want to manipulate it.

I have the PsActiveProcessHead pointer, I saw it in debug symbols… I want to
traverse the process list using the ActiveProcessHead pointer. Can anybody
explain to me what type PsActiveProcessHead is, and how I can
read/write the EPROCESS struct obtained by the next/prev links of
ActiveProcessHead or PsGetCurrentProcess?

One more …
When a driver is called because of ReadFile, can I see the memory (actually I
mean the EPROCESS structures) of all running processes? Can I modify it?
What rules do I have to follow for safe read/write access to process structures in
kernel mode?

Thanx for your time.
krishnaa

The EPROCESS structure should be considered opaque and should not be
directly manipulated by your driver. You also cannot safely walk the
process list because you cannot acquire the locks needed to protect
against any changes being made to it. There is no “safe” way to access
or modify these structures directly.

There are DDIs for accessing the list of process objects and the
properties of those objects. If you tell us what you are really trying
to do we might be able to help.

-p

-----Original Message-----
From: krishnaa [mailto:xxxxx@rediffmail.com]
Sent: Tuesday, February 11, 2003 2:49 AM
To: NT Developers Interest List


Hi Peter,
thanx for the reply. I am doing a kind of kernel mode scanner for specific
virus activity; for that I have to scan all the running processes and
monitor process and thread creation. I need to modify the process such that
it won’t allow the virus to get attached to it. I need to modify any
process’s memory; to do this I need to suspend the process for 1-1.5
seconds.
How can I do this? What APIs can I use?
One more: can a driver see the memory of the process which calls an IOCTL in
this driver? (PsGetCurrentProcessId shows what process called this
DeviceIoControl.) How can I read the PE format of any process’s EXE? I know if
that process calls the driver for any reason then I can do it easily.

I found that we need to acquire the mutex (0x00181540 in ntoskrnl); can’t
we call ExAcquireFastMutex on this mutex to read the list of EPROCESS
structs?

You specifically asked if there was a way to do this safely. The answer
is no. Even if you happen to find the mutex which protects the process
list there’s NO guarantee that the mutex won’t move to a different
location in a service pack or the next release of the OS. We might even
remove the mutex and use some different synchronization mechanism. So
if you grab that mutex you’ll have a product which no-one in their right
mind would want to buy since any system update could cause their machine
to start crashing uncontrollably.

You can open processes using the Win32 APIs and can manipulate its
entire address space and all of its threads from user-mode if you have
the right permissions. You would be unable to modify the EPROCESS
structure but since no other user-mode virus could get at it either that
doesn’t seem like it should matter.

A driver can see the address space of the calling process IF it’s a
top-level driver. However intermediate drivers could push work off to
DPCs or worker threads in which case you’re no longer sure what address
space you are in.

-p

-----Original Message-----
From: krishnaa [mailto:xxxxx@rediffmail.com]
Sent: Tuesday, February 11, 2003 11:03 PM
To: NT Developers Interest List


Ah, you’re describing Diskeeper! And everyone knows what a commercial
failure that was … Thankfully, MS put in the required interface so
that they didn’t have to do it “dirty” anymore. My point here, is that
99.99999% of the customer base don’t give two hoots for whether an
application/driver is doing something “unfair” or “naughty” if it gives them
something they desperately want. And companies don’t mind giving it to them
any way they can, if it means even a slight commercial edge on the
competition. History on just Windows platforms alone is replete with
examples-- see Matrox and interrupt handling for one good illustration. I
personally agree with you, and share your sentiment, but we are in the
minority (even if that included everyone on this list).

Just my $0.02

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Wednesday, February 12, 2003 10:50 AM
To: NT Developers Interest List
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead

<<right mind would want to buy since any system update could cause their
machine to start crashing uncontrollably.>>

I know the customer base doesn’t care how the software they bought works -
I’m under no illusion to the contrary. However when their system
starts to crash because we added code to the kernel and the linker moved
the address of a private list-head or mutex that that software has
decided to poke at then customers are very very unhappy.

I also know the development base needs to build and sell software and
hardware products/solutions/what-have-you and that it’s not always
apparent how to do what you want with the supported methods provided by
the kernel. However I have to believe that there are better solutions
than prodding private data structures in order to do this. I doubt many
developers here would be happy if I reverse engineered one of their
drivers, poked values into their internal data structures and thus
caused their customers to think their code had crashed their machine.

In the end, one of my goals is to try and keep both customer bases happy
(developers and consumers). Part of this includes trying to keep people
from building software which will inevitably cause system crashes.

-p

-----Original Message-----
From: Paul Bunn [mailto:xxxxx@UltraBac.com]
Sent: Wednesday, February 12, 2003 11:26 AM
To: NT Developers Interest List


Well, we do all that and much more, and our software isn’t any more unstable
than anybody else’s. :) If you do it right, even a very bold poke won’t
decrease the system stability.

Alberto.

-----Original Message-----
From: Peter Wieland [mailto:xxxxx@windows.microsoft.com]
Sent: Wednesday, February 12, 2003 3:04 PM
To: NT Developers Interest List
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead


Alberto, I agree with you, but I lack the detailed knowledge which NuMega
people have :) … I know there are ways to do everything from ring0
itself, but M$ says these are not faithful ways.

I have got to do this anyhow; I don’t have the option of Win32, because
basically the project is a security system/firewall for servers which
keep precious data and software. Win32 programs can never have total
command over running processes. In the previous month I was totally thinking
about how I should implement it, and I found no safe place with Win32.

Can you suggest some books to get insight into this subject…
Thanx for your help.
One more thing … can anybody tell me how SoftICE displays itself on
screen and stops everything in Windows? I know it uses a kind of video
memory manipulation and keyboard filtering. (Sorry but I am almost a beginner in
this field.)

> I have got to do this anyhow , I dont have option of win32 , because
> basically the project is a security system/firewall for the servers who
> keep precious data and softwares.

When you talk about precious data, you had better search for and follow the
documented method. It’s always safer for you and your customers.

In a previous mail you mentioned that you want to monitor creation of
processes/threads to monitor viral activity. If this is the only question,
then there are better ways to achieve this. No need to scan all the EPROCESS
structures. If you go through the EPROCESS method, also, how fast can you
scan/identify the creation of processes/threads? At any given time you cannot
access all physical memory of all processes; many are paged out. What will
you do in this situation? If you try to do all this to analyse all process
memory, you are going to take all the time by killing other applications on
the server. Overall the server will *Sleep* :)

Even now, when AV drivers scan for each virus in each opened file, they might
scan 1 EXE file against more than 40,000 viruses ?? (this number will
increase). Though they have good algorithms, it still takes time. (To see
this easily, you can copy a set of files over the network with the online
scanner enabled and then disabled. You can easily see the slow/fast.)

Basically, if you try to explain your problem in further detail, people here
might suggest some other ideas.

Regards,
Satish K.S

Hi Satish,
I am not using EPROCESS to see new processes and threads; I have
callbacks for process creation. Here the callback function gets called in
the context of the newly created process, so I have visibility over this
process; now I have to obtain full information about this process, such
as loaded modules, the function names exported by these modules, initial
memory allocated etc… I agree I can do it better using Win32 and
everybody suggests that to me, but I have some more things also, like I
have to filter file system IRPs, I have to filter network calls, and
all these things have relations with each other … I can’t explain my requirements
here in a small space and I am not allowed to talk in detail.
Think that I have to anyhow use ring0 for the scanning; this scanning is
not only file scanning for viruses (which almost every antivirus does)
but more an in-memory check and a watch on process IPC too.
I know everything is possible with known interfaces only… let’s see.
Satish, can you suggest me some books?

If you are using PsSetCreateProcessNotifyRoutine you should look
at the DDK documentation again, as you are not guaranteed to be
called in the context of the new process.

“When it is called, the driver’s process-creation notify routine
runs at IRQL PASSIVE_LEVEL, either in the context of the initial
thread within a newly created process or in the context of a
system thread.”

Actually looking over the ddk I’m not entirely sure if they are
talking about when the process is starting or stopping that it
can be in a system thread. Anyone?

-Jeff

-----Original Message-----
From: krishnaa [mailto:xxxxx@nothing.com]
Sent: Thursday, February 13, 2003 11:51 PM
To: NT Developers Interest List
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead


I have used this function and the callback has always been in the context of
the parent process. This is in W2K. It appears to be the same way with XP
but I have not confirmed this.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Curless, Jeffrey
Sent: Friday, February 14, 2003 8:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead


I must say sorry, the callback is called in the parent process’s context…
I was thinking wrong; anyway that’s not what I have implemented till now.

Suggest me some books on this topic … please.
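Jeff’s and Bill’s point above (the notify routine is not guaranteed to run in the new process’s context) leads naturally to the following, which is an added example and not code posted by anyone in this thread: a PsSetCreateProcessNotifyRoutine callback that keys all of its bookkeeping on the ProcessId argument the kernel hands it, so it is correct whichever thread it happens to run on, and that keeps a small table a scanner can query instead of reading EPROCESS fields. BUILD_WITH_WDK and the PID macro are assumed names of mine; KeAcquireSpinLock, KeInitializeSpinLock and PsSetCreateProcessNotifyRoutine are the documented DDIs, and the host stand-ins exist only so the bookkeeping can be compiled and exercised outside a driver.

```c
/*
 * Added example for this thread, not code posted by anyone in it: a
 * process-creation notify routine that does not depend on which process
 * context the kernel calls it in.  The kernel passes the new process id as
 * an argument, so the bookkeeping is keyed on that argument rather than on
 * PsGetCurrentProcess(), and a scanner later queries this table instead of
 * reading EPROCESS fields.  BUILD_WITH_WDK is an assumed macro name: define
 * it when building as a driver with the WDK; otherwise the few kernel types
 * used here are replaced by host stand-ins so the logic compiles anywhere.
 */
#ifdef BUILD_WITH_WDK
#include <ntddk.h>
#define PID(n) ((HANDLE)(ULONG_PTR)(n))
#else
#include <stddef.h>
#include <stdint.h>
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
#define TRUE 1
#define FALSE 0
#define PID(n) ((HANDLE)(uintptr_t)(n))   /* constructed process id for host testing */
#endif

#define MAX_TRACKED 64                    /* fixed table size, chosen for the example */

typedef struct _TRACKED_PROCESS {
    HANDLE  ProcessId;                    /* id passed to the callback, not the current process */
    HANDLE  ParentId;
    BOOLEAN Live;                         /* TRUE between the create and the exit notification */
} TRACKED_PROCESS;

static TRACKED_PROCESS g_Table[MAX_TRACKED];

/* The callback can run on several CPUs at once, so the table takes a spin
 * lock (the callback runs at PASSIVE_LEVEL).  The single-threaded host
 * build makes the lock macros no-ops. */
#ifdef BUILD_WITH_WDK
static KSPIN_LOCK g_TableLock;
typedef KIRQL TABLE_IRQL;
#define TABLE_LOCK(irql)   KeAcquireSpinLock(&g_TableLock, &(irql))
#define TABLE_UNLOCK(irql) KeReleaseSpinLock(&g_TableLock, (irql))
#else
typedef int TABLE_IRQL;
#define TABLE_LOCK(irql)   ((irql) = 0)
#define TABLE_UNLOCK(irql) ((void)0)
#endif

/* Caller holds the lock.  Returns the live slot for pid, or with wantFree set
 * the first free slot; NULL when there is none. */
static TRACKED_PROCESS *FindSlot(HANDLE pid, BOOLEAN wantFree)
{
    unsigned i;
    for (i = 0; i < MAX_TRACKED; i++) {
        if (wantFree ? !g_Table[i].Live
                     : (g_Table[i].Live && g_Table[i].ProcessId == pid))
            return &g_Table[i];
    }
    return NULL;
}

/* Signature required by PsSetCreateProcessNotifyRoutine: Create is TRUE on
 * process creation and FALSE on exit.  Nothing here asks which process or
 * thread is current. */
void CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    TABLE_IRQL irql;
    TRACKED_PROCESS *slot;

    TABLE_LOCK(irql);
    if (Create) {
        slot = FindSlot(ProcessId, FALSE);   /* pid reused with no exit seen: refresh */
        if (slot == NULL)
            slot = FindSlot(ProcessId, TRUE);
        if (slot != NULL) {                  /* a full table drops the entry */
            slot->ProcessId = ProcessId;
            slot->ParentId  = ParentId;
            slot->Live      = TRUE;
        }
    } else {
        slot = FindSlot(ProcessId, FALSE);
        if (slot != NULL)
            slot->Live = FALSE;
    }
    TABLE_UNLOCK(irql);
}

/* Parent id recorded for a live process, or NULL if it is not tracked. */
HANDLE TrackedParentOf(HANDLE pid)
{
    TABLE_IRQL irql;
    TRACKED_PROCESS *slot;
    HANDLE parent = NULL;

    TABLE_LOCK(irql);
    slot = FindSlot(pid, FALSE);
    if (slot != NULL)
        parent = slot->ParentId;
    TABLE_UNLOCK(irql);
    return parent;
}

#ifdef BUILD_WITH_WDK
/* DriverEntry calls this with Remove = FALSE; the unload routine with TRUE. */
NTSTATUS RegisterProcessTracking(BOOLEAN Remove)
{
    if (!Remove)
        KeInitializeSpinLock(&g_TableLock);
    return PsSetCreateProcessNotifyRoutine(CreateProcessNotify, Remove);
}
#endif
```

In a driver, call RegisterProcessTracking(FALSE) from DriverEntry and RegisterProcessTracking(TRUE) from the unload routine. Because the table is keyed only on the id the kernel supplies, a reused pid whose exit notification was missed refreshes its slot instead of leaving a stale duplicate, and the routine behaves the same whether it is invoked on the parent’s thread, the new process’s initial thread, or a system thread.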

> I am not using EPROCESS to see new processes and threads , I have
> callbacks for process creation ,here the callback function gets called in
> the context of newly created process , so I have visibility over this
> process , now I have to obtain full information about this process , such
> as loaded modules , the function names exported my these modules initial
> memory allocated etc… I agree I can do it better using win32 and
> everybody suggests me that ,

This information is displayed in “TaskMgr.exe”; you can obtain all of it
either from the registry or using APIs in user mode itself.

> but I have some more things also , like I
> have to filter file system IRP’s , I have to filter network calls , and
> all the things have relation with each other … I cant explain my req.
> here in small place and I am not allowed to talk detailed.
> Think that I have to anyhow use ring0 for the scanning , this scanning is
> not only file scanning for viruses (which almost every antivirus does.)
> but more in memory check and watch on process IPC too.
> I know everything is possible with known interfaces only…lets see.
> Satish , can you suggest me some books ?

I don’t know what exactly you are searching for, to suggest books; it seems
you are searching for everything at once :)

Regards,
Satish K.S

Hi,

Satish, I want to know each possible thing about Windows kernel components.
I want more information on process/thread/object management on Windows NT
based systems. I know everything is possible; see, there are lots of
products in the market such as SoftICE which know almost every detail about
Windows kernel components. Right now I am doing research (I should say study)
into safe and foolproof ways of having protection around Windows process
objects. I am sorry, I can’t describe it in detail.
I have to find a few ways like:
1] Drawing/modifying graphics from kernel mode.
2] Safely restricting “process/thread manipulations (of some kind) in user
mode”.
3] The logic should be portable across all NT based platforms.

Now can you suggest me some books? I am new to this area of development,
but I am sure I will grasp it fast if I get books.
Thanx.

> 2]Restricting safly "process/thread manipulations(of some kind)in user
> mode".

From whom do you want to restrict these objects?

You can use access control (ACLs)?

> Now can you suggest me some books.I am new to this area of development
> ,but I am sure I will grasp fast if I get books.

http://www.amazon.com/exec/obidos/tg/sim-explorer/explore-items/-/1578700582/0/101/1/none/session/ref=pd_sim_d_b/103-1455471-2563859

Regards,
Satish K.S

It’s not so simple, because I want to restrict things like
Read/WriteProcessMemory, VirtualAllocEx etc.
I think ACLs can’t serve the purpose completely, can they?

> It’s not so simple , because I want to restrict the things like
> Read/WriteProcessMemory ,VirtualAllocEx etc.
> I think ACL cant serve the purpose completly , isnt it ?

Can you give us some more details: from whom are you planning to restrict the
above APIs?

Regards,
Satish K.S

Why don’t you just look into setting proper security levels.
NT already supports everything you need, there is no need to
invent anything new.

-Jeff

-----Original Message-----
From: krishnaa [mailto:xxxxx@nothing.com]
Sent: Wednesday, February 19, 2003 3:51 AM
To: NT Developers Interest List
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead


I guess you should first better understand how NT works, and maybe you’ll
reconsider your project then. I would strongly recommend the following book:
http://www.sysinternals.com/insidew2k.shtml. If you read the first or the
2nd edition, you still need to read the 3rd.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


From: xxxxx@nothing.com[SMTP:xxxxx@nothing.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, February 19, 2003 2:14 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: PsGetCurrentProcess and PsActiveProcessHead
