PsLookupProcessByProcessId leads to page fault

It happens randomly. Do I have to lock something before using PsLookupProcessByProcessId? I know that on Linux there is rcu_read_lock(). Does Windows have something similar?

Code:

PEPROCESS process = NULL;
if (pid) {
    // Must be called at IRQL <= APC_LEVEL; on success it returns a
    // referenced EPROCESS that has to be released with ObDereferenceObject.
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &process);
    // ..
}

Debugger says:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffb80c9b631a40, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff803401426c0, address which referenced memory

[..]

STACK_TEXT:  
ffffed03`8b3de698 fffff803`3ff666b2     : ffffed03`8b3de800 fffff803`3fd1b030 ffffa080`eabce180 ffffb80c`9b631a01 : nt!DbgBreakPointWithStatus
ffffed03`8b3de6a0 fffff803`3ff65d73     : ffffa080`00000003 ffffed03`8b3de800 fffff803`3fe30300 ffffed03`8b3dedb0 : nt!KiBugCheckDebugBreak+0x12
ffffed03`8b3de700 fffff803`3fe16d37     : ffffed03`8b3def10 fffff803`3fec5b0f ffff8006`bf2c6300 00000000`00000003 : nt!KeBugCheck2+0xba3
ffffed03`8b3dee70 fffff803`3fe2c5e9     : 00000000`0000000a ffffb80c`9b631a40 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx+0x107
ffffed03`8b3deeb0 fffff803`3fe27b34     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffed03`8b3deff0 fffff803`401426c0     : fffff803`400e62d5 ffffed03`8b3df490 ffff8006`beab5cc0 ffffed03`8b3df311 : nt!KiPageFault+0x474
ffffed03`8b3df188 fffff803`400e62d5     : ffffed03`8b3df490 ffff8006`beab5cc0 ffffed03`8b3df311 00000000`00000006 : nt!ExpLookupHandleTableEntry
ffffed03`8b3df190 fffff803`40175ad0     : ffff8006`bf2c6300 ffffed03`8b3df4d0 00000000`000000fe ffffed03`8b3dfba0 : nt!PspReferenceCidTableEntry+0x35
ffffed03`8b3df1e0 fffff803`4a0044cf     : ffff8006`bf2c6300 00000000`000000fe 00000000`00000000 fffff803`3fc80b97 : nt!PsLookupProcessByProcessId+0x30

Are you sure the PID is of a still active process?

Looks to me like you’re calling PsLookupProcessByProcessId at DISPATCH_LEVEL but it can only be called at IRQL <= APC_LEVEL:

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-pslookupprocessbyprocessid

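The IRQL contract the answer points at, shown as an added host-compilable C model that is not driver code and not from this thread: the Sim* functions stand in for KeGetCurrentIrql, PsLookupProcessByProcessId, ObDereferenceObject and IoQueueWorkItem, the process table and PIDs are constructed, and the model reports bug check 0xA as a return value instead of halting. It places the crash path (the lookup called straight from DISPATCH_LEVEL, as in the dump where Arg2 is 2) beside the fix: check the IRQL, defer the lookup to a work item that runs at PASSIVE_LEVEL, and dereference the EPROCESS afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host model of the IRQL contract, not WDK code. Sim* names stand in for
 * KeGetCurrentIrql / PsLookupProcessByProcessId / ObDereferenceObject / IoQueueWorkItem. */
typedef uint8_t KIRQL;
#define PASSIVE_LEVEL  0   /* real x64 IRQL values */
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2

#define STATUS_SUCCESS      0x00000000u
#define STATUS_UNSUCCESSFUL 0xC0000001u
#define STATUS_INVALID_CID  0xC000000Bu   /* returned when no live process has that PID */
#define BUGCHECK_IRQL_NOT_LESS_OR_EQUAL 0x0000000Au   /* bug check 0xA from the dump */

static KIRQL g_irql = PASSIVE_LEVEL;                       /* simulated current IRQL */
static KIRQL SimGetCurrentIrql(void) { return g_irql; }
static void  SimSetIrql(KIRQL irql) { g_irql = irql; }     /* stands in for KeRaiseIrql/KeLowerIrql */

typedef struct { uintptr_t pid; int refcount; } SIM_EPROCESS;
static SIM_EPROCESS g_procs[] = { {4, 0}, {1234, 0} };     /* constructed process table */

/* The real lookup walks the pageable CID handle table (nt!ExpLookupHandleTableEntry in the
 * dump's stack), so above APC_LEVEL it faults and the machine bug-checks. The model records
 * the bug check code in *bugcheck and returns instead of halting. */
static uint32_t SimLookupProcessByProcessId(uintptr_t pid, SIM_EPROCESS **out, uint32_t *bugcheck)
{
    *out = NULL;
    if (SimGetCurrentIrql() > APC_LEVEL) {
        *bugcheck = BUGCHECK_IRQL_NOT_LESS_OR_EQUAL;
        return STATUS_UNSUCCESSFUL;
    }
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++) {
        if (g_procs[i].pid == pid) {
            g_procs[i].refcount++;          /* the real call hands back a referenced EPROCESS */
            *out = &g_procs[i];
            return STATUS_SUCCESS;
        }
    }
    return STATUS_INVALID_CID;
}

static void SimDereferenceObject(SIM_EPROCESS *p) { p->refcount--; }

static int RefcountOf(uintptr_t pid)
{
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++)
        if (g_procs[i].pid == pid) return g_procs[i].refcount;
    return -1;
}

/* Minimal work-item queue: items run later at PASSIVE_LEVEL, as a system worker thread would. */
typedef void (*SIM_WORKITEM_ROUTINE)(void *ctx);
static struct { SIM_WORKITEM_ROUTINE fn; void *ctx; } g_queue[8];
static int g_queued;

static bool SimQueueWorkItem(SIM_WORKITEM_ROUTINE fn, void *ctx)
{
    if (g_queued >= 8) return false;
    g_queue[g_queued].fn = fn;
    g_queue[g_queued].ctx = ctx;
    g_queued++;
    return true;
}

static void SimRunWorkerThread(void)
{
    SimSetIrql(PASSIVE_LEVEL);
    for (int i = 0; i < g_queued; i++) g_queue[i].fn(g_queue[i].ctx);
    g_queued = 0;
}

typedef struct { uintptr_t pid; uint32_t status; uint32_t bugcheck; bool found; } LOOKUP_REQUEST;

/* Correct use: runs only at IRQL <= APC_LEVEL and drops the reference when done. */
static void LookupWorker(void *ctx)
{
    LOOKUP_REQUEST *req = ctx;
    SIM_EPROCESS *process = NULL;
    req->bugcheck = 0;
    req->status = SimLookupProcessByProcessId(req->pid, &process, &req->bugcheck);
    if (req->status == STATUS_SUCCESS) {
        req->found = true;
        /* ... use process here ... */
        SimDereferenceObject(process);    /* balance the reference taken by the lookup */
    }
}

/* Entry point that may be reached at DISPATCH_LEVEL (DPC, spin lock held): defer rather
 * than call in place. Returns false only if the work item could not be queued. */
static bool RequestLookup(LOOKUP_REQUEST *req)
{
    req->found = false;
    if (SimGetCurrentIrql() <= APC_LEVEL) { LookupWorker(req); return true; }
    return SimQueueWorkItem(LookupWorker, req);
}

/* The pattern from the question: the lookup called directly from DISPATCH_LEVEL code. */
static uint32_t LookupDirectlyAtDispatch(uintptr_t pid)
{
    LOOKUP_REQUEST req = { pid, 0, 0, false };
    SimSetIrql(DISPATCH_LEVEL);
    LookupWorker(&req);
    SimSetIrql(PASSIVE_LEVEL);
    return req.bugcheck;                  /* 0xA, the crash the dump shows */
}

int main(void)
{
    printf("direct call at DISPATCH_LEVEL -> bug check 0x%X\n", LookupDirectlyAtDispatch(1234));
    LOOKUP_REQUEST req = { 1234, 0, 0, false };
    SimSetIrql(DISPATCH_LEVEL);
    RequestLookup(&req);                  /* queued, nothing touched yet */
    SimRunWorkerThread();                 /* worker runs at PASSIVE_LEVEL */
    printf("deferred lookup -> status 0x%X, found %d, refcount %d\n",
           req.status, req.found, RefcountOf(1234));
    return 0;
}
```

In a real driver the deferral is IoAllocateWorkItem/IoQueueWorkItem (or a system thread), and the cheapest check while developing is NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL) before the call; Driver Verifier's IRQL checking on a test machine turns this class of mistake into a deterministic failure instead of a random one.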
