Hi,
I’m trying to get a pointer to the PEB (I need access to some members of
it). Io(Ps)GetCurrentProcess() returns a pointer to the EPROCESS just fine. But
the PPEB member of the EPROCESS structure is always NULL. Why? I’ve tried to
use PsLookupProcessByProcessId() passing valid process IDs, but with the
same result. I’m in the context of a UserMode thread (calling Io(Ps)Xxx from the
IRP_MJ_DEVICE_CONTROL dispatch entry). Any ideas how to get a pointer to the
PEB?
Thanks for help!
Anton
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> IRP_MJ_DEVICE_CONTROL dispatch entry). Any ideas how to get pointer to
> PEB?
ZwQueryInformationProcess using ProcessBasicInfo: PebBaseAddress.
btw, you could also note it always uses the same UM address.
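Added example (not code from this thread or from either poster): the ProcessBasicInformation query Andrey points at, wrapped with the checks a driver should make on the result, plus a constructed stand-in for ZwQueryInformationProcess so the file builds and runs outside the WDK. In a real driver you pass ZwQueryInformationProcess itself (the function-pointer type has the same shape); the handle values, the fake routine and its 0x7FFDF000 return are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal NT definitions so this builds without ntddk.h (constructed for the example). */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef void *PVOID;
typedef uintptr_t ULONG_PTR;
typedef unsigned long ULONG;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define ProcessBasicInformation 0
/* Documented layout returned for the ProcessBasicInformation class. */
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS  ExitStatus;
    PVOID     PebBaseAddress;
    ULONG_PTR AffinityMask;
    long      BasePriority;          /* KPRIORITY */
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
/* Same shape as ZwQueryInformationProcess(ProcessHandle, Class, Buffer, Length, ReturnLength). */
typedef NTSTATUS (*QUERY_PROCESS_FN)(HANDLE, int, PVOID, ULONG, ULONG *);
/* Returns the PEB base, or NULL when the query fails or the process has none (the System
 * process, for instance). The pointer is a user-mode address inside *that* process: only
 * touch it while attached to the process, after ProbeForRead, inside __try/__except. */
PVOID GetPebBaseAddress(QUERY_PROCESS_FN query, HANDLE process)
{
    PROCESS_BASIC_INFORMATION pbi = {0};
    ULONG returned = 0;
    NTSTATUS status = query(process, ProcessBasicInformation, &pbi, sizeof(pbi), &returned);
    if (!NT_SUCCESS(status) || returned < sizeof(pbi))
        return NULL;                 /* never dereference a PEB you did not get */
    return pbi.PebBaseAddress;
}
/* Constructed stand-in for ZwQueryInformationProcess so the example runs offline: handle 1
 * models an ordinary process with its PEB at the classic pre-ASLR 32-bit address 0x7FFDF000
 * (the "same UM address" Andrey mentions); handle 4 models a process without a PEB. */
NTSTATUS FakeQueryInformationProcess(HANDLE h, int cls, PVOID buf, ULONG len, ULONG *ret)
{
    if (cls != ProcessBasicInformation) return STATUS_INVALID_INFO_CLASS;
    if (buf == NULL || len < sizeof(PROCESS_BASIC_INFORMATION)) return STATUS_INFO_LENGTH_MISMATCH;
    PROCESS_BASIC_INFORMATION *pbi = (PROCESS_BASIC_INFORMATION *)buf;
    pbi->UniqueProcessId = (ULONG_PTR)h;
    pbi->PebBaseAddress = (h == (HANDLE)(ULONG_PTR)4) ? NULL : (PVOID)(ULONG_PTR)0x7FFDF000;
    if (ret) *ret = sizeof(*pbi);
    return STATUS_SUCCESS;
}
```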
Hi,
Thanks for the pointer! This time I’ve done everything a different way:
through KeGetCurrentThread() and parsing the returned KTHREAD.
Anton
On 12/04/01, “Andrey Shedel” wrote:
> > IRP_MJ_DEVICE_CONTROL dispatch entry). Any ideas how to get pointer to
> > PEB?
> >
>
> ZwQueryInformationProcess using ProcessBasicInfo: PebBaseAddress.
>
> btw, you could also note it always uses the same UM address.
wrote in message news:xxxxx@ntdev…
>
> I’m trying to get pointer to PEB (need to get access to some members of
> it). Io(Ps)GetCurrentProcess() returns pointer to EPROCESS just fine. But
> the PPEB member of EPROCESS structure is always NULL. Why?
>
Well, just so that I’ve done my “due diligence”, let me note that groveling
through the EPROCESS data structure using hardcoded offsets is a sure way
to create a driver that’s unreliable. You DO realize that the layout of
these structures changes, sometimes a lot, between O/S versions, right? OK,
I’m done lecturing now.
The PPEB member of the EPROCESS structure is NULL? Sorry, it’s not when I
look at it, like in the debugger. !process will tell you that, right in the
first line.
Let me see, I’ll bet you’re looking at the wrong offset.
Peter
OSR