ZwOpenProcess and PROCESS_QUERY_INFORMATION

alec_lee · November 26, 2015, 9:09am

newbie question,
This line:

status=ZwOpenProcess(&targetProcessHandle, PROCESS_QUERY_INFORMATION , &ObjectAttributes, &targetProcessId);

yields compilation error saying PROCESS_QUERY_INFORMATION is undeclared.

I found that in wdm.h only PROCESS_ALL_ACCESS and PROCESS_DUP_HANDLE are defined. While in winnt.h these are defined as well :

PROCESS_TERMINATE
PROCESS_CREATE_THREAD
PROCESS_SET_SESSIONID
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE
PROCESS_DUP_HANDLE
PROCESS_CREATE_PROCESS
PROCESS_SET_QUOTA
PROCESS_SET_INFORMATION
PROCESS_QUERY_INFORMATION
PROCESS_SUSPEND_RESUME
PROCESS_QUERY_LIMITED_INFORMATION

Does it mean we can only use PROCESS_ALL_ACCESS now?

Aleh_Kazakevich · November 27, 2015, 1:16am

Process access flags are equal for both kernel mode and user mode.
So you can copy definition of PROCESS_QUERY_INFORMATION from winnt.h.

Normally, access checks are skipped for “Zw” function calls in the kernel.
It is possible to use PROCESS_ALL_ACCESS or even 0 with exactly same results.
One exception of this rule is using of OBJ_FORCE_ACCESS_CHECK flag
and when your code is running in the context of the user-mode caller.

Read the following article if you need more details about Nt/Zw API:

Nt vs. Zw - Clearing Confusion On The Native API
http://www.osronline.com/article.cfm?id=257