ZwQueryInformationProcess Access violation - code c0000005

Hi,

I am using ZwQueryInformationProcess() to get the process path/name.
I got an access violation.
OS: XP SP2

Check the following code:

    PVOID pvProcessPath = ExAllocatePoolWithTag(
        NonPagedPool,
        ulSizeOfProcessPath,
        'aaa'
        );
    if (NULL == pvProcessPath)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    ntStatus = ZwQueryInformationProcess(
        hProcess,
        (PROCESSINFOCLASS)27,
        pvProcessPath,
        ulSizeOfProcessPath,
        &ulRetLen
        );
    if (!NT_SUCCESS(ntStatus))
    {
        ExFreePool(pvProcessPath);
        return ntStatus;
    }

    pwszTempFilePath = (WCHAR *)ExAllocatePoolWithTag(
        NonPagedPool,
        500 * sizeof(WCHAR),
        'aaa'
        );
    if (NULL == pwszTempFilePath)
    {
        ExFreePool(pvProcessPath);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    pwszFilePath = ((PUNICODE_STRING)pvProcessPath)->Buffer;

Any help will be appreciated.

Regards,
Sachin.

Well, you’re leaking memory here:

    pwszTempFilePath = (WCHAR *)ExAllocatePoolWithTag(
        NonPagedPool,
        500 * sizeof(WCHAR),
        'aaa'
        );
    if (NULL == pwszTempFilePath)
    {
        ExFreePool(pvProcessPath);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    pwszFilePath = ((PUNICODE_STRING)pvProcessPath)->Buffer;

though I don’t imagine that that’s your problem.

How about you post an !analyze -v.

mm

Where’s the handle coming from? Try passing ZwCurrentProcess() instead, and if that works, that is, you do get your own process name in the third parameter, there is an issue with the handle. There are some extra hoops to jump through for the System process.