ZwQueryInformationProcess problem.

Amit_Kulkarni-2 · June 5, 2007, 3:31am

Hi All,

I have writen following code

ntStatus = ZwQueryInformationProcess(
hProcess,
ProcessBasicInformation,
&ulRetLen,
0,
&ulRetLen
);
if (!NT_SUCCESS(ntStatus))
{
TEMPIOCTL_KDPRINT((“ZwQueryInformationProcess() failed for(%d) Error(%u) Req length (%u)”, iCount, ntStatus, ulRetLen));
}

Documents tell that it should return required buffer length in ulRetLen, but I am getting 0 in it.

anton_bassov · June 5, 2007, 6:11am

According to the above code, you have specified a buffer of length zero is your call. This is why
ZwQueryInformationProcess() cannot be bothered even to return the number of bytes needed.
You should specify buffer length greater than zero. Actually, in your particular case (i.e. ProcessBasicInformation infoclass) output buffer lenth is known in advance - the last parameter is meant to be used when ZwQueryInformationProcess() returns a structure of variable length for some particular infoclass…

Anton Bassov

Amit_Kulkarni-2 · June 5, 2007, 6:23am

Thanks,

Now I am getting the result but not expected one,

ProcBasicInfo.PebBaseAddress this field is null for some processes and

pPEB->ProcessParameters->ImagePathName is allways giving me the same exe path for all processes.

OSR_Community_User · June 5, 2007, 6:46am

Are the processes in question system and idle? The system and idle
processes do not have a PEB.

>> xxxxx@yahoo.com 2007-06-05 06:23 >>>
Thanks,

Now I am getting the result but not expected one,

ProcBasicInfo.PebBaseAddress this field is null for some processes and

pPEB->ProcessParameters->ImagePathName is allways giving me the same
exe path for all processes.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Amit_Kulkarni-2 · June 5, 2007, 6:52am

Thanks,

System and idle process do not have PEB.

But for other processes ProcessParameters->ImagePathName field in PEB showing same EXE name. Do you know why?

OSR_Community_User · June 5, 2007, 7:02am

No problem.

>> xxxxx@yahoo.com 2007-06-05 06:52 >>>
Thanks,

System and idle process do not have PEB.

But for other processes ProcessParameters->ImagePathName field in PEB
showing same EXE name. Do you know why?

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

anton_bassov · June 5, 2007, 7:26am

> ProcBasicInfo.PebBaseAddress this field is null for some processes

System and Idle processes do not have their representation in the user mode, and, hence, have no PEBs…

pPEB->ProcessParameters->ImagePathName is allways giving me the same exe
path for all processes.

PEB is user-mode structure, and hence, its address is valid only in the address space of its owner process. If you want to access another process’s PEB, you have to do with ReadProcessMemory()
( or call KeStackAttachProcess() if you do it in the kernel mode)…

Anton Bassov