[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook

Ok well a few of my pieces of code here rely upon the ImageFileName element within the EPROCESS structure (which you can find in the ntifs_6001.h) header I’ve uploaded. Again, in 7600 it seems to be missing. Weird.
Anyway, the problem was that ImageFileName was returning nothing. Blank. So evidently the offset has changed. I wrote a peice of code to enumerate the base addresses of each EPROCESS structure and then looked at them in Win Dbg, have a look:
null

That image should pretty much give you an idea of what to do. Count the bytes. Find the new offset.
Previously the offset for ImageFileName was +0x154 now all of a sudden its +0x174. To implement search for this offset programmatically, search the memory from each EPROCESS base for the string “system”. As it will ALWAYS be there, makes for an easy way to determine the correct offset.


Original NtOpenProcess Screenshot

I have attached an updated version of my NtOpenProcessHook below with the fix.
The hack (this is too crude to be a fix!) lies in the RetrievePID() function. So have a look there for comparison.

A revised list of both sys calls and EPROCESS offsets are included below too.

[ Link ] My Old NtOpenProcessHook post
[ C – Source ] New NtOpenProcessHook Driver
[ C – Source ] Old NtOpenProcessHook Driver
[ C – Header ] ntifs_6001.h
[ Link ] New EPROCESS offsets for windows 7
[ Link ] List of current windows syscalls

Advertisements

~ by Rhys Mossom on November 21, 2009.

2 Responses to “[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook”

  1. […] [ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook « said this on November 21, 2009 at 10:01 pm […]

  2. what about protecting a process from being suspend by process hacker or process explorer?

    Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: