[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook
OK, well, a few of my pieces of code here rely upon the ImageFileName element within the EPROCESS structure (which you can find in the ntifs_6001.h header I’ve uploaded). Again, in 7600 it seems to be missing. Weird.
Anyway, the problem was that ImageFileName was returning nothing. Blank. So evidently the offset has changed. I wrote a piece of code to enumerate the base addresses of each EPROCESS structure and then looked at them in WinDbg; have a look:
That image should pretty much give you an idea of what to do. Count the bytes. Find the new offset.
Previously the offset for ImageFileName was +0x154; now all of a sudden it’s +0x174. To find this offset programmatically, search the memory from each EPROCESS base for the string “system”. Since that process name will ALWAYS be there, this makes for an easy way to determine the correct offset.
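As an added example (not from the original post or its driver source), here is a user-mode C sketch of that offset search, the same approach memory-forensics tools use to locate ImageFileName without hard-coded offsets. It scans a constructed stand-in for the System process’s EPROCESS for the NUL-terminated process name and returns the offset; the 0x300 buffer size and the 0x174 placement are constructed test values, and in a driver the buffer would be the EPROCESS base itself.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EPROCESS.ImageFileName holds 15 characters plus a NUL terminator. */
#define IMAGE_FILE_NAME_LEN 16

/*
 * Scan 'len' bytes from an EPROCESS base for the System process name and
 * return the byte offset where it starts, or -1 if it is not found.
 * The compare is case-insensitive so "system" (as written in the post) and
 * "System" (as the field actually reads) both match; requiring the NUL
 * terminator right after the name rejects partial matches in other fields.
 */
long find_image_file_name_offset(const unsigned char *eproc, size_t len)
{
    static const char name[] = "System";
    const size_t n = sizeof(name) - 1;

    for (size_t off = 0; off + IMAGE_FILE_NAME_LEN <= len; off++) {
        size_t i;
        for (i = 0; i < n; i++)
            if (tolower(eproc[off + i]) != tolower((unsigned char)name[i]))
                break;
        if (i == n && eproc[off + n] == '\0')
            return (long)off;
    }
    return -1;
}

/* Constructed stand-in for the System EPROCESS (not a real structure dump). */
#define FAKE_EPROCESS_SIZE 0x300
#define FAKE_NAME_OFFSET   0x174

long demo_offset(void)
{
    unsigned char fake[FAKE_EPROCESS_SIZE];
    memset(fake, 0, sizeof fake);
    /* Decoy at the old Vista offset: a prefix with no terminator must not match. */
    memcpy(fake + 0x154, "SysXXXXX", 8);
    memcpy(fake + FAKE_NAME_OFFSET, "System", 7);
    return find_image_file_name_offset(fake, sizeof fake);
}

int main(void)
{
    printf("ImageFileName offset: +0x%lx\n", demo_offset()); /* +0x174 */
    return 0;
}
```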
Original NtOpenProcess Screenshot
I have attached an updated version of my NtOpenProcessHook below with the fix.
The hack (this is too crude to be a fix!) lies in the RetrievePID() function, so have a look there for comparison.
A revised list of both syscalls and EPROCESS offsets is included below too.
[ Link ] My Old NtOpenProcessHook post
[ C – Source ] New NtOpenProcessHook Driver
[ C – Source ] Old NtOpenProcessHook Driver
[ C – Header ] ntifs_6001.h
[ Link ] New EPROCESS offsets for windows 7
[ Link ] List of current windows syscalls