<div dir="ltr"><div><div>Why not handle this situation specially?<br></div>Currently there are no errors with it because <i>panda_virtual_memory_rw</i> in <i>get_next_proc</i> returns -1, as <i>eproc+EPROC_LINKS_OFF</i> points to a wrong address when <i>eproc</i> is 0. But if any program <span class="">constructs memory at the <em>null page</em>, <em>get_next_proc</em> will succeed with a wrong return value, which will cause an infinite loop.<br></span></div><span class="">Maybe we can do it this way:<br><br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 18, 2016 at 5:43 AM, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There are times when due to the current system state we can't figure<br>
out what the current process is (for example, when it's in the middle<br>
of switching between two processes). In that case we return NULL.<br>
<br>
As for the technique for getting the current process, it was derived<br>
from reverse engineering. However you can actually look at how the<br>
Windows kernel does it by looking at the source for<br>
KeGetCurrentThread() and PsGetCurrentProcess<br>
<br>
<a href="https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/ke/i386/i386pcr.asm#L51" rel="noreferrer" target="_blank">https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/ke/i386/i386pcr.asm#L51</a><br>
<a href="https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/inc/ps.h#L1132" rel="noreferrer" target="_blank">https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/inc/ps.h#L1132</a><br>
<br>
The way we do it is actually slightly different (using<br>
ETHREAD.ThreadsProcess rather than KTHREAD.ApcState.Process) and I<br>
should see if the method implemented in the Windows kernel source<br>
works better.<br>
<br>
-Brendan<br>
<div><div class="h5"><br>
On Thu, Apr 14, 2016 at 7:09 AM, Hij Krix <<a href="mailto:hijkrix@gmail.com">hijkrix@gmail.com</a>> wrote:<br>
> I noticed that the 'eproc' returned by get_current_proc may be 0<br>
> sometimes. What does it mean? Why not handle it specially?<br>
> By the way, where can I find the explanation of the way to find the current<br>
> process which has been implemented in osi_winxpsp3x86?<br>
><br>
</div></div>> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
</font></span></blockquote></div><br></div>
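<p>Added example (not code from the thread or from PANDA's osi_winxpsp3x86 plugin): a small C model of the failure mode discussed above. <code>sim_virtual_memory_rw</code> is a constructed stand-in that only copies the contract the thread relies on (0 on success, -1 when the guest address cannot be read); <code>EPROC_LINKS_OFF</code> is a hypothetical offset, not the real WinXP SP3 value; the three-process ring and the <code>walk_list</code> callers are constructed sample data. With the null page unmapped the naive walker stops because the read at <code>0+EPROC_LINKS_OFF</code> fails; once the null page is readable, <code>get_next_proc_naive(0)</code> returns a wrapped-around address whose link field lands back on the null page, and the walk never terminates. The checked variants add the explicit null test the reply asks for and keep an iteration bound as defence in depth.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy guest-memory model, constructed for this example. It is not PANDA's
 * memory API; sim_virtual_memory_rw only mimics the contract the thread relies
 * on: 0 on success, -1 when the guest address cannot be read. */
#define GUEST_MEM_SIZE 0x4000u
#define PAGE_SIZE      0x1000u
static uint8_t guest_mem[GUEST_MEM_SIZE];
static bool    null_page_mapped = false;   /* "a program constructed memory at the null page" */

static int sim_virtual_memory_rw(uint32_t addr, uint8_t *buf, int len, int is_write) {
    if (addr < PAGE_SIZE && !null_page_mapped) return -1;       /* unmapped null page: fault */
    if ((uint64_t)addr + (uint64_t)len > GUEST_MEM_SIZE) return -1;
    if (is_write) memcpy(guest_mem + addr, buf, len);
    else          memcpy(buf, guest_mem + addr, len);
    return 0;
}

/* Hypothetical offset of EPROCESS.ActiveProcessLinks.Flink; not a real WinXP SP3 value. */
#define EPROC_LINKS_OFF 0x88u

/* get_next_proc as the thread describes it: read Flink, report 0 when the read fails.
 * With eproc == 0 and a readable null page the read succeeds and the result wraps. */
static uint32_t get_next_proc_naive(uint32_t eproc) {
    uint32_t flink;
    if (sim_virtual_memory_rw(eproc + EPROC_LINKS_OFF, (uint8_t *)&flink, 4, 0) == -1) return 0;
    return flink - EPROC_LINKS_OFF;   /* CONTAINING_RECORD-style: LIST_ENTRY address -> EPROCESS */
}

/* Hardened variant: refuse a null EPROCESS before doing any pointer arithmetic on it. */
static uint32_t get_next_proc_checked(uint32_t eproc) {
    if (eproc == 0) return 0;
    return get_next_proc_naive(eproc);
}

/* Walk the ActiveProcessLinks ring starting at 'start'. Returns the number of entries
 * visited, or -1 if 'max_iter' was exceeded (the loop was not going to terminate). */
static int walk_list(uint32_t start, uint32_t (*next)(uint32_t), int max_iter) {
    uint32_t cur = start;
    int count = 0;
    do {
        if (++count > max_iter) return -1;
        cur = next(cur);
    } while (cur != 0 && cur != start);
    return count;
}

/* Hardened walker: an unknown current process (0) yields an empty list instead of
 * being dereferenced, and the iteration bound stays as defence in depth. */
static int walk_list_checked(uint32_t start, int max_iter) {
    if (start == 0) return 0;
    return walk_list(start, get_next_proc_checked, max_iter);
}

/* Build a three-process ring at 0x1000/0x2000/0x3000 (constructed sample data) and
 * decide whether the guest's null page is readable. */
static void setup_guest(bool map_null_page) {
    const uint32_t procs[3] = { 0x1000, 0x2000, 0x3000 };
    memset(guest_mem, 0, sizeof guest_mem);
    for (int i = 0; i < 3; i++) {
        uint32_t flink = procs[(i + 1) % 3] + EPROC_LINKS_OFF;
        sim_virtual_memory_rw(procs[i] + EPROC_LINKS_OFF, (uint8_t *)&flink, 4, 1);
    }
    null_page_mapped = map_null_page;
}

int main(void) {
    setup_guest(false);
    printf("real start, naive walker:          %d\n", walk_list(0x1000, get_next_proc_naive, 64));
    printf("null start, naive, null unmapped:  %d\n", walk_list(0, get_next_proc_naive, 64));
    setup_guest(true);
    printf("null start, naive, null mapped:    %d (bound hit)\n", walk_list(0, get_next_proc_naive, 64));
    printf("null start, checked walker:        %d\n", walk_list_checked(0, 64));
    return 0;
}
```

<p>The bound in <code>walk_list</code> is what turns a silent hang into a detectable error; the null check in <code>get_next_proc_checked</code> and the early return in <code>walk_list_checked</code> are the actual fix, since a "current process" of 0 means the introspection result is unknown and should not be used as a pointer at all.</p>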