[panda-users] About on_get_current_process in osi_winxpsp3x86

Brendan Dolan-Gavitt brendandg at nyu.edu
Sun Apr 17 17:43:03 EDT 2016


There are times when due to the current system state we can't figure
out what the current process is (for example, when it's in the middle
of switching between two processes). In that case we return NULL.

As for the technique for getting the current process, it was derived
from reverse engineering. However you can actually look at how the
Windows kernel does it by looking at the source for
KeGetCurrentThread() and PsGetCurrentProcess():

https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/ke/i386/i386pcr.asm#L51
https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/inc/ps.h#L1132

The way we do it is actually slightly different (using
ETHREAD.ThreadsProcess rather than KTHREAD.ApcState.Process) and I
should see if the method implemented in the Windows kernel source
works better.

-Brendan

On Thu, Apr 14, 2016 at 7:09 AM, Hij Krix <hijkrix at gmail.com> wrote:
> I noticed that the 'eproc' returned by get_current_proc may be 0
> sometimes. What does it mean? Why not handle it specially?
> By the way, where can I find the explanation of the way to find the current
> process which has been implemented in osi_winxpsp3x86?
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
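To make the two lookups in the reply above concrete, here is an added example that is not part of the thread and not PANDA's own osi_winxpsp3x86 code. It walks a constructed fake of the XP SP3 x86 guest address space the way KeGetCurrentThread() does (FS base -> KPCR.PrcbData.CurrentThread) and then reads either ETHREAD.ThreadsProcess (the PANDA approach) or KTHREAD.ApcState.Process (the WRK approach). The structure offsets, the 0xFFDFF000 KPCR address and all thread/process addresses are assumptions from public XP SP3 symbol information and constructed sample data; the `GuestMemory`, `current_thread`, `current_process` and `build_sample` names are hypothetical. It also reproduces the NULL case: any zero or unreadable pointer on the chain yields `None` instead of a guessed process.

```python
import struct

# Windows XP SP3 x86 layout ASSUMED for this example (from public symbols,
# not from the mailing-list post). Offsets are in bytes.
FS_BASE = 0xFFDFF000             # KPCR for CPU 0; PANDA takes this from the guest FS base
KPCR_PRCBDATA = 0x120            # KPCR.PrcbData
KPRCB_CURRENTTHREAD = 0x004      # KPRCB.CurrentThread  (KTHREAD*)
KTHREAD_APCSTATE_PROCESS = 0x44  # KTHREAD.ApcState.Process (KPROCESS*, first member of EPROCESS)
ETHREAD_THREADSPROCESS = 0x220   # ETHREAD.ThreadsProcess  (EPROCESS*)


class GuestMemory:
    """Tiny fake of the guest virtual address space: a dict of aligned 32-bit words."""

    def __init__(self, words):
        self.words = dict(words)

    def read_u32(self, va):
        # None mirrors a failed guest read (page not mapped), as distinct from a stored 0.
        return self.words.get(va)


def current_thread(mem):
    """KeGetCurrentThread(): fs:[KPCR.PrcbData.CurrentThread]."""
    return mem.read_u32(FS_BASE + KPCR_PRCBDATA + KPRCB_CURRENTTHREAD)


def current_process(mem, via="ThreadsProcess"):
    """Return the EPROCESS pointer, or None (the NULL case) when the chain is unusable.

    via="ThreadsProcess" follows ETHREAD.ThreadsProcess (owning process);
    via="ApcState" follows KTHREAD.ApcState.Process (currently attached process).
    """
    kthread = current_thread(mem)
    if not kthread:          # unmapped KPCR or CurrentThread == 0 (e.g. mid context switch)
        return None
    offset = ETHREAD_THREADSPROCESS if via == "ThreadsProcess" else KTHREAD_APCSTATE_PROCESS
    eproc = mem.read_u32(kthread + offset)
    return eproc or None     # a 0 pointer is reported as "unknown", never as a process


# Constructed sample addresses (not real guest values).
THREAD_VA = 0x81A2F020
OWNER_EPROCESS = 0x81B5C3A8
ATTACHED_EPROCESS = 0x81C00DA0


def build_sample(attached=None, mid_switch=False):
    """Build a fake guest memory for one scenario.

    attached:   if set, emulate KeStackAttachProcess(), which rewrites
                ApcState.Process but leaves ETHREAD.ThreadsProcess alone.
    mid_switch: emulate a moment where KPRCB.CurrentThread reads as 0.
    """
    words = {
        FS_BASE + KPCR_PRCBDATA + KPRCB_CURRENTTHREAD: 0 if mid_switch else THREAD_VA,
        THREAD_VA + ETHREAD_THREADSPROCESS: OWNER_EPROCESS,
        THREAD_VA + KTHREAD_APCSTATE_PROCESS: attached or OWNER_EPROCESS,
    }
    return GuestMemory(words)


if __name__ == "__main__":
    for label, mem in [("normal", build_sample()),
                       ("attached", build_sample(attached=ATTACHED_EPROCESS)),
                       ("mid-switch", build_sample(mid_switch=True)),
                       ("unmapped KPCR", GuestMemory({}))]:
        a = current_process(mem, "ThreadsProcess")
        b = current_process(mem, "ApcState")
        fmt = lambda p: "NULL" if p is None else "0x%08x" % p
        print("%-14s ThreadsProcess=%s  ApcState.Process=%s" % (label, fmt(a), fmt(b)))
```

The "attached" scenario is why the two methods are not interchangeable: while a driver is stack-attached to another process, ApcState.Process names the address space the thread is running in, whereas ThreadsProcess still names the thread's owner, so an analysis that attributes memory accesses should pick deliberately. Both functions return `None` rather than a stale or zero pointer whenever the chain cannot be followed, which is the behaviour the reply describes for the 0 'eproc' case.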

