[panda-users] About on_get_current_process in osi_winxpsp3x86

Hij Krix hijkrix at gmail.com
Sun Apr 17 20:48:39 EDT 2016


Why not handle this situation specially?
Currently there are no errors with it because panda_virtual_memory_rw in
get_next_proc returns -1, as eproc+EPROC_LINKS_OFF points to a wrong address
when eproc is 0. But if any program constructs memory at the null page,
get_next_proc will succeed with a wrong return value, which will cause an
infinite loop.
Maybe we can do it in this way:


On Mon, Apr 18, 2016 at 5:43 AM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
wrote:

> There are times when due to the current system state we can't figure
> out what the current process is (for example, when it's in the middle
> of switching between two processes). In that case we return NULL.
>
> As for the technique for getting the current process, it was derived
> from reverse engineering. However you can actually look at how the
> Windows kernel does it by looking at the source for
> KeGetCurrentThread() and PsGetCurrentProcess
>
>
> https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/ke/i386/i386pcr.asm#L51
>
> https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/inc/ps.h#L1132
>
> The way we do it is actually slightly different (using
> ETHREAD.ThreadsProcess rather than KTHREAD.ApcState.Process) and I
> should see if the method implemented in the Windows kernel source
> works better.
>
> -Brendan
>
> On Thu, Apr 14, 2016 at 7:09 AM, Hij Krix <hijkrix at gmail.com> wrote:
> > I noticed that the 'eproc' returned by get_current_proc may be 0
> > sometimes. What does it mean? Why not handle it specially?
> > By the way, where can I find the explanation of the way to find the
> > current process which has been implemented in osi_winxpsp3x86?
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-eproc-before-loop-in-osi_winxpsp3x86.patch
Type: text/x-patch
Size: 1048 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/panda-users/attachments/20160417/3dbe4d4a/attachment.bin
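The failure mode Hij describes (an EPROCESS list walk that starts from eproc == 0 and keeps going once a guest has mapped the null page) can be reproduced outside the emulator. The stand-alone C model below is an added example; it is not PANDA's code and not the attached patch. The names toy_*, the value of EPROC_LINKS_OFF, MAX_WALK, the three process addresses, the zero-filled null page and the read helper standing in for panda_virtual_memory_rw are all assumptions made for this example. It walks a constructed three-entry ActiveProcessLinks ring, then starts the walk at 0 with the null page unmapped (the read fails, which is what hides the bug today), with the null page mapped and no check (32-bit pointer arithmetic wraps and the walk never returns to its start), and with the check-before-loop that the patch title describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All constants below are assumptions for this model, not PANDA's values.
 * EPROC_LINKS_OFF reuses the name from the mailing-list discussion only. */
#define EPROC_LINKS_OFF 0x88u
#define TOY_MEM_SIZE    0x4000u
#define MAX_WALK        64

typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;

static uint8_t toy_mem[TOY_MEM_SIZE];     /* constructed flat guest memory */
static bool    null_page_mapped = false;  /* has a guest program mapped page 0? */

/* Stand-in for panda_virtual_memory_rw(): 0 on success, -1 if unmapped.
 * Page 0 is unmapped unless the guest mapped it (Hij's scenario). */
static int toy_virtual_memory_read(uint32_t addr, void *buf, uint32_t len) {
    if (addr < 0x1000u && !null_page_mapped) return -1;
    if (addr > TOY_MEM_SIZE || len > TOY_MEM_SIZE - addr) return -1;
    memcpy(buf, &toy_mem[addr], len);
    return 0;
}

/* Model of get_next_proc(): read EPROCESS.ActiveProcessLinks and turn Flink
 * (a LIST_ENTRY pointer) back into an EPROCESS pointer. Guest pointers are
 * 32-bit, so both additions wrap mod 2^32; that wrap is what makes a walk
 * starting at eproc == 0 cycle between 0 and 0xFFFFFF78 on a zero-filled page. */
static int toy_get_next_proc(uint32_t eproc, uint32_t *next) {
    LIST_ENTRY32 links;
    uint32_t links_addr = eproc + EPROC_LINKS_OFF;
    if (toy_virtual_memory_read(links_addr, &links, sizeof links) != 0) return -1;
    *next = links.Flink - EPROC_LINKS_OFF;
    return 0;
}

/* Walk the ring starting at `first`. Returns the process count, -1 if the
 * start was rejected or a read failed, -2 if the walk did not come back to
 * `first` within MAX_WALK steps (an unbounded loop would spin forever). */
static int walk_procs(uint32_t first, bool check_eproc) {
    if (check_eproc && first == 0) return -1;   /* check eproc before the loop */
    int n = 0;
    uint32_t cur = first;
    do {
        n++;
        if (toy_get_next_proc(cur, &cur) != 0) return -1;
        if (n > MAX_WALK) return -2;
    } while (cur != first);
    return n;
}

/* Constructed list: three EPROCESS blocks linked in a ring; the rest of
 * memory, including the null page, is zero-filled. */
static void toy_setup(void) {
    static const uint32_t procs[] = { 0x1000u, 0x2000u, 0x3000u };
    const int np = 3;
    memset(toy_mem, 0, sizeof toy_mem);
    for (int i = 0; i < np; i++) {
        LIST_ENTRY32 e = {
            .Flink = procs[(i + 1) % np] + EPROC_LINKS_OFF,
            .Blink = procs[(i + np - 1) % np] + EPROC_LINKS_OFF,
        };
        memcpy(&toy_mem[procs[i] + EPROC_LINKS_OFF], &e, sizeof e);
    }
}

int main(void) {
    toy_setup();
    printf("healthy ring from 0x1000:            %d\n", walk_procs(0x1000u, false));
    null_page_mapped = false;
    printf("eproc==0, null page unmapped:        %d\n", walk_procs(0, false));
    null_page_mapped = true;
    printf("eproc==0, null page mapped, no check: %d\n", walk_procs(0, false));
    printf("eproc==0, null page mapped, checked:  %d\n", walk_procs(0, true));
    return 0;
}
```

The MAX_WALK bound is the second safeguard worth keeping alongside the eproc == 0 check: a corrupted or attacker-shaped list can cycle without ever passing through the starting entry, and a walk that trusts guest memory for its termination condition has no other way to notice.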