[panda-users] About on_get_current_process in osi_winxpsp3x86

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Apr 18 10:10:36 EDT 2016


I think I see what you mean. Yes, we should be checking if
get_current_proc returns 0 before trying to call any other functions.
I also think that function has a bug – if the current process is not
valid, we should return NULL, rather than simply trying the next one
(since the next one won't necessarily be the current process).

I will try to take some time to fix this up.

-Brendan

On Sun, Apr 17, 2016 at 8:48 PM, Hij Krix <hijkrix at gmail.com> wrote:
> Why not handle this situation specially?
> Currently there are no errors with it because panda_virtual_memory_rw in
> get_next_proc returns -1, as eproc+EPROC_LINKS_OFF points to a wrong address
> when eproc is 0. But if any program constructs memory at the null page,
> get_next_proc will succeed with a wrong return value, which will cause an
> infinite loop.
> Maybe we can do it in this way:
>
>
> On Mon, Apr 18, 2016 at 5:43 AM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
> wrote:
>>
>> There are times when due to the current system state we can't figure
>> out what the current process is (for example, when it's in the middle
>> of switching between two processes). In that case we return NULL.
>>
>> As for the technique for getting the current process, it was derived
>> from reverse engineering. However you can actually look at how the
>> Windows kernel does it by looking at the source for
>> KeGetCurrentThread() and PsGetCurrentProcess
>>
>>
>> https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/ke/i386/i386pcr.asm#L51
>>
>> https://github.com/hacksysteam/WRK-1.2/blob/08ce546e1eff1f14bac093d2609428a93a48b645/base/ntos/inc/ps.h#L1132
>>
>> The way we do it is actually slightly different (using
>> ETHREAD.ThreadsProcess rather than KTHREAD.ApcState.Process) and I
>> should see if the method implemented in the Windows kernel source
>> works better.
>>
>> -Brendan
>>
>> On Thu, Apr 14, 2016 at 7:09 AM, Hij Krix <hijkrix at gmail.com> wrote:
>> > I noticed that the 'eproc' returned by get_current_proc may be 0
>> > sometimes. What does it mean? Why not handle it specially?
>> > By the way, where can I find the explanation of the way to find the current
>> > process which has been implemented in osi_winxpsp3x86?
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
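The failure mode discussed in this thread, as an added example that is not PANDA's code nor the osi_winxpsp3x86 plugin's: a toy 32-bit guest with a constructed memory image, a stand-in for panda_virtual_memory_rw() that fails on unmapped pages, and hypothetical ETHREAD/EPROCESS offsets (EPROC_LINKS_OFF is 0x10 here purely for illustration). The list walk uses the usual "follow Flink until we are back at the process we started from" termination. With get_current_proc() returning 0 and the null page unmapped, the first read fails and the walk stops; once something has mapped the null page, the unguarded get_next_proc() returns a real EPROCESS, the walk cycles round the ring and never sees 0 again, which is the infinite loop described above. The guarded variant returns NULL for a NULL current process instead of trying the next one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy 32-bit guest with a 64 KiB flat address space (constructed; not PANDA's memory model). */
typedef uint32_t target_ulong;
#define GUEST_SIZE 0x10000
#define PAGE_SIZE  0x1000

/* Hypothetical record layouts; the real osi_winxpsp3x86 offsets are not taken from this thread. */
#define EPROC_LINKS_OFF  0x10  /* EPROCESS.ActiveProcessLinks.Flink */
#define ETHREAD_PROC_OFF 0x0   /* ETHREAD.ThreadsProcess */

struct guest {
    uint8_t mem[GUEST_SIZE];
    int null_page_mapped;        /* 1 once "a program constructs memory at the null page" */
    target_ulong current_thread; /* 0 while the kernel is between two threads */
};

/* Stand-in for panda_virtual_memory_rw() used read-only: 0 on success, -1 if unmapped. */
static int guest_read(struct guest *g, target_ulong addr, void *buf, size_t len)
{
    if (len > GUEST_SIZE || addr > GUEST_SIZE - len) return -1;
    if (!g->null_page_mapped && addr < PAGE_SIZE) return -1;  /* null page faults */
    memcpy(buf, g->mem + addr, len);
    return 0;
}

static void poke32(struct guest *g, target_ulong addr, target_ulong v)
{
    memcpy(g->mem + addr, &v, sizeof v);
}

/* Current EPROCESS via ETHREAD.ThreadsProcess, or 0 when there is no usable current thread. */
static target_ulong get_current_proc(struct guest *g)
{
    target_ulong eproc;
    if (g->current_thread == 0) return 0;
    if (guest_read(g, g->current_thread + ETHREAD_PROC_OFF, &eproc, sizeof eproc) == -1) return 0;
    return eproc;
}

/* As described in the thread: dereferences eproc+EPROC_LINKS_OFF even when eproc is 0. */
static target_ulong get_next_proc_unguarded(struct guest *g, target_ulong eproc)
{
    target_ulong flink;
    if (guest_read(g, eproc + EPROC_LINKS_OFF, &flink, sizeof flink) == -1) return 0;
    return flink - EPROC_LINKS_OFF;  /* CONTAINING_RECORD(flink, EPROCESS, ActiveProcessLinks) */
}

/* Guarded: a NULL current process is reported as NULL, never "walked past". */
static target_ulong get_next_proc_guarded(struct guest *g, target_ulong eproc)
{
    if (eproc == 0) return 0;
    return get_next_proc_unguarded(g, eproc);
}

/* Enumerate from `start` until the list comes back to `start`.
 * Returns the process count, -1 if the walk hits NULL, -2 if it never closes within max_steps. */
static int walk_procs(struct guest *g, target_ulong start, int max_steps,
                      target_ulong (*next)(struct guest *, target_ulong))
{
    target_ulong p = start;
    for (int n = 1; n <= max_steps; n++) {
        p = next(g, p);
        if (p == 0) return -1;
        if (p == start) return n;
    }
    return -2;
}

/* Constructed guest image: three EPROCESS records in a ring, one ETHREAD, and
 * program-controlled bytes at the null page whose "Flink" happens to point into the ring. */
static void build_guest(struct guest *g, int null_page_mapped, int thread_valid)
{
    static const target_ulong procs[] = { 0x2000, 0x3000, 0x4000 };
    memset(g, 0, sizeof *g);
    g->null_page_mapped = null_page_mapped;
    for (int i = 0; i < 3; i++)
        poke32(g, procs[i] + EPROC_LINKS_OFF, procs[(i + 1) % 3] + EPROC_LINKS_OFF);
    poke32(g, 0x5000 + ETHREAD_PROC_OFF, 0x3000);
    g->current_thread = thread_valid ? 0x5000 : 0;
    poke32(g, 0 + EPROC_LINKS_OFF, 0x3000 + EPROC_LINKS_OFF);
}

/* One scenario end to end: the walk_procs() result for the chosen guard and guest state. */
int run_scenario(int null_page_mapped, int thread_valid, int guarded)
{
    struct guest g;
    build_guest(&g, null_page_mapped, thread_valid);
    return walk_procs(&g, get_current_proc(&g), 1000,
                      guarded ? get_next_proc_guarded : get_next_proc_unguarded);
}

int main(void)
{
    printf("valid thread, unguarded:        %d\n", run_scenario(0, 1, 0));
    printf("mid-switch, null page unmapped: %d\n", run_scenario(0, 0, 0));
    printf("mid-switch, null page mapped:   %d\n", run_scenario(1, 0, 0));
    printf("mid-switch, guarded:            %d\n", run_scenario(1, 0, 1));
    return 0;
}
```

The bound in walk_procs() is only there to make the runaway case observable in a test; the actual fix is the NULL check in get_next_proc_guarded() plus callers checking get_current_proc() for 0 before using it, since a bounded walk that starts from the wrong process still returns a wrong list.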


