1

Topic: NtQueryInformationProcess

Once I used this method, back when there was still a paper book by Nebbett on  Windows NT functions. Years went by, and I forgot about this function. And now it suddenly became necessary, all of a sudden like a diarrhea. Found out that it does not work correctly in my code; thought my code was crooked, got on , found there an article with  and a demo. Launched the demo, and it does not work either. Here it must be noted that it works no worse than my code, i.e. the code from the article does not work either, and its code  and mine are approximately identical. But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI. Where is the rake? https://www.codeproject.com/Articles/19 … ionProcess

2

Re: NtQueryInformationProcess

B> that it works no worse than my code, i.e. the code from the article does not work either, and its code  and mine are approximately identical.
B> But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI.
B> https://www.codeproject.com/Articles/19 … ionProcess
That is, the reader is supposed to download and launch the code to see how it does not work? Laziness. But  on buttons is not laziness, so I can assume that the structure used is defined incorrectly. Why it is defined incorrectly - hypotheses are also possible. For example, we try  a 32-bit structure in a 64-bit , or we try  some structures whose definition changed from one Windows version to another, therefore it is necessary to detect the Windows version and substitute the necessary structure. Where to take the correct structure from? From Google, of course.
B> Where is the rake?
In the shed.

3

Re: NtQueryInformationProcess

Hello, Burbulis1978, you wrote:
B> But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI.
It is possible to look here: http://processhacker.sourceforge.net/ Seems like the same PE, but with source code.

4

Re: NtQueryInformationProcess

Hello, ononim, you wrote:
B>> that it works no worse than my code, i.e. the code from the article does not work either, and its code  and mine are approximately identical.
B>> But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI.
B>> https://www.codeproject.com/Articles/19 … ionProcess
O> That is, the reader is supposed to download and launch the code to see how it does not work? Laziness.
O> But  on buttons is not laziness, so I can assume that the structure used is defined incorrectly. Why it is defined incorrectly - hypotheses are also possible. For example, we try  a 32-bit structure in a 64-bit , or we try  some structures whose definition changed from one Windows version to another, therefore it is necessary to detect the Windows version and substitute the necessary structure. Where to take the correct structure from? From Google, of course.
B>> Where is the rake?
O> In the shed.
It is assumed that the reader who really answers has worked with the specified NAPI, i.e. has specific practice under Win10, and knows what to do. Anyway, thanks for not standing aside. All as usual: those who know do not speak, those who speak do not know. (c) Some uncle.

5

Re: NtQueryInformationProcess

Hello, CEMb, you wrote:
CEM> Hello, Burbulis1978, you wrote:
B>> But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI.
CEM> It is possible to look here: http://processhacker.sourceforge.net/ Seems like the same PE, but with source code.
Very many thanks, really very, very interesting . It is simply

6

Re: NtQueryInformationProcess

Hello, CEMb, you wrote:
CEM> Hello, Burbulis1978, you wrote:
B>> But! At the same time ProcessExplorer by our Russinovich works perfectly, and it too uses this NAPI.
CEM> It is possible to look here: http://processhacker.sourceforge.net/ Seems like the same PE, but with source code.
Huge thanks!  Simply magic, simply wonderful. A mass of examples of wonderful code; a pity only that the driver is legacy, and as a whole

7

Re: NtQueryInformationProcess

Hello, Burbulis1978, you wrote:
B> It is assumed that the reader who really answers has worked with the specified NAPI, i.e. has specific practice under Win10.
That is, had experience  with the specific example from CodeProject on Win10 and remembers what exactly was wrong with it? The function itself works, Windows still uses it for internal needs. And in a specific example it can fail for dozens of different reasons if more detailed information is not given. For a skilled reader to be able to guess what is wrong, it is extremely desirable to state how exactly it does not work, for example:
1. Which ProcessInformationClass does it return?
2. Does it return an NTSTATUS (which one?)
3. If the NTSTATUS is successful, but the output structure is not filled, or is filled in an unexpected way, in what way does it not match expectations?
4. If control does not return from it, why? Does an exception happen there, a BSOD, or is it simply impossible to obtain its address?
With all this zero information, the most probable assumption has been stated: a wrong structure, which can result in unexpected filling or a shortage of the buffer. Where exactly and what exactly is wrong - without details it is not clear. But on the asking side these details are accessible, and with them one can quite well go to Google for  the structure definition.
It would also be good to formulate the higher-level task. What is needed from it in the end. The "" name of the process, as in the example? For a hundred years there have been GetProcessImageFileName and QueryFullProcessImageName of all sorts. In general, everything that it can tell? Then yes, call it.
B> and knows what to do. Anyway, thanks for not standing aside.
B> All as usual: those who know do not speak, those who speak do not know. (c) Some uncle.
In this specific case the problem is exclusively in how the question was posed. So the knowing can tell. Here recently there was: a call of the 64-bit version of this your NtQueryInformationProcess from a 32-bit process. Author: ononim Date: 09.08 02:52.
So readers are most likely in a state to explain about a normal  call of normal, often-used NT API functions.

8

Re: NtQueryInformationProcess

Hello, Burbulis1978, you wrote:
B> It is assumed that the reader who really answers has worked with the specified NAPI, i.e. has specific practice under Win10.
B> And knows what to do. Anyway, thanks for not standing aside.
B> All as usual: those who know do not speak, those who speak do not know. (c) Some uncle.
A person who more than knows has just answered you! You would do better to at least put together an example reproducing the problem; if in the end you still did not understand, you would receive the answer at once.

9

Re: NtQueryInformationProcess

Hello, Alexander G, you wrote:
AG> Hello, Burbulis1978, you wrote:
B>> It is assumed that the reader who really answers has worked with the specified NAPI, i.e. has specific practice under Win10.
AG> That is, had experience  with the specific example from CodeProject on Win10 and remembers what exactly was wrong with it?
AG> The function itself works, Windows still uses it for internal needs.
AG> And in a specific example it can fail for dozens of different reasons if more detailed information is not given.
AG> For a skilled reader to be able to guess what is wrong, it is extremely desirable to state how exactly it does not work, for example:
AG> 1. Which ProcessInformationClass does it return?
I expect that it actually returns what I request: ProcessBasicInformation
AG> 2. Does it return an NTSTATUS (which one?)
AG> 3. If the NTSTATUS is successful, but the output structure is not filled, or is filled in an unexpected way, in what way does it not match expectations?
AG> 4. If control does not return from it, why? Does an exception happen there, a BSOD, or is it simply impossible to obtain its address?
Here is the outlined test code:

    typedef struct _PROCESS_BASIC_INFORMATION {
        PVOID     Reserved1;
        PPEB      PebBaseAddress;   // Interests naturally PEB
        PVOID     Reserved2[2];
        ULONG_PTR UniqueProcessId;
        PVOID     Reserved3;
    } PROCESS_BASIC_INFORMATION;

    // prototype of the ntdll export resolved below
    typedef NTSTATUS (NTAPI *PNTQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
    PNTQUERYINFORMATIONPROCESS NtQueryInformationProcess;
    PROCESS_BASIC_INFORMATION *ProcessInfo;
    NTSTATUS NtStatus;
    ULONG RLength = 0;

    HMODULE hinst_ntdll = LoadLibraryW(L"ntdll.dll");
    if (!hinst_ntdll) return (ReturnValue);
    NtQueryInformationProcess = reinterpret_cast<PNTQUERYINFORMATIONPROCESS>(GetProcAddress(hinst_ntdll, "ZwQueryInformationProcess"));
    if (!NtQueryInformationProcess) return (ReturnValue);
    HANDLE hProcs = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | READ_CONTROL, FALSE, dwPid);
    if (!hProcs) return ("ERROR");   // GetLastError() is typically ERROR_ACCESS_DENIED here
    HANDLE hHeap = GetProcessHeap();
    unsigned int dwSize = sizeof(PROCESS_BASIC_INFORMATION);
    ProcessInfo = reinterpret_cast<PROCESS_BASIC_INFORMATION *>(HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwSize));
    NtStatus = NtQueryInformationProcess(hProcs, ProcessBasicInformation, reinterpret_cast<PVOID>(ProcessInfo), dwSize, &RLength);
    if ((NtStatus != STATUS_SUCCESS) || (dwSize != RLength)) return ("ERROR_SZ_MISMACH");
    printf("ProcessInfo->PebBaseAddress = %p\n", ProcessInfo->PebBaseAddress);

In  the call looks like this:

    00007ff8`e4c656b0 4c8bd1            mov     r10, rcx
    00007ff8`e4c656b3 b819000000        mov     eax, 19h
    00007ff8`e4c656b8 f604250803fe7f01  test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)], 1
    00007ff8`e4c656c0 7503              jne     ntdll!ZwQueryInformationProcess+0x15 (00007ff8`e4c656c5)
    00007ff8`e4c656c2 0f05              syscall
    00007ff8`e4c656c4 c3                ret

As for tracing further in  - nobody . SoftICE does not work under Win10, and windbg is forced   in , VMware was not at hand, and a second spare computer is also not there. After return from NtQueryInformationProcess, NTSTATUS == STATUS_SUCCESS, dwSize == RLength. The function executes. Without crashes or blue screens. And here is the ambush with ProcessInfo: ProcessInfo->PebBaseAddress == NULL. By means of Google, even before reversing, I found  the remedies connected with the offset of this field depending on the OS version. But they did not help. And at the same time SystemProcessesInformation - NtQueryInformationProcess executes perfectly. No questions.
AG> It would also be good to formulate the higher-level task. What is needed from it in the end.
In the end, I would like to get a service which takes snapshots of the state of processes, thread counts, performance counters, CPU time, memory, WorkingSet etc. and saves all of it in a database, so that another service analyzes all this disgrace over different time intervals and  decisions according to the rules set by the user. Something like that.
AG> The "" name of the process, as in the example? For a hundred years there have been GetProcessImageFileName and QueryFullProcessImageName of all sorts.
AG> In general, everything that it can tell? Then yes, call it.
Almost everything that NtQuerySystemInfo can do is needed.
AG> In this specific case the problem is exclusively in how the question was posed. So the knowing can tell.
AG> Here recently there was: a call of the 64-bit version of this your NtQueryInformationProcess from a 32-bit process. Author: ononim Date: 09.08 02:52.
AG> So readers are most likely in a state to explain about a normal  call of normal, often-used NT API functions.
For that too, many thanks.


11

Re: NtQueryInformationProcess

Hello, ononim, you wrote:
O> ... They still have two PEB loader lists. And they are different. One contains 64  (normally only ntdll wow64 and other guts of the wow64 subsystem), and the second - 32. However both contain  on  .
Is there a need to get the name  from there? The first  in InLoadOrderModuleList is seemingly always on , but going through ImagePathName in RTL_USER_PROCESS_PARAMETERS from the PEB somehow looks cleaner.

12

Re: NtQueryInformationProcess

O>> ... They still have two PEB loader lists. And they are different. One contains 64  (normally only ntdll wow64 and other guts of the wow64 subsystem), and the second - 32. However both contain  on  .
AG> Is there a need to get the name  from there?
AG> The first  in InLoadOrderModuleList is seemingly always on , but going through ImagePathName in RTL_USER_PROCESS_PARAMETERS from the PEB somehow looks cleaner.
But the RTL_USER_PROCESS_PARAMETERS also differ - again one is 32-bit, and the second 64-bit. And theoretically they can  different information. And the image path can still be obtained via NtQueryInformationProcess(ProcessImageFileName). Or GetMappedFileName on PEB::ImageBaseAddress. The amusing fact is that if the process uses any loaders/protectors, all these methods can yield different results.


14

Re: NtQueryInformationProcess

B> And so hopes fall. Of an easy way out of a difficult situation.
To make it easier to find a way out, one must look for the entrance. What do you need the PEB for?

15

Re: NtQueryInformationProcess

Hello, Burbulis1978, you wrote:
B> I had a shy hope that inside NtQueryInformationProcess it would be as before: from  obtain the PEPROCESS and from there already  into the structure
B> PROCESS_BASIC_INFORMATION.
Most likely, events in the kernel have not changed especially essentially. (The code shown - it is visible - is the code of the Windows kernel or of ReactOS.) But on 64-bit systems the kernel too is 64-bit! Directly with the kernel in such systems always interacts the 64-bit ntdll. For the operation of 32-bit applications in such systems there exists the Wow64 layer, and applications work with the 32-bit ntdll, the remaining system dlls too being 32-bit. Since the x86-64 processor itself supports x86 mode, the Wow64 layer does not have so many tasks, but it explicitly does this:
1. Performs translation between 32-bit and 64-bit structures for system calls.  there to interrupt on 64-bit, SIZE_T, etc.
2. Palms off the 32-bit System32 folder (File System Redirection)
3. Palms off 32-bit registry keys (Registry Redirection)
Switching into 64-bit mode happens before the above-mentioned translations.

About TEB / PEB. These are auxiliary structures used, mainly, in User Mode for various contexts. For rapid access to the TEB, its address is written into a segment register; so that this rapid access to the TEB would be convenient to express at a high level, one of the TEB fields is a pointer to itself. In places the TEB is used in the implementation of auxiliary functions (there is a field for GetLastError there), in places accesses to it are implicitly inserted by the compiler (that is Structured Exception Handling and (static) Thread Local Storage). In every TEB there is a pointer to the PEB. The PEB too stores all the auxiliary contexts, now for the process. In the Ldr field the lists of loaded modules are stored.

As TEB and PEB are such basic things that will be needed both  immediately (SEH, TLS), and by the 32-bit system modules used in it, and by the 64-bit ntdll together with the Wow64 layer, and at the same time they are structures with pointers, in a Wow64 process separate 32-bit and 64-bit TEB/PEB are necessary. And they are different. Some fields can be only in the 64-bit or only in the 32-bit TEB/PEB. Well, and because of Wow64 specifics, some auxiliary fields in these paired TEB/PEB can have a different meaning than in "pure 32-bit" or "pure 64-bit". An important point of difference between the 32-bit and 64-bit PEB: in the 32-bit PEB::Ldr the list of loaded 32-bit modules is stored, in the 64-bit one - the 64-bit list, which is very small (the 64-bit ntdll, three or four dlls of the Wow64 layer, well, and  itself is contained both in the 64-bit and in the 32-bit list). As clients of NtQueryInformationProcess will expect the PEB of the bitness they request, well, that is, of the clients' own bitness, they cannot be satisfied if a 32-bit client asks about a 64-bit process. Therefore the 32-bit NtQueryInformationProcess does not return the TEB for a 64-bit process.

Taking all of this into account:
1. Look at what is to be done with the PEB: for a Wow64 process either the 32-bit or the 64-bit PEB may be needed, or it may not matter. If a specific one is needed, normally it is the 32-bit one.
2. With the PEB, with all those  in it, it is convenient to work in the context of the process to which this PEB belongs. To inject a dll and work through NtCurrentTeb()->Peb. Then for 64-bit systems two dlls are necessary, 32-bit for 32-bit processes, 64-bit for 64-bit processes. In the case of heavy work with Ldr this is the only normal variant (you will not capture the Loader Lock ).
3. In the absence of a need to climb into the loader's guts, but with heavy work with various NT API, it is necessary to use a 64-bit process on 64-bit systems. If as a result the main application has to be 32-bit only, an auxiliary 64-bit one must be made, and IPC used.
4. Basically "any PEB of another process" can be obtained from a process of any bitness without DLL injection and without NtQueryInformationProcess. The main point is what comes next.
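As an added example that is not code from this thread, from the CodeProject article or from Process Hacker, here is the walk that posts 11, 12 and 15 describe, PEB -> ProcessParameters -> ImagePathName, done against either the 32-bit or the 64-bit layout through a memory-reader callback, which on Windows would wrap ReadProcessMemory with the PebBaseAddress returned by ProcessBasicInformation (or the 32-bit PEB returned by ProcessWow64Information). The offsets are the fixed layouts of PEB, RTL_USER_PROCESS_PARAMETERS and UNICODE_STRING; the snapshot and the path are constructed for the demo, and a zero PEB address, which is what post 15 says a 32-bit caller gets for a native 64-bit target, is rejected up front:

```c
#include <stdint.h>
#include <string.h>
/* Reader callback: copy `len` bytes at target address `addr` into `buf`, 1 on success.
 * On Windows this would wrap ReadProcessMemory; here a constructed snapshot stands in. */
typedef int (*mem_reader)(void *ctx, uint64_t addr, void *buf, size_t len);
/* Offsets that differ between the 32-bit and 64-bit layouts: PEB.ProcessParameters,
 * RTL_USER_PROCESS_PARAMETERS.ImagePathName and UNICODE_STRING.Buffer. */
#define PEB_PROCESS_PARAMETERS(is64) ((is64) ? 0x20 : 0x10)
#define PARAMS_IMAGE_PATH_NAME(is64) ((is64) ? 0x60 : 0x38)
#define USTR_BUFFER(is64)            ((is64) ? 0x08 : 0x04)
/* Read one pointer-sized field (4 or 8 bytes) of the target's bitness into a uint64_t. */
static int read_ptr(void *ctx, mem_reader rd, uint64_t addr, int is64, uint64_t *out) {
    uint32_t v32 = 0; uint64_t v64 = 0;
    if (!rd(ctx, addr, is64 ? (void *)&v64 : (void *)&v32, is64 ? 8 : 4)) return 0;
    *out = is64 ? v64 : v32; return 1;
}
/* Walk PEB -> ProcessParameters -> ImagePathName and copy the UTF-16 path into `out`.
 * Returns the wide-char count, or -1 on any failure, including peb == 0 (what a 32-bit
 * caller gets back in PebBaseAddress for a native 64-bit target). */
int peb_image_path(void *ctx, mem_reader rd, uint64_t peb, int is64, uint16_t *out, size_t cap) {
    uint64_t params = 0, buf = 0; uint16_t len = 0;
    if (!peb || !read_ptr(ctx, rd, peb + PEB_PROCESS_PARAMETERS(is64), is64, &params) || !params)
        return -1;
    uint64_t ustr = params + PARAMS_IMAGE_PATH_NAME(is64);            /* the UNICODE_STRING */
    if (!rd(ctx, ustr, &len, sizeof len)) return -1;                   /* .Length, in bytes */
    if (!read_ptr(ctx, rd, ustr + USTR_BUFFER(is64), is64, &buf) || !buf) return -1;
    size_t n = len / 2;
    if (n + 1 > cap || !rd(ctx, buf, out, len)) return -1;
    out[n] = 0;
    return (int)n;
}
/* Constructed target snapshot: 0x4000 bytes whose first byte lives at address `base`. */
typedef struct { uint64_t base; uint8_t mem[0x4000]; } snapshot;
static int snap_read(void *ctx, uint64_t addr, void *buf, size_t len) {
    snapshot *s = ctx;
    if (addr < s->base || addr - s->base + len > sizeof s->mem) return 0;
    memcpy(buf, s->mem + (addr - s->base), len);
    return 1;
}
/* Lay out a fake PEB (0x1000), parameters (0x2000) and path (0x3000) in the requested
 * bitness (little-endian, as on Windows), then read the path back; returns wide-char count. */
int demo_roundtrip(int is64, uint16_t *out, size_t cap) {
    snapshot s = { 0x1000, { 0 } };
    const uint16_t path[] = { 'C', ':', '\\', 'a', '.', 'e', 'x', 'e' };
    uint64_t params = 0x2000, strbuf = 0x3000; uint16_t len = sizeof path;
    memcpy(s.mem + PEB_PROCESS_PARAMETERS(is64), &params, is64 ? 8 : 4);
    memcpy(s.mem + 0x1000 + PARAMS_IMAGE_PATH_NAME(is64), &len, sizeof len);
    memcpy(s.mem + 0x1000 + PARAMS_IMAGE_PATH_NAME(is64) + USTR_BUFFER(is64), &strbuf, is64 ? 8 : 4);
    memcpy(s.mem + 0x2000, path, sizeof path);
    return peb_image_path(&s, snap_read, 0x1000, is64, out, cap);
}
```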