Is it possible (and how) to access Thread Information Block of a thread of some another process?
It is possible.
The first step is to get the adress of the Thread Information Block by using the NtQueryInformationThread function with ThreadInformationClass set to ThreadBasicInformation. The THREAD_BASIC_INFORMATION structure contains a pointer to the TEB of the thread. Then you can use ReadProcessMemory and WriteProcessMemory in order to read or modify the content of the TEB.
Related
Depending on the number of processes currently running, by using for_each_process macro call and one simple counter, I have used kmalloc to allocate memory for those processes to store process pid and its parent pid in structure. And use copy_to_user to copy it into the user space segment like below,
copy_to_user(buffer, &data, sizeof(Data) * process_counter);
But the problem is I am not able to figure out how should I suppose to display it on the user space application using read system call.
Is it possible in one read call Or do i need to use while loop for it ?
Thanks in advance.
I would like to be able to change the STARTUPINFO values, right after CreateProcess has been called (suspended).
So the new remote/child process can get custom GetStartupInfo values as soon as it starts.
How could I achieve this?
More Info:
I would like to pass arbitary data to the child process.
Regarding to this article: http://www.catch22.net/tuts/undocumented-createprocess it is possible to do so with the reserved2 members from the STARTUPINFO structure. This method works but has a limit of 65536 bytes. A theoretical solution in order to pass more than 65536 bytes would be if you:
Create the process (suspended)
Alloc space with VirtualAllocEx in the child process
Write data > 65536 bytes to the child process with WriteProcessMemory
Change the reserved2 members with the address from Step 2
Resume the process
The child process calls GetStartupInfo and gets the data
I'm not aware of any supported way for you to do what you ask. However, I suggest an alternative solution to the root problem.
You should not be using lpReserved2 anyway since the documentation tells you to set it to NULL.
Have the parent process create a named memory mapped file.
Pass the name of this file mapping to the child process as a command line argument.
Indeed, there are many variants on this approach, but command line arguments are the way to pass information to a new process.
I'm working on a function to extract information about a thread and would like to know more specifically when calling the CreateThread function, the created thread insert "dwCreationFlags" parameter somewhere in ETHREAD structure
Since these flags only affect thread creation, there is no need to keep them once the thread exists. So no, they are not kept in the ETHREAD.
Hello I am writing a minifilter driver for intercepting all the irp packets from a certain process say a.exe .
So , in the driver code it can be done by applying a check on the command line arguments that started the process.
Does anyone know how can i retrieve the command line argument ??
Thanks in advance .
There's no supported way to do this from within kernel-mode. In fact, trying to access user-mode process information from the kernel is a pain in general. I would suggest firing up a request to a user-mode service, which can then find that information and pass it back down to your kernel component.
However, there an undocumented method to do it. If you can get a handle to an EPROCESS struct for the target process, you can get at a pointer to the PEB (process environment block) struct within it, which then has a pointer to an RTL_USER_PROCESS_PARAMETERS structure, which has a member called CommandLine.
Example:
UNICODE_STRING* commandLine = epProcess->Peb->ProcessParameters->CommandLine;
The downside to this is that EPROCESS is almost entirely opaque and PEB is semi-opaque too, meaning that it may change in future versions of Windows. I certainly wouldn't advocate trying this in production code.
Try using the NtQueryInformationProcess or ZwQueryInformationProcess function with the PROCESSINFOCLASS parameter as ProcessBasicInformation. The output parameter, ProcessInformation, will be a struct of type PROCESS_BASIC_INFORMATION. As Polynomial mentioned, this struct has a pointer to the process's PEB struct, which contains the information you are looking for in its ProcessParameters field.
What is the difference between a thread ID and a thread handle? Why both are needed? Is there a difference between Windows and Linux?
Linux's pthread library does not, as far as I know, have a concept of a thread handle. pthread_create and other pthreads functions, return a thread ID.
Under Windows, the thread handle is different from the thread ID, in the same way that a file handle is different from a file name.
The thread handle is a token which allows you to do something with the thread (typically wait for it or kill it). Win32 has these tokens for lots of objects, and calls them HANDLE in general.
The token is essentially a pointer at the running (or stopped) thread and has a set of abilities associated with it, for example, you can have a handle which permits you to wait for, but not kill, a thread. In the same way, we can have a file handle which is read-only.
This level of indirection may or may not be useful, but it's the way Win32 does it, and it's broadly consistent with how it handles some other types of objects.
The ID is the unique numeric identifier of the thread running in the system. A thread handle, like any kernel object handle, can be seen as a special type of reference counted pointer to the kernel object.
So in kernel space there is an object of type THREAD with ID = 12345
And because you want to do something with the thread you have a pointer in your address space called a threadID with value 44.
Please note that different handles to the same kernel object have different values (two pointers to one object) and that kernel objects can have handles in more than one process.
Thread IDs are progressive (ie, one after another), which you can traverse.
Thread handles, like most handles in Windows, are actually pointers.
You might, for example, set thread property bits by using the thread handle - but not thread id.