HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Typedefs | Functions | Variables
UserAccess.h File Reference

Access and parse user-mode components of binaries. More...

Go to the source code of this file.

Classes

struct  _PEB_LDR_DATA
 PEB LDR Data. More...
 
struct  _RTL_USER_PROCESS_PARAMETERS
 User process params. More...
 
struct  _PEB
 PEB 64-bit. More...
 
struct  _PEB32
 PEB 32-bit. More...
 
struct  _PEB_LDR_DATA32
 LDR Data 32-bit. More...
 
struct  _LDR_DATA_TABLE_ENTRY32
 LDR Data Table 32-bit. More...
 
struct  _LDR_DATA_TABLE_ENTRY
 LDR Data Table 64-bit. More...
 

Typedefs

typedef struct _PEB_LDR_DATA PEB_LDR_DATA
 PEB LDR Data.
 
typedef struct _PEB_LDR_DATAPPEB_LDR_DATA
 
typedef struct _RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS
 User process params.
 
typedef struct _RTL_USER_PROCESS_PARAMETERSPRTL_USER_PROCESS_PARAMETERS
 
typedef void(__stdcall * PPS_POST_PROCESS_INIT_ROUTINE) (void)
 Random windows type.
 
typedef struct _PEB PEB
 PEB 64-bit.
 
typedef struct _PEBPPEB
 
typedef struct _PEB32 PEB32
 PEB 32-bit.
 
typedef struct _PEB32PPEB32
 
typedef struct _PEB_LDR_DATA32 PEB_LDR_DATA32
 LDR Data 32-bit.
 
typedef struct _PEB_LDR_DATA32PPEB_LDR_DATA32
 
typedef struct _LDR_DATA_TABLE_ENTRY32 LDR_DATA_TABLE_ENTRY32
 LDR Data Table 32-bit.
 
typedef struct _LDR_DATA_TABLE_ENTRY32PLDR_DATA_TABLE_ENTRY32
 
typedef struct _LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY
 LDR Data Table 64-bit.
 
typedef struct _LDR_DATA_TABLE_ENTRYPLDR_DATA_TABLE_ENTRY
 
typedef NTSTATUS(* ZwQueryInformationProcess) (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength)
 
typedef PPEB(NTAPI * PsGetProcessPeb) (PEPROCESS Process)
 
typedef PPEB32(NTAPI * PsGetProcessWow64Process) (PEPROCESS Process)
 

Functions

BOOLEAN UserAccessAllocateAndGetImagePathFromProcessId (HANDLE ProcessId, PUNICODE_STRING ProcessImageName, UINT32 SizeOfImageNameToBeAllocated)
 Get the image path from process Id.
 
BOOLEAN UserAccessGetLoadedModules (PUSERMODE_LOADED_MODULE_DETAILS ProcessLoadedModuleRequest, UINT32 BufferSize)
 Get details about loaded modules.
 
BOOLEAN UserAccessIsWow64Process (HANDLE ProcessId, PBOOLEAN Is32Bit)
 Detects whether process is 32-bit or 64-bit.
 
BOOLEAN UserAccessIsWow64ProcessByEprocess (PEPROCESS SourceProcess, PBOOLEAN Is32Bit)
 Detects whether process is 32-bit or 64-bit by using EPROCESS pointer.
 
BOOLEAN UserAccessCheckForLoadedModuleDetails (UINT32 CoreId)
 Checks whether the loaded module is available or not.
 
BOOLEAN UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot (PPEB PebAddress, BOOLEAN Is32Bit, PUINT64 BaseAddress, PUINT64 Entrypoint)
 If the target process's main module is loaded, it fills the Entrypoint and the BaseAddress.
 

Variables

ZwQueryInformationProcess g_ZwQueryInformationProcess
 Address of ZwQueryInformationProcess.
 
PsGetProcessPeb g_PsGetProcessPeb
 Address of PsGetProcessPeb.
 
PsGetProcessWow64Process g_PsGetProcessWow64Process
 Address of PsGetProcessWow64Process.
 

Detailed Description

Access and parse user-mode components of binaries.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Access to Portable Executables

Version
0.1
Date
2021-12-24
Copyright
This project is released under the GNU Public License v3.

Typedef Documentation

◆ LDR_DATA_TABLE_ENTRY

typedef struct _LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY

LDR Data Table 64-bit.

◆ LDR_DATA_TABLE_ENTRY32

typedef struct _LDR_DATA_TABLE_ENTRY32 LDR_DATA_TABLE_ENTRY32

LDR Data Table 32-bit.

◆ PEB

typedef struct _PEB PEB

PEB 64-bit.

◆ PEB32

typedef struct _PEB32 PEB32

PEB 32-bit.

◆ PEB_LDR_DATA

typedef struct _PEB_LDR_DATA PEB_LDR_DATA

PEB LDR Data.

◆ PEB_LDR_DATA32

typedef struct _PEB_LDR_DATA32 PEB_LDR_DATA32

LDR Data 32-bit.

◆ PLDR_DATA_TABLE_ENTRY

typedef struct _LDR_DATA_TABLE_ENTRY * PLDR_DATA_TABLE_ENTRY

◆ PLDR_DATA_TABLE_ENTRY32

typedef struct _LDR_DATA_TABLE_ENTRY32 * PLDR_DATA_TABLE_ENTRY32

◆ PPEB

typedef struct _PEB * PPEB

◆ PPEB32

typedef struct _PEB32 * PPEB32

◆ PPEB_LDR_DATA

typedef struct _PEB_LDR_DATA * PPEB_LDR_DATA

◆ PPEB_LDR_DATA32

typedef struct _PEB_LDR_DATA32 * PPEB_LDR_DATA32

◆ PPS_POST_PROCESS_INIT_ROUTINE

typedef void(__stdcall * PPS_POST_PROCESS_INIT_ROUTINE) (void)

Random windows type.

◆ PRTL_USER_PROCESS_PARAMETERS

typedef struct _RTL_USER_PROCESS_PARAMETERS * PRTL_USER_PROCESS_PARAMETERS

◆ PsGetProcessPeb

typedef PPEB(NTAPI * PsGetProcessPeb) (PEPROCESS Process)

◆ PsGetProcessWow64Process

typedef PPEB32(NTAPI * PsGetProcessWow64Process) (PEPROCESS Process)

◆ RTL_USER_PROCESS_PARAMETERS

typedef struct _RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS

User process params.

◆ ZwQueryInformationProcess

typedef NTSTATUS(* ZwQueryInformationProcess) (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength)

Function Documentation

◆ UserAccessAllocateAndGetImagePathFromProcessId()

BOOLEAN UserAccessAllocateAndGetImagePathFromProcessId ( HANDLE ProcessId,
PUNICODE_STRING ProcessImageName,
UINT32 SizeOfImageNameToBeAllocated )

Get the image path from process Id.

This function should be called in vmx non-root for size 512 is enough, if the size is not enough it returns FALSE it's up to the user to deallocate ProcessImageName.Buffer

Parameters
ProcessId
ProcessImageName
SizeOfImageNameToBeAllocated
Returns
BOOLEAN
31{
32 NTSTATUS Status;
33 ULONG ReturnedLength;
34 ULONG BufferLength;
35 HANDLE ProcessHandle;
36 PVOID Buffer;
37 PEPROCESS EProcess;
38 PUNICODE_STRING ImageName;
39
40 //
41 // This eliminates the possibility of the IDLE Thread/Process
42 //
43 PAGED_CODE();
44
45 Status = PsLookupProcessByProcessId(ProcessId, &EProcess);
46
47 if (NT_SUCCESS(Status))
48 {
49 Status = ObOpenObjectByPointer(EProcess, 0, NULL, 0, 0, KernelMode, &ProcessHandle);
50
51 if (!NT_SUCCESS(Status))
52 {
53 LogError("Err, cannot get the process object (%08x)", Status);
54 return FALSE;
55 }
56
57 ObDereferenceObject(EProcess);
58 }
59 else
60 {
61 //
62 // Probably, the process id is wrong!
63 //
64 return FALSE;
65 }
66
67 if (g_ZwQueryInformationProcess == NULL)
68 {
69 return FALSE;
70 }
71
72 //
73 // Query the actual size of the process path
74 //
75 Status = g_ZwQueryInformationProcess(ProcessHandle,
76 ProcessImageFileName,
77 NULL, // Buffer
78 0, // Buffer size
79 &ReturnedLength);
80
81 if (Status != STATUS_INFO_LENGTH_MISMATCH)
82 {
83 //
84 // ZwQueryInformationProcess failed
85 //
86 return FALSE;
87 }
88
89 //
90 // Check there is enough space to store the actual process path when it is found
91 // If not return FALSE
92 //
93 BufferLength = ReturnedLength - sizeof(UNICODE_STRING);
94
95 if (SizeOfImageNameToBeAllocated < BufferLength)
96 {
97 return FALSE;
98 }
99
100 //
101 // Allocate a temporary buffer to store the path name
102 //
103 Buffer = PlatformMemAllocateZeroedNonPagedPool(ReturnedLength);
104
105 if (Buffer == NULL)
106 {
107 return FALSE;
108 }
109
110 //
111 // Retrieve the process path from the handle to the process
112 //
113 Status = g_ZwQueryInformationProcess(ProcessHandle,
114 ProcessImageFileName,
115 Buffer,
116 ReturnedLength,
117 &ReturnedLength);
118
119 if (NT_SUCCESS(Status))
120 {
121 //
122 // Copy the path name
123 //
124 ImageName = (PUNICODE_STRING)Buffer;
125
126 //
127 // Allocate UNICODE_STRING
128 //
129 ProcessImageName->Length = 0;
130 ProcessImageName->MaximumLength = (USHORT)SizeOfImageNameToBeAllocated;
131 ProcessImageName->Buffer = (PWSTR)PlatformMemAllocateZeroedNonPagedPool(SizeOfImageNameToBeAllocated);
132
133 if (ProcessImageName->Buffer == NULL)
134 {
135 return FALSE;
136 }
137
138 RtlZeroMemory(ProcessImageName->Buffer, SizeOfImageNameToBeAllocated);
139
140 //
141 // Copy path to the buffer
142 //
143 RtlCopyUnicodeString(ProcessImageName, ImageName);
144
145 //
146 // Free the temp buffer which stored the path
147 //
148 PlatformMemFreePool(Buffer);
149
150 return TRUE;
151 }
152 else
153 {
154 //
155 // There was an error in ZwQueryInformationProcess
156 // Free the temp buffer which stored the path
157 //
158 PlatformMemFreePool(Buffer);
159 return FALSE;
160 }
161}
USHORT
unsigned short USHORT
Definition BasicTypes.h:36
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
LogError
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
PlatformMemFreePool
VOID PlatformMemFreePool(PVOID BufferAddress)
Free (dellocate) a non-paged buffer.
Definition Mem.c:86
PlatformMemAllocateZeroedNonPagedPool
PVOID PlatformMemAllocateZeroedNonPagedPool(SIZE_T NumberOfBytes)
Allocate a non-paged buffer (zeroed)
Definition Mem.c:69
g_ZwQueryInformationProcess
ZwQueryInformationProcess g_ZwQueryInformationProcess
Address of ZwQueryInformationProcess.
Definition UserAccess.h:187
PUNICODE_STRING
struct _UNICODE_STRING * PUNICODE_STRING
UNICODE_STRING
struct _UNICODE_STRING UNICODE_STRING
_UNICODE_STRING
Definition casting.cpp:25
_UNICODE_STRING::Length
USHORT Length
Definition casting.cpp:26
_UNICODE_STRING::MaximumLength
USHORT MaximumLength
Definition casting.cpp:27
_UNICODE_STRING::Buffer
PWSTR Buffer
Definition casting.cpp:28

◆ UserAccessCheckForLoadedModuleDetails()

BOOLEAN UserAccessCheckForLoadedModuleDetails ( UINT32 CoreId)

Checks whether the loaded module is available or not.

Parameters
CoreId
Returns
BOOLEAN
855{
856 PUSERMODE_DEBUGGING_PROCESS_DETAILS ProcessDebuggingDetail;
857 UINT64 BaseAddress = (UINT64)NULL;
858 UINT64 Entrypoint = (UINT64)NULL;
859 PROCESSOR_DEBUGGING_STATE * DbgState = &g_DbgState[CoreId];
860
861 //
862 // Check if the callback needs to be handled or not
863 //
864 if (!g_IsWaitingForUserModeProcessEntryToBeCalled)
865 {
866 return FALSE;
867 }
868
869 //
870 // Find the thread debugging detail structure
871 //
872 ProcessDebuggingDetail =
873 AttachingFindProcessDebuggingDetailsByProcessId(HANDLE_TO_UINT32(PsGetCurrentProcessId()));
874
875 //
876 // Check if we find the debugging detail of the thread or not
877 //
878 if (ProcessDebuggingDetail == NULL)
879 {
880 return FALSE;
881 }
882
883 if (ProcessDebuggingDetail->EntrypointOfMainModule == (UINT64)NULL &&
884 ProcessDebuggingDetail->PebAddressToMonitor != (PVOID)NULL &&
885 CheckAccessValidityAndSafety((UINT64)ProcessDebuggingDetail->PebAddressToMonitor, sizeof(CHAR)) &&
886 UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot(ProcessDebuggingDetail->PebAddressToMonitor,
887 ProcessDebuggingDetail->Is32Bit,
888 &BaseAddress,
889 &Entrypoint))
890 {
891 if (Entrypoint != (UINT64)NULL)
892 {
893 ProcessDebuggingDetail->BaseAddressOfMainModule = BaseAddress;
894 ProcessDebuggingDetail->EntrypointOfMainModule = Entrypoint;
895
896 // LogInfo("Base: %016llx \t EntryPoint: %016llx", BaseAddress, Entrypoint);
897
898 //
899 // Handle entrypoint interception
900 //
901 AttachingHandleEntrypointInterception(DbgState);
902
903 return TRUE;
904 }
905 }
906
907 //
908 // Not available
909 //
910 return FALSE;
911}
CheckAccessValidityAndSafety
BOOLEAN CheckAccessValidityAndSafety(UINT64 TargetAddress, UINT32 Size)
Check the safety to access the memory.
Definition AddressCheck.c:156
AttachingFindProcessDebuggingDetailsByProcessId
PUSERMODE_DEBUGGING_PROCESS_DETAILS AttachingFindProcessDebuggingDetailsByProcessId(UINT32 ProcessId)
Find user-mode debugging details for threads by process Id.
Definition Attaching.c:187
AttachingHandleEntrypointInterception
VOID AttachingHandleEntrypointInterception(PROCESSOR_DEBUGGING_STATE *DbgState)
Handle the interception of finding the entrypoint on attaching to user-mode process.
Definition Attaching.c:436
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
CHAR
char CHAR
Definition BasicTypes.h:31
HANDLE_TO_UINT32
#define HANDLE_TO_UINT32(_var)
Definition MetaMacros.h:39
UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot
BOOLEAN UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot(PPEB PebAddress, BOOLEAN Is32Bit, PUINT64 BaseAddress, PUINT64 Entrypoint)
If the target process's main module is loaded, it fills the Entrypoint and the BaseAddress.
Definition UserAccess.c:245
g_DbgState
PROCESSOR_DEBUGGING_STATE * g_DbgState
Save the state and variables related to debugging on each to logical core.
Definition Global.h:17
g_IsWaitingForUserModeProcessEntryToBeCalled
BOOLEAN g_IsWaitingForUserModeProcessEntryToBeCalled
Whether the thread attaching mechanism is waiting for #DB or not.
Definition Global.h:158
_PROCESSOR_DEBUGGING_STATE
Saves the debugger state.
Definition State.h:165
_USERMODE_DEBUGGING_PROCESS_DETAILS
Description of each active thread in user-mode attaching mechanism.
Definition Attaching.h:49
_USERMODE_DEBUGGING_PROCESS_DETAILS::BaseAddressOfMainModule
UINT64 BaseAddressOfMainModule
Definition Attaching.h:59
_USERMODE_DEBUGGING_PROCESS_DETAILS::Is32Bit
BOOLEAN Is32Bit
Definition Attaching.h:62
_USERMODE_DEBUGGING_PROCESS_DETAILS::EntrypointOfMainModule
UINT64 EntrypointOfMainModule
Definition Attaching.h:58
_USERMODE_DEBUGGING_PROCESS_DETAILS::PebAddressToMonitor
PVOID PebAddressToMonitor
Definition Attaching.h:52

◆ UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot()

BOOLEAN UserAccessGetBaseAndEntrypointOfMainModuleIfLoadedInVmxRoot ( PPEB PebAddress,
BOOLEAN Is32Bit,
PUINT64 BaseAddress,
PUINT64 Entrypoint )

If the target process's main module is loaded, it fills the Entrypoint and the BaseAddress.

This function is safe to be called in vmx non-root

Parameters
PebAddress
Is32Bit
BaseAddress
Entrypoint
Returns
BOOLEAN
249{
250 if (Is32Bit)
251 {
252 PEB_LDR_DATA32 Ldr32 = {0};
253 PEB32 Peb32 = {0};
254 PPEB_LDR_DATA32 LdrAddress32 = NULL;
255
256 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)PebAddress, &Peb32, sizeof(PEB32));
257
258 LdrAddress32 = (PPEB_LDR_DATA32)Peb32.Ldr;
259
260 if (!LdrAddress32)
261 {
262 return FALSE;
263 }
264
265 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)LdrAddress32, &Ldr32, sizeof(PEB_LDR_DATA32));
266
267 PLIST_ENTRY32 List = (PLIST_ENTRY32)Ldr32.InLoadOrderModuleList.Flink;
268
269 PLDR_DATA_TABLE_ENTRY32 EntryAddress = CONTAINING_RECORD(List, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
270 LDR_DATA_TABLE_ENTRY32 Entry = {0};
271
272 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)EntryAddress, &Entry, sizeof(LDR_DATA_TABLE_ENTRY32));
273
274 if (Entry.DllBase == NULL_ZERO || Entry.EntryPoint == NULL_ZERO)
275 {
276 return FALSE;
277 }
278 else
279 {
280 *BaseAddress = Entry.DllBase;
281 *Entrypoint = Entry.EntryPoint;
282
283 return TRUE;
284 }
285 }
286 else
287 {
288 PPEB_LDR_DATA LdrAddress = NULL;
289 PEB_LDR_DATA Ldr = {0};
290
291 PEB Peb = {0};
292
293 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)PebAddress, &Peb, sizeof(PEB));
294
295 LdrAddress = (PPEB_LDR_DATA)Peb.Ldr;
296
297 if (!LdrAddress)
298 {
299 return FALSE;
300 }
301
302 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)LdrAddress, &Ldr, sizeof(PEB_LDR_DATA));
303
304 PLIST_ENTRY List = (PLIST_ENTRY)Ldr.ModuleListLoadOrder.Flink;
305
306 PLDR_DATA_TABLE_ENTRY EntryAddress = CONTAINING_RECORD(List, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
307 LDR_DATA_TABLE_ENTRY Entry = {0};
308
309 MemoryMapperReadMemorySafeOnTargetProcess((UINT64)EntryAddress, &Entry, sizeof(LDR_DATA_TABLE_ENTRY));
310
311 // LogInfo("base: %llx | entry: %llx", Entry.DllBase, Entry.EntryPoint);
312
313 if (Entry.DllBase == NULL || Entry.EntryPoint == NULL)
314 {
315 return FALSE;
316 }
317 else
318 {
319 *BaseAddress = (UINT64)Entry.DllBase;
320 *Entrypoint = (UINT64)Entry.EntryPoint;
321
322 return TRUE;
323 }
324 }
325}
NULL_ZERO
#define NULL_ZERO
Definition BasicTypes.h:51
MemoryMapperReadMemorySafeOnTargetProcess
_Use_decl_annotations_ BOOLEAN MemoryMapperReadMemorySafeOnTargetProcess(UINT64 VaAddressToRead, PVOID BufferToSaveMemory, SIZE_T SizeToRead)
Read memory safely by mapping the buffer on the target process memory (It's a wrapper)
Definition MemoryMapper.c:1120
PPEB_LDR_DATA32
struct _PEB_LDR_DATA32 * PPEB_LDR_DATA32
PPEB_LDR_DATA
struct _PEB_LDR_DATA * PPEB_LDR_DATA
test-case-generator.NULL
NULL()
Definition test-case-generator.py:530
_LDR_DATA_TABLE_ENTRY32
LDR Data Table 32-bit.
Definition UserAccess.h:122
_LDR_DATA_TABLE_ENTRY32::DllBase
ULONG DllBase
Definition UserAccess.h:126
_LDR_DATA_TABLE_ENTRY32::EntryPoint
ULONG EntryPoint
Definition UserAccess.h:127
_LDR_DATA_TABLE_ENTRY
LDR Data Table 64-bit.
Definition UserAccess.h:143
_LDR_DATA_TABLE_ENTRY::EntryPoint
PVOID EntryPoint
Definition UserAccess.h:148
_LDR_DATA_TABLE_ENTRY::DllBase
PVOID DllBase
Definition UserAccess.h:147
_PEB32
PEB 32-bit.
Definition UserAccess.h:82
_PEB32::Ldr
ULONG Ldr
Definition UserAccess.h:89
_PEB_LDR_DATA32
LDR Data 32-bit.
Definition UserAccess.h:108
_PEB_LDR_DATA32::InLoadOrderModuleList
LIST_ENTRY32 InLoadOrderModuleList
Definition UserAccess.h:112
_PEB_LDR_DATA
PEB LDR Data.
Definition UserAccess.h:23
_PEB_LDR_DATA::ModuleListLoadOrder
LIST_ENTRY ModuleListLoadOrder
Definition UserAccess.h:27
_PEB
PEB 64-bit.
Definition UserAccess.h:55
_PEB::Ldr
PPEB_LDR_DATA Ldr
Definition UserAccess.h:60

◆ UserAccessGetLoadedModules()

BOOLEAN UserAccessGetLoadedModules ( PUSERMODE_LOADED_MODULE_DETAILS ProcessLoadedModuleRequest,
UINT32 BufferSize )

Get details about loaded modules.

This function should be called in vmx non-root

Parameters
ProcessLoadedModuleRequest
BufferSize
Returns
BOOLEAN
780{
781 PEPROCESS SourceProcess;
782 BOOLEAN Is32Bit;
783
784 if (PsLookupProcessByProcessId((HANDLE)ProcessLoadedModuleRequest->ProcessId, &SourceProcess) != STATUS_SUCCESS)
785 {
786 //
787 // if the process not found
788 //
789 ProcessLoadedModuleRequest->Result = DEBUGGER_ERROR_INVALID_PROCESS_ID;
790 return FALSE;
791 }
792
793 ObDereferenceObject(SourceProcess);
794
795 //
796 // check whether the target process is 32-bit or 64-bit
797 //
798 if (!UserAccessIsWow64Process((HANDLE)ProcessLoadedModuleRequest->ProcessId, &Is32Bit))
799 {
800 //
801 // Unable to detect whether it's 32-bit or 64-bit
802 //
803 ProcessLoadedModuleRequest->Result = DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS;
804 return FALSE;
805 }
806
807 //
808 // Indicate that the process is x86
809 //
810 ProcessLoadedModuleRequest->Is32Bit = Is32Bit;
811
812 if (Is32Bit)
813 {
814 //
815 // x86 process, walk x86 module list
816 //
817 if (UserAccessPrintLoadedModulesX86(SourceProcess,
818 ProcessLoadedModuleRequest->OnlyCountModules,
819 &ProcessLoadedModuleRequest->ModulesCount,
820 (USERMODE_LOADED_MODULE_SYMBOLS *)((UINT64)ProcessLoadedModuleRequest + sizeof(USERMODE_LOADED_MODULE_DETAILS)),
821 BufferSize - sizeof(USERMODE_LOADED_MODULE_DETAILS)))
822 {
823 ProcessLoadedModuleRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
824 return TRUE;
825 }
826 }
827 else
828 {
829 //
830 // x64 process, walk x64 module list
831 //
832 if (UserAccessPrintLoadedModulesX64(SourceProcess,
833 ProcessLoadedModuleRequest->OnlyCountModules,
834 &ProcessLoadedModuleRequest->ModulesCount,
835 (USERMODE_LOADED_MODULE_SYMBOLS *)((UINT64)ProcessLoadedModuleRequest + sizeof(USERMODE_LOADED_MODULE_DETAILS)),
836 BufferSize - sizeof(USERMODE_LOADED_MODULE_DETAILS)))
837 {
838 ProcessLoadedModuleRequest->Result = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
839 return TRUE;
840 }
841 }
842
843 ProcessLoadedModuleRequest->Result = DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS;
844 return FALSE;
845}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
#define DEBUGGER_ERROR_UNABLE_TO_GET_MODULES_OF_THE_PROCESS
error, unable to get modules
Definition ErrorCodes.h:374
DEBUGGER_ERROR_INVALID_PROCESS_ID
#define DEBUGGER_ERROR_INVALID_PROCESS_ID
error, the process id is invalid
Definition ErrorCodes.h:220
DEBUGGER_OPERATION_WAS_SUCCESSFUL
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
UserAccessPrintLoadedModulesX86
BOOLEAN UserAccessPrintLoadedModulesX86(PEPROCESS Proc, BOOLEAN OnlyCountModules, PUINT32 ModulesCount, PUSERMODE_LOADED_MODULE_SYMBOLS ModulesList, UINT32 SizeOfBufferForModulesList)
Gets the loaded modules details from PEB (x86)
Definition UserAccess.c:488
UserAccessPrintLoadedModulesX64
BOOLEAN UserAccessPrintLoadedModulesX64(PEPROCESS Proc, BOOLEAN OnlyCountModules, PUINT32 ModulesCount, PUSERMODE_LOADED_MODULE_SYMBOLS ModulesList, UINT32 SizeOfBufferForModulesList)
Gets the loaded modules details from PEB.
Definition UserAccess.c:339
UserAccessIsWow64Process
BOOLEAN UserAccessIsWow64Process(HANDLE ProcessId, PBOOLEAN Is32Bit)
Detects whether process is 32-bit or 64-bit.
Definition UserAccess.c:753
_USERMODE_LOADED_MODULE_DETAILS
Definition Symbols.h:47
_USERMODE_LOADED_MODULE_DETAILS::Result
UINT32 Result
Definition Symbols.h:52
_USERMODE_LOADED_MODULE_DETAILS::ModulesCount
UINT32 ModulesCount
Definition Symbols.h:51
_USERMODE_LOADED_MODULE_DETAILS::ProcessId
UINT32 ProcessId
Definition Symbols.h:48
_USERMODE_LOADED_MODULE_DETAILS::Is32Bit
BOOLEAN Is32Bit
Definition Symbols.h:50
_USERMODE_LOADED_MODULE_DETAILS::OnlyCountModules
BOOLEAN OnlyCountModules
Definition Symbols.h:49
_USERMODE_LOADED_MODULE_SYMBOLS
Definition Symbols.h:39

◆ UserAccessIsWow64Process()

BOOLEAN UserAccessIsWow64Process ( HANDLE ProcessId,
PBOOLEAN Is32Bit )

Detects whether process is 32-bit or 64-bit.

This function should be called in vmx non-root

Parameters
ProcessId
Is32Bit
Returns
BOOLEAN
754{
755 PEPROCESS SourceProcess;
756
757 if (PsLookupProcessByProcessId(ProcessId, &SourceProcess) != STATUS_SUCCESS)
758 {
759 //
760 // if the process not found
761 //
762 return FALSE;
763 }
764
765 ObDereferenceObject(SourceProcess);
766
767 return UserAccessIsWow64ProcessByEprocess(SourceProcess, Is32Bit);
768}
UserAccessIsWow64ProcessByEprocess
BOOLEAN UserAccessIsWow64ProcessByEprocess(PEPROCESS SourceProcess, PBOOLEAN Is32Bit)
Detects whether process is 32-bit or 64-bit by using EPROCESS pointer.
Definition UserAccess.c:711

◆ UserAccessIsWow64ProcessByEprocess()

BOOLEAN UserAccessIsWow64ProcessByEprocess ( PEPROCESS SourceProcess,
PBOOLEAN Is32Bit )

Detects whether process is 32-bit or 64-bit by using EPROCESS pointer.

This function should be called in vmx non-root

Parameters
SourceProcess
Is32Bit
Returns
BOOLEAN
712{
713 if (g_PsGetProcessWow64Process == NULL || g_PsGetProcessPeb == NULL)
714 {
715 return FALSE;
716 }
717
718 if (g_PsGetProcessWow64Process(SourceProcess))
719 {
720 //
721 // x86 process, walk x86 module list
722 //
723
724 *Is32Bit = TRUE;
725
726 return TRUE;
727 }
728 else if (g_PsGetProcessPeb(SourceProcess))
729 {
730 //
731 // x64 process, walk x64 module list
732 //
733 *Is32Bit = FALSE;
734
735 return TRUE;
736 }
737 else
738 {
739 return FALSE;
740 }
741}
g_PsGetProcessPeb
PsGetProcessPeb g_PsGetProcessPeb
Address of PsGetProcessPeb.
Definition UserAccess.h:193
g_PsGetProcessWow64Process
PsGetProcessWow64Process g_PsGetProcessWow64Process
Address of PsGetProcessWow64Process.
Definition UserAccess.h:199

Variable Documentation

◆ g_PsGetProcessPeb

PsGetProcessPeb g_PsGetProcessPeb

Address of PsGetProcessPeb.

◆ g_PsGetProcessWow64Process

PsGetProcessWow64Process g_PsGetProcessWow64Process

Address of PsGetProcessWow64Process.

◆ g_ZwQueryInformationProcess

ZwQueryInformationProcess g_ZwQueryInformationProcess

Address of ZwQueryInformationProcess.