Routines for common tasks in debugger. More...

Classes
struct	_NT_KPROCESS
	KPROCESS Brief structure. More...

Macros
#define	KGDT64_NULL (0 * 16)

#define	KGDT64_R0_CODE (1 * 16)

#define	KGDT64_R0_DATA (1 * 16) + 8

#define	KGDT64_R3_CMCODE (2 * 16)

#define	KGDT64_R3_DATA (2 * 16) + 8

#define	KGDT64_R3_CODE (3 * 16)

#define	KGDT64_SYS_TSS (4 * 16)

#define	KGDT64_R3_CMTEB (5 * 16)

#define	KGDT64_R0_CMCODE (6 * 16)

#define	KGDT64_LAST (7 * 16)

Typedefs
typedef struct _NT_KPROCESS	NT_KPROCESS
	KPROCESS Brief structure.

typedef struct _NT_KPROCESS *	PNT_KPROCESS

typedef enum _PROCESS_KILL_METHODS	PROCESS_KILL_METHODS
	Different methods of killing a process.

Enumerations
enum	_PROCESS_KILL_METHODS { PROCESS_KILL_METHOD_1 = 0 , PROCESS_KILL_METHOD_2 , PROCESS_KILL_METHOD_3 }
	Different methods of killing a process. More...

Functions
UCHAR *	PsGetProcessImageFileName (IN PEPROCESS Process)

PVOID	PsGetProcessSectionBaseAddress (PEPROCESS Process)

NTKERNELAPI NTSTATUS NTAPI	SeCreateAccessState (PACCESS_STATE AccessState, PVOID AuxData, ACCESS_MASK DesiredAccess, PGENERIC_MAPPING Mapping)

NTKERNELAPI VOID NTAPI	SeDeleteAccessState (PACCESS_STATE AccessState)

NTSTATUS	MmUnmapViewOfSection (PEPROCESS Process, PVOID BaseAddress)

BOOLEAN	CommonIsProcessExist (UINT32 ProcId)
	Checks whether the process with ProcId exists or not.

PCHAR	CommonGetProcessNameFromProcessControlBlock (PEPROCESS Eprocess)
	Get process name by eprocess.

BOOLEAN	CommonKillProcess (UINT32 ProcessId, PROCESS_KILL_METHODS KillingMethod)
	Kill a user-mode process with different methods.

BOOLEAN	CommonValidateCoreNumber (UINT32 CoreNumber)
	Validate core number.

Detailed Description

Routines for common tasks in debugger.

Author: Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version: 0.2

Date: 2023-01-22

Copyright: This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ KGDT64_LAST

#define KGDT64_LAST (7 * 16)

◆ KGDT64_NULL

#define KGDT64_NULL (0 * 16)

◆ KGDT64_R0_CMCODE

#define KGDT64_R0_CMCODE (6 * 16)

◆ KGDT64_R0_CODE

#define KGDT64_R0_CODE (1 * 16)

◆ KGDT64_R0_DATA

#define KGDT64_R0_DATA (1 * 16) + 8

◆ KGDT64_R3_CMCODE

#define KGDT64_R3_CMCODE (2 * 16)

◆ KGDT64_R3_CMTEB

#define KGDT64_R3_CMTEB (5 * 16)

◆ KGDT64_R3_CODE

#define KGDT64_R3_CODE (3 * 16)

◆ KGDT64_R3_DATA

#define KGDT64_R3_DATA (2 * 16) + 8

◆ KGDT64_SYS_TSS

#define KGDT64_SYS_TSS (4 * 16)

Typedef Documentation

◆ NT_KPROCESS

typedef struct _NT_KPROCESS NT_KPROCESS

KPROCESS Brief structure.

◆ PNT_KPROCESS

typedef struct _NT_KPROCESS * PNT_KPROCESS

◆ PROCESS_KILL_METHODS

typedef enum _PROCESS_KILL_METHODS PROCESS_KILL_METHODS

Different methods of killing a process.

Enumeration Type Documentation

◆ _PROCESS_KILL_METHODS

enum _PROCESS_KILL_METHODS

Different methods of killing a process.

Enumerator
PROCESS_KILL_METHOD_1
PROCESS_KILL_METHOD_2
PROCESS_KILL_METHOD_3

{
    PROCESS_KILL_METHOD_1 = 0,
    PROCESS_KILL_METHOD_2,
    PROCESS_KILL_METHOD_3,
 
} PROCESS_KILL_METHODS;

Function Documentation

◆ CommonGetProcessNameFromProcessControlBlock()

PCHAR CommonGetProcessNameFromProcessControlBlock ( PEPROCESS Eprocess )

Get process name by eprocess.

Parameters

Eprocess Process eprocess

Returns: PCHAR Returns a pointer to the process name

{
    PCHAR Result = 0;
 
    //
    // We can't use PsLookupProcessByProcessId as in pageable and not
    // work on vmx-root
    //
    Result = (CHAR *)PsGetProcessImageFileName(Eprocess);
 
    return Result;
}

◆ CommonIsProcessExist()

BOOLEAN CommonIsProcessExist ( UINT32 ProcId )

Checks whether the process with ProcId exists or not.

this function should NOT be called from vmx-root mode

Parameters

UINT32 ProcId

Returns: BOOLEAN Returns true if the process exists and false if it the process doesn't exist

{
    PEPROCESS TargetEprocess;
 
    if (PsLookupProcessByProcessId((HANDLE)ProcId, &TargetEprocess) != STATUS_SUCCESS)
    {
        //
        // There was an error, probably the process id was not found
        //
        return FALSE;
    }
    else
    {
        ObDereferenceObject(TargetEprocess);
 
        return TRUE;
    }
}

◆ CommonKillProcess()

BOOLEAN CommonKillProcess	(	UINT32	ProcessId,
		PROCESS_KILL_METHODS	KillingMethod )

Kill a user-mode process with different methods.

Parameters

ProcessId
KillingMethod

Returns: BOOLEAN

{
    NTSTATUS  Status        = STATUS_SUCCESS;
    HANDLE    ProcessHandle = NULL;
    PEPROCESS Process       = NULL;
 
    if (ProcessId == NULL_ZERO)
    {
        return FALSE;
    }
 
    switch (KillingMethod)
    {
    case PROCESS_KILL_METHOD_1:
 
        Status = CommonGetHandleFromProcess(ProcessId, &ProcessHandle);
 
        if (!NT_SUCCESS(Status) || ProcessHandle == NULL)
        {
            return FALSE;
        }
 
        //
        // Call ZwTerminateProcess with NULL handle
        //
        Status = ZwTerminateProcess(ProcessHandle, 0);
 
        if (!NT_SUCCESS(Status))
        {
            return FALSE;
        }
 
        break;
 
    case PROCESS_KILL_METHOD_2:
 
        CommonUndocumentedNtOpenProcess(
            &ProcessHandle,
            PROCESS_ALL_ACCESS,
            (HANDLE)ProcessId,
            KernelMode);
 
        if (ProcessHandle == NULL)
        {
            return FALSE;
        }
 
        //
        // Call ZwTerminateProcess with NULL handle
        //
        Status = ZwTerminateProcess(ProcessHandle, 0);
 
        if (!NT_SUCCESS(Status))
        {
            return FALSE;
        }
 
        break;
 
    case PROCESS_KILL_METHOD_3:
 
        //
        // Get the base address of process's executable image and unmap it
        //
        Status = MmUnmapViewOfSection(Process, PsGetProcessSectionBaseAddress(Process));
 
        //
        // Dereference the target process
        //
        ObDereferenceObject(Process);
 
        break;
 
    default:
 
        //
        // Unknown killing method
        //
        return FALSE;
        break;
    }
 
    //
    // If we reached here, it means the functionality of
    // the above codes was successful
    //
    return TRUE;
}

◆ CommonValidateCoreNumber()

BOOLEAN CommonValidateCoreNumber ( UINT32 CoreNumber )

Validate core number.

Parameters

CoreNumber

Returns: BOOLEAN

{
    ULONG ProcessorsCount;
 
    ProcessorsCount = KeQueryActiveProcessorCount(0);
 
    if (CoreNumber >= ProcessorsCount)
    {
        return FALSE;
    }
    else
    {
        return TRUE;
    }
}

◆ MmUnmapViewOfSection()

NTSTATUS MmUnmapViewOfSection	(	PEPROCESS	Process,
		PVOID	BaseAddress )

◆ PsGetProcessImageFileName()

UCHAR * PsGetProcessImageFileName ( IN PEPROCESS Process )

◆ PsGetProcessSectionBaseAddress()

PVOID PsGetProcessSectionBaseAddress ( PEPROCESS Process )

◆ SeCreateAccessState()

NTKERNELAPI NTSTATUS NTAPI SeCreateAccessState	(	PACCESS_STATE	AccessState,
		PVOID	AuxData,
		ACCESS_MASK	DesiredAccess,
		PGENERIC_MAPPING	Mapping )

◆ SeDeleteAccessState()

NTKERNELAPI VOID NTAPI SeDeleteAccessState ( PACCESS_STATE AccessState )

Classes

Macros

Typedefs

Enumerations

Functions

Detailed Description

Macro Definition Documentation

◆ KGDT64_LAST

◆ KGDT64_NULL

◆ KGDT64_R0_CMCODE

◆ KGDT64_R0_CODE

◆ KGDT64_R0_DATA

◆ KGDT64_R3_CMCODE

◆ KGDT64_R3_CMTEB

◆ KGDT64_R3_CODE

◆ KGDT64_R3_DATA

◆ KGDT64_SYS_TSS

Typedef Documentation

◆ NT_KPROCESS

◆ PNT_KPROCESS

◆ PROCESS_KILL_METHODS

Enumeration Type Documentation

◆ _PROCESS_KILL_METHODS

Function Documentation

◆ CommonGetProcessNameFromProcessControlBlock()

◆ CommonIsProcessExist()

◆ CommonKillProcess()

◆ CommonValidateCoreNumber()

◆ MmUnmapViewOfSection()

◆ PsGetProcessImageFileName()

◆ PsGetProcessSectionBaseAddress()

◆ SeCreateAccessState()

◆ SeDeleteAccessState()