PsLookupProcessByProcessId with DWORD pid? Parameter 1 requires HANDLE?

Question

How do I go about using the function PsLookupProcessByProcessId() with a process id (DWORD pid) that I obtained from user-space?

I coded a user-space c++ application that gets the process id of another application (calc.exe for example) and using DeviceIoControl I can successfully send to the driver the pid through a struct I created.

DbgPrint("PID received : %i", pInp->pid);

Prints out the correct pid for the process. But when doing:

 PsLookupProcessByProcessId(pInp->pid, eProcess);

I receive the warning:

C4022: 'PsLookupProcessByProcessId': pointer mismatch for actual parameter 1

The warning gets treated as an error and vs wont let me compile. I looked up the documentation for 'PsLookupProcessByProcessId' and it says it requires a 'handle' for the first parameter. So, in that case, how would I go about getting the handle with a DWORD pid sent from the user-space application?

You need to declare `pInp->pid` to be of type `HANDLE`. The second parameter looks to be wrong too. You need to pass the address of your `PEPROCESS` variable surely. — David Heffernan, Feb 21 '15 at 08:51
@ThePara that's a user mode function. This is a kernel mode question. — David Heffernan, Feb 21 '15 at 08:53

score 1 · Answer 1 · answered Feb 27 '15 at 18:27

1

PEPROCESS eProcess = NULL; 
PsLookupProcessByProcessId((HANDLE)pInp->pid, &eProcess);

"Specifies the process ID of the process." -> HANDLE could sound confusing, in this case it's not a true "HANDLE" object.

answered Feb 27 '15 at 18:27

julio uniqum

58
6

PsLookupProcessByProcessId with DWORD pid? Parameter 1 requires HANDLE?

1 Answers1