0

I'm trying to find a process id by its image name name from kernel mode (Windows). My code is working, but newly created processes sometimes show up delayed/can't be found (up to 60 seconds after their creation). My code looks as follows:

void WaitForProcess()
{
    LARGE_INTEGER delay;
    HANDLE value = 0;

    delay.QuadPart = -20000000;

    while (!value)
    {
        fpDbgPrintEx(0, 0, "Search\n");

        fpKeDelayExecutionThread(KernelMode, FALSE, &delay); //Sleep for 2 seconds, then retry
        value = HkGetProcessId(675793765); //notepad.exe
    }
}

HANDLE GetProcessId(DWORD processHash)
{
    HANDLE retVal = 0;
    ULONG retLen = 0;
    PSYSTEM_PROCESS_INFORMATION processInfo;
    PVOID infoBuf = NULL;
    WCHAR processName[256];

    fpZwQuerySystemInformation(SystemProcessInformation, 0, 0, &retLen);

    if (!retLen)
        goto Done;

    if (!(infoBuf = fpExAllocatePool(NonPagedPool, retLen)))
        goto Done;

    processInfo = infoBuf;

    if (!NT_SUCCESS(fpZwQuerySystemInformation(SystemProcessInformation, processInfo, retLen, &retLen)))
        goto Done;

    while (processInfo->NextEntryOffset)
    {
        if (processInfo->ImageName.Buffer && (processInfo->ImageName.Length / sizeof(WCHAR)) < 256)
        {
            RtlZeroMemory(processName, 256 * sizeof(WCHAR));
            memcpy(processName, processInfo->ImageName.Buffer, processInfo->ImageName.Length);
            processName[(processInfo->ImageName.Length) / sizeof(WCHAR)] = '\0';

            fpDbgPrintEx(0, 0, "Process: %wZ\n", &processInfo->ImageName);

            if (HashString(processName) == processHash)
            {
                retVal = processInfo->UniqueProcessId;
                break;
            }
        }

        processInfo = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)processInfo + processInfo->NextEntryOffset);
    }

Done:

    if (infoBuf)
        fpExFreePool(infoBuf);

    return retVal;
}

Why does this delay exist? And is there a way to enumerate all processes in real time? Any help is appreciated!

Louis Bernard
  • 229
  • 4
  • 20
  • 3
    `while (processInfo->NextEntryOffset)` this is your error. loop must be `do {.. } while (processInfo->NextEntryOffset)`. with current loop you lost last entry - this is exactly just new created process. and you not got it until it became not last in system – RbMm Aug 20 '22 at 12:56
  • Yes, you're right. What a simple mistake. – Louis Bernard Aug 20 '22 at 13:12
  • exist and another mistakes in your code, but exactly this produce your error – RbMm Aug 20 '22 at 13:18
  • What other mistakes are in my code if I may ask? – Louis Bernard Aug 20 '22 at 13:23
  • 1
    you called `ZwQuerySystemInformation` 2 time (in src code) - what will be if between 2 calls - even single new thread created in system ? `retLen` will be already not big enouth and second call also fail. also - you not check return code of first call to `ZwQuerySystemInformation`. really all code is wrong. you need call `ZwQuerySystemInformation` only once but **in loop**. you always need check return status. if you have previous mode kernel - need use Nt instead Zw and so on – RbMm Aug 20 '22 at 13:27
  • 1
    correct code must look like - https://pastebin.com/ZiR32TNt note only single call to `NtQuerySystemInformation` but in loop. Nt but not Zw, how is loop handled. etc – RbMm Aug 20 '22 at 13:41

0 Answers0