Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

I have this peace of code as part of driver. This driver is for Windows 7 x64, so it executes on the same system.

PVOID GetProcessInformation(ULONG PID)
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    HANDLE hProcess;
    PEPROCESS pProcess = NULL;
    PVOID pProcInfo = NULL;
    ULONG ulRet = 0;
    if ((pProcInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_BASIC_INFORMATION), 'QPI')) == NULL)
        DbgPrint("ExAllocatePoolWithTag failed");
        return NULL;
    ntStatus = PsLookupProcessByProcessId(PID, &pProcess);
    if (!NT_SUCCESS(ntStatus))
        DbgPrint("PsLookupProcessByProcessId Returned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    ntStatus = ObOpenObjectByPointer(pProcess, 0, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(ntStatus))
        DbgPrint("ObOpenObjectByPointer sReturned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    ObDereferenceObject(pProcess);
    ntStatus = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pProcInfo, sizeof(PROCESS_BASIC_INFORMATION), &ulRet);
    if (!NT_SUCCESS(ntStatus))
        DbgPrint("ZwQueryInformationProcess Returned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    if (ulRet != sizeof(PROCESS_BASIC_INFORMATION))
        DbgPrint("Warning : ZwQueryInformationProcess Returned Length is different than ProcessInformationLength");
    return pProcInfo;
PROCESS_BASIC_INFORMATION defined in ntddk. PID value is correct. But result of ZwQueryInformationProcess is odd. I get only lower part of PEB address (PPEB part in PROCESS_BASIC_INFORMATION structure). For example, another tool says PPEB is equal to 0x000007FFFFFDC000. My drivers knows only  0xFFFDC000.
Also i try PsGetprocessPeb(...) function, with the same result. ZwQueryInformationProcess function is successed.
Corrected:

To address the I get only lower part of PEB address part of your question,

because pProcess is a pointer, use the pointer format specifier: %p.
ntStatus = PsLookupProcessByProcessId(PID, &pProcess);
// your error handling code
printf("PsLookupProcessByProcessId: 0x%p\n", pProcess);
The "%p" pointer format specifier displays the argument as a hexadecimal address.
                Thank you for an answer and for solution. I need to use long long type variable to store address on a application side?
– Thomas Andersen
                Apr 24, 2019 at 17:16
                PEPROCESS is a pointer type (a pointer to an EPROCESS structure). To print a pointer type, use the p format specifier. long long (as well as %llx) is wrong for 2 reasons: long long is signed (a pointer isn't), and it has the wrong size on a 32-bit build.
– IInspectable
                Apr 25, 2019 at 10:03
                @IInspectable - I should have had my coffee before answering yesterday!  Thank you for pointing out my error.  It has been corrected.
– ryyker
                Apr 25, 2019 at 13:47
                @ThomasAndersen - Please note the correction to this answer.  %llx is not the right way to print an address pointer variable.  Sorry for that mistake.
– ryyker
                Apr 25, 2019 at 13:57
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.