  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2285

Setting PROCESS_DEVICEMAP_INFORMATION using ZwSetInformationProcess.

Hi

I am using an undocumented API in ntdll.dll, and I have a problem.

--- Header file ---
namespace NT {
    extern "C" {

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID ProcessInformation,
    IN ULONG ProcessInformationLength
    );
...
--- Source file ---
#include <windows.h>
#include <string.h>

STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);

// CreateProcess returns a BOOL (success flag), not a process id; the new process
// handle comes back in pi.hProcess. The command line must be a writable buffer.
char cmdLine[] = "\\windows\\notepad.exe";
BOOL created = CreateProcess(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

NT::PROCESS_DEVICEMAP_INFORMATION pdi;
ULONG size = 0;

// Query succeeds when given the whole structure...
NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessDeviceMap, &pdi, sizeof(pdi), &size);
// ...but Set with the same length fails with STATUS_INFO_LENGTH_MISMATCH (the problem described below).
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessDeviceMap, &pdi, sizeof(pdi));
-------------------

I can get the process device map information correctly.
BUT I can't get the size of the device map, and I can't set it with ZwSetInformationProcess.
The error code (stat2) is 0xC0000004L, which means STATUS_INFO_LENGTH_MISMATCH.


For reference, here is working code using ZwQueryInformationProcess and ZwSetInformationProcess.

--- Source file ---
ULONG size=0;
NT::QUOTA_LIMITS ql;

NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessQuotaLimits,  &ql, sizeof(ql), &size);
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessQuotaLimits, &ql, sizeof(ql));
-------------------
In this case, I can get the quota limits and set them.

Do you have any solution to this?
Any help appreciated.

Thanks.
Asked by: shield_knight

1 Solution
DanRollins commented:
Are you certain you are using the correct parameters?  After all, these are undocumented functions!  Do you have a link to a website that provides a complete reference so I can check it out?

Perhaps your definition of
    NT::PROCESS_DEVICEMAP_INFORMATION
in the header is incorrect.  Or perhaps you need to pass in the size that was obtained in the previous call.

-- Dan

shield_knight (Author) commented:
Thank you for your help.

This is the definition of PROCESS_DEVICEMAP_INFORMATION.
It is based on "Windows NT/2000 Native API Reference" by Gary Nebbett.

---
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;   /* used by ZwSetInformationProcess */
        } Set;
        struct {
            ULONG DriveMap;           /* bitmask of mapped drive letters */
            UCHAR DriveType[32];      /* type of each drive letter */
        } Query;                      /* filled by ZwQueryInformationProcess */
    };
} PROCESS_DEVICEMAP_INFORMATION;
---

And this is the definition of NT::ProcessDeviceMap.
It comes from ntddk.h.

---
typedef enum _PROCESSINFOCLASS {
...
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,  // 23
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
...
    } PROCESSINFOCLASS;
---

Is there any mistake?

Thanks.

DanRollins commented:
I can't find the documentation for ProcessDeviceMap.

I did reproduce the problem and I found this: if you send in 4 (rather than 24) as the size parameter, then you will get back a different error (0xc0000008), which is
     STATUS_INVALID_HANDLE
This could indicate that the
    ZwSetInformationProcess(h, ProcessDeviceMap, &pdi, 4)
*might* allow you to set the DirectoryHandle if you happened to have a valid one.
    pdi.Set.DirectoryHandle= hDir;

(note that I tried using the HANDLE obtained via CreateFile for a directory, and got back STATUS_OBJECT_TYPE_MISMATCH).

Knowing that the Query function can return two kinds of info -- the
    directory handle
for the process and a
    drivemap bitmap + DriveType list
and judging from the names of the union in the PROCESS_DEVICEMAP_INFORMATION record (Set and Query) I think it is now pretty obvious:

When calling Query, you can get back a drive map, but when calling Set, you can only set the DirectoryHandle for the process (whatever that is).

So there is the answer.

-- Dan

shield_knight (Author) commented:
Thank you Dan.

I can set ProcessDeviceMap like this.

----
// Set consumes only the DirectoryHandle member, so pass just that handle and its own size
// (4 bytes on 32-bit Windows). "op" is the target process handle from earlier in the code.
HANDLE h = pdi.Set.DirectoryHandle;
...
NTSTATUS stat2 = NT::ZwSetInformationProcess(op, NT::ProcessDeviceMap, &h, sizeof(h));
-----
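The two comments above (the explanation of the Set/Query split and the final working call) come down to one rule: Query fills the 36-byte Query member, while Set accepts only the DirectoryHandle member, and the length passed must match exactly. The program below is an added example, not code from the thread or from Gary Nebbett's book. It assumes the struct layout posted above, the ProcessDeviceMap class value 23 from the thread, that NtQueryInformationProcess is the exported name to resolve from ntdll.dll at run time, and that DriveMap bit n stands for drive letter 'A' + n. The type stand-ins for non-Windows builds are also an assumption made so that the layout arithmetic and the length check can be compiled and tested anywhere; the live query only runs on Windows.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

#ifdef _WIN32
#include <windows.h>
typedef LONG NTSTATUS;
#else
// Assumed stand-ins with the same widths as the Windows types, so the layout
// arithmetic and the length check compile and run on any platform.
typedef void*    HANDLE;
typedef uint32_t ULONG;
typedef uint8_t  UCHAR;
typedef int32_t  NTSTATUS;
#endif

static const NTSTATUS kStatusSuccess            = 0;
static const NTSTATUS kStatusInfoLengthMismatch = (NTSTATUS)0xC0000004L;  // code seen in the question
static const ULONG    kProcessDeviceMap         = 23;                     // PROCESSINFOCLASS value from the thread

// Layout posted in the thread (field name corrected to DirectoryHandle).
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct { HANDLE DirectoryHandle; } Set;                 // consumed by ZwSetInformationProcess
        struct { ULONG DriveMap; UCHAR DriveType[32]; } Query;  // filled by ZwQueryInformationProcess
    };
} PROCESS_DEVICEMAP_INFORMATION;

// Length to pass on the Set path: only the DirectoryHandle member (4 bytes on 32-bit, 8 on 64-bit).
size_t devicemap_set_length() {
    PROCESS_DEVICEMAP_INFORMATION pdi;
    return sizeof(pdi.Set);
}

// Length to pass on the Query path: the DriveMap bitmask plus the 32-entry DriveType array.
size_t devicemap_query_length() {
    PROCESS_DEVICEMAP_INFORMATION pdi;
    return sizeof(pdi.Query);
}

// Model of the exact-length check behind STATUS_INFO_LENGTH_MISMATCH: passing sizeof(pdi)
// (the whole union) on the Set path is rejected; the Set member's size alone is accepted.
NTSTATUS check_set_length(size_t length) {
    return length == devicemap_set_length() ? kStatusSuccess : kStatusInfoLengthMismatch;
}

// Decode Query.DriveMap: bit n set means drive letter 'A' + n is mapped for the process.
// Writes the letters as a NUL-terminated string into out (cap bytes) and returns the count written.
size_t drive_letters_from_map(ULONG map, char* out, size_t cap) {
    size_t n = 0;
    for (unsigned bit = 0; bit < 26 && n + 1 < cap; ++bit) {
        if (map & (1u << bit)) out[n++] = (char)('A' + bit);
    }
    out[n] = '\0';
    return n;
}

#ifdef _WIN32
// Resolve the exported Nt* name at run time instead of linking against an undocumented import.
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

// Query the device map of `process`; returns the NTSTATUS and fills out->Query on success.
NTSTATUS query_device_map(HANDLE process, PROCESS_DEVICEMAP_INFORMATION* out) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return (NTSTATUS)0xC0000139L;  // STATUS_ENTRYPOINT_NOT_FOUND
    NtQueryInformationProcess_t fn =
        (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (!fn) return (NTSTATUS)0xC0000139L;
    memset(out, 0, sizeof(*out));
    ULONG returned = 0;
    return fn(process, kProcessDeviceMap, &out->Query, (ULONG)devicemap_query_length(), &returned);
}
#endif

int main() {
    printf("Set length = %zu, Query length = %zu, whole union = %zu\n",
           devicemap_set_length(), devicemap_query_length(), sizeof(PROCESS_DEVICEMAP_INFORMATION));
    printf("check_set_length(sizeof(pdi)) = 0x%08X\n",
           (unsigned)check_set_length(sizeof(PROCESS_DEVICEMAP_INFORMATION)));
#ifdef _WIN32
    PROCESS_DEVICEMAP_INFORMATION pdi;
    NTSTATUS st = query_device_map(GetCurrentProcess(), &pdi);
    if (st == kStatusSuccess) {
        char letters[27];
        drive_letters_from_map(pdi.Query.DriveMap, letters, sizeof letters);
        printf("Mapped drives: %s\n", letters);
    } else {
        printf("NtQueryInformationProcess failed: 0x%08X\n", (unsigned)st);
    }
#endif
    return 0;
}
```

Note that the Set length differs between 32-bit and 64-bit builds because it is the size of a HANDLE, which is why passing sizeof(h) rather than a hard-coded 4 is the safer habit; the Query length stays 36 on both.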
