shield_knight
asked on
Setting PROCESS_DEVICEMAP_INFORMATION using ZwSetInformationProcess.
Hi
I am using an undocumented API in ntdll.dll, and I have a problem.
--- Header file ---
namespace NT {
extern "C" {
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);
...
--- Source file ---
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset (&si, '\0', sizeof(si));
si.cb = sizeof(si);
int pid = CreateProcess(NULL, "\\windows\\notepad.exe", NULL, NULL, false, 0, NULL, NULL, &si, &pi);
NT::PROCESS_DEVICEMAP_INFORMATION pdi;
ULONG size=0;
NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessDeviceMap, &pdi, sizeof(pdi), &size);
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessDeviceMap, &pdi, sizeof(pdi));
-------------------
I can get the process device map information correctly.
But I can't get the size of the device map, and I can't set it with ZwSetInformationProcess.
The error code (stat2) is 0xC0000004L, which means STATUS_INFO_LENGTH_MISMATCH.
For reference, I wrote working code using ZwQueryInformationProcess and ZwSetInformationProcess.
--- Source file ---
ULONG size=0;
NT::QUOTA_LIMITS ql;
NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessQuotaLimits, &ql, sizeof(ql), &size);
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessQuotaLimits, &ql, sizeof(ql));
-------------------
In this case, I can get quota limits and can set it.
Do you have any solution to this?
Any help appreciated.
Thanks.
ASKER
Thank you for your help.
This is the definition of PROCESS_DEVICEMAP_INFORMATION.
It is based on "Windows NT/2000 Native API Reference" by Gary Nebbett.
---
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;
        } Set;
        struct {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
} PROCESS_DEVICEMAP_INFORMATION;
---
And this is the definition of NT::ProcessDeviceMap.
It comes from ntddk.h.
---
typedef enum _PROCESSINFOCLASS {
...
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap, // 23
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
...
} PROCESSINFOCLASS;
---
Is there any mistake?
thanks.
ASKER
Thank you Dan.
I can set ProcessDeviceMap like this.
----
ULONG h = (ULONG)pdi.Set.DirectoryHandle;
...
ULONG stat2 = NT::ZwSetInformationProcess(op, NT::ProcessDeviceMap, &h, 4);
-----
Perhaps your definition of
NT::PROCESS_DEVICEMAP_INFO
in the header is incorrect. Or perhaps you need to pass in the size that was obtained in the previous call.
-- Dan
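
The length mismatch discussed in this thread, as an added example that is not part of the original posts: the structure is a union, so `sizeof(pdi)` is the size of its largest member (`Query`), while the set call that succeeded passed only the size of the `Set` member. The code is a portable model, not a call into ntdll; `handle32_t`, `status_t`, `expected_length` and `check_length` are hypothetical names, and handles are assumed to be 32-bit as in the asker's build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not ntdll: handles are 32-bit here, matching the
   thread's build where a length of 4 was accepted. */
typedef uint32_t handle32_t;
typedef uint32_t status_t;
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u

/* Same layout as the definition posted in the thread. */
typedef struct {
    union {
        struct { handle32_t DirectoryHandle; } Set;
        struct { uint32_t DriveMap; uint8_t DriveType[32]; } Query;
    };
} devicemap_info_t;

typedef enum { DIR_QUERY, DIR_SET } direction_t;

/* Size of the union member that a given direction actually uses. */
size_t expected_length(direction_t dir)
{
    return dir == DIR_SET ? sizeof(((devicemap_info_t *)0)->Set)
                          : sizeof(((devicemap_info_t *)0)->Query);
}

/* Hypothetical stand-in for the length check: exact match or mismatch. */
status_t check_length(direction_t dir, size_t supplied)
{
    return supplied == expected_length(dir) ? STATUS_SUCCESS
                                            : STATUS_INFO_LENGTH_MISMATCH;
}

int main(void)
{
    printf("sizeof(pdi)=%zu Set=%zu Query=%zu\n", sizeof(devicemap_info_t),
           expected_length(DIR_SET), expected_length(DIR_QUERY));
    printf("query, sizeof(pdi): 0x%08X\n",
           (unsigned)check_length(DIR_QUERY, sizeof(devicemap_info_t)));
    printf("set,   sizeof(pdi): 0x%08X\n",
           (unsigned)check_length(DIR_SET, sizeof(devicemap_info_t)));
    printf("set,   sizeof(Set): 0x%08X\n",
           (unsigned)check_length(DIR_SET, expected_length(DIR_SET)));
    return 0;
}
```

ProcessQuotaLimits did not hit this in the thread because the same QUOTA_LIMITS structure, with one size, was used for both the query and the set.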