Solved

Setting PROCESS_DEVICEMAP_INFORMATION using ZwSetInformationProcess.

Posted on 2003-03-26
Last Modified: 2013-12-03
Hi

I am using an undocumented API in ntdll.dll, and I have a problem.

--- Header file ---
namespace NT {
    extern "C" {

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID ProcessInformation,
    IN ULONG ProcessInformationLength
    );
...
--- Source file ---
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset (&si, '\0', sizeof(si));
si.cb = sizeof(si);

int pid = CreateProcess(NULL, "\\windows\\notepad.exe", NULL, NULL, false, 0, NULL, NULL, &si, &pi);

NT::PROCESS_DEVICEMAP_INFORMATION pdi;
ULONG size=0;

NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessDeviceMap,  &pdi, sizeof(pdi), &size);
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessDeviceMap, &pdi, sizeof(pdi));
-------------------

I can get the process device map information correctly.
But I can't get the size of the device map, and I can't set it with ZwSetInformationProcess.
The error code (stat2) is 0xC0000004L, which means STATUS_INFO_LENGTH_MISMATCH.


For reference, I wrote successful code using ZwQueryInformationProcess and ZwSetInformationProcess.

--- Source file ---
ULONG size=0;
NT::QUOTA_LIMITS ql;

NTSTATUS stat = NT::ZwQueryInformationProcess(pi.hProcess, NT::ProcessQuotaLimits,  &ql, sizeof(ql), &size);
NTSTATUS stat2 = NT::ZwSetInformationProcess(pi.hProcess, NT::ProcessQuotaLimits, &ql, sizeof(ql));
-------------------
In this case, I can get quota limits and can set it.

Do you have any solution to this?
Any help appreciated.

Thanks.
Question by:shield_knight
4 Comments
 
LVL 49

Expert Comment

by:DanRollins
ID: 8216096
Are you certain you are using the correct parameters?  After all, these are undocumented functions!  Do you have a link to a website that provides a complete reference so I can check it out?

Perhaps your definition of
    NT::PROCESS_DEVICEMAP_INFORMATION
in the header is incorrect.  Or perhaps you need to pass in the size that was obtained in the previous call.

-- Dan
0
 

Author Comment

by:shield_knight
ID: 8216385
Thank you for your help.

This is the definition of PROCESS_DEVICEMAP_INFORMATION.
It is based on "Windows NT/2000 Native API Reference" by Gary Nebbett.

---
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
     union {
          struct {
               HANDLE DirectoryHandle;
          } Set;
          struct {
               ULONG DriveMap;
               UCHAR DriveType[32];
          } Query;
     };
} PROCESS_DEVICEMAP_INFORMATION;
---

And this is the definition of NT::ProcessDeviceMap.
It comes from ntddk.h.

---
typedef enum _PROCESSINFOCLASS {
...
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,  // 23
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
...
    } PROCESSINFOCLASS;
---

Is there any mistake?

thanks.
0
 
LVL 49

Accepted Solution

by:
DanRollins earned 200 total points
ID: 8220663
I can't find the documentation for ProcessDeviceMap.

I did reproduce the problem and I found this:  If you send in 4 (rather than 24) as the size parm, then you will get back a different error (0xc0000008), which is
     STATUS_INVALID_HANDLE
This could indicate that the
    ZwSetInformationProcess(h, ProcessDeviceMap, &pdi, 4)
*might* allow you to set the DirectoryHandle if you happened to have a valid one.
    pdi.Set.DirectoryHandle= hDir;

(note that I tried using the HANDLE obtained via CreateFile for a directory, and got back STATUS_OBJECT_TYPE_MISMATCH).

Knowing that the Query function can return two kinds of info -- the
    directory handle
for the process and a
    drivemap bitmap + DriveType list
and judging from the names of the union in the PROCESS_DEVICEMAP_INFORMATION record (Set and Query) I think it is now pretty obvious:

When calling Query, you can get back a drive map, but when calling Set, you can only set the DirectoryHandle for the process (whatever that is).

So there is the answer.

-- Dan
0
 

Author Comment

by:shield_knight
ID: 8222897
Thank you Dan.

I can set ProcessDeviceMap like this.

----
ULONG h = (ULONG)pdi.Set.DirectoryHandle;
...
ULONG stat2 = NT::ZwSetInformationProcess(op,NT::ProcessDeviceMap, &h, 4);
-----
0
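
Added example, not part of the original thread and not code from either poster: portable C that decodes the Query result described in the accepted answer, using the Query layout posted above. The bit-to-letter mapping and the DOSDEVICE_DRIVE_* type values come from the DDK headers rather than from the thread, the sample buffer is constructed, and the two lengths are the ones the thread arrived at for a 32-bit process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Query member as posted in the thread: 32-bit ULONG plus 32 type bytes. */
typedef struct {
    uint32_t DriveMap;       /* bit i set => drive letter 'A'+i is mapped */
    uint8_t  DriveType[32];  /* one type byte per bit; 0..25 are letters */
} DEVICEMAP_QUERY;

/* Lengths for the 32-bit case in the thread: the full member to query,
   one 4-byte handle to set. */
enum { QUERY_LEN = sizeof(DEVICEMAP_QUERY), SET_LEN_32 = 4 };

/* DOSDEVICE_DRIVE_* values 0..6 (DDK headers), indexed by DriveType. */
const char *drive_type_name(uint8_t t) {
    static const char *names[] = { "unknown", "calculate", "removable",
                                   "fixed", "remote", "cdrom", "ramdisk" };
    return (size_t)t < sizeof names / sizeof names[0] ? names[t] : "invalid";
}

/* Writes "C:fixed D:cdrom" style text to out; returns drives written. */
int decode_device_map(const DEVICEMAP_QUERY *q, char *out, size_t outlen) {
    size_t used = 0;
    int count = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (int i = 0; i < 26; i++) {
        if (!(q->DriveMap & (UINT32_C(1) << i))) continue;
        int n = snprintf(out + used, outlen - used, "%s%c:%s", count ? " " : "",
                         'A' + i, drive_type_name(q->DriveType[i]));
        if (n < 0 || (size_t)n >= outlen - used) {
            out[used] = '\0';   /* drop the partial entry and stop */
            break;
        }
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void) {
    DEVICEMAP_QUERY q;       /* constructed sample, not captured output */
    char text[128];
    memset(&q, 0, sizeof q);
    q.DriveMap = (1u << 0) | (1u << 2) | (1u << 3);      /* A:, C:, D: */
    q.DriveType[0] = 2; q.DriveType[2] = 3; q.DriveType[3] = 5;
    int n = decode_device_map(&q, text, sizeof text);
    printf("query=%d set=%d; %d drives: %s\n", (int)QUERY_LEN, (int)SET_LEN_32, n, text);
}
```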
