giangnguyen

Needing help with a NtQueryInformationProcess

10 posts in this topic

How can I use NtQueryInformationProcess? The return value is the status, but how do I get the output in AutoIt? With DllStructCreate? I am trying to get the PEB base address here.

Hello. What have you done so far?

 

Saludos

$hProcess = Run("testfile.exe") ; Run() returns the PID, not a process handle (this is what turned out to be wrong, see the last post)
$tag_PROCESS_BASIC_INFORMATION = "int ExitStatus;ptr PebBaseAddress;ptr AffinityMask;ptr BasePriority;ulong UniqueProcessId;ulong InheritedFromUniqueProcessId;"
Local $SpecialStruct = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
DllCall("ntdll.dll", "int", "NtQueryInformationProcess", "handle", $hProcess, "dword", 0, "ptr", DllStructGetPtr($SpecialStruct), "dword", DllStructGetSize($SpecialStruct), "dword*", 0)
$ProcessBasicInfo = DllStructGetData($SpecialStruct, 2) ; element 2 = PebBaseAddress
$dw = DllStructCreate("ptr")
DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $hProcess, _ ; was $ret1[0], an undefined variable
        "ptr", DllStructGetData($SpecialStruct, 2) + 0x10, _ ; PebBaseAddress+16 bytes <-- ptr _PROCESS_PARAMETERS
        "ptr", DllStructGetPtr($dw), "int", 4, "ptr", 0)
MsgBox(1, "", $ProcessBasicInfo)

But I always get 0x0000000 in the MsgBox, and I don't really get how I can select which element to read.

Googled it and found nothing.

@Danyfirex thanks for the link, I read it before already. I think I figured out most of the stuff, but how do you select which element from the struct to read? Using the second parameter of DllStructGetData?

$tag_PROCESS_BASIC_INFORMATION = "ptr Reserved1;" & _
        "ptr PebBaseAddress;" & _
        "ptr Reserved[2];" & _
        "ulong UniqueProcessId;" & _
        "ptr Reserved3;"
Local $SpecialStruct = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
; $hProcess still holds the value returned by Run() (a PID), see the last post
DllCall("ntdll.dll", "int", "NtQueryInformationProcess", "handle", $hProcess, "dword", 0, "ptr", DllStructGetPtr($SpecialStruct), "dword", DllStructGetSize($SpecialStruct), "dword*", 0)
$ProcessBasicInfo = DllStructGetData($SpecialStruct, "PebBaseAddress") ; elements can be read by name as well as by index
MsgBox(1, "", $ProcessBasicInfo)

My code atm, always getting 0x000000. I have full access to the process.

Getting 0 for everything, even UniqueProcessID.

I think you're not reading my answers...

#include <ProcessConstants.au3>
#include <WinAPIProc.au3>
#include <WinAPISys.au3>

; Pointer-sized members (ulong_ptr) keep the layout correct on both x86 and x64 AutoIt;
; with plain ulong for the last members the struct is too small on x64 and the call fails.
Global Const $sTag_PROCESS_BASIC_INFORMATION = "int ExitStatus;ptr PebBaseAddress;ulong_ptr AffinityMask;long BasePriority;ulong_ptr UniqueProcessId;ulong_ptr InheritedFromUniqueProcessId;"

Local $iPID = Run("Danyfirex.exe") ;Get process PID (Run returns a PID, not a handle)
ConsoleWrite("PID: " & $iPID & @CRLF)

Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iPID) ;Open process to get a real handle
ConsoleWrite("hProcess: " & $hProcess & @CRLF)

Local $tPBI = DllStructCreate($sTag_PROCESS_BASIC_INFORMATION)
Local $aRet = DllCall('ntdll.dll', 'int', 'NtQueryInformationProcess', 'handle', $hProcess, 'dword', 0, 'ptr', DllStructGetPtr($tPBI), 'ulong', DllStructGetSize($tPBI), 'ulong*', 0)
If @error Then
    ConsoleWrite("DllCall failed, @error = " & @error & @CRLF)
ElseIf $aRet[0] <> 0 Then ;0 = STATUS_SUCCESS
    ConsoleWrite("NtQueryInformationProcess failed, NTSTATUS 0x" & Hex($aRet[0], 8) & @CRLF)
EndIf

ConsoleWrite($tPBI.UniqueProcessId & @CRLF)
ConsoleWrite($tPBI.PebBaseAddress & @CRLF)

_WinAPI_CloseHandle($hProcess)

Saludos

I am using DllStructGetData which I think works as well. 

Anyway, thanks for your help, I found where things went wrong. I forgot that using ShellExecute returns the PID and not the handle to the process, and forgot to open the process. Thanks guys.

Staff please lock this, problem solved. Thanks guys.

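The thread ends with the PID-versus-handle mistake found, but two things the posted scripts never check are whether NtQueryInformationProcess actually succeeded (the MsgBox showing 0 was the struct being left untouched after a failed call) and whether the struct layout matches the bitness of the running AutoIt. The script below is an added example written for this page, not code from the thread or from Danyfirex. It queries the script's own process, so no target program or extra rights are needed, opens the handle with PROCESS_QUERY_INFORMATION instead of PROCESS_ALL_ACCESS, checks the NTSTATUS, and cross-checks the returned UniqueProcessId against @AutoItPID to confirm the member sizes are right. The helper name _PEB_GetBaseAddress and the constant names are made up for the example; it assumes the script and the queried process have the same bitness (no WOW64 mixing).

```autoit
; Added example (not from this thread). Queries the script's own process and verifies
; the PROCESS_BASIC_INFORMATION layout by comparing UniqueProcessId with @AutoItPID.
; Assumed: same bitness for script and target; _PEB_GetBaseAddress is a made-up helper name.
#include <ProcessConstants.au3>
#include <WinAPIProc.au3>
#include <WinAPISys.au3>

Global Const $PROCESS_BASIC_INFORMATION_CLASS = 0       ; ProcessBasicInformation
; NTSTATUS values are compared as 8-digit hex strings so the sign of the DllCall result does not matter.
Global Const $sSTATUS_SUCCESS = "00000000"
Global Const $sSTATUS_INFO_LENGTH_MISMATCH = "C0000004" ; buffer length does not match the structure size

; PROCESS_BASIC_INFORMATION with pointer-sized members: 24 bytes on x86, 48 on x64.
; With plain "ulong" for the last members the struct is too small on x64 and the call
; fails with STATUS_INFO_LENGTH_MISMATCH. AutoIt aligns members naturally, so the
; 4-byte padding after BasePriority on x64 is inserted for us.
Global Const $sTag_PBI = "int ExitStatus;ptr PebBaseAddress;ulong_ptr AffinityMask;long BasePriority;" & _
        "ulong_ptr UniqueProcessId;ulong_ptr InheritedFromUniqueProcessId"

; Returns the PEB base address of $hProcess. On failure returns 0 and sets @error:
;   1 = DllCall itself failed (@extended = DllCall's @error)
;   2 = NtQueryInformationProcess returned a failure; $sStatus holds the NTSTATUS as hex
Func _PEB_GetBaseAddress($hProcess, ByRef $sStatus, ByRef $iUniquePID)
    Local $tPBI = DllStructCreate($sTag_PBI)
    Local $aRet = DllCall("ntdll.dll", "long", "NtQueryInformationProcess", _
            "handle", $hProcess, _
            "dword", $PROCESS_BASIC_INFORMATION_CLASS, _
            "struct*", $tPBI, _
            "ulong", DllStructGetSize($tPBI), _
            "ulong*", 0)                                 ; ReturnLength, unused here
    If @error Then Return SetError(1, @error, 0)
    $sStatus = Hex($aRet[0], 8)
    If $sStatus <> $sSTATUS_SUCCESS Then Return SetError(2, 0, 0)
    $iUniquePID = DllStructGetData($tPBI, "UniqueProcessId")
    Return DllStructGetData($tPBI, "PebBaseAddress")
EndFunc

; Open with only the access the query needs instead of PROCESS_ALL_ACCESS.
Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, 0, @AutoItPID)
If $hProcess = 0 Then
    ConsoleWrite("_WinAPI_OpenProcess failed, @error=" & @error & " @extended=" & @extended & @CRLF)
    Exit 1
EndIf

Local $sStatus = "", $iUniquePID = 0
Local $pPEB = _PEB_GetBaseAddress($hProcess, $sStatus, $iUniquePID)
Local $iErr = @error, $iExt = @extended
_WinAPI_CloseHandle($hProcess)

Switch $iErr
    Case 0
        ConsoleWrite("PEB base address: " & $pPEB & @CRLF)
        ConsoleWrite("UniqueProcessId : " & $iUniquePID & " (expected " & @AutoItPID & ")" & @CRLF)
        If $iUniquePID <> @AutoItPID Then ConsoleWrite("Layout mismatch: member sizes do not fit this bitness" & @CRLF)
    Case 1
        ConsoleWrite("DllCall failed, @error=" & $iExt & @CRLF)
    Case 2
        If $sStatus = $sSTATUS_INFO_LENGTH_MISMATCH Then
            ConsoleWrite("STATUS_INFO_LENGTH_MISMATCH: struct size " & DllStructGetSize(DllStructCreate($sTag_PBI)) & " is not what this Windows expects" & @CRLF)
        Else
            ConsoleWrite("NtQueryInformationProcess failed, NTSTATUS 0x" & $sStatus & @CRLF)
        EndIf
EndSwitch
```

Run it from SciTE and read the console. A successful run prints a non-zero PEB address and a UniqueProcessId equal to @AutoItPID; if the status is C0000004 the struct tag is the wrong size for the running AutoIt build, which is the failure the "ulong" members in the thread's tags produce on x64. To query another process, replace @AutoItPID with that process's PID from Run() and keep the OpenProcess step, which is exactly what the original poster had skipped.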