

Dereference PsActiveProcessHead before extracting processes
Dorian Eikenberg authored and rageagainsthepc committed Sep 11, 2023
1 parent 27eacce commit 296cca3
Showing 2 changed files with 15 additions and 11 deletions.
10 changes: 6 additions & 4 deletions vmicore/src/lib/os/windows/ActiveProcessesSupervisor.cpp
Expand Up @@ -28,15 +28,17 @@ namespace VmiCore::Windows
logger->info("--- Initialization ---");
kernelAccess->initWindowsOffsets();
auto psActiveProcessListHeadVA = vmiInterface->translateKernelSymbolToVA("PsActiveProcessHead");
auto currentListEntry = psActiveProcessListHeadVA;
logger->debug("Got VA of PsActiveProcessHead",
{{"PsActiveProcessHeadVA", fmt::format("{:#x}", currentListEntry)}});
{{"PsActiveProcessHeadVA", fmt::format("{:#x}", psActiveProcessListHeadVA)}});

do
auto currentListEntry =
vmiInterface->read64VA(psActiveProcessListHeadVA, vmiInterface->convertPidToDtb(SYSTEM_PID));
while (currentListEntry != psActiveProcessListHeadVA)
{
addNewProcess(kernelAccess->getCurrentProcessEprocessBase(currentListEntry));
currentListEntry = vmiInterface->read64VA(currentListEntry, vmiInterface->convertPidToDtb(SYSTEM_PID));
} while (currentListEntry != psActiveProcessListHeadVA);
}

logger->info("--- End of Initialization ---");
}
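Review bot: The loop `while (currentListEntry != psActiveProcessListHeadVA)` still has no termination guard other than arriving back at the head, so a guest whose `ActiveProcessLinks` chain has been unlinked or corrupted, or a `read64VA` that yields a stale or zero pointer, can keep initialization walking indefinitely or hand bogus bases to `addNewProcess`; the guest kernel is the untrusted input here. Track entries already seen, e.g. `std::unordered_set<uint64_t> visited{};` before the loop and `if (!visited.insert(currentListEntry).second) break;` as its first statement, and log the anomaly so a broken or manipulated list is visible rather than silently tolerated. `vmiInterface->convertPidToDtb(SYSTEM_PID)` is now evaluated once before the loop and again on every iteration; hoisting it into a local such as `const auto systemDtb = vmiInterface->convertPidToDtb(SYSTEM_PID);` keeps the head read and the list reads on the same DTB and avoids the repeated conversion. The enclosing function begins above the hunk.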

16 changes: 9 additions & 7 deletions vmicore/test/lib/vmi/ProcessesMemoryState.h
Expand Up @@ -125,7 +125,7 @@ namespace VmiCore
std::string emptyFileName{};
std::string emptyFullName{};

const processValues process0 = processValues{psActiveProcessHeadVA - _EPROCESS_OFFSETS::ActiveProcessLinks,
const processValues process0 = processValues{0xffffe00170130400,
0,
0,
0x32323232,
Expand Down Expand Up @@ -264,13 +264,13 @@ namespace VmiCore
.WillByDefault(testing::Return(4));
}

void setupProcessWithLink(const processValues& process, uint64_t linkEprocessBase)
void setupProcessWithLink(const processValues& process, uint64_t link)
{
ON_CALL(*mockVmiInterface, read32VA(process.eprocessBase + _EPROCESS_OFFSETS::ExitStatus, systemCR3))
.WillByDefault(testing::Return(process.exitStatus));
ON_CALL(*mockVmiInterface,
read64VA(process.eprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks, systemCR3))
.WillByDefault(testing::Return(linkEprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks));
.WillByDefault(testing::Return(link));
ON_CALL(*mockVmiInterface,
extractStringAtVA(process.eprocessBase + _EPROCESS_OFFSETS::ImageFileName, systemCR3))
.WillByDefault([process = process](uint64_t, uint64_t)
Expand All @@ -284,15 +284,17 @@ namespace VmiCore

void setupActiveProcessList(const std::vector<processValues>& processes)
{
uint64_t psActiveProcessHeadVAReturn = processes[0].eprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks;
ON_CALL(*mockVmiInterface, translateKernelSymbolToVA("PsActiveProcessHead"))
.WillByDefault(testing::Return(psActiveProcessHeadVAReturn));
.WillByDefault(testing::Return(psActiveProcessHeadVA));
ON_CALL(*mockVmiInterface, read64VA(psActiveProcessHeadVA, systemCR3))
.WillByDefault(testing::Return(processes[0].eprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks));

for (auto process = processes.cbegin(); process != processes.cend()--; process++)
{
setupProcessWithLink(*process, std::next(process)->eprocessBase);
setupProcessWithLink(*process,
std::next(process)->eprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks);
}
setupProcessWithLink(processes.back(), processes.begin()->eprocessBase);
setupProcessWithLink(processes.back(), psActiveProcessHeadVA);
}

void setupExtractProcessPathReturns(const processValues& process)
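Review bot: `processes.cend()--` in the header `for (auto process = processes.cbegin(); process != processes.cend()--; process++)` decrements a temporary, so the condition is effectively `process != processes.cend()` and the body also runs for the last element, where the new `std::next(process)->eprocessBase + _EPROCESS_OFFSETS::ActiveProcessLinks` dereferences the end iterator; the trailing `setupProcessWithLink(processes.back(), psActiveProcessHeadVA)` then re-registers the last element, which presumably masks the problem in practice. Write the bound as `process != std::prev(processes.cend())` so the last element is set up exactly once, with the head as its link. `processes[0]` and `processes.back()` also assume a non-empty vector; an early check on `processes.empty()` would make a misuse of the fixture fail clearly instead of reading out of bounds. The function is fully within the hunk.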

