PsGetProcessPeb and PsGetProcessWow64Process internals

Reposted from: https://malwaretips.com/threads/psgetprocesspeb-and-psgetprocesswow64process-internals.86482/

 




Disclaimer

This content is presented solely for educational and entertainment purposes. While the author has done their best to ensure that the information is correct and up to date at the time of writing and publishing, the author makes no representations or warranties of any kind and assumes no liability of any kind with respect to the accuracy or completeness of the contents, and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. The author may not be held liable or responsible to any person or entity with respect to any loss or incidental or consequential damages caused, or alleged to have been caused, directly or indirectly, by the information or programs contained herein.


 

Introduction


PsGetProcessPeb is a routine exported by name from the Windows kernel (ntoskrnl.exe), but it is not documented by Microsoft. It is stable to use in the sense that it has been exported since at least Windows XP.

PsGetProcessWow64Process is likewise exported by the Windows kernel and likewise undocumented. It has been present since at least the 64-bit Windows XP kernel, and either routine becoming obsolete any time soon is extremely unlikely.

Both routines return a pointer to a Process Environment Block (PEB) of the targeted process. PsGetProcessPeb returns the process's native PEB; PsGetProcessWow64Process returns the 32-bit PEB that only a WOW64 process has, and returns NULL for any other process.


 

PsGetProcessPeb internals

The PsGetProcessPeb routine accepts a pointer to the _EPROCESS structure of the targeted process and simply returns the pointer stored in the Peb field of that structure.

 

 
The above figure shows the disassembly of the PsGetProcessPeb routine belonging to a Windows 10 64-bit kernel. The disassembly is from IDA 64-bit.

In the above figure, RAX receives the pointer to the _PEB structure: RCX holds the address of the _EPROCESS for the targeted process (the first and only argument under the x64 calling convention), and 3F8h is the offset of the Peb field within _EPROCESS for this particular build. The whole routine is therefore one load from [RCX+3F8h] followed by a return. The offset itself moves between Windows builds, which is exactly why the exported accessor should be called rather than the field read at a hard-coded offset.

Moving to the pseudo-code automatically generated by IDA, cleaned up to set the proper data types and to rename the only parameter:

 

 
The above figure shows cleaned-up pseudo-code generated based on the disassembly for the PsGetProcessPeb routine belonging to a Windows 10 64-bit kernel. The pseudo-code is from IDA 64-bit.

The syntax for the PsGetProcessPeb routine:

Code:

PPEB
PsGetProcessPeb(
       PEPROCESS Process
);


 

PsGetProcessWow64Process internals

 

  1. The routine reads the WoW64Process field of the _EPROCESS structure, which points to the _EWOW64PROCESS structure of the targeted process (and is NULL for a native process).
  2. The routine performs conditional checks on that pointer and on the data present in the _EWOW64PROCESS structure to confirm that the targeted process is a WOW64 process, and returns NULL if it is not.
  3. Otherwise the routine returns the Peb field of the _EWOW64PROCESS structure, which is the 32-bit PEB of the WOW64 process.


 

 

The above figure shows cleaned-up pseudo-code generated based on the disassembly for the PsGetProcessWow64Process routine belonging to a Windows 10 64-bit kernel. The pseudo-code is from IDA 64-bit.

The syntax for the PsGetProcessWow64Process routine:

Code:

PVOID
PsGetProcessWow64Process(
       PEPROCESS Process
);


 

Remarks


You can use the PsGetProcessWow64Process routine to determine whether a process is WOW64 given only a pointer to its _EPROCESS structure: a NULL return means the process is native to the 64-bit kernel and is not running under the WOW64 layer. ZwQueryInformationProcess with the ProcessWow64Information class gives the same answer (it writes the address of the 32-bit PEB, or zero for a native process), but it requires a handle to the process rather than a pointer to the _EPROCESS structure.

When using the PsGetProcessWow64Process routine, remember that the returned pointer is to the 32-bit version of the _PEB structure, even though the caller is 64-bit kernel code. Every pointer-sized field in it is four bytes wide and sits at a different offset than in the native _PEB, so the layout has to be handled manually. A WOW64 process also still has a native 64-bit PEB, and that is what PsGetProcessPeb returns for it.

As well as this, the _EPROCESS and _EWOW64PROCESS structures are officially undocumented and opaque, and in kernel mode the _PEB structure is opaque too unless you re-define it yourself. Both routines return a user-mode virtual address inside the target's address space, not a kernel address: dereference it only while attached to that process (KeStackAttachProcess / KeUnstackDetachProcess), with the _EPROCESS kept referenced (for example via PsLookupProcessByProcessId and a matching ObDereferenceObject), and inside a __try/__except block, because the memory can be paged out, unmapped, or deliberately corrupted by user mode. Also expect a NULL result from PsGetProcessPeb for the System process and other minimal processes, which have no PEB at all.

You can resolve the addresses of PsGetProcessPeb and PsGetProcessWow64Process at run time with MmGetSystemRoutineAddress, and because both are exported by name, declaring the prototypes yourself as __declspec(dllimport) (which is what NTKERNELAPI expands to) and linking against ntoskrnl.lib works just fine for static linking.
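The following is an added example and is not code from the original article, nor from Windows: a small user-mode C model of what the two routines hand back (the three steps listed for PsGetProcessWow64Process above, with NULL meaning "native process") and of the 32-bit PEB handling that the remark above says must be done manually. The MODEL_* structures, model_* functions and sample byte buffers are constructed for illustration and are not the real _EPROCESS or _EWOW64PROCESS layouts; the only real data are the field offsets of ImageBaseAddress, Ldr and ProcessParameters in _PEB and _PEB32, which have been stable across 64-bit Windows releases. It also shows the failure mode of decoding a WOW64 PEB with the 64-bit layout: the read silently lands on a different, valid-looking field.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Real, stable field offsets of the native 64-bit _PEB and the 32-bit _PEB32. */
#define PEB64_ImageBaseAddress  0x10
#define PEB64_Ldr               0x18
#define PEB64_ProcessParameters 0x20
#define PEB32_ImageBaseAddress  0x08
#define PEB32_Ldr               0x0C
#define PEB32_ProcessParameters 0x10

/* Constructed stand-ins for the opaque kernel structures; NOT the real layouts. */
typedef struct { const uint8_t *Peb; } MODEL_EWOW64PROCESS;   /* Peb -> 32-bit PEB */
typedef struct {
    const uint8_t *Peb;                 /* native 64-bit PEB (every process has one) */
    MODEL_EWOW64PROCESS *WoW64Process;  /* NULL for a native process */
} MODEL_EPROCESS;

/* Contract of PsGetProcessPeb: hand back the Peb field, nothing more. */
static const uint8_t *model_PsGetProcessPeb(const MODEL_EPROCESS *p) { return p->Peb; }

/* Contract of PsGetProcessWow64Process: NULL unless the process is WOW64. */
static const uint8_t *model_PsGetProcessWow64Process(const MODEL_EPROCESS *p)
{
    return p->WoW64Process ? p->WoW64Process->Peb : NULL;
}

typedef struct {
    int      is_wow64;
    uint64_t image_base, ldr, process_parameters;
} PEB_SUMMARY;

/* Little-endian accessors; width is 4 for _PEB32 fields and 8 for _PEB fields. */
static uint64_t read_le(const uint8_t *b, size_t off, int width)
{
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | b[off + i];
    return v;
}
static void write_le(uint8_t *b, size_t off, int width, uint64_t v)
{
    for (int i = 0; i < width; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

/* Pick the PEB flavour that applies to the process and decode it accordingly. */
static PEB_SUMMARY model_summarize_peb(const MODEL_EPROCESS *p)
{
    PEB_SUMMARY s;
    const uint8_t *peb32 = model_PsGetProcessWow64Process(p);
    if (peb32 != NULL) {                 /* WOW64: 4-byte fields at _PEB32 offsets */
        s.is_wow64           = 1;
        s.image_base         = read_le(peb32, PEB32_ImageBaseAddress, 4);
        s.ldr                = read_le(peb32, PEB32_Ldr, 4);
        s.process_parameters = read_le(peb32, PEB32_ProcessParameters, 4);
    } else {                             /* native: 8-byte fields at _PEB offsets */
        const uint8_t *peb64 = model_PsGetProcessPeb(p);
        s.is_wow64           = 0;
        s.image_base         = read_le(peb64, PEB64_ImageBaseAddress, 8);
        s.ldr                = read_le(peb64, PEB64_Ldr, 8);
        s.process_parameters = read_le(peb64, PEB64_ProcessParameters, 8);
    }
    return s;
}

/* The mistake the remark warns about: applying the 64-bit layout to the WOW64 PEB. */
static uint64_t model_misread_wow64_image_base(const MODEL_EPROCESS *p)
{
    const uint8_t *peb32 = model_PsGetProcessWow64Process(p);
    return peb32 ? read_le(peb32, PEB64_ImageBaseAddress, 8) : 0;
}

/* Constructed sample memory: one WOW64 process and one native process. */
static uint8_t sample_peb32[0x40], sample_peb64[0x40];
static MODEL_EWOW64PROCESS sample_wow64 = { sample_peb32 };
static MODEL_EPROCESS sample_proc_wow64  = { sample_peb64, &sample_wow64 };
static MODEL_EPROCESS sample_proc_native = { sample_peb64, NULL };

static void model_build_samples(void)   /* values below are made up for the example */
{
    memset(sample_peb32, 0, sizeof sample_peb32);
    memset(sample_peb64, 0, sizeof sample_peb64);
    write_le(sample_peb32, PEB32_ImageBaseAddress,  4, 0x00400000);
    write_le(sample_peb32, PEB32_Ldr,               4, 0x77A80000);
    write_le(sample_peb32, PEB32_ProcessParameters, 4, 0x003A1250);
    write_le(sample_peb64, PEB64_ImageBaseAddress,  8, 0x00007FF6A1230000ULL);
    write_le(sample_peb64, PEB64_Ldr,               8, 0x00007FFC3B19C4C0ULL);
    write_le(sample_peb64, PEB64_ProcessParameters, 8, 0x000001D4E7E02540ULL);
}

PEB_SUMMARY model_wow64_summary(void)  { model_build_samples(); return model_summarize_peb(&sample_proc_wow64); }
PEB_SUMMARY model_native_summary(void) { model_build_samples(); return model_summarize_peb(&sample_proc_native); }
uint64_t    model_misread_sample(void) { model_build_samples(); return model_misread_wow64_image_base(&sample_proc_wow64); }

int main(void)
{
    PEB_SUMMARY w = model_wow64_summary(), n = model_native_summary();
    printf("WOW64  : is_wow64=%d image_base=%#llx ldr=%#llx\n", w.is_wow64,
           (unsigned long long)w.image_base, (unsigned long long)w.ldr);
    printf("native : is_wow64=%d image_base=%#llx ldr=%#llx\n", n.is_wow64,
           (unsigned long long)n.image_base, (unsigned long long)n.ldr);
    printf("misread: 64-bit layout on the 32-bit PEB yields %#llx (that is ProcessParameters)\n",
           (unsigned long long)model_misread_sample());
    return 0;
}
```

The misread path shows why the width and offsets matter: reading eight bytes at the 64-bit ImageBaseAddress offset (0x10) from a _PEB32 returns the 32-bit ProcessParameters pointer padded with the zero SubSystemData field, a plausible-looking address that is simply the wrong field. In a real driver the pointers behind these models are user-mode addresses in the target process and may only be read while attached to it and inside __try/__except; the model skips that because it reads constructed buffers in its own address space.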


 

Revision History

The revision history will allow readers to know about edits made to the content after it has been posted.

05-Sept-2018 - Added a new remark and the Revision History section, made a change to the formatting and fixed a typo with the _EWOW64PROCESS structure naming.
