NtQueryInformationProcess and PROCESS_BASIC_INFORMATION result empty
I'm trying to enumerate processes and get their SessionID back. I wrote a function that consists of NtQueryInformationProcess (invoked dynamically), and I'm having some trouble getting results from the PROCESS_BASIC_INFORMATION structure that I'm passing in (it seems to be empty).
Snapshot from the debugger:
The code from my function:
```cpp
enum_results enum_proc() {
    typedef NTSTATUS(WINAPI* PNtQueryInformationProcess)(IN HANDLE, IN PROCESSINFOCLASS, OUT PVOID, IN ULONG, OUT PULONG);
    PNtQueryInformationProcess pNtQueryInformationProcess = (PNtQueryInformationProcess)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    int pid;
    static int i;
    DWORD procs[1024], cbNeeded;
    if (!EnumProcesses(procs, sizeof(procs), &cbNeeded))
    {
        std::cout << "Couldnt retrive PS list";
        exit(-1);
    }
    int cProcesses = cbNeeded / sizeof(DWORD);
    for (i = 0; i <= cProcesses; i++)
    {
        int pid = (int)procs[i];
        if (pid > 0) {
            HANDLE current_proc = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, procs[i]);
            PROCESSINFOCLASS info = {};
            auto pBasicInfo = new PROCESS_BASIC_INFORMATION();
            DWORD ret_length = 0;
            NTSTATUS stat = pNtQueryInformationProcess(current_proc, info, pBasicInfo, sizeof(pBasicInfo), (PULONG)ret_length);
            if (!stat)
            {
                std::cout << "couldnt invoke NtQueryInformationProcess..";
                exit(-1);
            }
            std::cout << procs[i];
            ULONG session = pBasicInfo->PebBaseAddress->SessionId;
            {
                enum_results ret_struct;
                ret_struct.pid = pid;
                ret_struct.process = current_proc;
                return ret_struct;
            }
        }
    }
}
```
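An added example, not the asker's code: a portable stand-in that reproduces why the call above leaves the structure empty. The struct layout, the NTSTATUS values and the NT_SUCCESS rule are the real Windows ones; `MockQueryBasicInformation` is a constructed substitute for `NtQueryInformationProcess` that applies the same length check the kernel does, and `QueryLikeTheQuestion` / `QueryCorrectly` are hypothetical names. On Windows the same two fixes apply to the real call (pass `sizeof(PROCESS_BASIC_INFORMATION)`, test the status with `NT_SUCCESS`), and `PebBaseAddress` must then be read with `ReadProcessMemory` rather than dereferenced, because it points into the target process.

```cpp
#include <cstdint>
#include <cstring>

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
const NTSTATUS STATUS_SUCCESS              = 0;
const NTSTATUS STATUS_INFO_LENGTH_MISMATCH = (NTSTATUS)0xC0000004;
// Real NT rule: any non-negative status is success, so `if (!stat)` in the
// question treats STATUS_SUCCESS (0) as failure and error codes as success.
inline bool NT_SUCCESS(NTSTATUS s) { return s >= 0; }

// Same field layout as winternl.h PROCESS_BASIC_INFORMATION (48 bytes on x64).
struct PROCESS_BASIC_INFORMATION {
    NTSTATUS  ExitStatus;
    void*     PebBaseAddress;   // address in the *target* process; not dereferenceable locally
    uintptr_t AffinityMask;
    int32_t   BasePriority;
    uintptr_t UniqueProcessId;
    uintptr_t InheritedFromUniqueProcessId;
};

// Constructed stand-in for NtQueryInformationProcess(ProcessBasicInformation): the kernel
// rejects any length other than sizeof(PROCESS_BASIC_INFORMATION) and leaves the buffer as is.
NTSTATUS MockQueryBasicInformation(uintptr_t pid, void* out, ULONG len, ULONG* returned) {
    if (len != sizeof(PROCESS_BASIC_INFORMATION)) return STATUS_INFO_LENGTH_MISMATCH;
    PROCESS_BASIC_INFORMATION pbi = {};
    pbi.UniqueProcessId = pid;
    pbi.PebBaseAddress  = (void*)(uintptr_t)0x7FF000000000ULL;  // constructed sample value
    std::memcpy(out, &pbi, sizeof(pbi));
    if (returned) *returned = sizeof(pbi);
    return STATUS_SUCCESS;
}

// Mirrors the question: sizeof(pBasicInfo) is the size of the pointer (8), not of the
// struct (48). Returns the pid the caller would then read out of the untouched buffer.
uintptr_t QueryLikeTheQuestion(uintptr_t pid, NTSTATUS* statusOut) {
    PROCESS_BASIC_INFORMATION* p = new PROCESS_BASIC_INFORMATION();
    NTSTATUS stat = MockQueryBasicInformation(pid, p, sizeof(p), nullptr);
    *statusOut = stat;                    // negative: STATUS_INFO_LENGTH_MISMATCH, yet `!stat` is false
    uintptr_t seen = p->UniqueProcessId;  // still 0: the buffer was never written
    delete p;
    return seen;
}

// Corrected call: pass the struct's size and test the status with NT_SUCCESS.
bool QueryCorrectly(uintptr_t pid, PROCESS_BASIC_INFORMATION& pbi) {
    ULONG returned = 0;
    NTSTATUS stat = MockQueryBasicInformation(pid, &pbi, sizeof(pbi), &returned);
    return NT_SUCCESS(stat) && returned == sizeof(pbi);
}
```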
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
