Five ways to get the address of the PsActiveProcessHead variable from a driver (KdpDebuggerDataListHead can be obtained the same way)

Source: Internet
Author: User

Definition of PsActiveProcessHead:

In a Windows system all active processes are linked together in a doubly linked list whose head is the kernel global variable PsActiveProcessHead. When a process is created, the ActiveProcessLinks field of its EPROCESS is inserted as a node of this list; when the process is deleted, the node is unlinked again. Whenever Windows needs to enumerate all processes it simply walks this list. PsActiveProcessHead is not exported by ntoskrnl.exe, so a driver that wants to walk the list has to find the address of the variable first; the five methods below do exactly that.



Method One: Search for hard-coded byte patterns to find the KdInitSystem function address
Method Two: Get it from the EPROCESS of the System process (PID 4)
Method Three: Derive it from the variable PsInitialSystemProcess exported by ntoskrnl.exe
Method Four: Get it from the KPCR
Method Five: Call the NtSystemDebugControl function

Note: all addresses, byte patterns and structure offsets below are for Windows XP SP3 (32-bit); they change between Windows versions and service packs.

Method One:
The kernel variable KdDebuggerDataBlock is a structure of type KDDEBUGGER_DATA64, and its member PsActiveProcessHead holds exactly the address we are looking for. The structure is defined in the WinDDK file \inc\api\wdbgexts.h.

KdDebuggerDataBlock is referenced inside the KdInitSystem function, and the ntoskrnl.exe export KdEnableDebugger calls KdInitSystem. The search therefore goes in two steps: resolve the exported KdEnableDebugger, scan its bytes for the CALL to KdInitSystem and resolve the relative call target; then scan KdInitSystem for the PUSH offset KdDebuggerDataBlock instruction and read its absolute operand. The same instruction sequence also contains MOV ESI, offset KdpDebuggerDataListHead, which is how that variable can be obtained as well. The byte patterns are taken from the XP SP3 kernel, so a different kernel build needs new patterns, and the code must give up cleanly when no match is found instead of dereferencing a bogus address.



Code:
// A 5-byte E8/68/BE instruction: one opcode byte followed by a 32-bit operand
// (rel32 for CALL, absolute imm32 for PUSH / MOV ESI)
#pragma pack(push, 1)
typedef struct _CALL_CODE
{
    UCHAR Opcode;
    ULONG Address;
} CALL_CODE, *PCALL_CODE;
#pragma pack(pop)

ULONG FindPsActiveProcessHead1()
{
    // 1. Find the KdInitSystem address from the KdEnableDebugger address
    // nt!KdEnableDebugger 804f7810
    // 804f7837 6a00             push    0
    // 804f7839 6a00             push    0
    // 804f783b c605ecab558001   mov     byte ptr [nt!PoHiberInProgress (8055abec)],1
    // 804f7842 e8f7951600       call    nt!KdInitSystem (80660e3e)
    // 804f7847 e8649a1600       call    nt!KdpRestoreAllBreakpoints (806612b0)
    ULONG i;
    PCALL_CODE pCall;
    PUCHAR pKdInitSystem = NULL;
    // GetExportFuncAddress (helper, not shown) resolves an ntoskrnl.exe export by name
    PUCHAR p = (PUCHAR)GetExportFuncAddress(L"KdEnableDebugger");
    KdPrint(("KdEnableDebugger address = %x\n", p));
    if (!p)
    {
        KdPrint(("Get KdEnableDebugger address failed\n"));
        return 0;
    }
    for (i = 0; i < 100; i++, p++)
    {
        if ((*p == 0x6A) && (*(p + 1) == 0x00) &&
            (*(p + 2) == 0x6A) && (*(p + 3) == 0x00) &&
            (*(p + 4) == 0xC6) && (*(p + 5) == 0x05) &&
            (*(p + 0xB) == 0xE8) && (*(p + 0x10) == 0xE8))
        {
            // E8 rel32: target = address of the next instruction + rel32
            pCall = (PCALL_CODE)(p + 0xB);
            pKdInitSystem = p + 0xB + pCall->Address + 5;
            KdPrint(("KdInitSystem address = %x\n", pKdInitSystem));
            break;
        }
    }
    if (!pKdInitSystem)
    {
        KdPrint(("Get KdInitSystem address failed\n"));
        return 0;
    }

    // 2. Find the KdDebuggerDataBlock address from the KdInitSystem address
    // nt!KdInitSystem 80660e3e
    // 80660e8e 6890020000       push    290h
    // 80660e93 68606b5480       push    offset nt!KdDebuggerDataBlock (80546b60)
    // 80660e98 be74926780       mov     esi,offset nt!KdpDebuggerDataListHead (80679274)
    p = pKdInitSystem;
    for (i = 0; i < 100; i++, p++)
    {
        if ((*p == 0x68) && (*(p + 5) == 0x68) && (*(p + 0xA) == 0xBE))
        {
            // 68 imm32: the operand is the absolute address of KdDebuggerDataBlock
            // (the BE imm32 at p+0xA carries the address of KdpDebuggerDataListHead)
            pCall = (PCALL_CODE)(p + 5);
            KdPrint(("KdDebuggerDataBlock address = %x\n", pCall->Address));
            KdPrint(("PsActiveProcessHead address = %x\n",
                     (ULONG)((PKDDEBUGGER_DATA64)pCall->Address)->PsActiveProcessHead));
            return (ULONG)((PKDDEBUGGER_DATA64)pCall->Address)->PsActiveProcessHead;
        }
    }
    KdPrint(("Get KdDebuggerDataBlock address failed\n"));
    return 0;
}
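As an added example (not code from the original article), the same two-stage signature search is written below as a stand-alone user-mode C program, run over constructed buffers that hold exactly the instruction bytes quoted in the disassembly comments above, with a few constructed filler bytes in front so the scan has something to skip. It generalizes the article's fixed byte compares to a masked pattern scan (operand bytes are wildcards) and keeps the two operand encodings apart: the CALL target is relative (address of the next instruction plus rel32), while the PUSH and MOV ESI operands are absolute addresses. The buffer contents, base addresses and function names are this example's own assumptions.

```c
/* Added example: user-mode model of the Method One signature search.
 * The code bytes are the ones quoted in the article's disassembly comments
 * (XP SP3); the filler bytes and the buffer base addresses are constructed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of nt!KdEnableDebugger: the real sequence starts at 804f7837, the
 * 8 constructed filler bytes in front put the buffer base at 804f782f. */
static const uint32_t KD_ENABLE_DEBUGGER_BASE = 0x804f782fu;
static const uint8_t KD_ENABLE_DEBUGGER_BYTES[] = {
    0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x10, /* constructed filler prologue */
    0x6a, 0x00,                                     /* push 0 */
    0x6a, 0x00,                                     /* push 0 */
    0xc6, 0x05, 0xec, 0xab, 0x55, 0x80, 0x01,       /* mov byte ptr [nt!PoHiberInProgress],1 */
    0xe8, 0xf7, 0x95, 0x16, 0x00,                   /* call nt!KdInitSystem (rel32) */
    0xe8, 0x64, 0x9a, 0x16, 0x00,                   /* call nt!KdpRestoreAllBreakpoints */
};

/* Bytes of nt!KdInitSystem around 80660e8e; the operands are absolute, so no base is needed. */
static const uint8_t KD_INIT_SYSTEM_BYTES[] = {
    0x53, 0x56, 0x57,                               /* constructed filler */
    0x68, 0x90, 0x02, 0x00, 0x00,                   /* push 290h */
    0x68, 0x60, 0x6b, 0x54, 0x80,                   /* push offset nt!KdDebuggerDataBlock */
    0xbe, 0x74, 0x92, 0x67, 0x80,                   /* mov esi, offset nt!KdpDebuggerDataListHead */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Masked scan: mask[j] == 0 marks an operand byte that may take any value.
 * Returns the offset of the first full match or -1, and never reads past len. */
static long find_pattern(const uint8_t *buf, size_t len,
                         const uint8_t *pat, const uint8_t *mask, size_t patlen)
{
    for (size_t i = 0; patlen <= len && i + patlen <= len; i++) {
        size_t j = 0;
        while (j < patlen && (!mask[j] || buf[i + j] == pat[j]))
            j++;
        if (j == patlen)
            return (long)i;
    }
    return -1;
}

/* E8 rel32: target = address of the next instruction + sign-extended rel32. */
static uint32_t resolve_rel32_call(const uint8_t *call, uint32_t call_va)
{
    return call_va + 5 + (uint32_t)(int32_t)read_le32(call + 1);
}

/* Stage 1: push 0 / push 0 / mov byte ptr [..],1 / call KdInitSystem / call ... */
static uint32_t find_kd_init_system(const uint8_t *code, size_t len, uint32_t base)
{
    static const uint8_t pat[]  = { 0x6a,0x00, 0x6a,0x00, 0xc6,0x05,0,0,0,0,0, 0xe8,0,0,0,0, 0xe8 };
    static const uint8_t mask[] = { 1,1,       1,1,       1,1,0,0,0,0,0,       1,0,0,0,0,    1 };
    long off = find_pattern(code, len, pat, mask, sizeof pat);
    if (off < 0)
        return 0;
    /* the first E8 sits 0xB bytes into the pattern, as in the article's code */
    return resolve_rel32_call(code + off + 0xb, base + (uint32_t)off + 0xb);
}

/* Stage 2: push imm32 / push offset KdDebuggerDataBlock / mov esi, offset KdpDebuggerDataListHead.
 * which == 0 returns KdDebuggerDataBlock, which == 1 returns KdpDebuggerDataListHead. */
static uint32_t find_kd_data_ref(const uint8_t *code, size_t len, int which)
{
    static const uint8_t pat[]  = { 0x68,0,0,0,0, 0x68,0,0,0,0, 0xbe,0,0,0,0 };
    static const uint8_t mask[] = { 1,0,0,0,0,    1,0,0,0,0,    1,0,0,0,0 };
    long off = find_pattern(code, len, pat, mask, sizeof pat);
    if (off < 0)
        return 0;
    return read_le32(code + off + (which ? 0xb : 6));
}

/* Wrappers over the constructed buffers, so the results can be checked by name. */
uint32_t example_kd_init_system(void)
{
    return find_kd_init_system(KD_ENABLE_DEBUGGER_BYTES, sizeof KD_ENABLE_DEBUGGER_BYTES, KD_ENABLE_DEBUGGER_BASE);
}
uint32_t example_kd_debugger_data_block(void)
{
    return find_kd_data_ref(KD_INIT_SYSTEM_BYTES, sizeof KD_INIT_SYSTEM_BYTES, 0);
}
uint32_t example_kdp_debugger_data_list_head(void)
{
    return find_kd_data_ref(KD_INIT_SYSTEM_BYTES, sizeof KD_INIT_SYSTEM_BYTES, 1);
}
/* A buffer that does not contain the sequence must yield 0, not a bogus address. */
uint32_t example_no_match(void)
{
    return find_kd_init_system(KD_INIT_SYSTEM_BYTES, sizeof KD_INIT_SYSTEM_BYTES, 0);
}

int main(void)
{
    printf("KdInitSystem            = %08" PRIx32 "\n", example_kd_init_system());
    printf("KdDebuggerDataBlock     = %08" PRIx32 "\n", example_kd_debugger_data_block());
    printf("KdpDebuggerDataListHead = %08" PRIx32 "\n", example_kdp_debugger_data_list_head());
    return 0;
}
```

Running it recovers 80660e3e, 80546b60 and 80679274, the three addresses in the article's comments; the masked scan is what you would swap the fixed compares for when porting the search to another kernel build, since only the opcode bytes stay constant while the operands move.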
Method Two: PsActiveProcessHead is the head of the active process list, so it is the Blink of the ActiveProcessLinks member of the first EPROCESS on the list and, equally, the Flink of the ActiveProcessLinks member of the last one. The first entry on the list is the System process, which has process ID 4 (the Idle process, PID 0, is not linked into the list, which is why it is described as the second process). So look up the EPROCESS of PID 4 with PsLookupProcessByProcessId, read ActiveProcessLinks.Blink at the XP offset 0x88, and dereference the process object again afterwards.

Code:
NTSTATUS FindPsActiveProcessHead2(ULONG *pPsActiveProcessHead)
{
    PEPROCESS Process;
    PLIST_ENTRY pList = NULL;
    NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)4, &Process);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Get process failed\n"));
        return Status;
    }
    // XP: _EPROCESS +0x088 ActiveProcessLinks : _LIST_ENTRY
    pList = (PLIST_ENTRY)((PUCHAR)Process + 0x88);
    // System is the first entry, so its Blink is the list head itself
    KdPrint(("PsActiveProcessHead address = %x\n", pList->Blink));
    *pPsActiveProcessHead = (ULONG)pList->Blink;
    // PsLookupProcessByProcessId returned a referenced object; drop the reference
    ObDereferenceObject(Process);
    return Status;
}
Method Three: ntoskrnl.exe exports a variable PsInitialSystemProcess of type PEPROCESS that points to the EPROCESS of the System process (PID 4), so this is the previous method without the PID lookup and without the extra object reference. To use PsInitialSystemProcess when building with the WinDDK, link against ntoskrnl.lib.


Code:
ULONG FindPsActiveProcessHead3()
{
    // PsInitialSystemProcess is declared in ntddk.h as PEPROCESS and already
    // holds the EPROCESS address, so it is used directly (no dereference)
    ULONG addr = (ULONG)PsInitialSystemProcess;
    // XP: _EPROCESS +0x088 ActiveProcessLinks : _LIST_ENTRY
    PLIST_ENTRY pList = (PLIST_ENTRY)(addr + 0x88);
    KdPrint(("PsActiveProcessHead address = %x\n", pList->Blink));
    return (ULONG)pList->Blink;
}
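The following stand-alone C program is an added example, not code from the original article. It models the ActiveProcessLinks list described in the definition at the top of the page in user mode, with a cut-down EPROCESS that keeps only UniqueProcessId and ActiveProcessLinks at their XP SP3 offsets 0x84 and 0x88 (the layout and the sample PIDs are constructed for the example), to show why the Blink of the System process's ActiveProcessLinks is PsActiveProcessHead as used by Methods Two and Three, and the check a driver should run before walking a head it derived this way: walk forward with a step bound and verify that every node's Flink->Blink and Blink->Flink point back at it, so a stale or corrupted link is reported instead of followed.

```c
/* Added example: user-mode model of the ActiveProcessLinks list used by
 * Methods Two and Three. MOCK_EPROCESS is not a real EPROCESS; it only keeps
 * UniqueProcessId and ActiveProcessLinks at their XP SP3 offsets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _MOCK_EPROCESS {
    uint8_t    Pcb[0x84];          /* KPROCESS and the fields before UniqueProcessId */
    uint32_t   UniqueProcessId;    /* XP SP3: _EPROCESS +0x084 */
    LIST_ENTRY ActiveProcessLinks; /* XP SP3: _EPROCESS +0x088 */
} MOCK_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((uint8_t *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* Same semantics as the kernel's InsertTailList: new entries go just before the head. */
static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Methods Two and Three: the head is the Blink of the first entry (System, PID 4). */
static LIST_ENTRY *DeriveHead(MOCK_EPROCESS *system) { return system->ActiveProcessLinks.Blink; }

/* Walk forward from a candidate head. Each node must be linked back to by both
 * neighbours and the walk must return to the head within max_nodes steps.
 * Returns the number of processes on the list, or -1 if the list is not sane. */
static int ValidateAndCount(LIST_ENTRY *head, int max_nodes)
{
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        if (e == NULL || e->Flink == NULL || e->Blink == NULL)
            return -1;
        if (e->Flink->Blink != e || e->Blink->Flink != e)
            return -1;
        if (++n > max_nodes)
            return -1;
    }
    return n;
}

/* Collect PIDs from a validated head; returns how many were written. */
static int EnumeratePids(LIST_ENTRY *head, uint32_t *pids, int cap)
{
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < cap; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Constructed sample: System first, as on a real XP system, then early boot processes. */
static LIST_ENTRY    g_PsActiveProcessHead;
static MOCK_EPROCESS g_procs[4];

static void BuildSampleList(void)
{
    static const uint32_t pids[] = { 4, 368, 584, 608 };
    InitializeListHead(&g_PsActiveProcessHead);
    memset(g_procs, 0, sizeof g_procs);
    for (int i = 0; i < 4; i++) {
        g_procs[i].UniqueProcessId = pids[i];
        InsertTailList(&g_PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
    }
}

size_t ExampleLayoutOffset(void) { return offsetof(MOCK_EPROCESS, ActiveProcessLinks); }

/* Both derivations (first entry's Blink, last entry's Flink) name the real head. */
int ExampleHeadDerivation(void)
{
    BuildSampleList();
    return DeriveHead(&g_procs[0]) == &g_PsActiveProcessHead &&
           g_procs[3].ActiveProcessLinks.Flink == &g_PsActiveProcessHead;
}

int ExampleValidatedCount(void)
{
    BuildSampleList();
    return ValidateAndCount(DeriveHead(&g_procs[0]), 64);
}

uint32_t ExampleLastPid(void)
{
    uint32_t pids[8];
    BuildSampleList();
    int n = EnumeratePids(DeriveHead(&g_procs[0]), pids, 8);
    return n > 0 ? pids[n - 1] : 0;
}

/* A node whose Blink no longer matches its predecessor must be rejected, not walked. */
int ExampleCorruptedListRejected(void)
{
    BuildSampleList();
    g_procs[2].ActiveProcessLinks.Blink = &g_procs[0].ActiveProcessLinks;
    return ValidateAndCount(&g_PsActiveProcessHead, 64) == -1;
}

int main(void)
{
    uint32_t pids[8];
    BuildSampleList();
    LIST_ENTRY *head = DeriveHead(&g_procs[0]);
    printf("derived head %p, real head %p, nodes %d\n",
           (void *)head, (void *)&g_PsActiveProcessHead, ValidateAndCount(head, 64));
    int n = EnumeratePids(head, pids, 8);
    for (int i = 0; i < n; i++)
        printf("PID %u\n", (unsigned)pids[i]);
    return 0;
}
```

The validation walk is the part worth carrying into a driver: a head obtained from a single Blink read is only as trustworthy as that one pointer, and bounding the walk plus checking both link directions on every node turns a bad guess (wrong offset on another Windows build, a torn list) into an error code instead of a kernel-mode read of an arbitrary address.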
Method Four: Each CPU has a KPCR structure, and on 32-bit Windows the KPCR of the first processor sits at the fixed address 0xFFDFF000. The KPCR member KdVersionBlock at offset 0x034 is a pointer to a DBGKD_GET_VERSION64 structure, which is also defined in wdbgexts.h. Its DebuggerDataList member is actually the address of KdpDebuggerDataListHead, and KdpDebuggerDataListHead.Flink == KdpDebuggerDataListHead.Blink == &KdDebuggerDataBlock, because the list holds only that one block and the LIST_ENTRY is the first member of KDDEBUGGER_DATA64. The chain is therefore KPCR -> KdVersionBlock -> DebuggerDataList -> KdDebuggerDataBlock -> PsActiveProcessHead. Check that KdVersionBlock is non-NULL before following it: it is only filled in on 32-bit kernels (on x64 it is always NULL).




Code:
ULONG FindPsActiveProcessHead4()
{
    PLIST_ENTRY pList;
    PKDDEBUGGER_DATA64 pKdDebuggerData;
    // KPCR of CPU 0 is at 0xFFDFF000 on x86; +0x034 is KdVersionBlock
    PDBGKD_GET_VERSION64 pKdVersionBlock = (PDBGKD_GET_VERSION64)(*(PULONG)(0xFFDFF000 + 0x34));
    if (!pKdVersionBlock)
    {
        KdPrint(("KdVersionBlock is NULL\n"));
        return 0;
    }
    KdPrint(("DebuggerDataList address = %x\n", (ULONG)pKdVersionBlock->DebuggerDataList));
    // DebuggerDataList is a ULONG64 holding the address of KdpDebuggerDataListHead
    pList = (PLIST_ENTRY)(ULONG_PTR)pKdVersionBlock->DebuggerDataList;
    KdPrint(("pList->Flink = %x, pList->Blink = %x\n", pList->Flink, pList->Blink));
    // The only list entry is the header of KdDebuggerDataBlock itself
    pKdDebuggerData = (PKDDEBUGGER_DATA64)pList->Flink;
    KdPrint(("PsActiveProcessHead address = %x\n", (ULONG)pKdDebuggerData->PsActiveProcessHead));
    return (ULONG)pKdDebuggerData->PsActiveProcessHead;
}
Method Five: Call NtSystemDebugControl through its SSDT entry (index 255 on XP SP3) with the SysDbgSysGetVersion command (the enumerator is named SysDbgQueryVersion in the ReactOS headers). The kernel fills in a DBGKD_GET_VERSION64 structure whose DebuggerDataList member leads to KdDebuggerDataBlock exactly as in Method Four, but without touching the KPCR. The function is not exported, so its address is read out of KeServiceDescriptorTable by a helper. Check the returned NTSTATUS before using the buffer; on later Windows versions the SysDbg commands are refused (STATUS_DEBUGGER_INACTIVE) unless kernel debugging is enabled.


Code:
// Prototype of the native function; it is not declared in the DDK headers
typedef NTSTATUS (NTAPI *ZwSystemDebugControl)(
    SYSDBG_COMMAND Command,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength,
    PULONG ReturnLength);

ULONG FindPsActiveProcessHead5()
{
    PLIST_ENTRY pList;
    DBGKD_GET_VERSION64 KdVersionBlock;
    PKDDEBUGGER_DATA64 pKdDebuggerData;
    ZwSystemDebugControl NtSystemDebugControl;
    NTSTATUS Status;

    // GetSsdtAddrFromIndex (helper, not shown) reads the entry from KeServiceDescriptorTable;
    // 255 is the index of NtSystemDebugControl on XP SP3
    NtSystemDebugControl = (ZwSystemDebugControl)GetSsdtAddrFromIndex(255);
    KdPrint(("NtSystemDebugControl function address = %x\n", NtSystemDebugControl));
    if (!NtSystemDebugControl)
        return 0;

    Status = NtSystemDebugControl(SysDbgSysGetVersion, NULL, 0,
                                  &KdVersionBlock, sizeof(DBGKD_GET_VERSION64), NULL);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("NtSystemDebugControl failed: %x\n", Status));
        return 0;
    }
    KdPrint(("DebuggerDataList = %x\n", (ULONG)KdVersionBlock.DebuggerDataList));
    // DebuggerDataList is the address of KdpDebuggerDataListHead, whose Flink is KdDebuggerDataBlock
    pList = (PLIST_ENTRY)(ULONG_PTR)KdVersionBlock.DebuggerDataList;
    KdPrint(("KdDebuggerDataBlock address = %x\n", pList->Flink));
    pKdDebuggerData = (PKDDEBUGGER_DATA64)pList->Flink;
    KdPrint(("PsActiveProcessHead address = %x\n", (ULONG)pKdDebuggerData->PsActiveProcessHead));
    return (ULONG)pKdDebuggerData->PsActiveProcessHead;
}