This post is another look at other people's code, part of the so-called "rise pose" series. The author wrote a function to get the PID of the CSRSS process, and I stared at it for a long time before I understood what it does. The code first:
```c
/* Author's helper (not shown on the page): calls ZwQuerySystemInformation with the
 * given class, growing the buffer until the table fits, and returns it or NULL. */
PVOID GetInfoTable(ULONG InfoClass);

/* Object-type index of Port objects. It is OS-build specific and the literal in the
 * original did not survive extraction, so this is a PLACEHOLDER to set for the target build. */
#define PORT_OBJECT_TYPE_NUMBER 0

HANDLE GetCsrPid(void)
{
    HANDLE Process, hObject;
    HANDLE Csrid = (HANDLE)0;
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID cid;
    UCHAR Buff[0x100];
    POBJECT_NAME_INFORMATION objName = (PVOID)&Buff;
    PSYSTEM_HANDLE_INFORMATION_EX Handles;
    ULONG r;

    Handles = GetInfoTable(SystemHandleInformation);
    if (!Handles)
        return Csrid;

    for (r = 0; r < Handles->NumberOfHandles; r++)
    {
        if (Handles->Information[r].ObjectTypeNumber == PORT_OBJECT_TYPE_NUMBER) // Port object
        {
            InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
            cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
            cid.UniqueThread = 0;

            // Zw rather than Nt: previous mode is then KernelMode, so the stack-resident
            // obj/cid pass parameter validation whatever thread the driver runs in.
            // PROCESS_DUP_HANDLE is all that is needed to pull a handle out of the owner.
            if (NT_SUCCESS(ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
            {
                // Duplicate the handle into our own process so it can be queried
                if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,
                                                 NtCurrentProcess(), &hObject, 0, 0, DUPLICATE_SAME_ACCESS)))
                {
                    if (NT_SUCCESS(ZwQueryObject(hObject, ObjectNameInformation, objName, 0x100, NULL)))
                    {
                        // Only csrss holds a handle to the \Windows\ApiPort port object
                        if (objName->Name.Buffer &&
                            !wcsncmp(L"\\Windows\\ApiPort", objName->Name.Buffer, wcslen(L"\\Windows\\ApiPort")))
                        {
                            Csrid = (HANDLE)Handles->Information[r].ProcessId;
                        }
                    }
                    ZwClose(hObject);
                }
                ZwClose(Process);
            }
        }
    }

    ExFreePool(Handles);
    return Csrid;
}
```
The author does the following. He calls ZwQuerySystemInformation with information class 16, SystemHandleInformation, which returns the system handle table. I had never used this class before, and its page cannot be found on MSDN; apparently the page is gone because the class is no longer supported (Windows 8). After searching for half a day I found the structures it returns:
```c
/* One entry of the table. The four fields the text walks through below are ProcessId,
 * ObjectTypeNumber, Handle and Object; Flags and GrantedAccess complete the known layout. */
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/* The whole table: a count followed by that many entries */
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
    ULONG                     NumberOfHandles;
    SYSTEM_HANDLE_INFORMATION Information[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
```
That is, each handle entry records:
- the PID of the process that owns the handle
- the type of the object the handle refers to
- the handle value (number)
- the pointer to the object the handle refers to
With the table in hand, the function picks out every handle to a Port object. It then duplicates each such handle into its own process (only then can the handle be operated on), queries the port object's name with ZwQueryObject, and compares it against \Windows\ApiPort. That port object is created by the CSRSS process, which is to say only the handle table of CSRSS contains this handle, so finding it identifies the CSRSS process.
In fact the handle does not need to be copied into our own process at all: the entry already carries a pointer to the object, from which the object name can be obtained directly. This was new to me: using a handle to find its owning process.
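The table walk described above, as an added example that is not code from the original post: the entry layout is the one reconstructed above, and the ZwOpenProcess/ZwDuplicateObject/ZwQueryObject chain is replaced by a resolver callback so the walk runs and can be checked outside the kernel. The type index, PIDs, handle values and the second-session csrss are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Entry layout the page reconstructs for SystemHandleInformation, in
 * fixed-width types so the walk compiles and runs outside the WDK. */
typedef struct {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    void    *Object;
    uint32_t GrantedAccess;
} HANDLE_ENTRY;

/* Stand-in for the ZwOpenProcess / ZwDuplicateObject / ZwQueryObject chain:
 * (owner PID, handle value) -> object name, or NULL when any step fails. */
typedef const wchar_t *(*name_resolver)(uint32_t pid, uint16_t handle);

/* Filter on the Port type index before touching any object, then compare the
 * full name: the page's prefix wcsncmp would also accept longer names. */
uint32_t find_owner_by_port_name(const HANDLE_ENTRY *e, size_t n, uint8_t port_type,
                                 const wchar_t *want, name_resolver resolve)
{
    for (size_t r = 0; r < n; r++) {
        if (e[r].ObjectTypeNumber != port_type) continue;
        const wchar_t *name = resolve(e[r].ProcessId, e[r].Handle);
        if (name && wcscmp(name, want) == 0) return e[r].ProcessId;
    }
    return 0;   /* no owner found */
}

/* Constructed sample: type index 21, PIDs and handle values are made up (the real
 * Port type index is OS-build specific). Each session runs its own csrss, and
 * only session 0's port is named \Windows\ApiPort. */
#define SAMPLE_PORT_TYPE 21
const HANDLE_ENTRY sample[] = {
    {   4, 28, 0, 0x04, NULL, 0 },  /* System: a file handle, dropped by the type filter */
    { 520, 21, 0, 0x1c, NULL, 0 },  /* csrss, session 0: its SbApiPort */
    { 520, 21, 0, 0x20, NULL, 0 },  /* csrss, session 0: the ApiPort */
    { 900, 21, 0, 0x20, NULL, 0 },  /* csrss, session 1: same handle value, other name */
};
const wchar_t *fake_resolve(uint32_t pid, uint16_t h)
{
    if (pid == 520 && h == 0x1c) return L"\\Windows\\SbApiPort";
    if (pid == 520 && h == 0x20) return L"\\Windows\\ApiPort";
    if (pid == 900 && h == 0x20) return L"\\Sessions\\1\\Windows\\ApiPort";
    return NULL;
}
```

Calling `find_owner_by_port_name(sample, 4, SAMPLE_PORT_TYPE, L"\\Windows\\ApiPort", fake_resolve)` returns 520; asking for the session 1 name returns 900, so a driver that wants every csrss has to search per session rather than stop at the first hit.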
Rise pose series: finding the CSRSS process ID in a kernel environment