How does PsGetCurrentProcess locate the active process list (ActiveProcessLinks)?

Source: Internet
Author: User


I once saw an article saying that you can use the "active process chain" (ActiveProcessLinks) to hide or detect processes, but I was never clear on how to locate it. The book "Rootkit" says that the EPROCESS can be obtained through the PsGetCurrentProcess function, but the explanation in the book is vague and I never understood it.

Today I used WinDbg to look at the various structures and finally figured it out.

Disassembling PsGetCurrentProcess (with the local kernel debugger, XP SP2 x86) gives the following:

lkd> u nt!PsGetCurrentProcess
nt!PsGetCurrentProcess:
8052b52c 64a124010000    mov     eax,dword ptr fs:[00000124h]
8052b532 8b4044          mov     eax,dword ptr [eax+44h]
8052b535 c3              ret

On x86, in user mode the FS segment base is the TEB, while in kernel mode the FS segment base is the KPCR (Kernel Processor Control Region). Looking at the KPCR layout, FS:[0x120] is the embedded KPRCB (Kernel Processor Control Block), the PrcbData member:

lkd> dt nt!_KPCR
nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 DebugActive      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

Expanding the KPRCB, CurrentThread sits at offset 0x004, so FS:[0x120 + 0x004] = FS:[0x124] is the current KTHREAD:

lkd> dt nt!_KPRCB
nt!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
   +0x00c IdleThread       : Ptr32 _KTHREAD

The remaining members of this structure are omitted.

Now the KTHREAD. ApcState is at offset 0x034, and the Process member is at offset 0x010 inside KAPC_STATE, so KTHREAD+0x44 is the KPROCESS pointer:

lkd> dt nt!_KTHREAD -v -r
Matched nt!_KTHREAD
nt!_KTHREAD
struct _KTHREAD, 73 elements, 0x1c0 bytes
   +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
      +0x000 Type             : UChar
      +0x001 Absolute         : UChar
      +0x002 Size             : UChar
      +0x003 Inserted         : UChar
      +0x004 SignalState      : Int4B
      +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x004 Blink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
   +0x010 MutantListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x004 Blink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x004 Blink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x004 Blink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
   +0x018 InitialStack     : Ptr32 to Void
   +0x01c StackLimit       : Ptr32 to Void
   +0x020 Teb              : Ptr32 to Void
   +0x024 TlsArray         : Ptr32 to Void
   +0x028 KernelStack      : Ptr32 to Void
   +0x02c DebugActive      : UChar
   +0x02d State            : UChar
   +0x02e Alerted          : [2] UChar
   +0x030 Iopl             : UChar
   +0x031 NpxState         : UChar
   +0x032 Saturation       : Char
   +0x033 Priority         : Char
   +0x034 ApcState         : struct _KAPC_STATE, 5 elements, 0x18 bytes
      +0x000 ApcListHead      : [2] struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x004 Blink            : Ptr32 to struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x010 Process          : Ptr32 to struct _KPROCESS, 29 elements, 0x6c bytes

That completes the path PsGetCurrentProcess follows: fs:[0x124] is KPCR.PrcbData.CurrentThread, and [KTHREAD+0x44] is KTHREAD.ApcState.Process.

Checking the DDK documentation, Microsoft describes PsGetCurrentProcess as follows:

PsGetCurrentProcess returns a pointer to the process of the current thread.

PEPROCESS
PsGetCurrentProcess(
    VOID
    );

The documented return type is PEPROCESS, an EPROCESS pointer. Our analysis, however, shows the function returning the KTHREAD.ApcState.Process member, which is a KPROCESS pointer.

So is the return value of PsGetCurrentProcess both an EPROCESS pointer and a KPROCESS pointer?

With that question in mind, let's continue:

lkd> dt nt!_EPROCESS
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY

The first member of EPROCESS is Pcb, the embedded KPROCESS, at offset 0x000. The EPROCESS address and the KPROCESS address are therefore the same, which is why the return value of PsGetCurrentProcess is both at once. At EPROCESS offset 0x84 is UniqueProcessId, the PID, and at offset 0x88 (on my system, XP SP2) is ActiveProcessLinks, the active process list we were looking for. Each entry's Flink and Blink point at the ActiveProcessLinks member of the neighbouring EPROCESS, not at its start, so a walker subtracts 0x88 (CONTAINING_RECORD) to get back to the EPROCESS. These offsets differ between Windows versions and service packs, so code that relies on them should obtain them from symbols rather than hardcoding them.
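The whole lookup chain above, as an added example that is not part of the original post: a user-mode C simulation of the XP SP2 x86 layout, where "kernel memory" is a constructed byte array at an assumed base address and every offset comes from the dt output on this page. It reproduces the two instructions of PsGetCurrentProcess, walks ActiveProcessLinks with the CONTAINING_RECORD subtraction, and then unlinks one entry to show why a list walk no longer sees a process that is still current and still runs. The fake base address, object placement and PIDs are invented for the example.

```c
/*
 * Added example (not from the original post): user-mode simulation of the
 * XP SP2 x86 structure layout discussed above. "Kernel memory" is a
 * constructed byte array; the base address, object placement and PIDs are
 * assumptions, the offsets are the ones shown by dt on this page.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEM_BASE   0x80000000u          /* assumed fake kernel VA of the image */
#define MEM_SIZE   0x4000u
static uint8_t g_mem[MEM_SIZE];         /* constructed "kernel memory" */

/* offsets from the dt output */
#define KPCR_PRCBDATA        0x120u     /* _KPCR.PrcbData               */
#define KPRCB_CURRENTTHREAD  0x004u     /* _KPRCB.CurrentThread         */
#define KTHREAD_APCSTATE     0x034u     /* _KTHREAD.ApcState            */
#define KAPC_STATE_PROCESS   0x010u     /* _KAPC_STATE.Process          */
#define EPROCESS_PCB         0x000u     /* _EPROCESS.Pcb (the KPROCESS) */
#define EPROCESS_PID         0x084u     /* _EPROCESS.UniqueProcessId    */
#define EPROCESS_LINKS       0x088u     /* _EPROCESS.ActiveProcessLinks */

/* assumed placement of the fake objects inside the image */
#define FAKE_KPCR     (MEM_BASE + 0x0000u)
#define FAKE_KTHREAD  (MEM_BASE + 0x1000u)
#define EPROC_A       (MEM_BASE + 0x2000u)   /* PID 4   */
#define EPROC_B       (MEM_BASE + 0x2300u)   /* PID 100, the "current" process */
#define EPROC_C       (MEM_BASE + 0x2600u)   /* PID 200 */

static uint32_t rd32(uint32_t va) { uint32_t v; memcpy(&v, &g_mem[va - MEM_BASE], 4); return v; }
static void     wr32(uint32_t va, uint32_t v) { memcpy(&g_mem[va - MEM_BASE], &v, 4); }

/* Set e's LIST_ENTRY (at e+0x88) to point at its neighbours' LIST_ENTRYs. */
static void link_between(uint32_t prev, uint32_t e, uint32_t next) {
    wr32(e + EPROCESS_LINKS,     next + EPROCESS_LINKS);   /* Flink */
    wr32(e + EPROCESS_LINKS + 4, prev + EPROCESS_LINKS);   /* Blink */
}

/* Build the fake image; returns the FS base (the KPCR) kernel code would use. */
uint32_t build_fake_kernel(void) {
    memset(g_mem, 0, sizeof g_mem);
    wr32(FAKE_KPCR + KPCR_PRCBDATA + KPRCB_CURRENTTHREAD, FAKE_KTHREAD);
    wr32(FAKE_KTHREAD + KTHREAD_APCSTATE + KAPC_STATE_PROCESS, EPROC_B + EPROCESS_PCB);
    wr32(EPROC_A + EPROCESS_PID, 4);
    wr32(EPROC_B + EPROCESS_PID, 100);
    wr32(EPROC_C + EPROCESS_PID, 200);
    link_between(EPROC_C, EPROC_A, EPROC_B);   /* circular list: A -> B -> C -> A */
    link_between(EPROC_A, EPROC_B, EPROC_C);
    link_between(EPROC_B, EPROC_C, EPROC_A);
    return FAKE_KPCR;
}

/* The two instructions of PsGetCurrentProcess:
 *   mov eax, fs:[124h]   ; KPCR.PrcbData.CurrentThread
 *   mov eax, [eax+44h]   ; KTHREAD.ApcState.Process
 * The result is the KPROCESS, which is also the EPROCESS because Pcb is at 0. */
uint32_t ps_get_current_process(uint32_t fs_base) {
    uint32_t kthread = rd32(fs_base + KPCR_PRCBDATA + KPRCB_CURRENTTHREAD);
    return rd32(kthread + KTHREAD_APCSTATE + KAPC_STATE_PROCESS) - EPROCESS_PCB;
}

/* Walk ActiveProcessLinks starting at start; CONTAINING_RECORD is entry - 0x88. */
size_t walk_active_process_list(uint32_t start, uint32_t *pids, size_t max) {
    uint32_t head = start + EPROCESS_LINKS, entry = head;
    size_t n = 0;
    do {
        if (n == max) break;                       /* guard against a corrupted cycle */
        pids[n++] = rd32(entry - EPROCESS_LINKS + EPROCESS_PID);
        entry = rd32(entry);                       /* Flink */
    } while (entry != head);
    return n;
}

uint32_t pid_at(uint32_t start, size_t index) {
    uint32_t pids[16];
    size_t n = walk_active_process_list(start, pids, 16);
    return index < n ? pids[index] : 0;
}

size_t list_length(uint32_t start) { uint32_t p[16]; return walk_active_process_list(start, p, 16); }

/* DKOM "hide": splice the entry out and make it point at itself. The process
 * keeps running and PsGetCurrentProcess still returns it; only walkers lose it. */
uint32_t unlink_process(uint32_t eproc) {
    uint32_t entry = eproc + EPROCESS_LINKS;
    uint32_t flink = rd32(entry), blink = rd32(entry + 4);
    wr32(blink, flink);        /* Blink->Flink = Flink */
    wr32(flink + 4, blink);    /* Flink->Blink = Blink */
    wr32(entry, entry);        /* self-loop so a later RemoveEntryList won't touch neighbours */
    wr32(entry + 4, entry);
    return eproc;
}

int main(void) {
    uint32_t fs = build_fake_kernel(), pids[16];
    uint32_t cur = ps_get_current_process(fs);
    size_t n = walk_active_process_list(cur, pids, 16);
    printf("current EPROCESS %08x pid %u, list:", cur, pid_at(cur, 0));
    for (size_t i = 0; i < n; i++) printf(" %u", pids[i]);
    unlink_process(cur);
    printf("\nafter unlinking pid %u, a walk from pid 4 sees %zu entries; current is still %08x\n",
           pid_at(cur, 0), list_length(EPROC_A), ps_get_current_process(fs));
    return 0;
}
```

The walk starts at whatever EPROCESS the caller has in hand, which mirrors how a driver would do it: take PsGetCurrentProcess(), follow Flink, subtract the ActiveProcessLinks offset. The unlink shows why a list-based enumeration alone cannot be trusted for detection; the hidden process is still returned by PsGetCurrentProcess when its thread runs, so a detector needs a second source of truth (the scheduler's thread lists, handle tables, or a pool scan) to compare against.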

These are my learning gains from today. If you think something is wrong, please correct me.
