kevoreilly / capemon

capemon: CAPE's monitor
GNU General Public License v3.0

Question: Defining new log function for Attribute #22

Closed 3ntr0phy closed 3 years ago

3ntr0phy commented 3 years ago

Hello, I am trying to extract more information from the API NtCreateUserProcess, in particular from the argument AttributeList. I defined the PPS_ATTRIBUTE_LIST as follows, taking the definition from https://github.com/processhacker/processhacker/blob/master/phnt/include/ntpsapi.h

typedef struct _PS_ATTRIBUTE
{
    ULONG_PTR Attribute;
    SIZE_T Size;
    union
    {
        ULONG_PTR Value;
        PVOID ValuePtr;
    };
    PSIZE_T ReturnLength;
} PS_ATTRIBUTE, *PPS_ATTRIBUTE;

typedef struct _PS_ATTRIBUTE_LIST
{
    SIZE_T TotalLength;
    PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;

I am trying to log and print the ULONG_PTR Value, but all my trials failed. Do you have any suggestions on how to do that? Cheers

3ntr0phy commented 3 years ago

nvm done

kevoreilly commented 3 years ago

Did you find anything of interest?

3ntr0phy commented 3 years ago

I needed these extra logs for debugging reasons :) It may include interesting info as well!
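One way to walk the AttributeList from the question and render each entry's Value for a log line, as an added example that is not from this thread or from capemon's own code. The Windows types are replaced with portable stand-ins, and `MAX_LOGGED_ATTRIBUTES`, `ps_attribute_count` and `format_ps_attributes` are hypothetical names; the entry count is derived from TotalLength, which covers the header plus every PS_ATTRIBUTE entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable stand-ins for the Windows types so the sketch builds anywhere. */
typedef uintptr_t ULONG_PTR;
typedef size_t SIZE_T, *PSIZE_T;
typedef void *PVOID;

typedef struct _PS_ATTRIBUTE {
    ULONG_PTR Attribute;
    SIZE_T Size;
    union { ULONG_PTR Value; PVOID ValuePtr; };
    PSIZE_T ReturnLength;
} PS_ATTRIBUTE;

typedef struct _PS_ATTRIBUTE_LIST {
    SIZE_T TotalLength;
    PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST;

#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff /* as defined in phnt's ntpsapi.h */
#define MAX_LOGGED_ATTRIBUTES 32            /* hypothetical cap: the list is caller-supplied */

/* Entry count implied by TotalLength (header + N * sizeof(PS_ATTRIBUTE)). */
size_t ps_attribute_count(const PS_ATTRIBUTE_LIST *list)
{
    size_t header = offsetof(PS_ATTRIBUTE_LIST, Attributes);
    if (!list || list->TotalLength < header) return 0;
    size_t n = (list->TotalLength - header) / sizeof(PS_ATTRIBUTE);
    return n > MAX_LOGGED_ATTRIBUTES ? MAX_LOGGED_ATTRIBUTES : n;
}

/* Writes one line per attribute into out; returns the number of entries fully logged. */
size_t format_ps_attributes(const PS_ATTRIBUTE_LIST *list, char *out, size_t outlen)
{
    size_t n = ps_attribute_count(list), used = 0, i;
    if (outlen) out[0] = '\0';
    for (i = 0; i < n && used < outlen; i++) {
        const PS_ATTRIBUTE *a = &list->Attributes[i];
        int w = snprintf(out + used, outlen - used,
                         "[%zu] Attribute=0x%llx Number=%llu Size=%zu Value=0x%llx\n",
                         i, (unsigned long long)a->Attribute,
                         (unsigned long long)(a->Attribute & PS_ATTRIBUTE_NUMBER_MASK),
                         a->Size, (unsigned long long)a->Value);
        if (w < 0 || (size_t)w >= outlen - used) { out[used] = '\0'; break; }
        used += (size_t)w; /* entry fit completely; advance past it */
    }
    return i;
}
```

Inside a hook the list pointer comes from the monitored process, so these reads belong under whatever exception guard the monitor already applies to caller-supplied memory. Value and ValuePtr share storage, so the logged number is a pointer for attributes that pass a buffer.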