Bug in GetProcessIDFromProcessHandle

[wmsuper]

NtQueryInformationProcess return STATUS_ACCESS_VIOLATION Nt* function may need system thread context System:win7 x64

[Mattiwatti]

What do you mean by "may need system thread context"? If you call an Nt function from within a system thread context, it is the same as calling the Zw function. In that case a STATUS_ACCESS_VIOLATION exception would have been a BSOD instead of an error status because no probing would have been done. The error lies with the user mode caller passing an invalid buffer.

[wmsuper]

I am not sure what caused the failure. Can you reproduce bug in win7 x64？ GetProcessIDFromProcessHandle always return 0 because NtQueryInformationProcess fail. The bug make HookNtQueryInformationProcess do not work.

[Mattiwatti]

Ah, you're right. This is indeed caused by calling NtQIP and not ZwQIP. The reason is that the buffer is allocated in kernel space, which will cause NtQIP to return STATUS_ACCESS_VIOLATION. I haven't actually tested that this will fix it but it seems pretty clear from the source code, and this was a recent change I made.

The original issue I fixed was this: if you call ZwQIP with a user (non-kernel) handle, you get a bugcheck when running Driver Verifier because you're not supposed to pass user handles to Zw functions. However, the new issue is that calling NtQIP with a buffer residing in kernel address space (i.e. always) will result in a STATUS_ACCESS_VIOLATION because the buffer address is > MmUserProbeAddress.

I will fix this by reverting the change for now, because while the DV issue is fixable, it seems overkill to call NtAllocateVirtualMemory to allocate 48 bytes and then NtFreeVirtualMemory them again afterwards just to issue the NtQIP call.

Good catch considering there isn't even any logging when this NtQIP call fails...

[Mattiwatti]

I redid the original fix in 43a6592, but I forgot to tag this issue. In my tests this now fixes both STATUS_ACCESS_VIOLATION and the Driver Verifier bugcheck.