
I have this piece of code as part of a driver. This driver is for Windows 7 x64, so it executes on the same system.

PVOID GetProcessInformation(ULONG PID)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    HANDLE hProcess = NULL;
    PEPROCESS pProcess = NULL;
    PVOID pProcInfo = NULL;
    ULONG ulRet = 0;

    // Caller owns the returned buffer and must ExFreePool it.
    if ((pProcInfo = ExAllocatePoolWithTag(NonPagedPool, sizeof(PROCESS_BASIC_INFORMATION), 'QPI')) == NULL) {
        DbgPrint("ExAllocatePoolWithTag failed\n");
        return NULL;
    }

    // PsLookupProcessByProcessId takes the PID as a HANDLE, not a ULONG.
    ntStatus = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &pProcess);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("PsLookupProcessByProcessId Returned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    }

    ntStatus = ObOpenObjectByPointer(pProcess, 0, NULL, 0, 0, KernelMode, &hProcess);
    // The lookup took a reference on the EPROCESS; on success the handle holds
    // its own, so the reference is dropped on both the success and failure path.
    ObDereferenceObject(pProcess);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ObOpenObjectByPointer Returned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    }

    ntStatus = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, pProcInfo, sizeof(PROCESS_BASIC_INFORMATION), &ulRet);
    ZwClose(hProcess);  // the handle is no longer needed once the query has run
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ZwQueryInformationProcess Returned: 0x%08x\n", ntStatus);
        ExFreePool(pProcInfo);
        return NULL;
    }
    if (ulRet != sizeof(PROCESS_BASIC_INFORMATION))
        DbgPrint("Warning : ZwQueryInformationProcess Returned Length is different than ProcessInformationLength\n");

    // The PEB base is ((PPROCESS_BASIC_INFORMATION)pProcInfo)->PebBaseAddress.
    return pProcInfo;
}

PROCESS_BASIC_INFORMATION is defined in ntddk. The PID value is correct. But the result of ZwQueryInformationProcess is odd. I get only the lower part of the PEB address (the PPEB part of the PROCESS_BASIC_INFORMATION structure). For example, another tool says PPEB is equal to 0x000007FFFFFDC000. My driver knows only 0xFFFDC000. I also tried the PsGetProcessPeb(...) function, with the same result. The ZwQueryInformationProcess function succeeds.

Corrected:
To address the "I get only lower part of PEB address" part of your question: because pProcess is a pointer, use the pointer format specifier, %p.

ntStatus = PsLookupProcessByProcessId(PID, &pProcess);
// your error handling code
// DbgPrint is the kernel-mode equivalent of printf; %p prints the whole pointer on both 32-bit and 64-bit builds.
DbgPrint("PsLookupProcessByProcessId: 0x%p\n", pProcess);

The "%p" pointer format specifier displays the argument as a hexadecimal address.

Thank you for the answer and for the solution. Do I need to use a long long type variable to store the address on the application side? – Thomas Andersen Apr 24, 2019 at 17:16

PEPROCESS is a pointer type (a pointer to an EPROCESS structure). To print a pointer type, use the p format specifier. long long (as well as %llx) is wrong for 2 reasons: long long is signed (a pointer isn't), and it has the wrong size on a 32-bit build. – IInspectable Apr 25, 2019 at 10:03

@IInspectable - I should have had my coffee before answering yesterday! Thank you for pointing out my error. It has been corrected. – ryyker Apr 25, 2019 at 13:47

@ThomasAndersen - Please note the correction to this answer. %llx is not the right way to print an address pointer variable. Sorry for that mistake. – ryyker Apr 25, 2019 at 13:57
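The truncation the question describes, as an added example that is not from the question or the answer: it renders the PEB base address quoted above (0x000007FFFFFDC000) the way a 32-bit conversion reads it and the way a width-correct conversion reads it, in ordinary user-mode C so it compiles without the WDK. The function names and the choice to carry the address as a uint64_t are this example's own; in the driver the pointer itself is passed to DbgPrint with %p, as the answer says, and the same %p works unchanged on a 32-bit build where long long would be the wrong width.

```c
/* Added example: why a 64-bit address shows up as its low 32 bits when it is
 * printed through a 32-bit conversion, and what the full rendering looks like.
 * Everything is user-mode C; the sample address is the one quoted in the question. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulates what "%x" / "%08x" effectively reads from a 64-bit pointer argument on
 * x64: only the low 32 bits. The cast makes the truncation explicit (and well
 * defined) instead of relying on a mismatched format specifier. */
const char *render_truncated(uint64_t addr, char *out, size_t n)
{
    snprintf(out, n, "0x%08X", (unsigned int)addr);
    return out;
}

/* The full rendering. For a real pointer variable this is what "%p" gives;
 * here the value is carried as uint64_t, so PRIX64 is the matching specifier. */
const char *render_full(uint64_t addr, char *out, size_t n)
{
    snprintf(out, n, "0x%016" PRIX64, addr);
    return out;
}

/* True when the truncated rendering would hide non-zero upper bits, i.e. when a
 * log line printed with the wrong specifier is misleading rather than just short. */
int loses_upper_bits(uint64_t addr)
{
    return (addr >> 32) != 0;
}

int main(void)
{
    /* Constructed input: the PEB base the question's other tool reported. */
    const uint64_t peb = 0x000007FFFFFDC000ULL;
    char buf[32];

    printf("truncated : %s\n", render_truncated(peb, buf, sizeof buf)); /* 0xFFFDC000 */
    printf("full      : %s\n", render_full(peb, buf, sizeof buf));      /* 0x000007FFFFFDC000 */
    printf("upper bits lost: %d\n", loses_upper_bits(peb));

    /* For an actual pointer, %p is portable across 32- and 64-bit builds. */
    printf("address of buf via %%p: %p\n", (void *)buf);
    return 0;
}
```

The truncated string is exactly the value the question's driver logged, which is the symptom of a 32-bit format conversion rather than of a short value coming back from ZwQueryInformationProcess.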
