PsActiveProcessHead is a pointer to the start of the kerne's list of _EPROCESS structures.
1. Get the FS register value: 0xffdff000, which points to the Kernel Processor Control Region (KPCR) structure
2. KDVersionBlock is at the offset 0x34 of KPCR
3. Get the KdVersionBlock value: 0x8054c738 (run x /20w 0xffdff034 in QEMU monitor)
4. PsActiveProcessHead is at the offset 0x78 of KdVersionBlock, which is at location 0x8054c7b0
5. Get the PsActiveProcessHead value: 0x80560bd8 ( run x /20w 0x8054c7b0)
6. See the LIST_ENTRY field of PsActiveProcessHead, and it is a double linked list.
7. See the process name ( run x /20c location)
7. See the process name ( run x /20c location)
More Info:
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
2 comments:
hi, thanks this post. I am new at qemu. and I have a question that how can I do the last 2 step? how to see LIST_ENTRY. and what does location mean?
i mean can i show process name in qemu?
Post a Comment