June 2019

Hey guys. I'm finalizing a driver on Windows and am faced with a problem. I'm trying to get PPEB via ZwQueryInformationProcess but I get error codes 0xC0000008 or 0xC0000024.
I read the doc but I'm sure that the handlers are correct. I got it via ZwQuerySystemInformation and looping (PSYSTEM_PROCESS_INFORMATION elements).
OS: Windows 10, x86.
The main goal is getting PPEB. If you know another approach for this, please share it.

P.S. To be sure that you got it

— Bsod?

— No. Just returned code

— Ok. Can you read the exception thrown?


    KeStackAttachProcess(pProcess, &apc);

    status = ZwQueryInformationProcess(processId, ProcessBasicInformation,
                                       &pbi, sizeof(pbi), NULL);

    if (!NT_SUCCESS(status))
        InjDbgPrint("[injlib]: Couldn't get basic information process. Aborting. (PID: %u, x86, Name: '%s'); LastCode: 0x%X\n",
                    processId, PsGetProcessImageFileName(pProcess), status);

— In event manager

— Within __try and __except.
Of course.

— Hmmm. I didn't try it. Give me a few minutes, I will try to do it.