Mapping Data & Create Structures, and Enums From Symbols
Using the 'dt' and 'struct' commands
In this example, we'll see how to change the process name of notepad.exe as shown in the Task Manager by using the 'dt' and 'struct' commands of HyperDbg.
From our previous Windows internals knowledge, we know that the process name is stored in the SeAuditProcessCreationInfo field of the process's _EPROCESS.
Note that there is also an ImageFileName field in the _EPROCESS. However, it's not what we're looking for, as it's not the field shown in the Task Manager.
Looking at the _EPROCESS, we see that SeAuditProcessCreationInfo is of type _SE_AUDIT_PROCESS_CREATION_INFO. Let's walk this structure recursively to see how Windows stores the process name.
```
HyperDbg> struct _SE_AUDIT_PROCESS_CREATION_INFO
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
{
  /* 0x0000 */ struct _OBJECT_NAME_INFORMATION* ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO; /* size: 0x0008 */


HyperDbg> struct _OBJECT_NAME_INFORMATION
typedef struct _OBJECT_NAME_INFORMATION
{
  /* 0x0000 */ struct _UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; /* size: 0x0010 */


HyperDbg> struct _UNICODE_STRING
typedef struct _UNICODE_STRING
{
  /* 0x0000 */ uint16_t Length;
  /* 0x0002 */ uint16_t MaximumLength;
  /* 0x0004 */ long Padding_0;
  /* 0x0008 */ wchar_t* Buffer;
} UNICODE_STRING, *PUNICODE_STRING; /* size: 0x0010 */
```
As you can see, we've reached a _UNICODE_STRING structure, and this is where Windows stores the process name. Now let's open notepad.exe.
As shown, the Process ID is 5616 in decimal. We can convert it to hex with the '.formats' command; the 0n prefix indicates that the value is given in decimal.
```
1: kHyperDbg> .format 0n5616
evaluate expression:
Hex : 00000000`000015f0
Decimal : 5616
Octal : 12760
Binary : 00000000 00000000 00000000 00000000 00000000 00000000 00010101 11110000
Char : ........
Time : 04/19/22 - 12:53AM
Float : 0.00 +3e-320 2.774673E-320
Double : 2.77467266704444059e-320
```
Now, we need to find the _EPROCESS of our target process. This can be done with the '.process' command.
```
1: kHyperDbg> .process list

...

PROCESS ffff948cc1517080
Process Id: 23d0 DirBase (Kernel Cr3): 00000000127c0002 Image: dllhost.exe

PROCESS ffff948cc2393080
Process Id: 15f0 DirBase (Kernel Cr3): 0000000190649002 Image: notepad.exe

PROCESS ffff948cc06f6080
Process Id: 0fc4 DirBase (Kernel Cr3): 000000002902c002 Image: Taskmgr.exe

...
```
After that, we'll map the _EPROCESS of notepad.exe to find the location of SeAuditProcessCreationInfo. As the output shows, it's located at offset +0x05c0 from the start of the _EPROCESS.
```
1: kHyperDbg> dt nt!_EPROCESS ffff948cc2393080
_EPROCESS

...

  +0x05b7 uint8_t PriorityClass : 0x2
  +0x05b8 void* SecurityPort : (null)
  +0x05c0 _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo : ffff948c`c25fa2a0
  +0x05c8 _LIST_ENTRY JobLinks : _LIST_ENTRY [ 00000000`00000000 - 00000000`00000000 ]

...
```
Now, we'll map it to _SE_AUDIT_PROCESS_CREATION_INFO to find the ImageFileName.
Before that, we want to rename notepad.exe to HyperDbg.exe. For this purpose, we need to convert "HyperDbg.exe" to hex and add a 00 byte after each character, because this field holds a UTF-16 (wide-character) string.
We read the pointer located at _EPROCESS+0x05c0 and overwrite the notepad.exe in the target _UNICODE_STRING by using the 'eb' command.
It's time to continue the debuggee and see the results.
As can be seen, the name changed to 'HyperDbg.ex' because we didn't update the Length field of the _UNICODE_STRING: Length still holds the byte count of 'notepad.exe' (11 characters, 22 bytes), so only the first 11 characters of the new name are displayed. Changing this value is left as an exercise for the reader.
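To make the Length pitfall concrete, here is an added example (not part of the HyperDbg documentation) that models the _UNICODE_STRING layout printed above over a constructed memory image. It produces the wide-char hex bytes one would enter with 'eb', shows that overwriting Buffer alone yields 'HyperDbg.ex', and that also fixing Length yields the full name; HEADER_VA, BUFFER_VA and the MaximumLength value are constructed, not taken from the page.

```python
import struct

# _UNICODE_STRING layout as shown by HyperDbg's 'struct' command (x64):
#   +0x0000 uint16_t Length         (bytes in use, NOT characters)
#   +0x0002 uint16_t MaximumLength  (bytes allocated for Buffer)
#   +0x0004 long     Padding_0
#   +0x0008 wchar_t* Buffer
UNICODE_STRING_FMT = "<HHiQ"
UNICODE_STRING_SIZE = struct.calcsize(UNICODE_STRING_FMT)  # 0x10, matches 'size: 0x0010'

HEADER_VA = 0x0000  # constructed: offset of the _UNICODE_STRING in our fake memory
BUFFER_VA = 0x1000  # constructed: offset of its wide-char Buffer in our fake memory


def wide_hex(name: str) -> str:
    """Bytes of the UTF-16LE name as they would be typed into 'eb' ("48 00 79 00 ...")."""
    return " ".join(f"{b:02x}" for b in name.encode("utf-16-le"))


def make_memory(name: str, maximum_length: int) -> bytearray:
    """Constructed memory image holding a _UNICODE_STRING whose Buffer names `name`."""
    raw = name.encode("utf-16-le")
    if len(raw) > maximum_length:
        raise ValueError("name does not fit in MaximumLength")
    mem = bytearray(BUFFER_VA + maximum_length)
    struct.pack_into(UNICODE_STRING_FMT, mem, HEADER_VA, len(raw), maximum_length, 0, BUFFER_VA)
    mem[BUFFER_VA:BUFFER_VA + len(raw)] = raw
    return mem


def read_name(mem: bytearray) -> str:
    """What a consumer such as Task Manager sees: exactly Length bytes of Buffer."""
    length, _max_len, _pad, buf = struct.unpack_from(UNICODE_STRING_FMT, mem, HEADER_VA)
    return mem[buf:buf + length].decode("utf-16-le")


def patch_name(mem: bytearray, new_name: str, update_length: bool) -> str:
    """Model the 'eb' edit: overwrite Buffer with the new wide string and optionally
    fix Length too. Refuses to write past MaximumLength; a raw 'eb' would not stop
    you, the extra bytes would simply land in whatever follows the buffer."""
    length, max_len, pad, buf = struct.unpack_from(UNICODE_STRING_FMT, mem, HEADER_VA)
    raw = new_name.encode("utf-16-le")
    if len(raw) > max_len:
        raise ValueError(f"{new_name!r} needs {len(raw)} bytes, MaximumLength is {max_len}")
    mem[buf:buf + len(raw)] = raw
    if update_length:
        struct.pack_into(UNICODE_STRING_FMT, mem, HEADER_VA, len(raw), max_len, pad, buf)
    return read_name(mem)
```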
That's it. In this example, we saw how the structure mapping commands in HyperDbg can be used to change the process name shown in the Task Manager.