Mapping Data & Create Structures, and Enums From Symbols
Using the 'dt' and the 'struct' commands
From our previous Windows internals knowledge, we know that the process name is available in the
SeAuditProcessCreationInfo field of the process's _EPROCESS.Note that there is an
ImageFileName field in the _EPROCESS. However, it's not what we're looking for as it's not the field shown in the Task Manager.After looking at the
_EPROCESS, we see that the SeAuditProcessCreationInfo is of the _SE_AUDIT_PROCESS_CREATION_INFO type. Let's see this structure recursively to see how Windows stores the process name.1
HyperDbg> struct _SE_AUDIT_PROCESS_CREATION_INFO
2
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
3
{
4
/* 0x0000 */ struct _OBJECT_NAME_INFORMATION* ImageFileName;
5
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO; /* size: 0x0008 */
6
​
7
​
8
HyperDbg> struct _OBJECT_NAME_INFORMATION
9
typedef struct _OBJECT_NAME_INFORMATION
10
{
11
/* 0x0000 */ struct _UNICODE_STRING Name;
12
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; /* size: 0x0010 */
13
​
14
​
15
HyperDbg> struct _UNICODE_STRING
16
typedef struct _UNICODE_STRING
17
{
18
/* 0x0000 */ uint16_t Length;
19
/* 0x0002 */ uint16_t MaximumLength;
20
/* 0x0004 */ long Padding_0;
21
/* 0x0008 */ wchar_t* Buffer;
22
} UNICODE_STRING, *PUNICODE_STRING; /* size: 0x0010 */
Copied!
As you can see, we've reached a
_UNICODE_STRING structure, and this is where Windows stores the process name. Now let's open notepad.exe.
As demonstrated, the Process ID is 5616 in decimal. We can convert it to the hex format by using the '.formats' command by adding a 0n prefix which indicates that the value is in decimal format.
1
1: kHyperDbg> .format 0n5616
2
evaluate expression:
3
Hex : 00000000`000015f0
4
Decimal : 5616
5
Octal : 12760
6
Binary : 00000000 00000000 00000000 00000000 00000000 00000000 00010101 11110000
7
Char : ........
8
Time : 04/19/22 - 12:53AM
9
Float : 0.00 +3e-320 2.774673E-320
10
Double : 2.77467266704444059e-320
Copied!
Now, we need to find the
_EPROCESS of our target process. It's possible by using the '.process' command.1
1: kHyperDbg> .process list
2
​
3
...
4
​
5
PROCESS ffff948cc1517080
6
Process Id: 23d0 DirBase (Kernel Cr3): 00000000127c0002 Image: dllhost.exe
7
​
8
PROCESS ffff948cc2393080
9
Process Id: 15f0 DirBase (Kernel Cr3): 0000000190649002 Image: notepad.exe
10
​
11
PROCESS ffff948cc06f6080
12
Process Id: 0fc4 DirBase (Kernel Cr3): 000000002902c002 Image: Taskmgr.exe
13
...
Copied!
After that, we'll map the
_EPROCESS of the notepad.exe to find the location of SeAuditProcessCreationInfo. As is evident, it's located at +0x05c0 from the start of the _EPROCESS.1
1: kHyperDbg> dt nt!_EPROCESS ffff948cc2393080
2
_EPROCESS
3
​
4
...
5
​
6
+0x05b7 uint8_t PriorityClass : 0x2
7
+0x05b8 void* SecurityPort : (null)
8
+0x05c0 _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo : ffff948c`c25fa2a0
9
+0x05c8 _LIST_ENTRY JobLinks : _LIST_ENTRY [ 00000000`00000000 - 00000000`00000000 ]
10
...
Copied!
Now, we'll map it to
_SE_AUDIT_PROCESS_CREATION_INFO to find the ImageFileName.
Before that, we want to convert the notepad.exe to HyperDbg.exe. For this purpose, we need to convert "HyperDbg.exe" to the hex format and add 00 to each character because this field is in Unicode format.
We read the pointer located at
_EPROCESS+0x05c0 and modify the notepad.exe in the target _UNCODE_STRING by using the 'eb' command.
It's time to continue the debuggee and see the results.
As it might be seen, it's changed to 'HyperDbg.ex' because we didn't update the
Length field of the _UNICODE_STRING. Changing this value is left as an exercise for the reader.That's it. In this example, we saw how we could use the structure mapping commands in HyperDbg to change the process name in the Task Manager.
Last modified 2mo ago
Copy link
Edit on GitHub