search
DownloadResearchTutorialhwdbg
githubEdit

Mapping Data & Create Structures, and Enums From Symbols

Using the 'dt' and the 'struct' commands

In this example, we'll see how to change the process name of the notepad.exe in the Task Manager by utilizing the 'dtarrow-up-right' and the 'structarrow-up-right' commands of the HyperDbg.

From our previous Windows internals knowledge, we know that the process name is available in the SeAuditProcessCreationInfo field of the process's _EPROCESS.

Note that there is an ImageFileName field in the _EPROCESS. However, it's not what we're looking for as it's not the field shown in the Task Manager.

After looking at the _EPROCESS, we see that the SeAuditProcessCreationInfo is of the _SE_AUDIT_PROCESS_CREATION_INFO type. Let's see this structure recursively to see how Windows stores the process name.

HyperDbg> struct _SE_AUDIT_PROCESS_CREATION_INFO
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
{
  /* 0x0000 */ struct _OBJECT_NAME_INFORMATION* ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO; /* size: 0x0008 */


HyperDbg> struct _OBJECT_NAME_INFORMATION
typedef struct _OBJECT_NAME_INFORMATION
{
  /* 0x0000 */ struct _UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; /* size: 0x0010 */


HyperDbg> struct _UNICODE_STRING
typedef struct _UNICODE_STRING
{
  /* 0x0000 */ uint16_t Length;
  /* 0x0002 */ uint16_t MaximumLength;
  /* 0x0004 */ long Padding_0;
  /* 0x0008 */ wchar_t* Buffer;
} UNICODE_STRING, *PUNICODE_STRING; /* size: 0x0010 */

As you can see, we've reached a _UNICODE_STRING structure, and this is where Windows stores the process name. Now let's open notepad.exe.

As demonstrated, the Process ID is 5616 in decimal. We can convert it to the hex format by using the '.formatsarrow-up-right' command by adding a 0n prefix which indicates that the value is in decimal format.

Now, we need to find the _EPROCESS of our target process. It's possible by using the '.processarrow-up-right' command.

After that, we'll map the _EPROCESS of the notepad.exe to find the location of SeAuditProcessCreationInfo. As is evident, it's located at +0x05c0 from the start of the _EPROCESS.

Now, we'll map it to _SE_AUDIT_PROCESS_CREATION_INFO to find the ImageFileName.

Before that, we want to convert the notepad.exe to HyperDbg.exe. For this purpose, we need to convert "HyperDbg.exe" to the hex format and add 00 to each character because this field is in Unicode format.

We read the pointer located at _EPROCESS+0x05c0 and modify the notepad.exe in the target _UNCODE_STRING by using the 'ebarrow-up-right' command.

It's time to continue the debuggee and see the results.

As it might be seen, it's changed to 'HyperDbg.ex' because we didn't update the Length field of the _UNICODE_STRING. Changing this value is left as an exercise for the reader.

That's it. In this example, we saw how we could use the structure mapping commands in HyperDbg to change the process name in the Task Manager.

PreviousSwitching to a Specific Process or ThreadNextevents

Last updated