Process Hacker Discussion Forum

 
wfunction
Member
Posts: 147
Joined: 19 Mar 2011 20:17

[Plugin] [Bug] [ExtendedTools] Wrong handling of x64 pointer

17 Jul 2012 02:54

Ignoring the fact that the 32-bit version of PH isn't meant to be run on an x64 system, it seems like the 32-bit version of ExtendedTools assumes that the structure for FileIo_Name for ETW is like

struct FileIo_Name
{
    PVOID FileObject;
    WCHAR Name[1];
};

which is incorrect, because it's really:

struct FileIo_Name32
{
    PVOID FileObject;
    WCHAR Name[1];
};

struct FileIo_Name64
{
    PVOID64 FileObject;
    WCHAR Name[1];
};


This causes the first 2 characters to look weird on the Disk tab.
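
The layout mismatch described in the post above, as an added example that is not from the thread or from Process Hacker: a portable parser that takes the FileObject width as a parameter and shows what a 4-byte assumption does to a payload written with an 8-byte pointer. The function name, the sample payload, and the idea that the caller already knows the trace's pointer size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: FileObject 0xFFFFFA8012345678 written as an 8-byte
 * little-endian pointer, then the UTF-16LE string "C:\a" and a terminator. */
static const uint8_t sample_payload_64[] = {
    0x78, 0x56, 0x34, 0x12, 0x80, 0xFA, 0xFF, 0xFF,
    'C', 0, ':', 0, '\\', 0, 'a', 0, 0, 0
};

/* Hypothetical helper: decode a FileIo_Name payload whose FileObject field is
 * ptr_size bytes wide. Returns the name length in 16-bit units, or -1. */
int parse_fileio_name(const uint8_t *payload, size_t len, size_t ptr_size,
                      uint64_t *file_object, uint16_t *name, size_t name_cap)
{
    if ((ptr_size != 4 && ptr_size != 8) || len < ptr_size || name_cap == 0)
        return -1;                      /* reject truncated or odd input */

    uint64_t obj = 0;
    for (size_t i = 0; i < ptr_size; i++)
        obj |= (uint64_t)payload[i] << (8 * i);
    *file_object = obj;

    size_t n = 0;                       /* bounded copy, never past len */
    for (size_t off = ptr_size; off + 2 <= len && n + 1 < name_cap; off += 2) {
        uint16_t ch = (uint16_t)(payload[off] | (payload[off + 1] << 8));
        if (ch == 0)
            break;
        name[n++] = ch;
    }
    name[n] = 0;
    return (int)n;
}

int main(void)
{
    uint64_t obj;
    uint16_t name[16];
    size_t widths[] = { 8, 4 };         /* correct width, then the 32-bit assumption */
    for (int w = 0; w < 2; w++) {
        int n = parse_fileio_name(sample_payload_64, sizeof sample_payload_64,
                                  widths[w], &obj, name, 16);
        printf("ptr=%zu obj=%#llx len=%d first=%#x\n", widths[w],
               (unsigned long long)obj, n, (unsigned)name[0]);
    }
    return 0;
}
```

With the 4-byte width, the upper half of the pointer is read as two extra UTF-16 units in front of the real name.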
 
dmex
Admin
Posts: 1695
Joined: 17 Jan 2011 05:43

Re: [Plugin] [Bug] [ExtendedTools] Wrong handling of x64 poi

17 Jul 2012 10:13

wfunction wrote:
which is incorrect, because it's really:

struct FileIo_Name32
{
    PVOID FileObject;
    WCHAR Name[1];
};

struct FileIo_Name64
{
    PVOID64 FileObject;
    WCHAR Name[1];
};


This causes the first 2 characters to look weird on the Disk tab.

The definition of the struct you have is not the one we're using:

[c]
typedef struct
{
    ULONG_PTR FileObject;
    WCHAR FileName[1];
} FileIo_Name;
[/c]
 
wfunction
Member
Posts: 147
Joined: 19 Mar 2011 20:17

Re: [Plugin] [Bug] [ExtendedTools] Wrong handling of x64 poi

17 Jul 2012 14:43

PVOID and ULONG_PTR are basically the same thing...
 
dmex
Admin
Posts: 1695
Joined: 17 Jan 2011 05:43

Re: [Plugin] [Bug] [ExtendedTools] Wrong handling of x64 poi

17 Jul 2012 15:25

wfunction wrote:
PVOID and ULONG_PTR are basically the same thing...

Yes, probably until you cast it (like PH does) and later port the code to another platform such as 64-bit.

http://msdn.microsoft.com/en-us/library ... 84264.aspx

Either way, I've never heard of the bug you mentioned with the disk tab, something else is going on there, if not something modifying the string then a buffer overrun of some type. I ran across a similar situation with the search implementation messing with data around the process name string by accident.