About PIDs?

[vefatica]

After recommending 4UTILS's @MODULE[] in another thread, I discovered:

v:\> for /l %pid in (%@eval[%_pid - 1],1,%@eval[%_pid + 4]) echo %@module[%pid]
N/A
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
N/A

It's not really a bug in @MODULE since, indeed, you can OpenProcess() using any of 4 different PIDs. I don't understand it (does anyone?) and asked in an MS newsgroup, showing a simple test in "C". I don't suppose this can be exploited. Shall I add a test to @MODULE to accept only the "base" PID (the visible one, the one which is 0 MOD 4)?

 

[vefatica]

@ISPROC[PID} behaves the same way:

v:\> for /l %pid in (%@eval[%_pid - 1],1,%@eval[%_pid + 4]) echo %@isproc[%pid]
0
1
1
1
1
0

 

[dcantor]

After recommending 4UTILS's @MODULE[] in another thread, I discovered:

v:\> for /l %pid in (%@eval[%_pid - 1],1,%@eval[%_pid + 4]) echo %@module[%pid]
N/A
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
D:\tcmd10\tcc.exe
N/A

It's not really a bug in @MODULE since, indeed, you can OpenProcess() using any of 4 different PIDs. I don't understand it (does anyone?) and asked in an MS newsgroup, showing a simple test in "C". I don't suppose this can be exploited. Shall I add a test to @MODULE to accept only the "base" PID (the visible one, the one which is 0 MOD 4)?

Knowing almost nothing about the internals of Windows other than that it's somewhat similar to VMS (er, excuse me, OpenVMS), I'm going to guess that there are some bits in the PID which aren't significant. Continuing to guess -- the PID you supply is probably right-shifted two bits (and maybe some high-order bits are masked out) and the resulting number is used as an index into a table of process control or process information blocks somewhere in memory.

Just guesses.

Dave C.