Menu
I am "reviewing" some code that was written well before me and I'm noticing a pattern that I have some doubts about:
The result of the PsGetCurrentProcess() function is stored and then comparisons are made with that pointer (which is a pointer to an EPROCESS struct).
However, I'm not finding anything in the documentation, which suggests this function is guaranteed to return the same pointer each time. What is much more surprising to me is that this code has been apparently working for a long time.
Is this a bug, and would you recommend changing that logic to e.g. comparing Process IDs (Using PsGetProcessId)?
899
Yes, this is pretty much correct. The documentation of EPROCESS makes it clear that there is one such object per process, and any PEPROCESS points to this. This means PsGetCurrentProcess() does't return a pointer to an EPROCESS but to the EPROCESS. And two pointers compare equal if they point to the same object.
160
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
