Process.ID off by 1 ?

Posted: Sun Jan 11, 2015 9:15 am
by Overnissen
Dear madshi,

I have been seeing some rather strange behavior in madKernel.

I'm basically launching a process and then monitoring the process to see when it exits, but I seem to experience that suddenly the PID reported by madKernel is off by 1.

I set up some status logging to try and capture exactly when it happens and to try and see if it somehow was something I did..

11-01-2015 10:04:16: pid 3179
11-01-2015 10:04:15: pid 3179
11-01-2015 10:04:14: pid 3179
11-01-2015 10:04:13: pid 3179
11-01-2015 10:04:12: pid 3179
11-01-2015 10:04:09: pid 3179
11-01-2015 10:04:08: Launched [C:\Program Files\Google\Chrome\Application\chrome.exe -- ""] with ID 3180

There exists no process on the system with ID 3179.

I could of course just add one to the ID reported by madKernel, but.. ;)

Forgot to mention that if I call GetProcessID(LaunchedProcess.Handle.Handle) I get 3180, which is the correct ID, so there may be something odd in the returned structure from the NtQueryInformationProcess() call in madKernel.

CurrentProcess.ID appears to return the correct Process ID though.

Re: Process.ID off by 1 ?

Posted: Tue Jan 20, 2015 7:49 pm
by madshi
Which OS are we talking about? Can you reproduce this with a small test project?

Re: Process.ID off by 1 ?

Posted: Sun Mar 08, 2015 9:47 am
by Overnissen
Hi madshi,

It's something I experienced on Windows 7, running as a VMware virtual machine and using Delphi XE5.

I don't think it's a general problem, it seems to come and go as it damn pleases, so it just might be a Window$ "feature" when Win7 is running in a virtual..

... or my machine is haunted.. ;)

I'll investigate a little further and if I can come up with some way to reliably show this, I'll post it here, otherwise I'd have to accept that my virtual dev machine might be up for a virtual lobotomy..

Re: Process.ID off by 1 ?

Posted: Thu Apr 09, 2015 4:07 am
by iconic

That's very bizarre. Windows OS represents identifiers (thread and process) by a DWORD value, as you know, and this value is always perfectly divisible by 4, so there's never a remainder, as the ID is an even number and always a factor of 4. On the other hand, I have seen malicious software bypassing extremely weak and not well thought out protection schemes in which security software hooks OpenProcess() and does this type of thing inside its hook callback to protect itself:

Code:

    HANDLE OpenProcessCallback(ACCESS_MASK dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
    {
        // Deny the open only when the requested ID is exactly the protected one;
        // every other ID is passed through to the original OpenProcess().
        return (dwProcessId == ProtectedProcessId) ? NULL : OpenProcessNext(dwDesiredAccess, bInheritHandle, dwProcessId);
    }

The bypassing code just adds 1, 2 or 3 to the target process ID to be opened, thus bypassing this kind of process ID security check, since it can be opened with, say, 3180 (checked and denied), (unchecked) 3181, 3182, 3183 etc. I used to check for this by ensuring that an identifier (ID) conformed to what I mentioned above and never returned a remainder:

Code:

    ULONG GetValidProcessId(ULONG PID)
    {
        // Process and thread IDs are multiples of 4, so strip the low two bits
        // to recover the ID that was actually assigned.
        return PID - (PID % 4);
    }

In your output, however, adding 1 to 3179 to make 3180 doesn't make sense: the correct process ID of 3179 should "legally" be 3176 and not 3180! Sounds like your machine is truly on some psychedelic drugs, or some piece of code executed to change this value, such as a hook at run-time that may be altering the returned process ID by subtracting 1 within the pbi structure. I checked the madKernel structure definition of PROCESS_BASIC_INFORMATION (madCollection 2.x) and I don't see any issues that would ever cause this extremely odd circumstance. Are you able to reproduce this? You have me extremely curious as to what this could be.
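As an added illustration, not code from the thread or from madKernel, here is the exact-match check beside a version that canonicalises the requested ID the way GetValidProcessId does; the protected PID 3180 is a constructed sample matching the log above, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t win_dword;   /* stands in for the Win32 DWORD on any platform */

/* Round a process or thread ID down to the nearest multiple of 4
 * (same result as pid - (pid % 4) in the post's GetValidProcessId). */
static win_dword canonical_pid(win_dword pid)
{
    return pid & ~(win_dword)3;
}

/* Weak check: exact match only, so 3181..3183 are not recognised as 3180. */
static bool denied_by_weak_check(win_dword requested, win_dword protected_pid)
{
    return requested == protected_pid;
}

/* Hardened check: compare canonical forms, so 3180..3183 all map to 3180. */
static bool denied_by_hardened_check(win_dword requested, win_dword protected_pid)
{
    return canonical_pid(requested) == canonical_pid(protected_pid);
}

int main(void)
{
    const win_dword protected_pid = 3180;   /* constructed sample value */
    for (win_dword req = 3176; req <= 3184; req++) {
        printf("request %u (canonical %u): weak=%s hardened=%s\n",
               (unsigned)req, (unsigned)canonical_pid(req),
               denied_by_weak_check(req, protected_pid) ? "deny" : "allow",
               denied_by_hardened_check(req, protected_pid) ? "deny" : "allow");
    }
    return 0;
}
```

Note that 3179 canonicalises to 3176, not 3180, which is why the post says an off-by-one reading of 3179 cannot be explained by this rounding.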