If you call PsGetCurrentProcess() in a filter or driver while processing IRP_MJ_CLEANUP for a kernel handle, the System process is returned, because NtClose() calls KeStackAttachProcess() to attach to the System process when the handle lives in the System process's kernel handle table.
2: kd> !thread ffffc5006e6da080
THREAD ffffc5006e6da080 Cid 1588.05ec Teb: 00000000002aa000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
ffffc5006be8eb70 SynchronizationEvent
IRP List:
ffffc5006e2ba140: (0006,04c0) Flags: 00000404 Mdl: 00000000
ffffc50075b8aae0: (0006,0118) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap ffffd58256416bd0
Owning Process ffffc500733ff080 Image: XXXXXXXX
Attached Process ffffc5006b8b66c0 Image: System