If you just need any EPROCESS struct
I believe there is a kernel function:
KeGetCurrentProcess()
which returns PEPROCESS for the process which calls the IOCTL. That should indeed do the trick to avoid hardcoding the list head. You'd still need to hardcode the offsets of the list pointers, so you don't really gain that much.
As for ObReferenceObjectByHandle, I posted that because I was led to believe it worked by passing in a PROCESS ID as opposed to a PROCESS HANDLE. When I noticed the distinction I edited my post.
Here's an interesting function...
Lost,
I think that KeGetCurrentProcess *MAY* be an undocumented export. I also know that this function:
PsLookupProcessByProcessId(IN ULONG ulProcId, OUT struct _EPROCESS **pEProcess);
is definitely undocumented. You can find some info on it here:
http://www.beyondlogic.org/porttalk/porttalk.htm
and it is also exported by the public version of NTIFS.H which is maintained at:
http://www.acc.umu.se/~bosse/
Cheers and good luck :)
- Fez
Are you sure about MmGetPhysicalAddress?
Hrm... I've never actually checked but I would think that MmMapIoSpace would fail on virtual protect rather than MmGetPhysicalAddress... The reasons being:
1) MmGetPhysicalAddress supposedly just converts a virtual address into a physical address given the context of a process. That can be done even if it is protected because it needs to be mapped for access. It would make more sense to tell you where something is before telling you that you can't get there.
2) MmMapIoSpace returns a PVOID vs. a PHYSICAL_ADDRESS for MmGetPhysicalAddress. The PVOID can be null on failure, whereas I don't think PHYSICAL_ADDRESS is equivalent to a pointer.
Not that I would expect anything in this M$ API to make logical sense though :)
It just seems funny to me that Microsoft would protect something by just not letting you figure out where it is and then allowing you to call MmMapIoSpace on it regardless of privilege as long as you could find it yourself.
Now that you say it that way...
It makes much more sense as to WHY ;)
It just doesn't really offer any real protection. That's good for our case, but suxxor for the OS itself.
Fez