PTfinder relies on some internal structures and magic numbers of the NT kernel to find traces of processes and threads. My proof-of-concept implementation only works on Microsoft Windows 2000. In this article I'll give the full set of parameters needed to adapt PTfinder to other versions up to Vista.
The first table contains the Type/Size pairs used to identify DISPATCHER_HEADER for several kinds of objects. As stated in an earlier post, the type doesn't change between Windows versions, so it's given here for completeness only.
| Object | Parameter | 2000, SP 4 | XP | XP, SP 2 | 2003 | Vista (5270) |
|---|---|---|---|---|---|---|
| Sync Event | Type | 0x01 | 0x01 | 0x01 | 0x01 | 0x01 |
| | Size | 0x04 | 0x04 | 0x04 | 0x04 | 0x04 |
| Process | Type | 0x03 | 0x03 | 0x03 | 0x03 | 0x03 |
| | Size | 0x1b | 0x1b | 0x1b | 0x1b | 0x20 |
| Semaphore | Type | 0x05 | 0x05 | 0x05 | 0x05 | 0x05 |
| | Size | 0x05 | 0x05 | 0x05 | 0x05 | 0x05 |
| Thread | Type | 0x06 | 0x06 | 0x06 | 0x06 | 0x06 |
| | Size | 0x6c | 0x70 | 0x70 | 0x72 | 0x74 |
| Notification Timer | Type | 0x08 | 0x08 | 0x08 | 0x08 | 0x08 |
| | Size | 0x0a | 0x0a | 0x0a | 0x0a | 0x18 |
The next table lists the offsets of certain EPROCESS members used in PTfinder.
| Parameter | 2000, SP 4 | XP | XP, SP 2 | 2003 | Vista (5270) |
|---|---|---|---|---|---|
| ofs PageDirectoryBase | 0x018 | 0x018 | 0x018 | 0x018 | 0x018 |
| ofs ThreadListHeadFlink | 0x050 | 0x050 | 0x050 | 0x050 | 0x050 |
| ofs ThreadListHeadBlink | 0x054 | 0x054 | 0x054 | 0x054 | 0x054 |
| ofs ExitStatus | 0x06c | 0x24c | 0x24c | 0x24c | 0x234 |
| ofs CreateTimeLo | 0x088 | 0x070 | 0x070 | 0x070 | 0x088 |
| ofs CreateTimeHi | 0x08c | 0x074 | 0x074 | 0x074 | 0x08c |
| ofs ExitTimeLo | 0x090 | 0x078 | 0x078 | 0x078 | 0x090 |
| ofs ExitTimeHi | 0x094 | 0x07c | 0x07c | 0x07c | 0x094 |
| ofs PID | 0x09c | 0x084 | 0x084 | 0x084 | 0x09c |
| ofs PPID | 0x1c8 | 0x14c | 0x14c | 0x128 | 0x124 |
| ofs ImageFileName | 0x1fc | 0x174 | 0x174 | 0x154 | 0x154 |
| ofs Sync Event 1 | 0x070 | - | - | - | - |
| ofs Sync Event 2 | 0x13c | 0x0d8 | 0x0d8 | 0x0dc | - |
| ofs Sync Event 3 | 0x164 | 0x0fc | 0x0fc | 0x224 | - |
| sizeof struct | 0x290 | 0x258 | 0x260 | 0x278 | 0x268 |
And finally the same for ETHREAD members.
| Parameter | 2000, SP 4 | XP | XP, SP 2 | 2003 | Vista (5270) |
|---|---|---|---|---|---|
| ofs CreateTimeLo | 0x1b0 | 0x1c0 | 0x1c0 | 0x1c8 | 0x1d0 |
| ofs CreateTimeHi | 0x1b4 | 0x1c4 | 0x1c4 | 0x1cc | 0x1d4 |
| ofs ExitTimeLo | 0x1b8 | 0x1c8 | 0x1c8 | 0x1d0 | 0x1d8 |
| ofs ExitTimeHi | 0x1bc | 0x1cc | 0x1cc | 0x1d4 | 0x1dc |
| ofs ExitStatus | 0x1c0 | 0x1d0 | 0x1d0 | 0x1d8 | 0x1e0 |
| ofs PID | 0x1e0 | 0x1ec | 0x1ec | 0x1f4 | 0x1fc |
| ofs TID | 0x1e4 | 0x1f0 | 0x1f0 | 0x1f8 | 0x200 |
| ofs HasTerminated | 0x224 | - | - | - | - |
| ofs Terminated | - | 0x248:0 | 0x248:0 | 0x250:0 | 0x250:0 |
| ofs ThreadsProcess | 0x22c | 0x220 | 0x220 | 0x228 | 0x13c |
| ofs StartAddress | 0x230 | 0x224 | 0x224 | 0x22c | 0x234 |
| ofs Win32StartAddress | 0x234 | 0x228 | 0x228 | 0x230 | 0x230 |
| ofs Notification Timer | 0x0e8 | 0x0f0 | 0x0f0 | 0x078 | 0x080 |
| ofs Semaphore 1 | 0x190 | 0x19c | 0x19c | 0x190 | 0x1a4 |
| ofs Semaphore 2 | 0x1e8 | 0x1f4 | 0x1f4 | 0x1fc | 0x204 |
| ofs Semaphore 3 | - | - | - | - | 0x270 |
| sizeof struct | 0x248 | 0x258 | 0x258 | 0x260 | 0x278 |
The notation 0x248:0 denotes bit 0 of the DWORD starting at offset 0x248.
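As an added example (not PTfinder's own code), the following Python scanner applies the "XP, SP 2" column of the tables above to a constructed memory image: it looks for the Process DISPATCHER_HEADER signature, rejects candidates whose embedded synchronization events do not carry the Sync Event Type/Size, and decodes PID, PPID, ImageFileName and CreateTime. The sample image, the byte-granular scan and the 16-byte ImageFileName length are assumptions made here for illustration.

```python
import struct
from datetime import datetime, timedelta

# Parameters copied from the "XP, SP 2" column of the three tables above.
XP_SP2 = {
    "proc_type": 0x03, "proc_size": 0x1b,    # DISPATCHER_HEADER of a Process
    "event_type": 0x01, "event_size": 0x04,  # DISPATCHER_HEADER of a Sync Event
    "pid": 0x084, "ppid": 0x14c, "name": 0x174, "create_lo": 0x070,
    "sync_events": (0x0d8, 0x0fc), "sizeof": 0x260,
}
EPOCH = datetime(1601, 1, 1)  # FILETIME (CreateTimeHi:CreateTimeLo) counts 100 ns ticks from here

def header_matches(buf, off, typ, size):
    """DISPATCHER_HEADER: Type is byte 0, Size (in DWORDs) is byte 2."""
    return off + 4 <= len(buf) and buf[off] == typ and buf[off + 2] == size
def scan_eprocess(buf, p):
    """Return every candidate EPROCESS in buf that passes the signature checks."""
    found = []
    for off in range(len(buf) - p["sizeof"] + 1):  # byte-granular scan, no alignment assumed
        if not header_matches(buf, off, p["proc_type"], p["proc_size"]):
            continue
        # Embedded Sync Events must carry the event signature too; drops random 03 ?? 1b data.
        if not all(header_matches(buf, off + ev, p["event_type"], p["event_size"])
                   for ev in p["sync_events"]):
            continue
        u32 = lambda o: struct.unpack_from("<I", buf, off + o)[0]
        ticks = struct.unpack_from("<Q", buf, off + p["create_lo"])[0]
        raw = buf[off + p["name"]:off + p["name"] + 16]  # ImageFileName[16], assumed length
        found.append({"offset": off, "pid": u32(p["pid"]), "ppid": u32(p["ppid"]),
                      "created": EPOCH + timedelta(microseconds=ticks // 10),
                      "name": raw.split(b"\0", 1)[0].decode("ascii", "replace")})
    return found
def build_sample_eprocess(p, pid, ppid, name, created):
    """Constructed EPROCESS for testing; only the fields the scanner reads are set."""
    blob = bytearray(p["sizeof"])
    blob[0], blob[2] = p["proc_type"], p["proc_size"]
    for ev in p["sync_events"]:
        blob[ev], blob[ev + 2] = p["event_type"], p["event_size"]
    struct.pack_into("<I", blob, p["pid"], pid)
    struct.pack_into("<I", blob, p["ppid"], ppid)
    struct.pack_into("<Q", blob, p["create_lo"], int((created - EPOCH).total_seconds()) * 10_000_000)
    blob[p["name"]:p["name"] + 16] = name.encode().ljust(16, b"\0")
    return bytes(blob)

# Constructed "memory image": padding, a decoy carrying only the process header
# (rejected by the Sync Event checks), then a well-formed EPROCESS at offset 0xc0.
DECOY = bytes([XP_SP2["proc_type"], 0, XP_SP2["proc_size"], 0]).ljust(0x40, b"\0")
SAMPLE = (b"\0" * 0x40 + DECOY + b"\0" * 0x40
          + build_sample_eprocess(XP_SP2, 1234, 4, "notepad.exe", datetime(2006, 4, 18)) + b"\0" * 0x40)
RESULTS = scan_eprocess(SAMPLE, XP_SP2)  # one record: notepad.exe, PID 1234, PPID 4, at offset 0xc0
```

Swapping in another column of the tables (and the Vista Sync Event rows, which are absent) is all that is needed to retarget the scan to a different kernel version.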
04/18/2006: added Synchronization Event and ThreadsProcess for Vista.
