MyOS/attach_8c_source.html

/*++


Module Name:


    attach.c


Purpose:


    This module contains the implementation of process attaching.


Author:


    slep (Matanel) 2025.


Revision History:


--*/


#include "../../includes/me.h"

#include "../../includes/ps.h"


void


MeAttachProcess(

    IN PIPROCESS Process,

    OUT PAPC_STATE ApcState

)


/*++


    Routine description:


        Attach to a process address space, this routine should be managed carefully, and have simple code between the attaching and detaching.


    Arguments:


        [IN]    PIPROCESS Process - Pointer to process to attach to (IPROCESS)

        [OUT]   PAPC_STATE - Pointer to store the state in resident memory.


    Return Values:


        None.


    Notes:


        DPCs CANNOT attach to a different process.


--*/


{

    if (MeIsExecutingDpc()) {

        // CANNOT Attach to a process while executing a DPC.

        MeBugCheckEx(

            INVALID_PROCESS_ATTACH_ATTEMPT,

            (void*)Process,

            (void*)(uintptr_t)RETADDR(0),

            (void*)MeIsExecutingDpc(),

            NULL

        );

    }


    PITHREAD CurrentThread = MeGetCurrentThread();

    if (unlikely(!CurrentThread)) return;


    // Save the process we were running on.

    ApcState->SavedApcProcess = CurrentThread->ApcState.SavedApcProcess;

    ApcState->SavedCr3 = __read_cr3();

    ApcState->AttachedToProcess = true;


    // Raise to SYNCH and lock scheduler.

    // TODO SYNCH

    MeAcquireSchedulerLock();


    // Switch identity to new process.

    CurrentThread->ApcState.SavedApcProcess = PsGetEProcessFromIProcess(Process);

    CurrentThread->ApcState.AttachedToProcess = true;


    // Switch CR3s.

    uint64_t TargetCr3 = Process->PageDirectoryPhysical;

    if (ApcState->SavedCr3 != TargetCr3) {

        __write_cr3(TargetCr3);

    }

}


void


MeDetachProcess(

    IN PAPC_STATE ApcState

)


/*++


    Routine description:


        Detach from a process address space.


    Arguments:


        [IN]    PAPC_STATE ApcState - The APC_STATE stored by MeAttachProcess.


    Return Values:


        None.


--*/


{

    PITHREAD CurrentThread = MeGetCurrentThread();

    if (unlikely(!CurrentThread)) return;

    if (!ApcState->AttachedToProcess) return;


    // Restore original CR3.

    uint64_t CurrentCr3 = __read_cr3();

    if (CurrentCr3 != ApcState->SavedCr3) {

        __write_cr3(ApcState->SavedCr3);

    }


    // Restore thread's identity to original process.

    CurrentThread->ApcState.SavedApcProcess = ApcState->SavedApcProcess;

    CurrentThread->ApcState.AttachedToProcess = ApcState->AttachedToProcess;


    // Restore scheduler lock / IRQL.

    // TODO SYNCH LEVEL

    MeReleaseSchedulerLock();


    // Clear attached state.

    ApcState->AttachedToProcess = false;

}


IN
#define IN
Definition annotations.h:7

OUT
#define OUT
Definition annotations.h:8

MeDetachProcess
void MeDetachProcess(IN PAPC_STATE ApcState)
Definition attach.c:86

MeAttachProcess
void MeAttachProcess(IN PIPROCESS Process, OUT PAPC_STATE ApcState)
Definition attach.c:23

MeBugCheckEx
NORETURN void MeBugCheckEx(IN enum _BUGCHECK_CODES BugCheckCode, IN void *BugCheckParameter1, IN void *BugCheckParameter2, IN void *BugCheckParameter3, IN void *BugCheckParameter4)
Definition bugcheck.c:305

PIPROCESS
IPROCESS * PIPROCESS
Definition core.h:38

PITHREAD
ITHREAD * PITHREAD
Definition core.h:34

__write_cr3
FORCEINLINE void __write_cr3(uint64_t val)
Definition intrin.h:83

__read_cr3
FORCEINLINE uint64_t __read_cr3(void)
Definition intrin.h:78

RETADDR
#define RETADDR(level)
Definition macros.h:38

unlikely
#define unlikely(x)
Definition macros.h:47

me.h

INVALID_PROCESS_ATTACH_ATTEMPT
@ INVALID_PROCESS_ATTACH_ATTEMPT
Definition me.h:134

MeGetCurrentThread
FORCEINLINE PITHREAD MeGetCurrentThread(void)
Definition me.h:431

MeIsExecutingDpc
FORCEINLINE bool MeIsExecutingDpc(void)
Definition me.h:453

MeReleaseSchedulerLock
FORCEINLINE void MeReleaseSchedulerLock(void)
Definition me.h:380

PAPC_STATE
struct _APC_STATE * PAPC_STATE

MeAcquireSchedulerLock
FORCEINLINE void MeAcquireSchedulerLock(void)
Definition me.h:365

ps.h

PsGetEProcessFromIProcess
FORCEINLINE PEPROCESS PsGetEProcessFromIProcess(IN PIPROCESS IProcess)
Definition ps.h:249

_APC_STATE::AttachedToProcess
bool AttachedToProcess
Definition me.h:250

_APC_STATE::SavedApcProcess
PEPROCESS SavedApcProcess
Definition me.h:249

_ITHREAD::ApcState
struct _APC_STATE ApcState
Definition me.h:270