In his cool presentation Alex Ionescu said:
"PspUniqueJobIdTable - no way to open/enumerate"

Sure, there are always some ways. Let's look at the xrefs to PspUniqueJobIdTable:
- PspJobDelete
- NtCreateJobObject
- PspInitializeJobStructures
loc_14001B6B4: ; CODE XREF: PspJobDelete+2A3
; PspJobDelete+17FEA8
test dword ptr [rbx+518h], 40000000h ; EJOB.JobFlags
jnz loc_14019B3AD
loc_14001B6C4: ; CODE XREF: PspJobDelete+17FEB6
mov rax, gs:188h
dec word ptr [rax+1E4h]
mov eax, [rbx+4C4h] ; EJOB.JobId
test eax, eax
jz short loc_14001B701
mov rcx, cs:PspUniqueJobIdTable
mov edx, eax
call ExMapHandleToPointer
There is a long and distinctive byte signature for the test of EJOB.JobFlags against 0x40000000:
18 05 00 00 00 00 00 40
Searching for it in the .text section yields only 5-6 matches. The next question is how to get the offset of EJOB.JobFlags. It can be recovered from the exported function PsGetCurrentSilo:
PsGetCurrentSilo proc near
mov rax, gs:188h
cmp qword ptr [rax+7C8h], 0FFFFFFFFFFFFFFFDh
jnz short loc_1400B61BF
mov rax, [rax+220h] ; KTHREAD.Process
mov rax, [rax+3B0h] ; EPROCESS.Job
test rax, rax
jz short locret_1400B61BE
loc_1400B61A6: ; CODE XREF: PsGetCurrentSilo+3Cj
test dword ptr [rax+518h], 40000000h ; EJOB.JobFlags
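As an added example (not code from the post), a small C decoder that performs the same search offline, e.g. over the bytes of exported PsGetCurrentSilo: it scans a code buffer for the `test dword ptr [reg+disp32], 40000000h` encoding, counts the matches and pulls the disp32 out of the first one, which is the EJOB.JobFlags offset. It goes beyond the fixed byte signature above in that it does not hardcode 0x518, so it also works on a build where the offset moved; the sample buffer is constructed, not a real ntoskrnl dump.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a little-endian 32-bit value. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True if p starts "test dword ptr [reg+disp32], 40000000h":
 * F7 <ModRM> <disp32> <imm32>, ModRM mod=10b (disp32), reg=000b (/0 = TEST),
 * rm!=100b (no SIB). Legacy form only: a REX-prefixed r8..r15 base is skipped. */
static int is_jobflags_test(const uint8_t *p)
{
    uint8_t modrm = p[1];
    return p[0] == 0xF7 && (modrm & 0xC0) == 0x80 &&
           (modrm & 0x38) == 0x00 && (modrm & 0x07) != 0x04 &&
           le32(p + 6) == 0x40000000u;
}

/* How many such tests occur in buf (the post's "5-6 matches" in .text). */
size_t count_jobflags_tests(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 10 <= len; i++)   /* 10 = full instruction length */
        if (is_jobflags_test(buf + i)) n++;
    return n;
}

/* disp32 of the first match, i.e. the EJOB.JobFlags offset, or -1 if none. */
long find_jobflags_offset(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 10 <= len; i++)
        if (is_jobflags_test(buf + i))
            return (long)le32(buf + i + 2);
    return -1;
}

/* Constructed sample (not a real ntoskrnl dump): filler, the instruction from
 * the post (F7 83 18 05 00 00 00 00 00 40), filler, and a copy with rcx as base. */
static const uint8_t sample_text[] = {
    0x48, 0x8B, 0xC8, 0x90,
    0xF7, 0x83, 0x18, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
    0x0F, 0x85, 0x11, 0x22, 0x33, 0x00, 0x90,
    0xF7, 0x81, 0x18, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
};
```

On a real image you would feed it the .text section (or just the bytes of PsGetCurrentSilo) read from disk; the hit count tells you whether the signature is still as distinctive as the post reports.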
A few words about enumeration: PspUniqueJobIdTable is just the good old HANDLE_TABLE, so we can walk it with ExEnumHandleTable and collect all job IDs.