uint32_t kdvb, psAPH, curr_proc, next_proc; process *pe; DECAF_read_mem(env, gkpcr + KDVB_OFFSET, 4, &kdvb); DECAF_read_mem(env, kdvb + PSAPH_OFFSET, 4, &psAPH); DECAF_read_mem(env, psAPH, 4, &curr_proc); while (curr_proc != 0 && curr_proc != psAPH) { uint32_t pid, proc_cr3; uint32_t curr_proc_base = curr_proc - handle_funds[GuestOS_index].offset->PSAPL_OFFSET; DECAF_read_mem(env, curr_proc_base + handle_funds[GuestOS_index].offset->PSAPID_OFFSET, 4, &pid); if (VMI_find_process_by_pid(pid) != NULL) //we have seen this process goto next; DECAF_read_mem(env, curr_proc_base + 0x18, 4, &proc_cr3); if(cr3 != proc_cr3) //This is a new process, but not the current one. Skip it! goto next; //This is the one we are looking for pe = new process(); pe->EPROC_base_addr = curr_proc_base; pe->pid = pid; pe->cr3 = proc_cr3; DECAF_read_mem(env, curr_proc_base + handle_funds[GuestOS_index].offset->PSAPNAME_OFFSET, NAMESIZE, pe->name); DECAF_read_mem(env, curr_proc_base + handle_funds[GuestOS_index].offset->PSAPPID_OFFSET, 4, &pe->parent_pid); VMI_create_process(pe); return pe; next: DECAF_read_mem(env, curr_proc, 4, &next_proc); if (curr_proc == next_proc) { //why do we need this check? break; } curr_proc = next_proc; } return NULL; }