Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Identify the file path from the pid (Network path or not)

senninsennin Member Posts: 19

Hi.
How can I detect this process is a network file path or locally ?
i know, we can detect in DeviceObject->Characteristics but in my case i just have pid
thank you

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,218

    How can I detect this process is a network file path or locally ?

    I don't know what that means. Are you asking if the main executable for this process came from a network drive? What do you intend to do with this information?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • senninsennin Member Posts: 19

    thank you for reply

    @Tim_Roberts said:
    I don't know what that means. Are you asking if the main executable for this process came from a network drive? What do you intend to do with this information?

    i set callback for process notify and i can identify that process has network file path or any removable file path
    my condition for checking are:

    if(....)
    _File_Object->DeviceObject->Characteristics & FILE_REMOVABLE_MEDIA ||
    _File_Object->DeviceObject->Characteristics & FILE_VIRTUAL_VOLUME ||
    _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_WEBDAV_DEVICE ||
    _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_TS_DEVICE ||
    _File_Object->DeviceObject->Characteristics & FILE_REMOTE_DEVICE)

    Now i am checking how to identify if the driver is not loaded from the boot and only we have a pid
    That i mean, when we do not have access to the _file_object structure

  • UltrasickUltrasick Member Posts: 7
    edited December 2021

    I am not 100% sure if I understood your situation.



    As far as I know: A process ID is a handle to a process. A process is never a file. So you need to check which files the process has opened. When you got a list of these file handles then you can loop through the list and check every file handle separately.



    Oh, and by the way: You can combine the flags:

    if(Characteristics & (
    FILE_REMOVABLE_MEDIA || FILE_VIRTUAL_VOLUME || ... || FILE_REMOTE_DEVICE
    )){
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,218

    ... Now i am checking how to identify if the driver is not loaded from the boot and only we have a pid

    What driver? Drivers are not associated with PIDs, and drivers are not loaded from network shares.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • senninsennin Member Posts: 19

    I misinterpreted what I meant

    @Tim_Roberts said:

    ... Now i am checking how to identify if the driver is not loaded from the boot and only we have a pid

    What driver? Drivers are not associated with PIDs, and drivers are not loaded from network shares.

    I can get image full path name with ZwQueryInformationProcess, with process id
    for example process image path is:
    \Device\HardDisk..0\Windows\System32\notepad.exe
    but if i run application from network then output is:
    \Device\MUP\Sharefolder.local\app.exe
    so how can i identify this issue with just a pid

  • MBond2MBond2 Member Posts: 416

    The system does not assign PID in any particular order. You cannot say that because PID is in the range 1-100 it is some kind X and because it is in some other range 1000-5000 it is another kind Y

    PID is simply an integer that uniquely identifies a process that is currently running with respect to other processes that are also currently running. PID values can and are re-used to refer to different processes at different times. You cannot get any additional information about a process from a PID directly.

    Typically information like this is obtained in UM. To do that, you have to open a HANDLE to the target process. That HANDLE allows access to the target process based on a security check and will always refer to the same process until it is closed - even if the process terminates

  • senninsennin Member Posts: 19

    @MBond2 said:

    even if the process terminates

    thank you, all this is clear
    Can you explain this sentence further?
    even process has closed?

  • Aleh_KazakevichAleh_Kazakevich Member Posts: 80

    Hi!

    @sennin said:

    I can get image full path name with ZwQueryInformationProcess, with process id
    for example process image path is:
    \Device\HardDisk..0\Windows\System32\notepad.exe
    but if i run application from network then output is:
    \Device\MUP\Sharefolder.local\app.exe
    so how can i identify this issue with just a pid

    To retrieve FILE_OBJECT by process id you may try PsLookupProcessByProcessId and then
    PsReferenceProcessFilePointer (last is not documented).

  • MBond2MBond2 Member Posts: 416

    A UM process has three basic states in its lifetime

    1) It has been created and the OS is preparing to start to run it
    2) it is running
    3) it has terminated, and the OS is in the process of cleaning it up

    In state 3, if there are valid HANDLEs outstanding, the KM resources associated with that process will not be cleaned up until those handles are closed

    suppose the sequence

    a.exe begins and is assigned PID 123
    process B opens a HANDLE to process A
    a.exe terminates

    a new instance of a.exe begins. It is unlikely, but possible that it will also be assigned PID 123

    process B interrogates information about a process a.exe based on PID and gets the wrong information. or interrogates about a process based on the HANDLE that has been opened and gets the right information

    The HANDLE will always refer to the same specific 'object', but names like PID don't always

    *** There are important points that I am not mentioning

  • senninsennin Member Posts: 19

    @Aleh_Kazakevich said:
    To retrieve FILE_OBJECT by process id you may try PsLookupProcessByProcessId and then
    PsReferenceProcessFilePointer (last is not documented).

    This is what I need
    thank you

  • senninsennin Member Posts: 19

    @MBond2 said:
    A UM process has three basic states in its lifetime

    1) It has been created and the OS is preparing to start to run it
    2) it is running
    3) it has terminated, and the OS is in the process of cleaning it up

    In state 3, if there are valid HANDLEs outstanding, the KM resources associated with that process will not be cleaned up until those handles are closed

    suppose the sequence

    a.exe begins and is assigned PID 123
    process B opens a HANDLE to process A
    a.exe terminates

    a new instance of a.exe begins. It is unlikely, but possible that it will also be assigned PID 123

    process B interrogates information about a process a.exe based on PID and gets the wrong information. or interrogates about a process based on the HANDLE that has been opened and gets the right information

    The HANDLE will always refer to the same specific 'object', but names like PID don't always

    *** There are important points that I am not mentioning

    Thank you very much for your explanation
    I did not pay attention to this point

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 24 January 2022 Live, Online
Internals & Software Drivers 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online
Developing Minifilters 23 May 2022 Live, Online