Hi all!
I have used IoQueryFileDosDeviceName() to get the full path of a process. Now my question is how to convert this full path (c:\myfolder\ApacheOpenOfficeEng.exe) to the process name (ApacheOpenOfficeEng.exe)?
I already tried PsGetProcessImageFileName() but only 14 characters (ApacheOpenOffi) are printed because this function is limited to the first 16 (ASCII) characters of the image file name.
Sorry for my English.
Thanks in advance.
Did you REALLY need to ask this question? Do you honestly mean to say that, given a full path string, you do not know how to find the file name part? If that’s true, then I don’t want your code anywhere near the kernel.
@Tim_Roberts said:
Did you REALLY need to ask this question? Do you honestly mean to say that, given a full path string, you do not know how to find the file name part? If that’s true, then I don’t want your code anywhere near the kernel.
I’m astounded by this question.
Hello Sir Tim_Roberts.
Sorry if my question has astounded you. But the normal way I always used to get only the process name like (explorer.exe) is to call PsGetProcessImageFileName() and this works fine. But the problem I'm now facing is that the process name length is more than 23 characters (ApacheOpenOfficeEng.exe). So when I use PsGetProcessImageFileName(), only part of the process name is printed, like (ApacheOpenOffi).
Below is a part of my code.
    status = PsReferenceProcessFilePointer(PsGetCurrentProcess(), &pFilePoint);
    if (!NT_SUCCESS(status))
    {
        return OB_PREOP_SUCCESS;
    }
    status = IoQueryFileDosDeviceName(pFilePoint, &pObjectNameInfo); // Full path of process is ok
    if (!NT_SUCCESS(status))
    {
        ObDereferenceObject(pFilePoint);
        return OB_PREOP_SUCCESS;
    }
    /*
    Many lines of code have been skipped
    */
    status = PsLookupProcessByProcessId(TargetPid, &eProcess);
    if (!NT_SUCCESS(status))
    {
        // eProcess is not valid when the lookup fails, so there is no reference to drop here
        RtlFreeUnicodeString(&UpCaseProcNameUS);
        RtlFreeUnicodeString(&UpCaseMainProcNameUS);
        return OB_PREOP_SUCCESS;
    }
    CaptPsProcImageName = (char*)PsGetProcessImageFileName(eProcess); // This function only prints 14 characters
If you have a string containing an executable’s full path name, then you search backwards from the end to find the last backslash. Everything after that point is the executable’s file name. You don’t need any APIs. How is that not painfully obvious?
@Tim_Roberts said:
If you have a string containing an executable’s full path name, then you search backwards from the end to find the last backslash. Everything after that point is the executable’s file name. You don’t need any APIs. How is that not painfully obvious?
Mr. Tim Roberts, thank you for giving me the idea to solve my problem. I will apply it.
Certainly be careful of the path specifier characters that you use. I have never done anything like this in KM (hardly any need to do string parsing there), but CreateFile specifically documents that either slash may be used.
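The backwards search described in the replies above, written out as an added example (not code from any poster in this thread). It scans a counted UTF-16 string by its length and accepts either separator; `USTR` is a stand-in for the WDK's UNICODE_STRING and `get_final_component` is a hypothetical helper name, both chosen so the code builds outside the driver kit.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the WDK's UNICODE_STRING (assumption, so the example builds
   outside the driver kit). Length is in BYTES, and Buffer is not guaranteed
   to be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} USTR;

/* Hypothetical helper: make *name a view (no copy, no allocation) of the
   final path component of *path. Returns 0 on success, -1 on bad input. */
int get_final_component(const USTR *path, USTR *name)
{
    size_t chars, i;

    if (path == NULL || name == NULL || path->Buffer == NULL)
        return -1;
    if (path->Length % sizeof(uint16_t) != 0)
        return -1;
    chars = path->Length / sizeof(uint16_t);
    /* Walk backwards over the counted length only; never rely on a NUL. */
    for (i = chars; i > 0; i--) {
        uint16_t c = path->Buffer[i - 1];
        if (c == '\\' || c == '/')
            break;
    }
    /* i is the index just past the last separator, or 0 if there is none. */
    name->Buffer = path->Buffer + i;
    name->Length = (uint16_t)((chars - i) * sizeof(uint16_t));
    name->MaximumLength = name->Length;
    return 0;
}

int main(void)
{
    /* Constructed sample: the path from the question, widened to UTF-16. */
    const char *s = "c:\\myfolder\\ApacheOpenOfficeEng.exe";
    uint16_t buf[64];
    USTR path, name;
    size_t n;
    for (n = 0; s[n] != '\0'; n++) buf[n] = (uint16_t)s[n];
    path.Buffer = buf;
    path.Length = path.MaximumLength = (uint16_t)(n * sizeof(uint16_t));
    if (get_final_component(&path, &name) != 0) return 1;
    printf("file name is %u characters long\n", (unsigned)(name.Length / sizeof(uint16_t)));
    return 0;
}
```

The result aliases the path's buffer, so use or copy it before that buffer is freed.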