Hi.
How can I detect whether this process is a network file path or local?
I know we can detect it in DeviceObject->Characteristics, but in my case I just have a PID.
Thank you.
Comments
I don't know what that means. Are you asking if the main executable for this process came from a network drive? What do you intend to do with this information?
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Thank you for the reply.
I set a callback for process notify and I can identify that the process has a network file path or any removable file path.
My conditions for checking are:
    if (_File_Object->DeviceObject->Characteristics & FILE_REMOVABLE_MEDIA ||
        _File_Object->DeviceObject->Characteristics & FILE_VIRTUAL_VOLUME ||
        _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_WEBDAV_DEVICE ||
        _File_Object->DeviceObject->Characteristics & FILE_CHARACTERISTIC_TS_DEVICE ||
        _File_Object->DeviceObject->Characteristics & FILE_REMOTE_DEVICE)
    {
        /* image is on removable, virtual, WebDAV, Terminal Services or remote media */
    }
Now I am checking how to identify this if the driver is not loaded from boot and we only have a PID.
That is, I mean when we do not have access to the _file_object structure.
I am not 100% sure if I understood your situation.
As far as I know: a process ID is a handle to a process. A process is never a file. So you need to check which files the process has opened. Once you have a list of these file handles you can loop through the list and check every file handle separately.
Oh, and by the way: You can combine the flags:
What driver? Drivers are not associated with PIDs, and drivers are not loaded from network shares.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
I misinterpreted what I meant
I can get the image full path name with ZwQueryInformationProcess, given a process ID.
For example, the process image path is:
\Device\HardDisk..0\Windows\System32\notepad.exe
But if I run the application from the network then the output is:
\Device\MUP\Sharefolder.local\app.exe
So how can I identify this issue with just a PID?
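The two checks discussed in this thread, the DeviceObject->Characteristics test when a FILE_OBJECT is at hand and the image-path test when only a PID is at hand, worked through as an added example. This is not code from the thread or from OSR: the FILE_* constants are copied from the WDK headers so the program builds without the WDK, the sample characteristics values and image paths are constructed, and the \Device\LanmanRedirector\ prefix is an assumption about older systems. The path test is a heuristic; it cannot see removable or virtual volumes, which is why the characteristics check (reachable via PsReferenceProcessFilePointer, as mentioned later in the thread) is the one to prefer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Device characteristic bits as defined in the WDK headers (ntddk.h/ntifs.h).
 * Assumption: the values are copied here so the example builds and runs
 * without the WDK; in a real driver include the header instead. */
#define FILE_REMOVABLE_MEDIA              0x00000001UL
#define FILE_REMOTE_DEVICE                0x00000010UL
#define FILE_VIRTUAL_VOLUME               0x00000040UL
#define FILE_CHARACTERISTIC_TS_DEVICE     0x00001000UL
#define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000UL

/* The five flags tested one by one in the thread, OR'ed into a single mask
 * so the check becomes one AND instead of five. */
#define NON_LOCAL_IMAGE_MASK (FILE_REMOVABLE_MEDIA | FILE_REMOTE_DEVICE | \
                              FILE_VIRTUAL_VOLUME | FILE_CHARACTERISTIC_TS_DEVICE | \
                              FILE_CHARACTERISTIC_WEBDAV_DEVICE)

/* Authoritative check: DEVICE_OBJECT.Characteristics of the device that
 * backs the image's FILE_OBJECT. Returns 1 for removable/virtual/remote/
 * TS/WebDAV devices, 0 for a plain local volume. */
int IsNonLocalImageDevice(unsigned long characteristics)
{
    return (characteristics & NON_LOCAL_IMAGE_MASK) != 0;
}

/* Case-insensitive prefix test; NT object names are case-insensitive. */
static int StartsWithNoCase(const char *s, const char *prefix)
{
    size_t n = strlen(prefix);
    if (strlen(s) < n) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i])) {
            return 0;
        }
    }
    return 1;
}

/* Heuristic fallback for the PID-only case: the native image path returned
 * by ZwQueryInformationProcess(ProcessImageFileName) names the device the
 * image was opened on. Images on SMB shares surface under \Device\Mup\ (as
 * the thread's own example shows); \Device\LanmanRedirector\ is the older
 * redirector name (assumption). A prefix match cannot see removable or
 * virtual volumes, so prefer the characteristics check when a FILE_OBJECT
 * is available. */
int IsNetworkImagePath(const char *ntImagePath)
{
    return StartsWithNoCase(ntImagePath, "\\Device\\Mup\\") ||
           StartsWithNoCase(ntImagePath, "\\Device\\LanmanRedirector\\");
}

int main(void)
{
    /* Constructed sample inputs: a fixed local volume typically carries
     * FILE_DEVICE_SECURE_OPEN (0x100) and FILE_DEVICE_IS_MOUNTED (0x20)
     * only; a network redirector device additionally has FILE_REMOTE_DEVICE. */
    unsigned long localVolume = 0x00000120UL;
    unsigned long remoteVolume = 0x00000120UL | FILE_REMOTE_DEVICE;

    printf("local volume   -> %d\n", IsNonLocalImageDevice(localVolume));  /* 0 */
    printf("remote volume  -> %d\n", IsNonLocalImageDevice(remoteVolume)); /* 1 */

    /* Constructed image paths in the shape the thread reports. */
    printf("local image    -> %d\n",
           IsNetworkImagePath("\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe")); /* 0 */
    printf("network image  -> %d\n",
           IsNetworkImagePath("\\Device\\MUP\\Sharefolder.local\\app.exe")); /* 1 */
    return 0;
}
```

In a driver the first function would be fed `FileObject->DeviceObject->Characteristics` from the process notify routine; the second is only a fallback for the case where no FILE_OBJECT can be obtained, and a process started from a mapped or removable device that does not go through MUP will be missed by it.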
The system does not assign PIDs in any particular order. You cannot say that because a PID is in the range 1-100 it is some kind X, and because it is in some other range 1000-5000 it is another kind Y.
A PID is simply an integer that uniquely identifies a process that is currently running with respect to other processes that are also currently running. PID values can be and are re-used to refer to different processes at different times. You cannot get any additional information about a process from a PID directly.
Typically information like this is obtained in UM. To do that, you have to open a HANDLE to the target process. That HANDLE allows access to the target process based on a security check and will always refer to the same process until it is closed, even if the process terminates.
Thank you, all this is clear.
Can you explain this sentence further?
Even if the process has closed?
Hi!
To retrieve the FILE_OBJECT by process ID you may try PsLookupProcessByProcessId and then PsReferenceProcessFilePointer (the latter is not documented).
A UM process has three basic states in its lifetime:
1) It has been created and the OS is preparing to start running it
2) It is running
3) It has terminated, and the OS is in the process of cleaning it up
In state 3, if there are valid HANDLEs outstanding, the KM resources associated with that process will not be cleaned up until those handles are closed.
Suppose the sequence:
a.exe begins and is assigned PID 123
Process B opens a HANDLE to process A
a.exe terminates
A new instance of a.exe begins. It is unlikely, but possible, that it will also be assigned PID 123
Process B interrogates information about process a.exe based on the PID and gets the wrong information, or interrogates about the process based on the HANDLE that has been opened and gets the right information.
The HANDLE will always refer to the same specific 'object', but names like PID don't always.
*** There are important points that I am not mentioning
This is what I need.
Thank you.
Thank you very much for your explanation.
I did not pay attention to this point.