DriverVerifier and ZwQueryInformationProcess

Mircea_Omerness · January 30, 2012, 8:13am

Hello,

I need to get the full name of a process in a minifilter driver. Al goes well, but when I test my driver with driver verifier in windwos 7, I get a violation: Referencing user handle as KernelMode.

My mention is that I need to get the full paths of all the processes that create on startup.
I optain the PID using PsSetCreateProcessNotifyRoutine. Is there any other way to get the full name of the process without Driver Verifier jumping on me? Can I modify the existing code.

I use this function:

__inline
NTSTATUS GetProcessImageName( HANDLE PID, WCHAR **ProcessImageName)
{
NTSTATUS status;
ULONG returnedLength;
PVOID buffer = NULL;
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES objectAttributes;
CLIENT_ID ClientID;

PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

if (NULL == ZwQueryInformationProcess) {

UNICODE_STRING routineName;

RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

ZwQueryInformationProcess =
(QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

if (NULL == ZwQueryInformationProcess) {
DbgPrint(“Cannot resolve ZwQueryInformationProcess\n”);
}
}

InitializeObjectAttributes(&objectAttributes, 0, 0, 0 , 0);
ClientID.UniqueProcess = PID;
ClientID.UniqueThread = 0;

status = ZwOpenProcess( &hProcess,
0x0400,
&objectAttributes,
&ClientID );
if( !NT_SUCCESS( status ) )
{
goto Cleanup;
}

status = ZwQueryInformationProcess( hProcess,
ProcessImageFileName,
NULL, // buffer
0, // buffer size
&returnedLength);

if (STATUS_INFO_LENGTH_MISMATCH != status)
{
goto Cleanup;
}

buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, DEBUG_TAG);
if( NULL == buffer )
{
status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}

//
// Now lets go get the data
//
status = ZwQueryInformationProcess( hProcess,
ProcessImageFileName,
buffer,
returnedLength,
&returnedLength);

if( !NT_SUCCESS( status ) )
{
goto Cleanup;
}

//
// Ah, we got what we needed
//
*ProcessImageName = ExAllocatePoolWithTag(PagedPool, ((PUNICODE_STRING) buffer)->Length + sizeof( WCHAR ), DEBUG_TAG);
if( NULL == *ProcessImageName )
{
status = STATUS_NO_MEMORY;
goto Cleanup;
}
RtlZeroMemory( *ProcessImageName, ((PUNICODE_STRING) buffer)->Length + sizeof( WCHAR ) );
RtlCopyMemory( *ProcessImageName, ((PUNICODE_STRING) buffer)->Buffer, ((PUNICODE_STRING) buffer)->Length );

//
// And tell the caller what happened.
//
Cleanup:
if( buffer )
{
ExFreePoolWithTag( buffer, DEBUG_TAG);
buffer = NULL;
}

if ( hProcess )
{
ZwClose( hProcess );
hProcess = NULL;
}

return status;
}

Alexey_Barabash · January 30, 2012, 8:18am

Try to use

InitializeObjectAttributes(&objectAttributes, 0, OBJ_KERNEL_HANDLE, 0 , 0);

instead yours.

Best regards,
Alexey Barabash

Alexey_Barabash · January 30, 2012, 8:27am

You can also use PsSetCreateProcessNotifyRoutineEx, if it is enough for your driver to support Vista SP1 and later.
In that case PS_CREATE_NOTIFY_INFO comes into CreateProcessNotifyEx callback. It contains ImageFileName.

Best regards,
Alexey Barabash

Mircea_Omerness · January 30, 2012, 8:45am

Hello,

Using InitializeObjectAttributes(&objectAttributes, 0, OBJ_KERNEL_HANDLE, 0 , 0); worked. Thank you for a quick answer.

OSR_Community_User · January 30, 2012, 1:23pm

> status = ZwOpenProcess( &hProcess,

0x0400,
&objectAttributes,

Add OBJ_KERNEL_HANDLE here to “objectAttributes”.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com