Full pathname for the process which requested current IRP

Hello!

How can I get the full pathname for the process which requested current
IRP? I currently receive the process name (as in FileMon sample), but I
don’t want “iexplore.exe”. I want the full path name: “C:\Program
Files\Internet Explorer\iexplore.exe”.

Anyone knows how this can be done?

Best wishes,
Razvan Hobeanu

It's stored somewhere in the PEB. You're advised not to touch it. You can, however,
pass only the PID back to user mode from your driver using IOCTLs and have a
user-mode service query the information it needs based on those process IDs.
Don't know whether this scenario is suitable for you.

----- Original Message -----
From: “Razvan Hobeanu”
To: “File Systems Developers”
Sent: Sunday, July 21, 2002 6:43 PM
Subject: [ntfsd] Full pathname for the process which requested current IRP

> Hello!
>
> How can I get the full pathname for the process which requested current
> IRP? I currently receive the process name (as in FileMon sample), but I
> don’t want “iexplore.exe”. I want the full path name: “C:\Program
> Files\Internet Explorer\iexplore.exe”.
>
> Anyone knows how this can be done?
>
> Best wishes,
> Razvan Hobeanu
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

Здравствуйте, Razvan.

Вы писали 21 июля 2002 г., 19:43:51:

RH> Hello!

RH> How can I get the full pathname for the process which requested current
RH> IRP? I currently receive the process name (as in FileMon sample), but I
RH> don’t want “iexplore.exe”. I want the full path name: “C:\Program
RH> Files\Internet Explorer\iexplore.exe”.

RH> Anyone knows how this can be done?

RH> Best wishes,
RH> Razvan Hobeanu

RH> —
RH> You are currently subscribed to ntfsd as: xxxxx@comstek.ru
RH> To unsubscribe send a blank email to %%email.unsub%%

Try this. I did it and it works.

/*
 * Minimal view of the user-mode RTL_USER_PROCESS_PARAMETERS block that the
 * PEB points to.  Only ImagePathName is needed here, so everything before it
 * is padded out.
 * NOTE(review): the 0x38 padding reproduces the layout the poster observed on
 * NT 4 / Windows 2000 only; the structure is undocumented and must be
 * re-checked against any other Windows build before use.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
UCHAR dummy[0x38]; // offset 0x38 in the parameters block - full path of the image this process was started from
UNICODE_STRING ImagePathName;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

#define SYSNAME “System”

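/*
 * Find the byte offset of the image-file-name field inside the EPROCESS
 * object by scanning the current process object for the literal SYSNAME
 * (the FileMon/FileSpy technique).  The scan therefore only gives a useful
 * answer while the current process *is* System - i.e. when called from
 * DriverEntry - so callers must invoke it there, once, and cache the result.
 *
 * Returns: the offset in bytes, or 0 when SYSNAME was not found within the
 *          first 3 pages of the object.
 *
 * NOTE(review): this reads raw kernel memory starting at the EPROCESS
 * address without knowing the object's real size; the 12KB window is a guess
 * and can run past the allocation into unrelated pool memory.  Later Windows
 * versions export SeLocateProcessImageName (and PsGetProcessImageFileName
 * for the short name), which should replace this heuristic where available.
 */
ULONG FileSpyGetProcessNameOffset( VOID )
{
    PEPROCESS curproc = PsGetCurrentProcess();
    const size_t nameLen = strlen( SYSNAME );   /* loop-invariant: hoisted out of the scan */
    ULONG i;

    /* Scan for 12KB, hoping the KPEB never grows that big! */
    for( i = 0; i < 3 * PAGE_SIZE; i++ )
    {
        if( !strncmp( SYSNAME, (PCHAR)curproc + i, nameLen ) )
        {
            return i;
        }
    }

    /* Name not found - oh, well; GetPathImageProcess() treats 0 as "unknown". */
    return 0;
}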

ProcessNameOffset = FileSpyGetProcessNameOffset();

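/*
 * Offsets used to walk EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS.
 * All of them come from the original post and were observed on NT 4 and
 * Windows 2000 only; they are undocumented and change between builds, so they
 * must be re-verified against the target version before being relied on.
 */
enum {
    PROCESS_NAME_OFFSET_NT4       = 476,   /* 0x1DC: name offset the start-up scan yields on NT 4 */
    EPROCESS_PEB_OFFSET_NT4       = 0x18C, /* EPROCESS.Peb on NT 4 (marked "???" by the poster) */
    EPROCESS_PEB_OFFSET_W2K       = 0x1B0, /* EPROCESS.Peb on Windows 2000 (marked "???" by the poster) */
    PEB_PROCESS_PARAMETERS_OFFSET = 0x10,  /* PEB.ProcessParameters */
    PATH_IMAGE_MAX_CHARS          = 2045   /* caller's buffer must hold PATH_IMAGE_MAX_CHARS + 1 bytes */
};

/*
 * Copy the full image path of the current process into PathImage as an
 * ANSI string.
 *
 * PathImage: caller-supplied buffer of at least PATH_IMAGE_MAX_CHARS + 1
 *            bytes.  On every return it holds a NUL-terminated string; when
 *            the path cannot be determined it holds "???".  (The original
 *            left the buffer untouched when the string conversion failed.)
 * Returns:   PathImage, for convenience.
 *
 * Requires ProcessNameOffset to have been set from DriverEntry via
 * FileSpyGetProcessNameOffset(); 0 means the layout is unknown.
 *
 * NOTE(review): the PEB and its ProcessParameters block live in user-mode,
 * pageable memory that the process itself can rewrite.  Two consequences:
 *  - the reads below must run in the context of that process, at an IRQL
 *    where page faults are allowed, and should be wrapped in __try/__except
 *    (with ProbeForRead on the user pointers) so a malformed or unmapped
 *    pointer does not bugcheck the machine;
 *  - the returned path is informational only.  A process can change its own
 *    ImagePathName, so it must never be used for an access-control decision.
 */
PCHAR GetPathImageProcess( PCHAR PathImage )
{
    PEPROCESS curproc;
    PVOID peb;
    PRTL_USER_PROCESS_PARAMETERS pupp;
    ANSI_STRING ansi;
    NTSTATUS ntStatus;
    ULONG pebOffset;
    ULONG len;

    /* Every exit path leaves a valid string in the caller's buffer. */
    strcpy( PathImage, "???" );

    if( !ProcessNameOffset )
    {
        return PathImage;
    }

    curproc = PsGetCurrentProcess();

    /* Select the EPROCESS.Peb offset from the name offset probed at start-up.
     * Only NT 4 is recognised explicitly; every other value falls through to
     * the Windows 2000 layout, which is not safe on builds that were never
     * checked against these constants. */
    if( PROCESS_NAME_OFFSET_NT4 == ProcessNameOffset )
    {
        /* FOR NT 4 */
        pebOffset = EPROCESS_PEB_OFFSET_NT4;
    }
    else
    {
        /* FOR WIN 2000 */
        pebOffset = EPROCESS_PEB_OFFSET_W2K;
    }

    /* Pointer-sized reads instead of DWORD: the original truncated pointers
     * to 32 bits.  Kernel-only processes (System, and threads with no user
     * part) have no PEB; the original dereferenced that NULL and crashed. */
    peb = *(PVOID *)((PCHAR)curproc + pebOffset);
    if( peb == NULL )
    {
        return PathImage;
    }

    /* Cast the memory region to the parameters structure. */
    pupp = *(PRTL_USER_PROCESS_PARAMETERS *)((PCHAR)peb + PEB_PROCESS_PARAMETERS_OFFSET);
    if( pupp == NULL )
    {
        return PathImage;
    }

    /* Get where the process was launched from.  TRUE = allocate ansi.Buffer
     * for us; it must be released with RtlFreeAnsiString on success. */
    ntStatus = RtlUnicodeStringToAnsiString( &ansi, &pupp->ImagePathName, TRUE );
    if( !NT_SUCCESS( ntStatus ) )
    {
        return PathImage;
    }

    /* ansi.Length is a byte count without the terminator; clamp so the copy
     * plus terminator always fits the documented buffer size. */
    len = ansi.Length;
    if( len > PATH_IMAGE_MAX_CHARS )
    {
        len = PATH_IMAGE_MAX_CHARS;
    }
    memcpy( PathImage, ansi.Buffer, len );
    PathImage[len] = '\0';
    RtlFreeAnsiString( &ansi );

    return PathImage;
}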


С уважением,
Konstantin mailto:xxxxx@comstek.ru