I'm trying to get the full file path name of the current process. I have been using some code I found by Tony Mason. It works fine on XP and Vista and was stated to work on 2000; however, I am running into issues with 2000. Every time I try to run ZwQueryInformationProcess I get an ACCESS_VIOLATION.
Here is the code:
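/*
 * Prototype used to call ZwQueryInformationProcess through a pointer that is
 * resolved at run time with MmGetSystemRoutineAddress.
 *
 * The calling convention is spelled out (NTAPI) so that the call through the
 * pointer matches the exported routine even when the translation unit is not
 * built with the driver build environment's default convention; a mismatch
 * on x86 would unbalance the stack.
 */
typedef NTSTATUS (NTAPI *QUERY_INFO_PROCESS) (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );

/*
 * Lazily resolved entry point. It stays NULL until GetProcessImageName looks
 * it up, and it remains NULL if the lookup fails, so every caller must check
 * it before calling through it.
 */
QUERY_INFO_PROCESS ZwQueryInformationProcess;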
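/*
 * GetProcessImageName - copy the image file name of the current process into
 * a caller-supplied UNICODE_STRING.
 *
 * ProcessImageName: destination string; its MaximumLength is compared against
 *                   the number of bytes required before anything is copied.
 *
 * Returns:
 *   the status of the final query on the normal path (success means the name
 *       was copied);
 *   STATUS_PROCEDURE_NOT_FOUND    - ZwQueryInformationProcess could not be
 *                                   resolved on this system;
 *   STATUS_BUFFER_OVERFLOW        - destination too small; the required byte
 *                                   count is stored in ProcessImageName->Length;
 *   STATUS_INSUFFICIENT_RESOURCES - pool allocation failed;
 *   STATUS_UNSUCCESSFUL           - the size query reported a length smaller
 *                                   than a UNICODE_STRING header;
 *   any other status returned by the size query is passed back unchanged.
 */
NTSTATUS GetProcessImageName(PUNICODE_STRING ProcessImageName)
{
    NTSTATUS status;
    ULONG returnedLength = 0;   /* defined even if the query does not write it */
    ULONG bufferLength;
    PVOID buffer;
    PUNICODE_STRING imageName;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (NULL == ZwQueryInformationProcess) {
        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

        ZwQueryInformationProcess =
            (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            //
            // Bail out here: falling through would call a NULL function
            // pointer from kernel mode, which faults instead of failing
            // cleanly.
            //
            return STATUS_PROCEDURE_NOT_FOUND;
        }
    }

    //
    // Step one - get the size we need
    //
    // NOTE(review): if the running OS does not implement the
    // ProcessImageFileName class, this call is expected to fail with some
    // other status, which is handed back to the caller below - confirm on the
    // oldest OS release the driver targets.
    //
    status = ZwQueryInformationProcess(NtCurrentProcess(),
                                       ProcessImageFileName,
                                       NULL, // buffer
                                       0,    // buffer size
                                       &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        return status;
    }

    //
    // The result is a UNICODE_STRING header followed by the characters. A
    // reported length smaller than the header would make the subtraction
    // below wrap around to a huge unsigned value.
    //
    if (returnedLength < sizeof(UNICODE_STRING)) {
        return STATUS_UNSUCCESSFUL;
    }

    //
    // Is the passed-in buffer going to be big enough for us? This function
    // returns a single contiguous buffer model...
    //
    bufferLength = returnedLength - sizeof(UNICODE_STRING);

    if (ProcessImageName->MaximumLength < bufferLength) {
        // Report the required size so the caller can retry with more room.
        ProcessImageName->Length = (USHORT) bufferLength;
        return STATUS_BUFFER_OVERFLOW;
    }

    //
    // If we get here, the buffer IS going to be big enough for us, so let's
    // allocate some storage.
    //
    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'boof');

    if (NULL == buffer) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    //
    // Now lets go get the data
    //
    status = ZwQueryInformationProcess(NtCurrentProcess(),
                                       ProcessImageFileName,
                                       buffer,
                                       returnedLength,
                                       &returnedLength);

    if (NT_SUCCESS(status)) {
        //
        // Ah, we got what we needed. The temporary buffer starts with the
        // UNICODE_STRING describing the name, so copy from it.
        //
        imageName = (PUNICODE_STRING) buffer;
        RtlCopyUnicodeString(ProcessImageName, imageName);
    }

    //
    // free our buffer (on both the success and the failure path)
    //
    ExFreePool(buffer);

    //
    // And tell the caller what happened.
    //
    return status;
}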
Why would I be getting an access violation? Does anyone know any alternative methods for getting the full file path?