GetProcAddress, Full Process name, questions

I think I have found the best way to get the full path name of a process,
basically :-

CLIENT_ID id;                              /* target process/thread ids */
OBJECT_ATTRIBUTES ObjectAttributes;
PROCESS_BASIC_INFORMATION BasicInfo;
PRTL_USER_PROCESS_PARAMETERS UserParams;
HANDLE hProcess;
NTSTATUS status;

/* open a handle to the target (remaining arguments omitted in the post) */
status = ZwOpenProcess(&hProcess…)
/* the PEB base address comes back in BasicInfo.PebBaseAddress */
status = ZwQueryInformationProcess( hProcess, ProcessBasicInformation, &BasicInfo,
                                    sizeof(BasicInfo), NULL );
/* user-mode pointer: only valid inside the target's address space */
UserParams = BasicInfo.PebBaseAddress->ProcessParameters;

Now, the problem is reading the memory that the ProcessParameters points
to. The routes I have seen are KeAttachProcess, or NtReadVirtualMemory.
NtReadVirtualMemory doesn’t seem to work if you static link it (driver
won’t start due to missing proc), so you have to dynamically link it.
KeAttachProcess is too easy to get a BSOD on, so I don’t really want to go
that way.

Basically how can I get the address of NtReadVirtualMemory in the driver
(no user mode application can be used). Once I have the address of
NtReadVirtualMemory I can invoke it dynamically. Recoding GetProcAddress
seems ok, but how do you get the system32 directory in kernel mode? Would
it involve putting in the %SYSTEM% tags and expanding it with some call?
Are there any GetProcAddress kernel functions freely available?

Finally is there any better/more reliable way of getting the full process
name of a process than the one I am trying to achieve? Again, if I could
use a user-mode app I would, but I am not asking for that. Thanks in
advance.
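Added example, not code from Jason's post or from any driver project: a kernel-mode helper that covers the two things asked above. The names ResolveKernelExport and GetProcessImagePath, the pool tag and the error handling are this example's own choices. MmGetSystemRoutineAddress is the kernel's counterpart of GetProcAddress: it resolves a routine exported by ntoskrnl.exe or hal.dll by name and returns NULL when the name is not exported, so a runtime lookup plus a NULL check replaces the static import that stops the driver from loading. The example also goes one step beyond the post's PEB walk: it takes the image path from ZwQueryInformationProcess with ProcessImageFileName (class value 27, declared by hand so older DDKs build it), which returns a UNICODE_STRING filled in by the kernel and never dereferences the target's user-mode PEB, so neither KeAttachProcess nor NtReadVirtualMemory is needed.

```c
#include <ntddk.h>

/* Hypothetical helper (added example): kernel-mode "GetProcAddress".
 * Resolves a name exported by ntoskrnl.exe/hal.dll. A NULL result means
 * the routine is not exported on this kernel, which is the same condition
 * that makes a statically imported driver fail to load, now checkable. */
static PVOID ResolveKernelExport(PCWSTR Name)
{
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, Name);
    return MmGetSystemRoutineAddress(&routineName);
}

typedef NTSTATUS (NTAPI *PFN_ZwQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);

/* PROCESSINFOCLASS value of ProcessImageFileName, declared here so the
 * example also compiles with a DDK whose ntddk.h predates it. */
#define PROCESS_IMAGE_FILE_NAME_CLASS ((PROCESSINFOCLASS)27)

/* Hypothetical helper (added example). Returns the full NT path of the
 * process image (\Device\HarddiskVolumeN\...) without touching the target's
 * PEB. Call at PASSIVE_LEVEL. On success the caller frees *ImagePath with
 * ExFreePoolWithTag(*ImagePath, 'gmIp'); the Buffer member points inside
 * that same allocation. */
NTSTATUS GetProcessImagePath(HANDLE ProcessId, PUNICODE_STRING *ImagePath)
{
    PFN_ZwQueryInformationProcess pfnQuery;
    CLIENT_ID id;
    OBJECT_ATTRIBUTES oa;
    HANDLE hProcess = NULL;
    ULONG needed = 0;
    PUNICODE_STRING buf = NULL;
    NTSTATUS status;

    *ImagePath = NULL;

    /* Runtime lookup instead of a static import. */
    pfnQuery = (PFN_ZwQueryInformationProcess)
        ResolveKernelExport(L"ZwQueryInformationProcess");
    if (pfnQuery == NULL)
        return STATUS_NOT_IMPLEMENTED;   /* not exported on this kernel */

    id.UniqueProcess = ProcessId;
    id.UniqueThread = NULL;
    /* OBJ_KERNEL_HANDLE keeps the handle out of the calling user process's
     * handle table when this runs in a user thread's context. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION, &oa, &id);
    if (!NT_SUCCESS(status))
        return status;

    /* First call only sizes the buffer: expect STATUS_INFO_LENGTH_MISMATCH
     * with the required byte count in 'needed'. */
    status = pfnQuery(hProcess, PROCESS_IMAGE_FILE_NAME_CLASS, NULL, 0, &needed);
    if (status != STATUS_INFO_LENGTH_MISMATCH || needed == 0) {
        ZwClose(hProcess);
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
    }

    buf = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool, needed, 'gmIp');
    if (buf == NULL) {
        ZwClose(hProcess);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    status = pfnQuery(hProcess, PROCESS_IMAGE_FILE_NAME_CLASS, buf, needed, &needed);
    ZwClose(hProcess);

    if (!NT_SUCCESS(status)) {
        ExFreePoolWithTag(buf, 'gmIp');
        return status;
    }

    *ImagePath = buf;
    return STATUS_SUCCESS;
}
```

Two things to keep in mind when using this. The path comes back in NT device form, not with a drive letter, so compare it against other NT paths rather than against C:\... strings. And ResolveKernelExport only finds names the kernel actually exports: ResolveKernelExport(L"ZwReadVirtualMemory") returns NULL on a kernel that does not export it, which is the same "missing proc" condition the static link hits, but as a checked value at run time instead of a driver that refuses to start.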

Jason Annice wrote:

> Finally is there any better/more reliable way of getting the full process
> name of a process than the one I am trying to achieve? Again, if I could
> use a user-mode app I would, but I am not asking for that. Thanks in
> advance.

A user-mode app is the only safe way to do this. Sorry.


Nick Ryan (MVP for DDK)