Hello,
I’m writing a device driver which requires knowing the location of a file from
the process ID. Someone from this mailing list very kindly sent me the below
code (which came from this mailing list) but unfortunately it keeps crashing
on me between TAG1 and TAG2.
I know very little about the PE file format and the mechanisms behind starting
a process but it occurred to me I could get the process ID and location of the
file by hooking an API relating to how processes are started. Does anyone know
if this is possible and if so, what functions would need to be hooked? Obviously
this wouldn’t work for processes already running when my device driver starts
but I can live with this (though if someone knows what could be wrong with the
below code - that’d be fantastic).
Cheers
Stephen
#include <ntddk.h>
#include <string.h>

/* DWORD/PDWORD are Win32 names that ntddk.h does not always provide. */
typedef ULONG DWORD, *PDWORD;

/* Set elsewhere in the driver per OS build; 0 means "unknown, give up". */
extern DWORD ProcessNameOffset;

/* Walks EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS through hard-coded,
 * build-specific offsets to get the current process's image path.
 * The PEB and its parameters live in user-mode memory, so this must run at
 * PASSIVE_LEVEL in the context of the process being queried.
 * PathImage must hold at least 2046 bytes. */
PCHAR GetPathImageProcess( PCHAR PathImage )
{
    PEPROCESS curproc;
    DWORD dw = 0;
    PDWORD tdw;
    ANSI_STRING ansi;
    NTSTATUS ntStatus;
    PRTL_USER_PROCESS_PARAMETERS pupp = NULL;

    strcpy( PathImage, "???" );   /* returned if any step below fails */

    if( ProcessNameOffset )
    {
        curproc = PsGetCurrentProcess();
        //TAG1
        if( 476==ProcessNameOffset )
            tdw = (PDWORD)(((PCHAR)curproc)+0x18C);   /* EPROCESS.Peb on this build */
        else
            tdw = (PDWORD)(((PCHAR)curproc)+0x1B0);   /* EPROCESS.Peb on the other build */
        dw = *tdw;                                     /* PEB pointer */

        /* The System process has no PEB, and a process being torn down may
         * have none either; dereferencing the NULL pointer here crashes. */
        if( dw == 0 )
            return PathImage;

        tdw = (PDWORD)((PCHAR)dw+0x10);                /* PEB.ProcessParameters */
        dw = *tdw;
        if( dw == 0 )                                  /* not populated yet */
            return PathImage;

        pupp = (PRTL_USER_PROCESS_PARAMETERS)dw;
        //TAG2
        ntStatus = RtlUnicodeStringToAnsiString( &ansi, &pupp->ImagePathName, TRUE );
        if( ntStatus==STATUS_SUCCESS )
        {
            dw = ansi.Length;                          /* bytes */
            if( dw > 2045 )
                dw = 2045;                             /* leave room for the terminator */
            memcpy( PathImage, ansi.Buffer, dw );
            PathImage[dw] = 0;
            RtlFreeAnsiString( &ansi );
        }
    }
    return PathImage;
}
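The process-start question above has a documented answer that needs no API hooking and no EPROCESS offsets: the kernel already calls drivers back on process creation (PsSetCreateProcessNotifyRoutine) and on every image mapped into a process (PsSetLoadImageNotifyRoutine), and the load-image callback hands over the full image path together with the process ID. The driver below is an added example written for this thread, not code from the poster or from the mailing list. It assumes those two WDK routines (both real), treats the first user-mode image reported for a freshly created PID as that process's executable (an assumption about notification order, not something the post states), and uses an illustrative fixed-size table; the names PATH_ENTRY, g_Table, CreateProcessNotify, LoadImageNotify and LookupImagePath are this example's own.

```c
#include <ntddk.h>

/* Illustrative sizes: a real driver would use a hash table or lookaside list. */
#define PATH_TABLE_SIZE 64
#define PATH_MAX_CHARS  260

typedef struct _PATH_ENTRY {
    HANDLE  ProcessId;             /* NULL marks a free slot */
    BOOLEAN AwaitingMainImage;     /* set at create, cleared by the first user image */
    USHORT  Length;                /* bytes, UNICODE_STRING convention */
    WCHAR   Path[PATH_MAX_CHARS];
} PATH_ENTRY;

static PATH_ENTRY g_Table[PATH_TABLE_SIZE];
static KSPIN_LOCK g_TableLock;

/* Caller holds g_TableLock. */
static PATH_ENTRY *FindEntry(HANDLE pid)
{
    ULONG i;
    for (i = 0; i < PATH_TABLE_SIZE; i++)
        if (g_Table[i].ProcessId == pid)
            return &g_Table[i];
    return NULL;
}

/* Runs at PASSIVE_LEVEL when a process is created (Create) or exits. */
static VOID CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    KIRQL irql;
    PATH_ENTRY *e;
    UNREFERENCED_PARAMETER(ParentId);

    KeAcquireSpinLock(&g_TableLock, &irql);
    e = FindEntry(ProcessId);
    if (Create) {
        if (e == NULL)
            e = FindEntry(NULL);           /* grab a free slot */
        if (e != NULL) {
            e->ProcessId = ProcessId;
            e->AwaitingMainImage = TRUE;
            e->Length = 0;
        }
    } else if (e != NULL) {
        RtlZeroMemory(e, sizeof(*e));      /* process gone: drop the entry */
    }
    KeReleaseSpinLock(&g_TableLock, irql);
}

/* Runs at PASSIVE_LEVEL in the context of the process mapping the image. */
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    KIRQL irql;
    PATH_ENTRY *e;
    USHORT bytes;

    /* Drivers are reported too; they are not the process's executable.
     * FullImageName may be NULL when the kernel could not resolve the name. */
    if (ImageInfo->SystemModeImage || FullImageName == NULL)
        return;

    KeAcquireSpinLock(&g_TableLock, &irql);
    e = FindEntry(ProcessId);
    if (e != NULL && e->AwaitingMainImage) {   /* assumption: first user image == EXE */
        bytes = FullImageName->Length;
        if (bytes > sizeof(e->Path))
            bytes = sizeof(e->Path);           /* bounded copy, no overflow */
        RtlCopyMemory(e->Path, FullImageName->Buffer, bytes);
        e->Length = bytes;
        e->AwaitingMainImage = FALSE;
    }
    KeReleaseSpinLock(&g_TableLock, irql);
}

/* Copies the recorded path for pid into a caller-supplied UNICODE_STRING. */
BOOLEAN LookupImagePath(HANDLE pid, PUNICODE_STRING out)
{
    KIRQL irql;
    PATH_ENTRY *e;
    BOOLEAN found = FALSE;

    KeAcquireSpinLock(&g_TableLock, &irql);
    e = FindEntry(pid);
    if (e != NULL && e->Length != 0) {
        out->Length = (e->Length < out->MaximumLength) ? e->Length : out->MaximumLength;
        RtlCopyMemory(out->Buffer, e->Path, out->Length);
        found = TRUE;
    }
    KeReleaseSpinLock(&g_TableLock, irql);
    return found;
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
    PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    KeInitializeSpinLock(&g_TableLock);
    RtlZeroMemory(g_Table, sizeof(g_Table));
    DriverObject->DriverUnload = DriverUnload;

    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
    if (!NT_SUCCESS(status))
        return status;
    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(status))
        PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
    return status;
}
```

Because the kernel calls these routines itself, the driver never touches EPROCESS, the PEB or version-specific offsets, and the same build keeps working across service packs; processes that were already running when the driver loaded simply have no entry, which matches the limitation the post was prepared to accept.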