I wanna get the full path of a process when it is being created.
So, I used PEB and PROCESS_PARAMETERS in the
PsSetCreateProcessNotifyRoutine.
But the result was the full path of the parent process.
Next, I used PsSetLoadImageNotifyRoutine.
But this routine has a problem.
My driver cannot be unloaded.
Without these problems, how can I get the full path of a process?
And is it possible to get the full path of previously created
processes (system/Explorer etc.)?
Thanks for any suggestions!
Sincerely!
Chang Sung, Jung.