I want to get the full path of a process when it is being created.
So, I used the PEB and PROCESS_PARAMETERS in the
PsSetCreateProcessNotifyRoutine.
But the result was the full path of the parent process.
Next, I used PsSetLoadImageNotifyRoutine.
But this routine has a problem.
My driver cannot be unloaded.
Without these problems, how can I get the full path of a process?
And is it possible to get the full path of previously created
processes (system/Explorer etc.)?
Thanks for any suggestions!
Sincerely!
Chang Sung, Jung.
If you have the PEPROCESS of the process, get the file object that
corresponds to that process, and get the file name behind it.
This is quite a big hack, of course:-)
You can also enumerate the files opened by a process, and the name
of the process’s image file will be among them - I don’t know if there
is any guarantee that it will be the first file name listed.
> Without these problems, how can I get the full path of a process?
> And is it possible to get the full path of previously created
> processes (system/Explorer etc.)?
--
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.