Hello Sanjay,
Thursday, January 13, 2005, 3:03:52 AM, you wrote:
SC> I have a TDI driver where I want to get the process name
SC> in whose context the functions are getting called (i.e. TdiConnect,
SC> TdiSend, etc).
SC> Is there a DDK function which gives the full process
SC> name (including path) and not just the process name?
SC> e.g. if the application is outlook.exe, I want the function to
SC> return C:\Program Files\Microsoft Office\OFFICE11\outlook.exe,
SC> and not just outlook.exe
(I assume you're doing some behaviour blocker, prolly a personal AV program
that allows other programs to access the network based on their full image
path/name.)
You can search the list archive for an answer. You'll prolly find two
answers: one is to use some user-mode code that uses Win32 functions to
query the process name (or a kernel equivalent that does what these
functions do: read the data from the PEB); the other is the use of
PsSetLoadImageNotifyRoutine on W2k+. The only secure and documented
way is to use the latter, as I'll explain later. If you have to
support NT4, you'll have to dig into undocumented stuff (maybe the load
image notify was added in some SP; please correct me in that case). I
advise using PsSetLoad* and supporting W2k+, even though only 8 of the
notify routines can be installed concurrently (at least on W2k).
Well, anything that touches the PEB is insecure, since the data in the PEB can
be modified from user mode directly. So I can run an application, change
the image path in my own PEB, and to other applications that use APIs
that read the filename from the PEB I will look like another
application. Using this I could exploit the process authentication scheme
of your personal firewall (in fact, this can be used to exploit, for
example, Kerio Personal Firewall, all versions). So this is a NO NO
for any serious blocking app.
Now the tricks that can be used to get the full image path/name in a
secure way. First, you could change the page protection of the
appropriate memory area inside the PEB. But that would also mean hooking
the syscall for changing page permissions, else the process could
change it back. This is doable, though hooking gets involved.
The second option is to use the SectionHandle in EPROCESS (on XP+ it's
directly SectionObject?) and dig into it to get the filename. But this
is the least compatible way to go, since it differs among NT versions.
Maybe others could suggest other possibilities...
--
Best regards,
Ivona Prenosilova
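The PsSetLoadImageNotifyRoutine approach recommended above, as an added kernel-mode C example (not code from the original message or from any of the products it mentions). It records the full image path of each new process from the load-image notify, drops the entry again when the process exits so a recycled PID cannot inherit a dead process's path, and exposes a lookup the TDI dispatch code can call for the current process. The table layout, the slot counts and the function names are this example's own choices; it also assumes that the first user-mode image reported for a new PID is the main executable (on W2k/XP the executable is mapped before ntdll.dll). It builds against the DDK and needs a W2k or later kernel to run.

```c
#include <ntddk.h>

/* Fixed-size PID -> full image path table (example choice; a real driver
 * would use RTL_GENERIC_TABLE or a hash table with lookaside lists). */
#define TRACKED_MAX    256
#define IMAGE_PATH_MAX 260

typedef struct _TRACKED_PROCESS {
    HANDLE ProcessId;                  /* NULL marks a free slot */
    WCHAR  ImagePath[IMAGE_PATH_MAX];  /* NUL-terminated NT-namespace path */
} TRACKED_PROCESS;

static TRACKED_PROCESS g_Tracked[TRACKED_MAX];
static KSPIN_LOCK      g_TrackedLock;

/* Load-image notify. Assumption: the first user-mode image reported for a
 * PID is the main executable; later notifications for that PID are DLLs. */
static VOID
LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    KIRQL irql;
    ULONG i, freeSlot = TRACKED_MAX;

    /* Driver loads arrive with ProcessId == 0 and SystemModeImage set. */
    if (ProcessId == NULL || FullImageName == NULL || ImageInfo->SystemModeImage)
        return;

    KeAcquireSpinLock(&g_TrackedLock, &irql);
    for (i = 0; i < TRACKED_MAX; i++) {
        if (g_Tracked[i].ProcessId == ProcessId)
            goto done;                          /* EXE path already recorded */
        if (g_Tracked[i].ProcessId == NULL && freeSlot == TRACKED_MAX)
            freeSlot = i;
    }
    if (freeSlot != TRACKED_MAX) {
        ULONG chars = FullImageName->Length / sizeof(WCHAR);
        if (chars > IMAGE_PATH_MAX - 1)
            chars = IMAGE_PATH_MAX - 1;         /* truncate rather than overflow */
        RtlCopyMemory(g_Tracked[freeSlot].ImagePath, FullImageName->Buffer,
                      chars * sizeof(WCHAR));
        g_Tracked[freeSlot].ImagePath[chars] = L'\0';
        g_Tracked[freeSlot].ProcessId = ProcessId;
    }
done:
    KeReleaseSpinLock(&g_TrackedLock, irql);
}

/* Process notify: free the slot on exit so a recycled PID starts clean. */
static VOID
CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    KIRQL irql;
    ULONG i;

    UNREFERENCED_PARAMETER(ParentId);
    if (Create)
        return;
    KeAcquireSpinLock(&g_TrackedLock, &irql);
    for (i = 0; i < TRACKED_MAX; i++)
        if (g_Tracked[i].ProcessId == ProcessId) { g_Tracked[i].ProcessId = NULL; break; }
    KeReleaseSpinLock(&g_TrackedLock, irql);
}

/* Called from the TDI dispatch path (e.g. on a TDI_CONNECT IRP). Returns
 * FALSE for unknown PIDs (process started before the driver loaded, or the
 * table was full); a blocker should treat FALSE as "deny". Caveat: this
 * names the process whose thread issued the request, so a request issued by
 * a system thread on another process's behalf shows up as System. */
BOOLEAN
GetCurrentProcessImagePath(PWCHAR Out, ULONG OutChars)
{
    HANDLE  pid = PsGetCurrentProcessId();
    BOOLEAN found = FALSE;
    KIRQL   irql;
    ULONG   i, n;

    if (Out == NULL || OutChars == 0)
        return FALSE;
    KeAcquireSpinLock(&g_TrackedLock, &irql);
    for (i = 0; i < TRACKED_MAX; i++) {
        if (g_Tracked[i].ProcessId != pid)
            continue;
        for (n = 0; n < OutChars - 1 && g_Tracked[i].ImagePath[n] != L'\0'; n++)
            Out[n] = g_Tracked[i].ImagePath[n];
        Out[n] = L'\0';
        found = TRUE;
        break;
    }
    KeReleaseSpinLock(&g_TrackedLock, irql);
    return found;
}

static VOID
DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);   /* XP and later only */
    PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
}

NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    KeInitializeSpinLock(&g_TrackedLock);
    RtlZeroMemory(g_Tracked, sizeof(g_Tracked));
    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
    if (!NT_SUCCESS(status))
        return status;
    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);   /* fails once all 8 slots are taken */
    if (!NT_SUCCESS(status)) {
        PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
        return status;
    }
    DriverObject->DriverUnload = DriverUnload;
    /* The TDI filter's own device attach and dispatch setup would follow here. */
    return STATUS_SUCCESS;
}
```

Two things to keep in mind when wiring this into the blocker: the path the notify hands you is the NT-namespace form (\Device\HarddiskVolumeN\...), not the C:\ form the original poster asked for, so mapping it to a drive letter is a separate step; and because the table is only populated for processes that start after the driver loads, a driver that is not started at boot will see every already-running process as unknown.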