Getting name information from PEPROCESS object

I was trying to get the name or full path of a running driver or process at kernel level. So, I used PsGetCurrentProcess to get the PEPROCESS object. Now, how do I extract the name of the process, given that the PEPROCESS object is undocumented?
I thought the given function was not returning the process object, so I tried using PsGetCurrentProcessId and then used PsLookupProcessByProcessId, which worked fine, returning STATUS_SUCCESS.
Now tell me what to do? I am unable to use PsGetProcessImageFileName().

See the links below:

http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa813741(v=VS.85).aspx

From RTL_USER_PROCESS_PARAMETERS you can get ImagePathName and CommandLine strings.

Don’t use PsGetProcessImageFileName; it fails in strange ways with non-ASCII filenames.

–pa

Or just do the query from a helper process using QueryFullProcessImageName or GetProcessImageFileName. Fully supported, and more secure than reading undocumented stuff from the PEB (which apps can mess with, since it’s in user space).

Thanks,
Pavel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@fastmail.fm
Sent: Wednesday, November 17, 2010 6:13 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Getting name information from PEPROCESS object


Reading something from the PEB may not work if the process is in its early initialization phase; instead of the path you will get an empty string.

> Reading something from the PEB may not work if the process is in its early initialization
> phase; instead of the path you will get an empty string.

There was some way to get it even in the early phase; the data is still there. Sorry, don’t remember off the top of my head how exactly ;)

– pa
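The two caveats raised above (the PEB is user-writable, and ImagePathName is empty while a process is still initializing) both argue for treating an RTL_USER_PROCESS_PARAMETERS string as untrusted input. The following is an added example, not code from the thread or from any Windows header: it copies and validates a UNICODE_STRING-shaped header (the struct below mirrors the Windows layout with 16-bit code units so it compiles without the WDK; a real driver would use the ntdef.h definition and wrap the read in ProbeForRead/__try) and reports an empty path separately from a corrupted one.

```c
/* Added example: validating an ImagePathName-style UNICODE_STRING read from a
 * user-mode-writable structure before a kernel component trusts it.
 * us_t mirrors the Windows UNICODE_STRING layout (Length in bytes, not chars). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint16_t  Length;        /* bytes used, excluding any NUL */
    uint16_t  MaximumLength; /* bytes allocated for Buffer */
    uint16_t *Buffer;        /* UTF-16 code units; need not be NUL-terminated */
} us_t;

typedef enum { US_OK = 0, US_NOT_READY, US_INVALID, US_TOO_LONG } us_status;

/* Copy the untrusted string into caller-owned dst (capacity in code units),
 * NUL-terminating it. Malformed headers are rejected instead of being read past;
 * Length == 0 is reported as "not ready" because an initializing process has an
 * empty ImagePathName. Content checks run on the private copy, never on src,
 * so user mode cannot change the data between the check and the use. */
us_status copy_untrusted_path(const us_t *src, uint16_t *dst, size_t dst_units)
{
    size_t units, i;
    if (src == NULL || dst == NULL || dst_units == 0)
        return US_INVALID;
    if ((src->Length & 1) != 0 || src->Length > src->MaximumLength)
        return US_INVALID;                  /* corrupted or tampered header */
    if (src->Length == 0)
        return US_NOT_READY;                /* early init: not filled in yet */
    if (src->Buffer == NULL)
        return US_INVALID;
    units = src->Length / 2;
    if (units + 1 > dst_units)
        return US_TOO_LONG;
    memcpy(dst, src->Buffer, src->Length);  /* take a private copy first */
    for (i = 0; i < units; i++)
        if (dst[i] == 0)
            return US_INVALID;              /* embedded NUL in a path */
    dst[units] = 0;
    return US_OK;
}

/* Constructed sample inputs; returns how many of the five cases behave as expected. */
int selftest(void)
{
    static uint16_t path[] = { 'C', ':', '\\', 'a', '.', 'e', 'x', 'e' };
    uint16_t out[16];
    us_t good = { 16, 16, path }, odd = { 15, 16, path },
         big  = { 32, 16, path }, empty = { 0, 16, path };
    int ok = 0;
    ok += (copy_untrusted_path(&good, out, 16) == US_OK && out[8] == 0);
    ok += (copy_untrusted_path(&odd, out, 16) == US_INVALID);
    ok += (copy_untrusted_path(&big, out, 16) == US_INVALID);
    ok += (copy_untrusted_path(&empty, out, 16) == US_NOT_READY);
    ok += (copy_untrusted_path(&good, out, 8) == US_TOO_LONG);
    return ok;
}
```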

>>There was some way to get it even in the early phase; the data is still there. Sorry, don’t remember off the top of my head how exactly ;) <<

I eventually moved to Ps Image Notify Routines to accomplish this job :)

There is an OSR article about it: What’s in a (Process) Name? Obtaining A Useful Name for the Executable Image in a Process (http://www.osronline.com/article.cfm?article=472). Also read about its possible limitations in the comments on it.

Kris

Krzysztof,

It is still a non-universal solution, as it does not work on 2k. On 2k it immediately BSODs when using ZwQueryInformationProcess with the ProcessImageFileName class (I may be wrong, but I remember I had BSODs because of that).

An amazingly interesting fact, but in the enterprise world many companies in (Western) Europe still use 2k in production, mostly in closed environments, for example in factories. So 2k is still in the game, at least for me.

Volodymyr, that’s the reason why I mentioned that the OP should read about the possible limitations in the comments on this article…

To be perfectly honest I would still use this method on >= XP and some other method (potentially less stable) on 2k.

Kris

Krzysztof Uchronski:

>>To be perfectly honest I would still use this method on >= XP and some other method (potentially less stable) on 2k. <<

Maybe you are right. But this approach means you will have to have two binaries, one for each OS (2k, XP), which is already a disadvantage in some cases. But it all depends, of course.

>>But this approach means you will have to have two binaries, one for each OS (2k, XP), which is already a disadvantage in some cases. But it all depends, of course.<<

Mea culpa. I was too fast in answering this.

One may build one binary for 2k and XP by checking the Windows version at runtime and calling the appropriate class for ZwQueryInformationProcess, or doing something else.