Getting Process Name and Process Hash

I need to get the current process name and its hash in kernel mode.
This seems to be the API to use, but I have no idea what PEPROCESS
contains. How do I get this information?

PEPROCESS
IoGetCurrentProcess(
);

Regards,

Adnan

Why do think you need this?

You do realize that when in the kernel, typically you are in arbitrary
thread context, so getting the current process name and hash most likely
will return who you aren’t?

Gary G. Little


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Adnan Bhutta
Sent: Tuesday, June 13, 2006 5:04 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Getting Process Name and Process Hash

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

PCHAR
PsGetProcessImageFileName(
IN PEPROCESS Process
)
returns the corresponding field from the PEPROCESS structure (this is a 16-byte array). Available on XP and later OSs.


Thanks for the reply. Where do I find out what PEPROCESS contains?
The name? What info about the process does it have?

Regards,

Adnan


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Slava Imameyev
Sent: Tuesday, June 13, 2006 3:31 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting Process Name and Process Hash


It is somewhat bizarre when somebody with @microsoft.com e-mail asks such questions here…

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Adnan Bhutta[SMTP:xxxxx@microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, June 14, 2006 12:45 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Getting Process Name and Process Hash


ps.h file :-))

Yet another way!

kd> dt nt!_EPROCESS

Which is only good for one version of the OS + SP since this can change on any given release.

d


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Slava Imameyev
Sent: Tuesday, June 13, 2006 4:35 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting Process Name and Process Hash


PCHAR
PsGetProcessImageFileName(
IN PEPROCESS Process
)
returns the corresponding field from the PEPROCESS structure (this is a 16-byte
array). Available on XP and later OSs.

Yes. This name is ANSI and 8.3 short, and not a full pathname. This is the same
name Task Manager uses.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
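As an added example (not code from the thread, and not from any Microsoft header): a user-mode C model of handling the 16-byte short name that PsGetProcessImageFileName returns, showing why a per-process policy keyed on that name alone is weak. It assumes the field holds the first 15 characters of the image file name followed by a NUL; model_image_name, copy_image_name and policy_match are constructed helpers, and the sample paths are made up.

```c
/* Added example, not from the thread or any Microsoft header.  In a
 * driver the 16-byte short name comes from
 *     PCHAR name = PsGetProcessImageFileName(IoGetCurrentProcess());
 * (undocumented; the driver declares that prototype itself).  Here a
 * constructed array stands in for that pointer so the handling logic
 * compiles and runs in user mode. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IMAGE_NAME_LEN 16   /* size of EPROCESS.ImageFileName on XP/2003 */

/* Assumed model of how the kernel fills the field: the last path
 * component, cut to 15 characters, NUL terminated inside the 16 bytes. */
void model_image_name(const char *image_path, char out[IMAGE_NAME_LEN])
{
    const char *base = strrchr(image_path, '\\');
    base = base ? base + 1 : image_path;
    memset(out, 0, IMAGE_NAME_LEN);
    strncpy(out, base, IMAGE_NAME_LEN - 1);   /* byte 15 stays NUL */
}

/* Bounded copy out of the kernel array.  Does not trust the 16 bytes to
 * be terminated and never overruns dst.  Returns characters copied. */
size_t copy_image_name(const char src[IMAGE_NAME_LEN], char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0) return 0;
    while (n < IMAGE_NAME_LEN && n + 1 < dstlen && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Case-insensitive equality: Win32 image names are case-insensitive. */
int image_name_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Policy check that refuses to decide on a possibly truncated name.
 * Returns 1 = match, 0 = no match, -1 = 15-char name, ambiguous. */
int policy_match(const char short_name[IMAGE_NAME_LEN], const char *expected_exe)
{
    char buf[IMAGE_NAME_LEN];
    size_t n = copy_image_name(short_name, buf, sizeof buf);
    if (n >= IMAGE_NAME_LEN - 1) return -1;   /* any longer name fits here */
    return image_name_equals(buf, expected_exe);
}

int main(void)
{
    /* Constructed sample paths, not real indicators. */
    char a[IMAGE_NAME_LEN], b[IMAGE_NAME_LEN], c[IMAGE_NAME_LEN];
    model_image_name("C:\\Windows\\System32\\notepad.exe", a);
    model_image_name("C:\\Svc\\MyLongServiceHost.exe", b);
    model_image_name("D:\\Other\\MyLongServiceHost2.exe", c);
    printf("%s -> %d\n", a, policy_match(a, "notepad.exe"));           /* 1  */
    printf("%s -> %d\n", b, policy_match(b, "MyLongServiceHost.exe")); /* -1 */
    printf("same short name for two images: %d\n", image_name_equals(b, c)); /* 1 */
    return 0;
}
```

Two different images collapse to the same 15-character short name, so anything that needs to identify the caller has to use the full image path (via the section object) or information the user-mode client supplies, as the rest of the thread discusses.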

Adnan Bhutta wrote:

Thanks for the reply. Where do I find out what PEPROCESS contains ?
name ? what info about the process does it have ?

Regards,

Adnan

Info that you don’t need. Why do you need the Process’s name?

Best regards,
Alex Ionescu

This question comes up over and over again. It really is legitimate to
need the process name. The DDK ought to expose more process information
to kernel mode so that various third party kernel components don’t have
to wander over to Undocumented NT Secrets From Some Early and Obsolete
Release of the OS to use fragile offset based access methods to get this
information.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Ionescu
[397670]
Sent: Monday, June 19, 2006 10:24 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting Process Name and Process Hash


ADNAN:

In WinDbg,

dt -b -v _EPROCESS

All of the standard caveats apply as far as using this information in
production code.


I don’t see why.

Drivers are supposed to provide access to hardware to the system and be
process-agnostic.

Kernel modules, on the other hand, might need this information (by
“Kernel module” I mean a kernel-mode piece of code that relates to
another process, for example, the kernel-mode component of a CPU
Identification tool), it’s true… but because they are supposed to be
paired with a user-mode utility that uses them, then all that user-mode
component has to do is send an IOCTL with its name.

The only reason a hardware driver would want to know the process name,
imho, is so that it can cheat on benchmark tests…and where have we
seen that again?

Best regards,
Alex Ionescu


Alex,

I have written a large number of Windows device drivers over the last
12 years, but by your definition I have only written drivers or a
“kernel module”, since many of mine are not paired with a specific utility.
There is nothing that says a driver has to have hardware, or that a virtual
driver needs a specific utility, and limiting one’s approach to this is what
causes a lot of the lousy designs and hacks I have seen in Windows drivers.

I agree with Mark that this is one of those things that Microsoft
could do better on. A reference to the executable path is stored in the
PROCESS structure, and there should be an API to access it. One thing I
noticed in this discussion is that people are using “process name” and
“executable path” as if they are the same. The process name is typically
the filename of the executable, but this is not required to be the case. I
know of little value of the process name in the kernel, but a lot of reasons
to use the executable path.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


I agree - also about executable path vs ‘name’. Policies based on who
the requesting process is are a frequent requirement in higher level
drivers of various sorts.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, June 19, 2006 1:19 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting Process Name and Process Hash


Alex, things don’t really sit the way you see them, and I’m not familiar
with the definition you create for a “driver” and “kernel module”. They
are not the generally accepted ones.

----- Original Message -----
From: “Alex Ionescu [397670]”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, June 19, 2006 7:46 PM
Subject: Re:[ntdev] Getting Process Name and Process Hash


Hi,

Don Burn wrote:

Alex,

A reference to the executable path is stored in the
PROCESS structure, and there should be an API to access it.

I’m not aware of the path being stored in EPROCESS, only the
actual image name. If you really want to read it, use
PsGetProcessImageFileName (IIRC, undocumented, but “better” than reading
EPROCESS-by-offset).

There is no way to get the full path unless you dig into the section
object or user-mode structures.

One thing I
noticed in this discussion is that people are using “process name” and
“executable path” as if they are the same. The process name is typically
the filename of the executable, but this is not required to be the case. I
know of little value of the process name in the kernel, but a lot of reasons
to use the executable path.

Well, I can’t think of many… and I’d like to think that if in all this
time, there still isn’t a way to get it, and that none of the Microsoft
drivers need it (see for example the DDK/IFS sample drivers), there
probably is good reason for this.

As for my definition of “driver” and “kernel module”, they are -my-
definitions. I never said anything about “industry standard” or
“generally applied”. Of course in technical terms, *anything* that loads
in the kernel is a “kernel module”. I just called things differently for
the purposes of my previous talk.

Best regards,
Alex Ionescu

“Alex Ionescu [397670]” wrote in message
news:xxxxx@ntdev…
> Don Burn wrote:
>> Alex,
>>
>> A reference to the executable path is stored in the
>> PROCESS structure, and there should be an API to access it.
>
> There is no way to get the full path unless you dig into the section
> object or user-mode structures.

Note I said reference, yes technically it is through the section object.
>
> Well, I can’t think of many… and I’d like to think that if in all this
> time, there still isn’t a way to get it, and that none of the Microsoft
> drivers need it (see for example the DDK/IFS sample drivers), there
> probably is good reason for this.
>
Actually, Microsoft does use this in some of their file system drivers,
unfortunately not the stuff they put in the IFS kit. I have implemented my own
model for a half dozen customers. I have answered the question so often, I
should probably write a complete answer and post it on my website, and just
respond with the link.

I’m not saying the process path is always the best thing to use, but it is
used and needed for a lot of purposes.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

Don Burn wrote:

“Alex Ionescu [397670]” wrote in message
> news:xxxxx@ntdev…
>
>>Don Burn wrote:
>>
>>>Alex,
>>>
>>> A reference to the executable path is stored in the
>>>PROCESS structure, and there should be an API to access it.
>>
>>There is no way to get the full path unless you dig into the section
>>object or user-mode structures.
>
>
> Note I said reference, yes technically it is through the section object.
>
>>Well, I can’t think of many… and I’d like to think that if in all this
>>time, there still isn’t a way to get it, and that none of the Microsoft
>>drivers need it (see for example the DDK/IFS sample drivers), there
>>probably is good reason for this.
>>
>
> Actually, Microsoft does use this in some of their file system drivers,
> unfortunately not the stuff they put in IFS kit. I have implemented my own
> model for a half dozen customers/ I have answered the question so often, I
> should probably write a complete answer and post it on my website, and just
> respond with the link.
>
> I’m not saying the process path is always the best thing to use, but it is
> used and needed for a lot of purposes.
>
>
Unfortunately it also suffers from a bug :(… I’m sure you’re aware of
it (renaming a file then re-opening it will result in the previous name
being in the section object, due to caching). If you put it up on your
site, might wanna mention that too…

Best regards,
Alex Ionescu