Getting the process name in TDI Filter Driver

I want the name of the process trying to connect to the net. How can I
achieve the same in a TDI filter?

Not possible to do in the driver (you can get the process ID).
Use a user mode service which will do this work on your behalf.

HTH,

-Farooque Khan
http://farooque.150m.com

“Abhijit” wrote in message news:xxxxx@ntdev…
> I want the name of the process trying to connect to the net. How can I
> achieve the same in a TDI filter?

XP & later - PsGetProcessImageFileName().

W2K & earlier. No safe way. You’ve got to dig into the KPEB.

“Abhijit” wrote in message news:xxxxx@ntdev…
> I want the name of the process trying to connect to the net. How can I
> achieve the same in a TDI filter?

PsGetProcessImageFileName? I couldn't find it with Google either.
Are you sure it is PsGetProcessImageFileName?

“Jose Flores” wrote in message news:xxxxx@ntdev…
> XP & later - PsGetProcessImageFileName().
>
> W2K & earlier. No safe way. You’ve got to dig into the KPEB.

Yes, the function name is PsGetProcessImageFileName.
PCHAR PsGetProcessImageFileName(PEPROCESS pProcess);

If you disassemble this function you will see that it returns the
address at offset 0x174 of the first parameter. The parameter, of course, you
can guess would be PEPROCESS. So what the function is returning is the 16
byte ANSI file name stored in the EPROCESS structure. I believe this is not
what you are looking for; I believe you want the full image path of the
process. This function does not return that…

-Srin.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Abhijit
Sent: Friday, March 19, 2004 12:58 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting the process name in TDI Filter Driver

PsGetProcessImageFileName? I couldn't find it with Google either.
Are you sure it is PsGetProcessImageFileName?


Yes, I want the full image path. That means, the user mode service is
inevitable :(

wrote in message news:xxxxx@ntdev…
Yes the function name is PsGetProcessImageFileName.
PCHAR PsGetProcessImageFileName(PEPROCESS pProcess);


As you can see, this is not a security measure, since the EXE can be easily
renamed.

The only thing where it can be helpful is not security, but “annoyance
reduction” like “disable port 80 accesses from MSIMN.EXE”.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Abhijit”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Tuesday, March 23, 2004 8:52 AM
Subject: Re:[ntdev] Getting the process name in TDI Filter Driver

> Yes, I want the full image path. That means, the user mode service is
> inevitable :(
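An added example, not code from any of the posts above, that models the two points made earlier in this thread: Srin's, that PsGetProcessImageFileName returns a pointer to the 16-byte ANSI ImageFileName field inside EPROCESS (so at most 15 characters of the base name, never the full path), and Maxim's, that since it is only a name a renamed copy of the executable slips past any rule keyed on it. The MOCK_EPROCESS struct, the mock_* functions, the sample paths and the long process name are all constructed for this demo; the struct layout is invented and is not the real EPROCESS, and the 0x174 offset mentioned in the thread is deliberately not used. The rule name msimn.exe is the one Maxim uses as an example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_NAME_LEN 16   /* EPROCESS.ImageFileName: 15 chars + NUL */

/* Stand-in for EPROCESS. Invented layout for this demo only; a driver must
 * never hard-code field offsets like this. */
typedef struct _MOCK_EPROCESS {
    unsigned long ProcessId;
    char ImageFileName[IMAGE_FILE_NAME_LEN];
} MOCK_EPROCESS;

/* Mirrors what the kernel stores at process creation: the last path
 * component, cut at 15 characters, NUL padded. (Mock helper.) */
static void mock_set_image_name(MOCK_EPROCESS *p, const char *full_path)
{
    const char *base = strrchr(full_path, '\\');
    base = base ? base + 1 : full_path;
    memset(p->ImageFileName, 0, sizeof p->ImageFileName);
    strncpy(p->ImageFileName, base, IMAGE_FILE_NAME_LEN - 1);
}

/* Stand-in for PsGetProcessImageFileName(): a pointer into the structure,
 * not a copy. The caller gets no length, only the 16-byte field. */
static const char *mock_PsGetProcessImageFileName(const MOCK_EPROCESS *p)
{
    return p->ImageFileName;
}

/* Copy the kernel field into a caller buffer without ever reading beyond
 * the 16 bytes, and always NUL-terminate. Returns the chars copied. */
size_t copy_image_name(const char *kernel_name, char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0) return 0;
    while (n < IMAGE_FILE_NAME_LEN - 1 && n + 1 < out_len && kernel_name[n] != '\0') {
        out[n] = kernel_name[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Case-insensitive match of a filter rule's file name against the kernel
 * name. The rule is truncated to 15 chars first, because that is all the
 * kernel kept; comparing against the full spelling would silently never
 * match any image whose base name is longer than 15 characters. */
int image_name_matches(const char *kernel_name, const char *rule_file_name)
{
    char k[IMAGE_FILE_NAME_LEN], r[IMAGE_FILE_NAME_LEN];
    size_t i;
    copy_image_name(kernel_name, k, sizeof k);
    copy_image_name(rule_file_name, r, sizeof r);
    for (i = 0; i < IMAGE_FILE_NAME_LEN; i++) {
        if (tolower((unsigned char)k[i]) != tolower((unsigned char)r[i])) return 0;
        if (k[i] == '\0') return 1;
    }
    return 1;
}

/* Length of the name the driver would see for a process started from full_path. */
size_t visible_name_len(const char *full_path)
{
    MOCK_EPROCESS p;
    mock_set_image_name(&p, full_path);
    return strlen(mock_PsGetProcessImageFileName(&p));
}

/* Would a rule for rule_file_name fire for a process started from full_path?
 * The answer depends only on the name, never on the file's contents. */
int rule_fires_for(const char *full_path, const char *rule_file_name)
{
    MOCK_EPROCESS p;
    mock_set_image_name(&p, full_path);
    return image_name_matches(mock_PsGetProcessImageFileName(&p), rule_file_name);
}

int main(void)
{
    /* Constructed sample paths; the rule is the one used in the thread. */
    const char *rule = "msimn.exe";
    printf("MSIMN.EXE under its own name -> rule fires: %d\n",
           rule_fires_for("C:\\Program Files\\Outlook Express\\MSIMN.EXE", rule));
    printf("same binary copied to oe.exe  -> rule fires: %d\n",
           rule_fires_for("C:\\Temp\\oe.exe", rule));
    printf("kernel keeps %zu chars of SampleLongServiceName.exe\n",
           visible_name_len("C:\\Svc\\SampleLongServiceName.exe"));
    printf("rule with the full long name still matches: %d\n",
           rule_fires_for("C:\\Svc\\SampleLongServiceName.exe", "SampleLongServiceName.exe"));
    return 0;
}
```

Run as is to see the four cases; in a real filter the only thing that changes is where the 16-byte pointer comes from. The last case also shows the flip side of truncation: two images whose base names share the first 15 characters are indistinguishable through this field, so logging or rule matching on it alone is ambiguous as well as spoofable.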

It is security in that those single-pixel hidden references to web sites
will be stopped. That keeps the message from providing validation of
your email address to the host site. Security can be obtained by
signing executables and having those signatures validated before
allowing the execution to happen. If you sign the executable with the
full program name, when it is copied to another name, the signature will
have the real name. Not completely foolproof, but if done on a clean
system, it can help. Full access control must also be implemented if
you want real security. Not easy, but possible.

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
> As you can see, this is not a security measure, since the EXE can be easily
> renamed.
>
> The only thing where it can be helpful is not security, but “annoyance
> reduction” like “disable port 80 accesses from MSIMN.EXE”.

> your email address to the host site. Security can be obtained by
> signing executables and having those signatures validated before
> allowing the execution to happen.

Correct. This is really security, and well-supported in .NET.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com