Hi
In my driver I’d like to peek at the process SectionObject. I see that it is
a part of the EPROCESS structure but I could not find a way to get to it.
Any idea how I could get to read it from a process handle?
Put another way, is there a way to find out the section handle/pointer of
the process executable image file?
Please advise.
Hello Marco,
Wednesday, August 24, 2005, 2:48:59 PM, you wrote:
MP> In my driver I’d like to peek at the process SectionObject. I see that it is
MP> a part of the EPROCESS structure but I could not find a way to get to it.
MP> Any idea how I could get to read it from a process handle?
MP> Put another way, is there a way to find out the section handle/pointer of
MP> the process executable image file?
A relatively stable way is to hook NtCreateProcess and keep a table of
associations: process handle (which comes back on return from this syscall) ->
section handle (which is a parameter of the syscall).
–
Best regards,
Ivona Prenosilova
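The hook-and-table scheme described in the reply above, written out as an added example (not Ivona's or Marco's code). It is a user-mode C simulation, not a driver: the "original" NtCreateProcess is a stub that hands out increasing handle values, HANDLE and NTSTATUS are plain integer stand-ins, and the NtCreateProcess signature is reduced to the three parameters the idea depends on (the real syscall takes more). Everything marked "assumed" in the comments is invented for the illustration.

```c
/* Added example: simulate "hook NtCreateProcess, record returned process
 * handle -> SectionHandle parameter" in user mode. Not driver code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uintptr_t HANDLE_T;                    /* stand-in for HANDLE   */
typedef int32_t   NTSTATUS_T;                  /* stand-in for NTSTATUS */
#define STATUS_SUCCESS_T            ((NTSTATUS_T)0)
#define STATUS_INVALID_PARAMETER_T  ((NTSTATUS_T)-1073741811) /* 0xC000000D */
#define NT_SUCCESS_T(s)             ((s) >= 0)

#define TABLE_SIZE 64

struct proc_section_entry {
    HANDLE_T process;   /* handle written back by NtCreateProcess */
    HANDLE_T section;   /* SectionHandle the caller passed in      */
    int      in_use;
};

/* In a real driver this table needs a lock (spin lock / ERESOURCE): the hook
 * runs on arbitrary threads concurrently. Left out here for the simulation. */
static struct proc_section_entry g_table[TABLE_SIZE];

static int table_insert(HANDLE_T process, HANDLE_T section)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (!g_table[i].in_use) {
            g_table[i].process = process;
            g_table[i].section = section;
            g_table[i].in_use  = 1;
            return 1;
        }
    }
    return 0;   /* table full: the caller must decide whether to drop or grow */
}

/* Returns 1 and stores the section handle if the process handle is known. */
int lookup_section_for_process(HANDLE_T process, HANDLE_T *section_out)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (g_table[i].in_use && g_table[i].process == process) {
            *section_out = g_table[i].section;
            return 1;
        }
    }
    return 0;
}

/* Entries must go away when the handle does (hook NtClose or tie the entry to
 * process teardown); otherwise a reused handle value maps to a stale section. */
int table_remove(HANDLE_T process)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (g_table[i].in_use && g_table[i].process == process) {
            g_table[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Assumed, reduced signature: only the parameters this example uses. */
typedef NTSTATUS_T (*pfn_NtCreateProcess)(HANDLE_T *ProcessHandle,
                                          HANDLE_T  ParentProcess,
                                          HANDLE_T  SectionHandle);

static pfn_NtCreateProcess g_original_NtCreateProcess;

/* The hook: let the original run, then record the association on success. */
NTSTATUS_T hooked_NtCreateProcess(HANDLE_T *ProcessHandle,
                                  HANDLE_T  ParentProcess,
                                  HANDLE_T  SectionHandle)
{
    NTSTATUS_T status = g_original_NtCreateProcess(ProcessHandle,
                                                   ParentProcess,
                                                   SectionHandle);
    /* A real hook must probe and capture ProcessHandle (a user-mode pointer)
     * before reading through it; the simulation trusts it. */
    if (NT_SUCCESS_T(status) && ProcessHandle != NULL)
        table_insert(*ProcessHandle, SectionHandle);
    return status;
}

/* Assumed stub standing in for the kernel's NtCreateProcess. */
static HANDLE_T g_next_handle;
static NTSTATUS_T stub_NtCreateProcess(HANDLE_T *ProcessHandle,
                                       HANDLE_T  ParentProcess,
                                       HANDLE_T  SectionHandle)
{
    (void)ParentProcess;
    if (SectionHandle == 0)
        return STATUS_INVALID_PARAMETER_T;   /* no image section: fail, record nothing */
    *ProcessHandle = g_next_handle;
    g_next_handle += 4;
    return STATUS_SUCCESS_T;
}

/* Point the hook at the stub and reset state (simulates installing the hook). */
void install_hook(void)
{
    memset(g_table, 0, sizeof g_table);
    g_next_handle = 0x100;
    g_original_NtCreateProcess = stub_NtCreateProcess;
}

int main(void)
{
    HANDLE_T proc, section;
    install_hook();
    if (NT_SUCCESS_T(hooked_NtCreateProcess(&proc, 0, 0x44)) &&
        lookup_section_for_process(proc, &section))
        printf("process %#lx -> section %#lx\n", (unsigned long)proc, (unsigned long)section);
    return 0;
}
```

Two caveats a driver writer would want before copying this pattern. The handle NtCreateProcess returns lives in the creating process's handle table, so a handle the driver later receives from some other caller will not match it; keying the table by the process object (resolve the handle with ObReferenceObjectByHandle and key by the PEPROCESS pointer) instead of by the raw handle value avoids that. And patching the system service table is not a supported technique and is blocked by Kernel Patch Protection on 64-bit Windows; the documented route to the main executable's image is a load-image notify routine (PsSetLoadImageNotifyRoutine), which reports the image name and base address per process, even though it does not hand out the SectionObject itself.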
Hi Ivona
Thanks for the info. I'm aware of NtCreateProcess & NtCreateProcessEx, but I
was wondering whether there exist other methods which are documented and which
work on all OS versions, especially upcoming ones.
cheers,
Marco
"ivona prenosilova" wrote in message news:xxxxx@ntdev…
> Hello Marco,
>
> Wednesday, August 24, 2005, 2:48:59 PM, you wrote:
>
> MP> In my driver I’d like to peek at the process SectionObject. I see that it is
> MP> a part of the EPROCESS structure but I could not find a way to get to it.
> MP> Any idea how I could get to read it from a process handle?
> MP> Put another way, is there a way to find out the section handle/pointer of
> MP> the process executable image file?
>
> A relatively stable way is to hook NtCreateProcess and keep a table of
> associations: process handle (which comes back on return from this syscall) ->
> section handle (which is a parameter of the syscall).
>
> –
> Best regards,
> Ivona Prenosilova
>