How can I get the current process's full path in the dispatch routine of IRP_MJ_WRITE?

Hi,
I'm getting into trouble when I try to get the full path of the current process in the dispatch routine of IRP_MJ_WRITE. The code is:

NTSTATUS
MyWrite(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PUNICODE_STRING processName = NULL;
    ULONG offset = 0;
    PEPROCESS CurrentProcess = NULL;
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );

    if (!(irpSp->FileObject->FileName).Buffer)
        return SfPassThrough(DeviceObject, Irp);

    if ((irpSp->FileObject->FileName).Length < 6)
        return SfPassThrough(DeviceObject, Irp);

    CurrentProcess = PsGetCurrentProcess();
    KeAttachProcess(CurrentProcess);

    offset = *(PULONG)((ULONG)CurrentProcess + 0x1B0);   // to get the PEB address
    offset = *(PULONG)((ULONG)offset + 0x10);            // here is the error pointed out by wdb
    processName = (PUNICODE_STRING)(offset + 0x38);      // image file

    DbgPrint("Current Process Full Path Name: %wZ\n", processName);

    KeDetachProcess();

    return SfPassThrough(DeviceObject, Irp);
}

When I run this code, the system gets a blue screen...
Who can tell me why?

Thanks!

Just to preface, you should do a search regarding drivers and filenames on this list, or even on Google.

In IRP_MJ_WRITE, you should not rely on FileObject->FileName at this stage, as it may be invalid. The only point where you can and should do that is in IRP_MJ_CREATE. You can read about the life cycle of a file object here: http://msdn2.microsoft.com/en-us/library/ms810023.aspx.

So that should explain one reason you would get a bluescreen: you are trying to access an invalid object, let alone a reference to its buffer/length that may not exist.

Also, using hard offsets to get the process name is a bad idea as well. It may work with the OS you are currently writing on, but rest assured that with a service pack, OS change, or 32/64-bit version that offset will be wrong, so the driver you distribute today would not work across the board, let alone cause you and your customers some serious headaches.

There is a workaround for this, which you can do in DriverEntry: get the current process and search it for 'System', and where you hit it will be your offset. There are a few threads on this list that talk about it, such as this one: http://www.osronline.com/showThread.cfm?link=30302
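
The create-time capture this reply recommends, as an added example that is not code from the thread or from any Microsoft sample: a user-mode C model of a per-FILE_OBJECT name table that is populated when IRP_MJ_CREATE succeeds, consulted in IRP_MJ_WRITE, and cleared at IRP_MJ_CLOSE. The hash table, its bucket count, the use of plain C strings and malloc, and the stand-in object addresses are all assumptions made so the code runs outside the kernel.

```c
/* Added example, not code from the thread or the sfilter sample: a user-mode
 * model of the pattern the reply recommends. Record the file name once, when
 * IRP_MJ_CREATE completes successfully, keyed by the FILE_OBJECT pointer; let
 * IRP_MJ_WRITE look that record up instead of dereferencing FileObject->FileName;
 * drop it at IRP_MJ_CLOSE when the FILE_OBJECT goes away. Assumed for the model:
 * C strings and malloc (a driver would copy a UNICODE_STRING into non-paged pool
 * with ExAllocatePoolWithTag and guard the table with a lock). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CTX_BUCKETS 64

typedef struct FoContext {
    const void       *file_object;   /* key: FILE_OBJECT address, never dereferenced */
    char             *name;          /* full path captured at create */
    struct FoContext *next;
} FoContext;

static FoContext *g_buckets[CTX_BUCKETS];

/* Pool addresses share their low bits, so mix the pointer before bucketing. */
static size_t bucket_of(const void *fo)
{
    uintptr_t v = (uintptr_t)fo;
    v ^= v >> 16;
    return (size_t)((v >> 4) % CTX_BUCKETS);
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* IRP_MJ_CREATE completed with success: remember the name. Returns 0, or -1 if
 * memory is short; the create still succeeds, the filter just has no name later. */
int fo_ctx_set(const void *fo, const char *full_path)
{
    size_t b = bucket_of(fo);
    char *dup = dup_string(full_path);
    if (!dup) return -1;
    for (FoContext *c = g_buckets[b]; c; c = c->next) {
        if (c->file_object == fo) {      /* address reused by a new FILE_OBJECT */
            free(c->name);
            c->name = dup;
            return 0;
        }
    }
    FoContext *c = malloc(sizeof *c);
    if (!c) { free(dup); return -1; }
    c->file_object = fo;
    c->name = dup;
    c->next = g_buckets[b];
    g_buckets[b] = c;
    return 0;
}

/* IRP_MJ_WRITE or any later IRP: fetch the name. NULL means no create was seen
 * (filter attached late, or the create failed); the write path must then pass
 * the IRP through without a name rather than touch FileObject->FileName. */
const char *fo_ctx_get(const void *fo)
{
    for (FoContext *c = g_buckets[bucket_of(fo)]; c; c = c->next)
        if (c->file_object == fo)
            return c->name;
    return NULL;
}

/* IRP_MJ_CLOSE: the FILE_OBJECT is being torn down; release the record. */
void fo_ctx_remove(const void *fo)
{
    for (FoContext **pp = &g_buckets[bucket_of(fo)]; *pp; pp = &(*pp)->next) {
        if ((*pp)->file_object == fo) {
            FoContext *dead = *pp;
            *pp = dead->next;
            free(dead->name);
            free(dead);
            return;
        }
    }
}

/* Constructed walk-through with two stand-in FILE_OBJECT addresses. */
int main(void)
{
    int objA, objB;                                     /* only their addresses matter */
    fo_ctx_set(&objA, "\\Device\\HarddiskVolume1\\Windows\\notepad.exe");  /* create */
    fo_ctx_set(&objB, "\\Device\\HarddiskVolume1\\data\\notes.txt");      /* create */
    const char *n = fo_ctx_get(&objA);                  /* write: name or NULL */
    printf("write by: %s\n", n ? n : "(unknown, pass through)");
    fo_ctx_remove(&objA);                               /* close */
    printf("after close: %s\n", fo_ctx_get(&objA) ? "still present" : "gone");
    fo_ctx_remove(&objB);
    return 0;
}
```

In a driver, fo_ctx_set would run only on the success path of IRP_MJ_CREATE, since a failed create leaves nothing for later writes to reference; the table needs a lock (a KSPIN_LOCK or ERESOURCE) because creates, writes and closes arrive on different threads; and a NULL from fo_ctx_get inside MyWrite is the normal case for handles opened before the filter attached, so the write path should simply pass the IRP through.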

I'm curious why the response to this decided to discard consideration of the approach we provided for obtaining the process name (http://www.osronline.com/article.cfm?article=472), since one motivation for this was to provide a more robust scheme than relying upon a 16-byte string with no security attributes (e.g., all Trojan horses are now called "svchost.exe").

Just curious what you don't like about this technique.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

The EPROCESS pointer has nothing to do with the PEB.

To find the PEB, use Zw/NtQueryInformationProcess on a process handle with some information class (disassemble psapi!GetModuleFileNameEx for details).

Then, accesses to the PEB from kernel mode must be guarded by __try/__except.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


It wasn't my intention to discard the proposed methodology. I have always been a little skittish about using Zw calls in many cases just because MS can change them (even though ZwQueryInformationProcess hasn't changed and is highly used). I focused more on not using filename information at the IRP_MJ_WRITE event and not using hard offsets than on reliably gathering the name itself.

Sorry for not linking the URL you posted; I should have linked and described it there as well.

–Royal
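
The DriverEntry-time offset discovery described in the first reply, and contrasted with hard offsets in the last one, as an added example that is not code from the thread: a user-mode C model of the scan. A constructed byte buffer stands in for the System process's EPROCESS; the 0x174 placement of the name in that buffer, the 4-byte scan step and the 0x300 scan limit are assumptions made for the model, not claims about any Windows build. Only the scan and a bounded read are shown; in a driver `base` would be `(PUCHAR)PsGetCurrentProcess()` in DriverEntry and the limit a conservative constant, because EPROCESS is opaque to drivers and reading past the allocation into an unmapped page bugchecks.

```c
/* Added example, not code from the thread: user-mode model of the offset
 * discovery the first reply mentions. DriverEntry runs in the System
 * process, whose EPROCESS.ImageFileName (a 16-byte ANSI field) holds
 * "System"; scanning the EPROCESS for that string at load time yields the
 * field's offset for the running build, replacing a hard-coded constant
 * such as the 0x1B0 in the original post. A constructed byte buffer
 * stands in for the EPROCESS here; the placement at 0x174, the 4-byte
 * step and the 0x300 limit are assumptions for the model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_NAME_SIZE    16     /* size of EPROCESS.ImageFileName */
#define FAKE_EPROCESS_SIZE 0x300  /* constructed buffer size, not a real EPROCESS size */
#define FAKE_NAME_OFFSET   0x174  /* constructed placement, not a real build offset */

/* Find "System\0" within [base, base+limit), stepping at 4-byte alignment
 * (an assumption: the field is aligned, and a byte-granular scan would match
 * the string inside unrelated embedded buffers). Matching the terminating
 * NUL rejects prefixes such as "SystemRoot". Returns the offset or -1. */
long find_image_name_offset(const uint8_t *base, size_t limit)
{
    static const char target[] = "System";     /* 6 characters plus NUL */
    const size_t need = sizeof target;         /* 7 bytes compared */
    for (size_t off = 0; off + IMAGE_NAME_SIZE <= limit; off += 4) {
        if (memcmp(base + off, target, need) == 0)
            return (long)off;
    }
    return -1;
}

/* With the offset known, read a process's ImageFileName with a bounded copy.
 * Do not assume the field is NUL-terminated: copy at most IMAGE_NAME_SIZE
 * bytes and terminate, so a long image name is truncated, never overrun. */
void read_image_name(const uint8_t *eprocess, long off, char out[IMAGE_NAME_SIZE + 1])
{
    memcpy(out, eprocess + off, IMAGE_NAME_SIZE);
    out[IMAGE_NAME_SIZE] = '\0';
}

/* Constructed EPROCESS stand-in: filler bytes, a decoy "SystemRoot" string
 * at an aligned offset, and the name field at FAKE_NAME_OFFSET. */
static void build_fake_eprocess(uint8_t buf[FAKE_EPROCESS_SIZE], const char *name)
{
    memset(buf, 0xA5, FAKE_EPROCESS_SIZE);
    memcpy(buf + 0x40, "SystemRoot", 10);                  /* decoy: no NUL after "System" */
    memset(buf + FAKE_NAME_OFFSET, 0, IMAGE_NAME_SIZE);
    strncpy((char *)buf + FAKE_NAME_OFFSET, name, IMAGE_NAME_SIZE);
}

/* "DriverEntry": discover the offset from the System process's EPROCESS. */
long demo_discover_offset(void)
{
    uint8_t system_eprocess[FAKE_EPROCESS_SIZE];
    build_fake_eprocess(system_eprocess, "System");
    return find_image_name_offset(system_eprocess, sizeof system_eprocess);
}

/* Later, in a dispatch routine: apply the discovered offset to the current
 * process. Returns 1 if the 16-byte name equals `expected`. As Tony's reply
 * notes, the short name proves nothing about identity (any binary can be
 * named svchost.exe), which is why the full path is wanted instead. */
int demo_name_matches(long off, const char *process_name, const char *expected)
{
    uint8_t eprocess[FAKE_EPROCESS_SIZE];
    char name[IMAGE_NAME_SIZE + 1];
    build_fake_eprocess(eprocess, process_name);
    read_image_name(eprocess, off, name);
    return strcmp(name, expected) == 0;
}

int main(void)
{
    long off = demo_discover_offset();
    printf("ImageFileName offset: 0x%lx\n", off);
    printf("svchost.exe matches: %d\n", demo_name_matches(off, "svchost.exe", "svchost.exe"));
    return off < 0;
}
```

The scan is only as trustworthy as its preconditions: it must run while the current process really is System, the limit must stay inside the object, and the discovered offset should be sanity-checked against a second known process before the driver relies on it; a name read this way identifies a process only loosely, and the full image path still has to come from a create-time capture or from the query routine Maxim's reply points to.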