Hi, everybody.
I'm a beginner at IFS driver development, and I want to get the process's
file name from the return value of IoThreadToProcess(); it should be a
PEPROCESS struct. Where can I find the members of this struct? Or should I use
another function?
Please check the old archives; there were lots of discussions about it.
L.
> i'm a beginner of the ifs driver developing,and i want to get the process's
> file name from the return value of the IoThreadToProcess(),it should be a
> PEPROCESS struct,where can i find the members of this struct?Or i should use
KeAttachProcess to the process
__try
access the user-mode PEB
it contains the full EXE pathname
This is what PSAPI.DLL uses (it has the routine to get this full pathname)
This is what Windows Firewall (ipnathlp.dll) uses for rules dependent on EXE
pathname - it is based on PSAPI.
The name in EPROCESS is 8.3 and not Unicode, it is truncated if the EXE name is
too long.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
A general answer to your question about determining the members of a
structure like EPROCESS is the dt command in WinDbg:
dt -b -v _EPROCESS
will list all the members of _EPROCESS, including offset information
(-v) and the members of all nested structures (-b).
dt -b -v _EPROCESS
will do the same, but also include the values of the instance of the
_EPROCESS structure located at .
If you're looking to do this in code (as opposed to in a debugger),
you're on your own to create a C structure from this information. All
the usual caveats about versioning, etc. apply.
>>> xxxxx@storagecraft.com 2005-11-30 10:20 >>>
> i'm a beginner of the ifs driver developing,and i want to get the process's
> file name from the return value of the IoThreadToProcess(),it should be a
> PEPROCESS struct,where can i find the members of this struct?Or i should use
KeAttachProcess to the process
__try
access the user-mode PEB
it contains the full EXE pathname
This is what PSAPI.DLL uses (it has the routine to get this full pathname)
This is what Windows Firewall (ipnathlp.dll) uses for rules dependent on EXE
pathname - it is based on PSAPI.
The name in EPROCESS is 8.3 and not Unicode, it is truncated if the EXE name is
too long.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
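The thread's practical point for anyone writing a filter that keys decisions on the process name is the truncation Maxim mentions: the short name stored in EPROCESS is a narrow string cut to a fixed length, so two different executables can present the same name, while the full path in the PEB lives in user-mode memory that the process itself can rewrite, so neither source alone should drive an enforcement rule. The example below is added here and is not code from the thread or from any Windows component; it is portable user-mode C that emulates the truncation (assumed here to be 15 characters plus a terminator, which is an assumption, not something the thread states) on constructed sample paths, so a rule author can test whether a given executable name is still unambiguous after truncation.

```c
#include <stdio.h>
#include <string.h>

/* Assumed length of the short image name kept per process: 15 characters
 * plus a NUL terminator. The thread only says the name is truncated; the
 * exact limit used here is an assumption for the emulation. */
#define IMAGE_NAME_MAX 15

/* Emulate the short image name derived from a full executable path
 * (assumption: backslash-separated Windows path). Copies at most
 * IMAGE_NAME_MAX characters of the base name into out and returns the
 * number of characters kept. */
size_t short_image_name(const char *full_path, char *out, size_t out_len)
{
    const char *base = strrchr(full_path, '\\');
    size_t n;

    base = base ? base + 1 : full_path;
    n = strlen(base);
    if (n > IMAGE_NAME_MAX)
        n = IMAGE_NAME_MAX;          /* the truncation the thread warns about */
    if (n >= out_len)
        n = out_len - 1;
    memcpy(out, base, n);
    out[n] = '\0';
    return n;
}

/* Is the short name still a complete base name, i.e. was nothing cut off?
 * Only then does it identify the executable unambiguously. */
int short_name_is_complete(const char *full_path)
{
    const char *base = strrchr(full_path, '\\');

    base = base ? base + 1 : full_path;
    return strlen(base) <= IMAGE_NAME_MAX;
}

/* Would a rule written for rule_exe, but evaluated against the short name,
 * also fire for candidate_path? Returns 1 on match. Exact-case comparison
 * is assumed; a real rule engine would normalise case first. */
int short_name_rule_matches(const char *rule_exe, const char *candidate_path)
{
    char a[IMAGE_NAME_MAX + 1], b[IMAGE_NAME_MAX + 1];

    short_image_name(rule_exe, a, sizeof a);
    short_image_name(candidate_path, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample paths: a long name that gets truncated, and a
     * differently named file that collapses to the same short name. */
    const char *wanted    = "C:\\Program Files\\Vendor\\DataSyncAgent.exe";
    const char *lookalike = "C:\\Users\\Public\\DataSyncAgent.exe.exe";
    const char *plain     = "C:\\Windows\\notepad.exe";
    char name[IMAGE_NAME_MAX + 1];

    short_image_name(wanted, name, sizeof name);
    printf("%s -> short name \"%s\" (complete: %d)\n",
           wanted, name, short_name_is_complete(wanted));
    printf("rule for that name also matches %s: %d\n",
           lookalike, short_name_rule_matches(wanted, lookalike));

    short_image_name(plain, name, sizeof name);
    printf("%s -> short name \"%s\" (complete: %d)\n",
           plain, name, short_name_is_complete(plain));
    return 0;
}
```

When short_name_is_complete reports 0 for an executable you intend to match on, the short name is not enough on its own; resolve the full image path through a supported interface and treat the PEB copy as advisory, since the owning process can alter it.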
---
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17