Getting the full path of a process

I want to get the full path of a process while it is being created.
So I used the PEB and PROCESS_PARAMETERS in the
PsSetCreateProcessNotifyRoutine callback.
But the result was the full path of the parent process.
How can I get the full path of the process without these problems?
And is it possible to get the full path of previously created
processes (system/Explorer etc.)?

The code follows:
VOID ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    PEPROCESS currentproc;
    NTSTATUS status;
    PPEB peb = NULL;
    PUNICODE_STRING file_path = NULL;

    UNREFERENCED_PARAMETER(ParentId);

    if (Create)
    {
        status = PsLookupProcessByProcessId(ProcessId, &currentproc);
        if (!NT_SUCCESS(status))
            return;

        /* EPROCESS.Peb, PEB and RTL_USER_PROCESS_PARAMETERS are not in the
         * public DDK headers; private definitions are needed to compile this.
         * The PEB is a user-mode address, and this callback runs in the
         * context of the creating (parent) thread, so it is resolved in the
         * parent's address space. */
        peb = currentproc->Peb;
        file_path = &peb->ProcessParameters->ImagePathName;

        DbgPrint(" ********* Id Test **********\n");
        DbgPrint("%wZ\n", file_path);   /* %wZ: Buffer need not be NUL-terminated */
        DbgPrint(" ********* Id Test **********\n");

        ObDereferenceObject(currentproc);
    }
}

But 'file_path' is the parent's path (source path). I want to find the current process's path (destination path)!
How do I do that?
I want an answer!

The following is code to get a process's full path. You need to assign the
PEPROCESS pointer of the process to dwAddress. This code uses the EPROCESS
structure's undocumented members to get the process name. You need to make
sure that EPROCESS is in memory and not swapped out.

/* Returns the image path of Process, or NULL. The offsets are undocumented
 * and version-specific (these fit 32-bit Windows XP):
 *   EPROCESS + 0x1B0                    -> Peb
 *   PEB + 0x10                          -> ProcessParameters
 *   RTL_USER_PROCESS_PARAMETERS + 0x3C  -> ImagePathName.Buffer
 * The PEB and process parameters are user-mode memory, so they must be
 * resident and the process's own address space must be current. */
const wchar_t *GetProcessFullPath(PEPROCESS Process)
{
    unsigned long dwAddress = (unsigned long)Process;  /* PEPROCESS of the process whose name you want */
    if (dwAddress == 0 || dwAddress == 0xFFFFFFFF)
        return NULL;
    dwAddress += 0x1B0;                                 /* EPROCESS.Peb */
    if ((dwAddress = *(unsigned long *)dwAddress) == 0)
        return NULL;
    dwAddress += 0x10;                                  /* PEB.ProcessParameters */
    if ((dwAddress = *(unsigned long *)dwAddress) == 0)
        return NULL;
    dwAddress += 0x3C;                                  /* ImagePathName.Buffer */
    if ((dwAddress = *(unsigned long *)dwAddress) == 0)
        return NULL;
    DbgPrint("Current Process Full Path Name: %ws\n", (const wchar_t *)dwAddress);
    return (const wchar_t *)dwAddress;
}

2K and XP support PsSetLoadImageNotifyRoutine
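As an added example, not code posted by anyone in this thread, here is a small driver that answers both of the original questions without reading the new process's PEB from the creating thread's address space: it uses ZwQueryInformationProcess with the ProcessImageFileName class (which reads the kernel's own copy of the image name and so works from the create-process callback and for processes that already existed when the driver loaded), and it registers PsSetLoadImageNotifyRoutine to show the FullImageName the kernel hands over for every image mapped into a user process. It assumes a WDK whose ntddk.h declares ZwQueryInformationProcess, PROCESSINFOCLASS and the PROCESS_* access rights (current kits do; on the XP-era DDK declare the first two yourself); the class value 27 is written as a cast because older headers lack the enumerator, and the 1024-character buffer size is an assumption.

```c
#include <ntddk.h>

/* ProcessImageFileName; written as a cast so it compiles on headers that
 * do not have the enumerator. Returns a UNICODE_STRING followed by its text. */
#define IMAGE_FILE_NAME_CLASS ((PROCESSINFOCLASS)27)

/* Print the native image path of a process, e.g.
 * \Device\HarddiskVolume1\WINDOWS\explorer.exe.  PASSIVE_LEVEL only. */
static NTSTATUS LogProcessImagePath(HANDLE ProcessId)
{
    PEPROCESS process;
    HANDLE handle;
    ULONG returned = 0;
    /* UNICODE_STRING header followed by the characters it points at
     * (1024 WCHARs is an assumed upper bound on the path length). */
    UCHAR info[sizeof(UNICODE_STRING) + 1024 * sizeof(WCHAR)];
    NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &process);
    if (!NT_SUCCESS(status))
        return status;

    /* Kernel handle: not visible to, and not closable from, user mode. */
    status = ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL,
                                   PROCESS_QUERY_INFORMATION, *PsProcessType,
                                   KernelMode, &handle);
    ObDereferenceObject(process);
    if (!NT_SUCCESS(status))
        return status;

    status = ZwQueryInformationProcess(handle, IMAGE_FILE_NAME_CLASS,
                                       info, sizeof(info), &returned);
    if (NT_SUCCESS(status)) {
        /* %wZ honours Length; Buffer is not guaranteed to be NUL-terminated,
         * so never hand Buffer to %ws. */
        DbgPrint("pid %p image: %wZ\n", ProcessId, (PUNICODE_STRING)info);
    }
    ZwClose(handle);
    return status;
}

/* Create-process callback: runs in the parent's context, but the query
 * above does not depend on which address space is current. */
static VOID CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    UNREFERENCED_PARAMETER(ParentId);
    if (Create)
        LogProcessImagePath(ProcessId);
}

/* Load-image callback: the kernel supplies the full path of every image
 * mapped into a user process (the executable and each DLL). */
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId,
                            PIMAGE_INFO ImageInfo)
{
    if (ImageInfo->SystemModeImage || FullImageName == NULL)
        return;   /* driver loads are reported here too; skip them */
    DbgPrint("pid %p mapped %wZ at %p\n", ProcessId, FullImageName,
             ImageInfo->ImageBase);
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
    PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);  /* TRUE = remove */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    status = PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
    if (!NT_SUCCESS(status))
        return status;
    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(status)) {
        PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);
        return status;
    }
    /* Processes that predate the driver: pid 4 is System on XP and later
     * (it was 8 on Windows 2000); any other pid is looked up the same way. */
    LogProcessImagePath((HANDLE)4);
    return STATUS_SUCCESS;
}
```

The path ProcessImageFileName returns is a native (\Device\...) path rather than a drive-letter path; convert it with the usual symbolic-link lookup if a Win32 path is needed. Both callbacks are invoked at PASSIVE_LEVEL, which is why the handle-based query can be issued directly from CreateProcessNotify.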
