Process name in kernel mode

Dear forum members,

Would you please suggest how I can
get the process name (file name or real name)
given a handle to the process in kernel
mode. Should I use this handle to retrieve the
process name from the kernel object manually
or use some internal API to do it?

I know it's a piece of cake for you, but anyway
I really have to implement it.

Please help me.

Regards, Vladimir.

You can’t get the full filename or pathname of a process in kernel-mode
without delving into undocumented data structures.

Nick Ryan (MVP for DDK)

Well, the first question is: do you mean the process name or the name of the executable
file? The process structure contains the process name, but most people
really want the executable file name. The blessed way of doing this is to
use PsSetLoadImageNotify and record the association of a process with its
executable in a table. A couple of problems here are that once you issue the
call you cannot unload your driver, and you probably want to use
PsSetProcessNotifyRoutine also to track creation and termination of
processes so the table doesn't get too large.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Vladimir Magaziy”
To: “Windows System Software Devs Interest List”
Sent: Friday, November 28, 2003 2:34 PM
Subject: [ntdev] Process name in kernel mode


Dear Don Burn and Nick Ryan,

Thank you for answering me so fast.

Actually, I need to know just the process name, but
not its executable module. Don, I can't get what
you mean by ``process structure"?

I used the undocumented Native API function
QuerySystemInformation in user mode, but to
retrieve the process name I have to know the process id
(or something else other than the handle),
and it's not useful - it looks like brute force.
And I tried to use NtQueryInformationProcess, but
I did not find any documented field I need that I can
pass to this function (like Process and
KERNEL_USER_TIMES).

Everything I have to do: I get the process in the callback
routine I set using PsSetProcessNotifyRoutine, and
my driver has to inform a user-mode app that a process with
some name has begun executing, and I have to pass
this name to it.

Yes - thanks a lot. I thought about PsSetLoadImageNotify
after reading James M. Finnegan's article, but the
problem is I must provide dynamic unloading :(

Please say a couple of words about ``process structure".

Regards, Vladimir.

----- Original Message -----
From: “Don Burn”
To: “Windows System Software Devs Interest List”
Sent: Friday, November 28, 2003 10:10 PM
Subject: [ntdev] Re: Process name in kernel mode

Well, the first question is do you mean process name or name of executable
file? The process structure contains the process name, but most people
really want the executable file name. The blessed way of doing this is to
use PsSetLoadImageNotify and record the association of a process with it
executable in a table. A couple problems here are that once you issue the
call you cannot unload your driver, and you probably want to use
PsSetProcessNotifyRoutine also to track creation and termination of
processes so the table doesn’t get too large.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

> not its executable module. Don, I can't get what
> you mean by ``process structure"?

I think Don meant _EPROCESS struct.

Regards, Calvin

Calvin Guan, Software Developer xxxxx@nospam.ati.com
SW2D-Radeon NT Core Drivers
ATI Technologies Inc.
1 Commerce Valley Drive East
Markham, Ontario, Canada L3T 7X6
Tel: (905) 882-2600 Ext. 8654
Find a driver: http://www.ati.com/support/driver.html

-----Original Message-----
From: Vladimir Magaziy [mailto:xxxxx@ukr.net]
Sent: Friday, November 28, 2003 4:07 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: Process name in kernel mode

Dear Don Burn and Nick Rayan,

Thanks you answered me so fast.

Actually, I need to know just process name, but
not its executable module. Don, I can’t get what
do you mean saying ``process structure" ?

I used undocumented Native API function
QuerySystemInformation in user mode, but to
retrieve process name I have to know process id
(or something else with the except of handle)
and it’s not useful - it looks like brute force using.
And I tried to use NtQueryInformationProcess, but
I did not find any documented necessary field I can
pass to this function (like Process and
KERNEL_USER_TIMES)

Everything I have to do: I get process in callback
routine I set using PsSetProcessNotifyRoutine and
my driver has to inform user-mode app that a process with
some name begins executing and I have to pass
this name to it.

Yes - thanks a lot. I thought about PsSetLoadImageNotify
after James M. Finnegan’s article reading, but the
problem is I must provide dynamic unloading :frowning:

Please say couple of words about ``process structure".

Regards, Vladimir.

----- Original Message -----
From: “Don Burn”
> To: “Windows System Software Devs Interest List”
> Sent: Friday, November 28, 2003 10:10 PM
> Subject: [ntdev] Re: Process name in kernel mode
>
>
> Well, the first question is do you mean process name or name
> of executable
> file? The process structure contains the process name, but
> most people
> really want the executable file name. The blessed way of
> doing this is to
> use PsSetLoadImageNotify and record the association of a
> process with it
> executable in a table. A couple problems here are that once
> you issue the
> call you cannot unload your driver, and you probably want to use
> PsSetProcessNotifyRoutine also to track creation and termination of
> processes so the table doesn’t get too large.
>
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> B笶*‘X!y-➮wz@Aa> 0Xy&^qwnzb.&v’ׯj ڶ’(:.˛m֛zf%yޞ^]%l
>

The problem is the process structure (EPROCESS) is undocumented and changes
from rev to rev. The only approach I have seen for this is the one from Filemon
from http://www.sysinternals.com, where he searches for the name of a known
process in the structure and then assumes that is the correct offset. I'm
not sure if Mark Russinovich considers this proprietary code, and I find the
approach kludgy at best.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Vladimir Magaziy”
To: “Windows System Software Devs Interest List”
Sent: Friday, November 28, 2003 4:07 PM
Subject: [ntdev] Re: Process name in kernel mode


Dear Don Burn and Calvin Guan,

OK, thank you for finding the time to advise me.

Regards, Vladimir.

----- Original Message -----
From: “Don Burn”
To: “Windows System Software Devs Interest List”
Sent: Friday, November 28, 2003 11:19 PM
Subject: [ntdev] Re: Process name in kernel mode


Is there a reliable heuristic to tie a specific invocation of the
PsSetLoadImageNotify callback with the creation of a new process? I
vaguely recall trying this several years ago without success, but I
don’t remember what the issue was.

Nick Ryan (MVP for DDK)

The first call to PsSetLoadImageNotify for a process ID appears to always
be the executable. You still want to use PsSetProcessNotifyRoutine so you
have a way of cleaning up the mapping.

Of course the above did not solve the OP's goal, he wanted the "process
name" from the EPROCESS structure, and I know of no kernel interface to get
that.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Nick Ryan”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, November 29, 2003 3:35 AM
Subject: [ntdev] Re: Process name in kernel mode

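Don's two messages above (record the process-to-executable association in a table from the PsSetLoadImageNotify callback, treat the first load notification for a process id as the executable, and use PsSetProcessNotifyRoutine to drop the entry on termination) describe a small piece of bookkeeping that is easier to see in code. The following is an added example written for this page, not code from the thread or from any of its participants. It is a hosted C model so that it compiles and runs outside a driver: on_load_image and on_process_notify are stand-ins with the shape of the PLOAD_IMAGE_NOTIFY_ROUTINE and PCREATE_PROCESS_NOTIFY_ROUTINE callbacks, the PID type, the fixed-size table, image_for_pid, tracked_count and the sample image paths are constructed for the demonstration, and no locking is shown. In a real driver the table must be guarded against concurrent callbacks, the names would be pool copies of the UNICODE_STRING the kernel passes, and the routines would be registered with PsSetLoadImageNotifyRoutine and PsSetProcessNotifyRoutine.

```c
/* Hosted model of the PID -> executable table described in the thread.
 * Added example with stand-in types; nothing here comes from ntddk.h. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_TRACKED 64
#define MAX_IMAGE   260

typedef unsigned long PID;   /* stands in for the HANDLE ProcessId the callbacks receive */

struct proc_entry {
    int  in_use;
    PID  pid;
    char image[MAX_IMAGE];   /* in a driver: a pool copy of the UNICODE_STRING */
};

static struct proc_entry g_table[MAX_TRACKED];   /* constructed fixed-size table */

static struct proc_entry *find_entry(PID pid)
{
    size_t i;
    for (i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

/* Shape of the PsSetLoadImageNotifyRoutine callback. The first image seen
 * for a process id is recorded as its executable; later images for the same
 * id (DLLs) are ignored, which is the heuristic Don describes. */
void on_load_image(const char *full_image_name, PID pid)
{
    size_t i;
    if (pid == 0)                 /* the kernel passes 0 when a driver image is loaded */
        return;
    if (find_entry(pid) != NULL)  /* not the first image for this pid: a DLL */
        return;
    for (i = 0; i < MAX_TRACKED; i++) {
        if (!g_table[i].in_use) {
            g_table[i].in_use = 1;
            g_table[i].pid = pid;
            strncpy(g_table[i].image, full_image_name, MAX_IMAGE - 1);
            g_table[i].image[MAX_IMAGE - 1] = '\0';
            return;
        }
    }
    /* table full: a driver would allocate from pool here rather than drop */
}

/* Shape of the PsSetProcessNotifyRoutine callback. Only the termination
 * notification is used, to drop the mapping so the table stays bounded. */
void on_process_notify(PID parent_pid, PID pid, int create)
{
    struct proc_entry *e;
    (void)parent_pid;
    if (create)                   /* nothing to record yet; the image load comes separately */
        return;
    e = find_entry(pid);
    if (e != NULL) {
        e->in_use = 0;
        e->image[0] = '\0';
    }
}

/* What the rest of the driver calls when it has a process id (for example
 * from the notify routine) and wants the name to report to user mode. */
const char *image_for_pid(PID pid)
{
    struct proc_entry *e = find_entry(pid);
    return e != NULL ? e->image : NULL;
}

size_t tracked_count(void)
{
    size_t i, n = 0;
    for (i = 0; i < MAX_TRACKED; i++)
        n += g_table[i].in_use != 0;
    return n;
}

int main(void)
{
    /* constructed callback sequence: notepad starts, loads two DLLs, exits */
    on_process_notify(4, 1000, 1);
    on_load_image("\\Device\\HarddiskVolume1\\WINDOWS\\notepad.exe", 1000);
    on_load_image("\\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll", 1000);
    on_load_image("\\Device\\HarddiskVolume1\\WINDOWS\\system32\\kernel32.dll", 1000);
    printf("1000 -> %s\n", image_for_pid(1000));
    on_process_notify(4, 1000, 0);
    printf("1000 after exit -> %s (tracked: %lu)\n",
           image_for_pid(1000) ? image_for_pid(1000) : "(none)",
           (unsigned long)tracked_count());
    return 0;
}
```

The replayed sequence in main is the point: the three load notifications for pid 1000 leave only notepad.exe in the table, and the termination notification removes it, which is what keeps the table from growing without bound.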

Dear Don Burn,

Thank you for being interested in this topic.
As I've mentioned above, I need to convert a
process handle to a process name in kernel mode.

May I ask you another thing?

I guess I have found something that will help me.
I'm using the undocumented NtQuerySystemInformation,
and it works in NT 4.0 (SP6), 2K (SP4), XP and
2K3 (I checked) in user mode.

I don't know the rules of this forum: I guess I can't
post my source code here, but I will do it because I have to
implement it so quickly :(.

So, please take a look (maybe it will be interesting for you):

/*----------------------------------------CUT LINE ------------------------------------------------*/
#include <tchar.h>
#include <windows.h>
#include <conio.h>

/* Common ntddk.h types */
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;
#define NT_SUCCESS(_status) ((NTSTATUS)(_status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

/* Undocumented value */
#define SystemProcessesAndThreadsInformation 5

/* Common ntddk.h types */
typedef struct _CLIENT_ID {
    DWORD UniqueProcess;
    DWORD UniqueThread;
} CLIENT_ID;

typedef struct _UNICODE_STRING {
    USHORT Length;          /* in bytes, not characters */
    USHORT MaximumLength;
    PWSTR Buffer;           /* not guaranteed to be NUL-terminated */
} UNICODE_STRING;

typedef struct _VM_COUNTERS {
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

/* Undocumented structures for NtQuerySystemInformation */
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;
    LONG WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;       /* byte offset to the next entry, 0 for the last one */
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
#if _WIN32_WINNT >= 0x500
    IO_COUNTERS IoCounters;
#endif
    SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

/* Common ntddk.h types for NtQueryInformationProcess */
#define ProcessBasicInformation 0
typedef struct _PEB *PPEB;
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

TCHAR g_szProcessName[MAX_PATH];

BOOL ProcessHandle2ProcessName(HANDLE hProcess) {
    HMODULE hNtDll;
    NTSTATUS ntStatus;
    ULONG cbBuffer = 0x8000;
    PVOID pBuffer = NULL;
    BOOL bFound = FALSE;

    typedef NTSTATUS (WINAPI *PFNZWQUERYSYSTEMINFORMATION)(
        UINT, PVOID, ULONG, PULONG);
    PFNZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

    typedef NTSTATUS (WINAPI *PFNZWQUERYINFORMATIONPROCESS)(
        HANDLE, UINT, PVOID, ULONG, PULONG);
    PFNZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess = NULL;

    HANDLE hHeap;
    PSYSTEM_PROCESSES pProcesses;
    PROCESS_BASIC_INFORMATION pbi;

    hNtDll = GetModuleHandle(_T("ntdll.dll"));
    if (hNtDll == NULL)
        return FALSE;

    ZwQuerySystemInformation = (PFNZWQUERYSYSTEMINFORMATION)
        GetProcAddress(hNtDll, "ZwQuerySystemInformation");

    ZwQueryInformationProcess = (PFNZWQUERYINFORMATIONPROCESS)
        GetProcAddress(hNtDll, "ZwQueryInformationProcess");

    if (ZwQuerySystemInformation == NULL
        || ZwQueryInformationProcess == NULL)
        return FALSE;

    /* Handle -> process id */
    if (!NT_SUCCESS(ZwQueryInformationProcess(
            hProcess, ProcessBasicInformation, &pbi,
            sizeof(PROCESS_BASIC_INFORMATION), NULL)))
        return FALSE;

    /*
     * HOW WILL THIS BE DONE IN KERNEL MODE?
     * - I MEAN THE HEAP OPERATIONS
     */

    /* Getting the process heap */
    hHeap = GetProcessHeap();

    /* Grow the buffer until the whole process list fits */
    do {
        pBuffer = HeapAlloc(hHeap, 0, cbBuffer);
        if (pBuffer == NULL)
            return FALSE;

        ntStatus = ZwQuerySystemInformation(
            SystemProcessesAndThreadsInformation,
            pBuffer, cbBuffer, NULL);

        if (ntStatus == STATUS_INFO_LENGTH_MISMATCH) {
            HeapFree(hHeap, 0, pBuffer);
            cbBuffer *= 2;
        } else if (!NT_SUCCESS(ntStatus)) {
            HeapFree(hHeap, 0, pBuffer);
            return FALSE;
        }
    } while (ntStatus == STATUS_INFO_LENGTH_MISMATCH);

    /* Walk the list and find the entry for our process id */
    pProcesses = (PSYSTEM_PROCESSES)pBuffer;

    for (;;) {
        if (pbi.UniqueProcessId == pProcesses->ProcessId) {
            if (pProcesses->ProcessName.Buffer == NULL) {
                /* The Idle process has no name */
                lstrcpyn(g_szProcessName, _T("Idle"), MAX_PATH);
            } else {
                /* Length is in bytes; copy exactly that many characters */
                int cch = pProcesses->ProcessName.Length / sizeof(WCHAR);
                if (cch > MAX_PATH - 1)
                    cch = MAX_PATH - 1;
#ifdef UNICODE
                CopyMemory(g_szProcessName, pProcesses->ProcessName.Buffer,
                    cch * sizeof(WCHAR));
                g_szProcessName[cch] = L'\0';
#else
                cch = WideCharToMultiByte(CP_ACP, 0,
                    pProcesses->ProcessName.Buffer, cch,
                    g_szProcessName, MAX_PATH - 1, NULL, NULL);
                g_szProcessName[cch] = '\0';
#endif
            }
            bFound = TRUE;
            break;
        }

        if (pProcesses->NextEntryDelta == 0)
            break;

        /* Finding the address of the next process structure */
        pProcesses = (PSYSTEM_PROCESSES)(
            (LPBYTE)pProcesses + pProcesses->NextEntryDelta);
    }

    HeapFree(hHeap, 0, pBuffer);

    return bFound;
}

int main() {
    /* ProcessBasicInformation only needs PROCESS_QUERY_INFORMATION */
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, 1892);
    if (!hProcess)
        return -1;

    if (ProcessHandle2ProcessName(hProcess))
        _tprintf(_T("%s\n"), g_szProcessName);
    else
        _tprintf(_T("Error!\n"));

    CloseHandle(hProcess);

    return 0;
}

/*----------------------------------------CUT LINE ------------------------------------------------*/

My question is: what equivalents of HeapAlloc and HeapFree
may I use in kernel mode? I guess it's ExAllocatePool
and ExFreePool, but it doesn't work with them.

----- Original Message -----
From: “Don Burn”
To: “Windows System Software Devs Interest List”
Sent: Saturday, November 29, 2003 2:54 PM
Subject: [ntdev] Re: Process name in kernel mode


You should use ExAllocatePoolWithTag and ExFreePool for memory allocation in
the kernel.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Vladimir Magaziy”
To: “Windows System Software Devs Interest List”
Sent: Saturday, November 29, 2003 9:41 AM
Subject: [ntdev] Re: Process name in kernel mode


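Don's answer (ExAllocatePoolWithTag/ExFreePool in place of HeapAlloc/HeapFree) and the query loop in the code Vladimir posted above together give the kernel-mode shape of the lookup: grow a pool buffer until ZwQuerySystemInformation stops returning STATUS_INFO_LENGTH_MISMATCH, walk the entries by NextEntryDelta, and copy the name by its byte Length. The following is an added example written for this page, not code from the thread or from any of its participants. It is a hosted C model so that it can be compiled and run anywhere: pool_alloc and pool_free stand in for ExAllocatePoolWithTag/ExFreePoolWithTag (POOL_TAG, the leak counters, pool_outstanding and last_retries are assumptions made for the demonstration), fake_query stands in for ZwQuerySystemInformation and fills a constructed three-entry list without NUL-terminating the names, and PROC_ENTRY keeps only the three fields of SYSTEM_PROCESSES that the walk needs, so its offsets are not those of the real structure. The retry loop, freeing on every exit path, the Idle-process case (NULL Buffer) and the Length-based copy are the parts to carry into a driver.

```c
/* Hosted model of the kernel-mode query loop. Added example with stand-in
 * pool/query functions; not code from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

typedef int32_t NTSTATUS;                /* 32-bit like the Windows LONG */
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000u)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004u)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009Au)
#define STATUS_NOT_FOUND              ((NTSTATUS)0xC0000225u)
#define POOL_TAG 0x6D4E7250u             /* 'PrNm'; assumed tag, any value would do */

typedef uint16_t WCHAR;                  /* 16-bit like the Windows WCHAR, not the host wchar_t */
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

/* Only the fields the walk needs; the real SYSTEM_PROCESSES carries many more. */
typedef struct { uint32_t NextEntryDelta; UNICODE_STRING ProcessName; uint32_t ProcessId; } PROC_ENTRY;

/* Stand-ins for ExAllocatePoolWithTag / ExFreePoolWithTag, with counters so
 * a caller can check that every path frees what it allocated. */
static unsigned g_allocs, g_frees, g_last_retries;
static void *pool_alloc(size_t cb, uint32_t tag) { (void)tag; g_allocs++; return malloc(cb); }
static void  pool_free(void *p, uint32_t tag)    { (void)tag; g_frees++;  free(p); }
unsigned pool_outstanding(void) { return g_allocs - g_frees; }
unsigned last_retries(void)     { return g_last_retries; }

/* Stand-in for ZwQuerySystemInformation(SystemProcessesAndThreadsInformation).
 * Constructed sample: Idle (no name), System, and a notepad.exe with pid 1892.
 * Names are written without a terminating NUL on purpose. */
static const struct { uint32_t pid; const char *name; } k_sample[] = {
    { 0, NULL }, { 4, "System" }, { 1892, "notepad.exe" }
};
#define SAMPLE_N (sizeof k_sample / sizeof k_sample[0])
#define ENTRY_STRIDE 64u                 /* NextEntryDelta in the sample: header + name characters */

static NTSTATUS fake_query(void *buf, uint32_t cb, uint32_t *needed)
{
    uint32_t required = (uint32_t)(SAMPLE_N * ENTRY_STRIDE);
    size_t i, j;
    if (needed) *needed = required;
    if (cb < required) return STATUS_INFO_LENGTH_MISMATCH;
    for (i = 0; i < SAMPLE_N; i++) {
        unsigned char *base = (unsigned char *)buf + i * ENTRY_STRIDE;
        PROC_ENTRY *e = (PROC_ENTRY *)base;
        WCHAR *chars = (WCHAR *)(base + sizeof(PROC_ENTRY));
        e->NextEntryDelta = (i + 1 < SAMPLE_N) ? ENTRY_STRIDE : 0;
        e->ProcessId = k_sample[i].pid;
        e->ProcessName.Buffer = NULL;
        e->ProcessName.Length = e->ProcessName.MaximumLength = 0;
        if (k_sample[i].name == NULL) continue;
        for (j = 0; k_sample[i].name[j] != '\0'; j++) chars[j] = (WCHAR)k_sample[i].name[j];
        e->ProcessName.Length = e->ProcessName.MaximumLength = (uint16_t)(j * sizeof(WCHAR));
        e->ProcessName.Buffer = chars;
    }
    return STATUS_SUCCESS;
}

/* Kernel-shaped lookup: pid -> name (narrowed to char for display). */
NTSTATUS name_for_pid(uint32_t pid, char *out, size_t out_cch)
{
    uint32_t cb = 64;   /* deliberately small so the retry is exercised; a driver would start near 0x8000 */
    void *buf;
    NTSTATUS st;
    PROC_ENTRY *e;

    g_last_retries = 0;
    for (;;) {
        buf = pool_alloc(cb, POOL_TAG);           /* ExAllocatePoolWithTag(PagedPool, cb, POOL_TAG) */
        if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
        st = fake_query(buf, cb, NULL);
        if (st != STATUS_INFO_LENGTH_MISMATCH) break;
        pool_free(buf, POOL_TAG);                 /* too small: free, double, try again */
        cb *= 2;
        g_last_retries++;
    }
    if (!NT_SUCCESS(st)) { pool_free(buf, POOL_TAG); return st; }

    st = STATUS_NOT_FOUND;
    for (e = (PROC_ENTRY *)buf; ; e = (PROC_ENTRY *)((unsigned char *)e + e->NextEntryDelta)) {
        if (e->ProcessId == pid) {
            if (e->ProcessName.Buffer == NULL) {  /* the Idle process has no name */
                snprintf(out, out_cch, "Idle");
            } else {                              /* Length is bytes; the buffer may lack a NUL */
                size_t j, cch = e->ProcessName.Length / sizeof(WCHAR);
                if (cch > out_cch - 1) cch = out_cch - 1;
                for (j = 0; j < cch; j++) out[j] = (char)e->ProcessName.Buffer[j];
                out[cch] = '\0';
            }
            st = STATUS_SUCCESS;
            break;
        }
        if (e->NextEntryDelta == 0) break;        /* last entry */
    }
    pool_free(buf, POOL_TAG);                     /* freed on every path, found or not */
    return st;
}

int main(void)
{
    char name[64];
    NTSTATUS st = name_for_pid(1892, name, sizeof name);
    printf("pid 1892: status 0x%08lX name %s (retries %u, outstanding %u)\n",
           (unsigned long)(uint32_t)st, name, last_retries(), pool_outstanding());
    return 0;
}
```

With the sample list the first two allocations (64 and 128 bytes) are too small and are freed before the 256-byte one succeeds, so last_retries() reports 2 and pool_outstanding() returns to 0 after every call; a driver that gets either of those wrong leaks pool or walks a partially filled buffer.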
Dear Don Burn,

OK, I will try to do it. Thank you.

Regards, Vladimir.

----- Original Message -----
From: “Don Burn”
To: “Windows System Software Devs Interest List”
Sent: Saturday, November 29, 2003 4:47 PM
Subject: [ntdev] Re: Process name in kernel mode


I think this is another one of those cases where it’s really helpful to
know what you’re trying to accomplish, and why you need to do it in
kernel mode.

For example: you already appear to have some code that works in user
mode, why not figure it out in a user-mode app/service and pass the
information down to the driver in an IOCTL?

Another example: there are easier ways to do some things depending on
the context you're in. For example, if the process is performing an IO
request, and you're a top level driver, then you're running in the
process's thread context, and different hacks are potentially available
than if you're just trying to find the process name of some arbitrary
process...

…/ray..