Hi all,
I have posted this question once earlier, but didn’t get a good reply;
my doubt is: how can we get the full path name of a process?
I have the process name, but I want its path on the drive. This is to check whether the executing process is the correct one or an imitating one.
I want to get the process path name within the driver, not in a user-side application.
Here I have the process number and process name.
Thanks all,
bye from vaseef
This is discussed in many places in the archive. What is wrong with
using a combination of IoGetRequestorProcessId
and PsSetLoadImageNotifyRoutine?
vaseef - wrote:
Hi all,
I have posted this question once earlier, but didn’t get a good reply;
my doubt is: how can we get the full path name of a process?
I have the process name, but I want its path on the drive. This is to
check whether the executing process is the correct one or an imitating one.
I want to get the process path name within the driver, not in a user-side
application.
Here I have the process number and process name.
Thanks all,
bye from vaseef
Questions? First
check the IFS FAQ at https://www.osronline.com/article.cfm?id=17 You
are currently subscribed to ntfsd as: xxxxx@comcast.net To
unsubscribe send a blank email to xxxxx@lists.osr.com
Hello,
If you are writing this for security purposes, I would advise you to add a
hash verification (SHA-1 is good enough); otherwise a malicious process
could easily impersonate the process. For example, first you check the path
(very quick) and then the hash (slower).
Regards
–
Edouard
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vaseef -
Sent: Monday, May 15, 2006 07:22
To: Windows File Systems Devs Interest List
Subject: [ntfsd] process name
Hi all,
I have posted this question once earlier, but didn’t get a good reply;
my doubt is: how can we get the full path name of a process?
I have the process name, but I want its path on the drive. This is to check
whether the executing process is the correct one or an imitating one.
I want to get the process path name within the driver, not in a user-side
application.
Here I have the process number and process name.
Thanks all,
bye from vaseef
> If you are writing this for security purposes, I would advise you to add a
> hash verification (SHA-1 is good enough), otherwise a malicious process
Very bad idea. It will render the OS inoperable after, say, mshtml.dll is
updated from Microsoft Update.
Not to mention the negative performance impact.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
I have the same problem.
I have to allow just a process which does not have updates over the net (so they
are very rare).
When I receive PsSetLoadImageNotifyRoutine, can I check the image loaded
in memory?
I mean, can I create a hash from the memory-mapped space, or is it maybe
better to retrieve the image path, open the executable and do the
hash that way?
Thx
You can access the image in memory, but you do need to be careful that you are
running in the process the image is being mapped into. This is normally the
case for executables, but can be different for DLL injection. Also, be
careful with NtCreateProcess: a process create can act like a Unix fork, and
you will get an image that may have its data section modified.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
“[DF]Nester” wrote in message news:xxxxx@ntfsd…
>I have the same problem,
> I have to allow just a process which has not on the net updates (so they
> are very rare).
> When i receive PsSetLoadImageNotifyRoutine can i check the image loaded
> in memory?
> I mean can i create a hash from the memory mapped space or maybe it’s
> better to retrieve the image path and open the executable and do the
> hash in this way?
> Thx
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
> Sent: Monday, May 15, 2006 14:16
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] process name
> You can access the image in memory, but you do need to be careful that you are
> running in the process the image is being mapped into. This is normally the
> case for executables, but can be different for DLL injection. Also, be
> careful with NtCreateProcess: a process create can act like a Unix fork, and
> you will get an image that may have its data section modified.
Don is right; you should only hash the code section and header. To get the
section directory, you simply have to parse the header. Generally it’s
called “.text”. Remember you are working on the virtual values, not the raw
values.
–
EA
> Don is right; you should only hash the code section and header. To get the
> section directory, you simply have to parse the header. Generally it’s
> called “.text”. Remember you are working on the virtual values, not the raw
> values.
While I’m at it, if the executable you check has got some DLLs, you should
validate the list as well, or validate the imports. In theory relocation
cannot happen for an exe, so you won’t have to parse the relocation
structure (because otherwise your code hash would not be valid).
–
Edouard
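Added example (not code from this thread or from any of the posters): a portable C sketch of the check Edouard describes, hashing the PE headers plus the code section of an image that is laid out as mapped, i.e. reading the section at its VirtualAddress/VirtualSize rather than at PointerToRawData/SizeOfRawData. It builds a constructed minimal PE32+ image in memory instead of mapping a real file, uses FNV-1a as a stand-in for SHA-1 so it needs no crypto library, and uses hand-written little-endian readers instead of the winnt.h structures so it compiles anywhere; the names hash_mapped_pe_code, build_sample_image and verify_scenarios and all the sample geometry are this example's own. The import-list and relocation points from the last message are not covered.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Geometry of the constructed sample image (this example's own values, not a real binary). */
#define IMG_SIZE   0x3000u
#define TEXT_RVA   0x1000u
#define TEXT_VSIZE 0x40u
#define DATA_RVA   0x2000u
#define IMAGE_SCN_CNT_CODE 0x00000020u

/* Little-endian field accessors, so nothing here depends on winnt.h structures. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* FNV-1a 64 stands in for SHA-1 so the example needs no crypto library; a real check would use a cryptographic hash. */
#define FNV_INIT 0xcbf29ce484222325ULL
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash the PE headers plus the first code section of an image in its mapped layout:
 * section bytes live at VirtualAddress, not at PointerToRawData.
 * Returns 0 on success and -1 for a malformed or truncated image. */
int hash_mapped_pe_code(const uint8_t *img, size_t img_size, uint64_t *out)
{
    if (img_size < 0x40 || rd16(img) != 0x5A4D) return -1;                /* e_magic "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                        /* e_lfanew */
    if (nt > img_size - 24 || rd32(img + nt) != 0x00004550) return -1;    /* "PE\0\0" */
    uint16_t nsect   = rd16(img + nt + 6);                                 /* NumberOfSections */
    uint16_t optsize = rd16(img + nt + 20);                                /* SizeOfOptionalHeader */
    if (optsize < 64 || (size_t)nt + 24 + optsize > img_size) return -1;
    uint32_t hdr_size = rd32(img + nt + 24 + 60);                          /* SizeOfHeaders (PE32 and PE32+) */
    size_t sect = (size_t)nt + 24 + optsize;                               /* first IMAGE_SECTION_HEADER */
    if (hdr_size > img_size || sect + (size_t)nsect * 40 > hdr_size) return -1;

    for (uint16_t i = 0; i < nsect; i++) {
        const uint8_t *sh = img + sect + (size_t)i * 40;
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12), flags = rd32(sh + 36);
        if (!(flags & IMAGE_SCN_CNT_CODE) && memcmp(sh, ".text\0\0\0", 8) != 0) continue;
        if (va > img_size || vsize > img_size - va) return -1;            /* section must fit the mapping */
        uint64_t h = fnv1a(FNV_INIT, img, hdr_size);                       /* headers first */
        *out = fnv1a(h, img + va, vsize);                                  /* then code, at its virtual address */
        return 0;
    }
    return -1;                                                             /* no code section */
}

/* Build the constructed sample: a minimal PE32+ image in its mapped layout, headers at 0,
 * .text mapped at TEXT_RVA (but stored at raw file offset 0x200), .data at DATA_RVA. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < IMG_SIZE) return 0;
    memset(buf, 0, IMG_SIZE);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x40);                              /* "MZ", e_lfanew */
    uint8_t *nt = buf + 0x40, *opt = nt + 24, *sh = opt + 240;
    wr32(nt, 0x00004550); wr16(nt + 4, 0x8664);                            /* "PE\0\0", Machine x64 */
    wr16(nt + 6, 2); wr16(nt + 20, 240);                                   /* NumberOfSections, SizeOfOptionalHeader */
    wr16(opt, 0x20B); wr32(opt + 56, IMG_SIZE); wr32(opt + 60, 0x200);     /* PE32+, SizeOfImage, SizeOfHeaders */
    memcpy(sh, ".text\0\0\0", 8); wr32(sh + 8, TEXT_VSIZE); wr32(sh + 12, TEXT_RVA);
    wr32(sh + 16, 0x200); wr32(sh + 20, 0x200); wr32(sh + 36, 0x60000020); /* CODE|EXECUTE|READ */
    sh += 40;
    memcpy(sh, ".data\0\0\0", 8); wr32(sh + 8, 0x10); wr32(sh + 12, DATA_RVA);
    wr32(sh + 16, 0x200); wr32(sh + 20, 0x400); wr32(sh + 36, 0xC0000040); /* INITIALIZED_DATA|READ|WRITE */
    for (uint32_t i = 0; i < TEXT_VSIZE; i++) buf[TEXT_RVA + i] = (uint8_t)(0x90 + i % 7); /* stand-in code */
    memset(buf + DATA_RVA, 0xAA, 0x10);                                                  /* stand-in data */
    return IMG_SIZE;
}

/* Exercise the checker. Returns a bitmask of passed checks: 1 = image parses,
 * 2 = data-section change leaves the hash unchanged, 4 = code-section change
 * alters the hash, 8 = a mapping too short for .text is rejected. */
int verify_scenarios(void)
{
    static uint8_t img[IMG_SIZE];
    uint64_t h0 = 0, h1 = 0, h2 = 0, h3 = 0;
    int ok = 0;
    if (build_sample_image(img, sizeof img) != IMG_SIZE) return 0;
    if (hash_mapped_pe_code(img, sizeof img, &h0) == 0) ok |= 1;
    img[DATA_RVA] ^= 0xFF;                                    /* writable data changes at runtime */
    if (hash_mapped_pe_code(img, sizeof img, &h1) == 0 && h1 == h0) ok |= 2;
    img[TEXT_RVA + 3] ^= 0xFF;                                /* one patched instruction byte */
    if (hash_mapped_pe_code(img, sizeof img, &h2) == 0 && h2 != h0) ok |= 4;
    if (hash_mapped_pe_code(img, 0x1010, &h3) == -1) ok |= 8; /* .text would run past the end */
    return ok;
}

int main(void)
{
    printf("checks passed: 0x%x\n", verify_scenarios());
    return 0;
}
```

In the constructed image .text sits at raw file offset 0x200 but at RVA 0x1000; in a mapped image the bytes at 0x200 are header padding, so a checker that walked PointerToRawData would hash the wrong bytes without noticing, which is the virtual-versus-raw distinction Edouard points out. The bounds checks before every read are what keep a hostile header (an oversized NumberOfSections, a section that points past the mapping) from turning the verifier itself into an out-of-bounds read. In a driver the same walk would run over the mapped image delivered to the load-image callback, in the process context Don describes.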