On Sat, 30 May 2009, Maxim S. Shatskih wrote:
This string is truncated to IIRC 13 chars, and is not a full pathname.
It is possible to get the full path from the undocumented structures that are available; below are two messages that have been posted to this list before and that show how to do it:
RH> Hello!
RH> How can I get the full pathname for the process which requested current
RH> IRP? I currently receive the process name (as in FileMon sample), but I
RH> don’t want “iexplore.exe”. I want the full path name: “C:\Program
RH> Files\Internet Explorer\iexplore.exe”.
RH> Anyone knows how this can be done?
RH> Best wishes,
RH> Razvan Hobeanu
Try this. I did it and it works.
// NOTE(review): a hand-built, truncated view of the real (undocumented) structure.
// Only ImagePathName is modelled; the 0x38 bytes of padding stand in for every
// field that precedes it, so this layout is tied to the OS build it was taken from
// and must be re-verified for any other build.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    UCHAR dummy[0x38]; // padding up to offset 0x38 (original comment, translated: "offset 0x38 in the parameter block - the process that launched this")
    UNICODE_STRING ImagePathName; // full image path of the process, as a counted string
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
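// Probe string scanned for inside the current process object by
// FileSpyGetProcessNameOffset. Plain double quotes: the typographic quotes the
// mail client substituted do not form a string literal and will not compile.
#define SYSNAME "System"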
/*
 * Locate the byte offset of the image name inside the current process object.
 *
 * Walks the first 3*PAGE_SIZE bytes of the object returned by PsGetCurrentProcess()
 * and returns the first offset at which the bytes of SYSNAME appear. Presumably it is
 * called while the System process is current (e.g. from DriverEntry) - confirm with
 * the caller, otherwise the probe string is not expected to be there.
 *
 * Returns: the offset of the first match, or 0 when nothing matches in the scanned
 * range (a match at offset 0 is indistinguishable from "not found").
 *
 * NOTE(review): this is pattern matching against an undocumented, version-specific
 * layout. It reads 3 pages past the object regardless of the object's real size and
 * can false-match any other "System" text that happens to be nearby.
 */
ULONG FileSpyGetProcessNameOffset( VOID)
{
    const PCHAR base = (PCHAR) PsGetCurrentProcess();
    const size_t probeLen = strlen( SYSNAME );
    int offset;

    /* 3*PAGE_SIZE: the same "hope the object never grows that big" bound as before. */
    for( offset = 0; offset < 3*PAGE_SIZE; offset++ )
    {
        if( strncmp( base + offset, SYSNAME, probeLen ) == 0 )
        {
            return offset;
        }
    }

    /* Not found within the scanned range. */
    return 0;
}
// File-scope capture of the scan result. GetPathImageProcess treats 0 as "unknown"
// and, as written, keys its NT 4 / Windows 2000 offset choice off this value
// (476 == 0x1DC is the value seen on NT 4).
// NOTE(review): the declaration of ProcessNameOffset is not shown here.
ProcessNameOffset = FileSpyGetProcessNameOffset();
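/*
 * Copy the full image path of the current process into PathImage as an ANSI string.
 *
 * PathImage: caller-supplied buffer. The copy is capped at 2045 bytes plus the
 *            terminator, so the buffer must hold at least 2046 bytes.
 *            NOTE(review): the 2045 cap is inherited from the original; confirm it
 *            against the caller's real buffer size.
 * Returns:   PathImage. Whenever the path cannot be determined the buffer holds "???"
 *            (the original left it untouched on conversion failure).
 *
 * The path is read from the process's user-mode PEB -> ProcessParameters ->
 * ImagePathName through hard-coded, version-specific offsets: the PEB pointer is at
 * +0x18C in the process object on NT 4 (recognised by ProcessNameOffset == 476, i.e.
 * 0x1DC) and at +0x1B0 on Windows 2000. The arithmetic goes through DWORD and is
 * therefore 32-bit only.
 *
 * Security note: the PEB and everything it points to live in user-writable memory,
 * so a process can steer these reads to any address it likes; the values are
 * untrusted input. The NULL checks below only cover the "not yet set up" case
 * (no PEB, e.g. System, or a process still being created). A robust version must
 * run at PASSIVE_LEVEL in the owning process's context and wrap the user-memory
 * accesses in __try/__except after probing them - or use a supported API instead.
 */
PCHAR GetPathImageProcess( PCHAR PathImage )
{
    PEPROCESS curproc;
    DWORD pebOffset;
    DWORD dw;
    LPDWORD tdw;
    ANSI_STRING ansi;
    NTSTATUS ntStatus;
    PRTL_USER_PROCESS_PARAMETERS pupp;

    if( !PathImage )
    {
        return PathImage;
    }

    /* Fallback reported for every failure path below. */
    strcpy( PathImage, "???" );

    if( !ProcessNameOffset )
    {
        return PathImage;
    }

    /* FOR NT 4 the PEB pointer sits at +0x18C, FOR WIN 2000 at +0x1B0. */
    pebOffset = ( 476 == ProcessNameOffset ) ? 0x18C : 0x1B0;

    curproc = PsGetCurrentProcess();

    /* EPROCESS -> PEB (a user-mode address; 0 when the process has no PEB). */
    tdw = (LPDWORD)( (PCHAR)curproc + pebOffset );
    dw = *tdw;
    if( !dw )
    {
        return PathImage;
    }

    /* PEB -> ProcessParameters (can still be 0 while the process is being set up). */
    tdw = (LPDWORD)( (PCHAR)dw + 0x10 );
    dw = *tdw;
    if( !dw )
    {
        return PathImage;
    }

    /* Treat the block as the (partial) structure declared above. */
    pupp = (PRTL_USER_PROCESS_PARAMETERS)dw;

    /* A counted string with bytes but no buffer would fault inside the Rtl call. */
    if( pupp->ImagePathName.Length && !pupp->ImagePathName.Buffer )
    {
        return PathImage;
    }

    /* TRUE: the ANSI buffer is allocated for us and must be freed below. */
    ntStatus = RtlUnicodeStringToAnsiString( &ansi, &pupp->ImagePathName, TRUE );
    if( ntStatus != STATUS_SUCCESS )
    {
        return PathImage;
    }

    /* Bounded copy: at most 2045 bytes, always NUL-terminated. */
    dw = ansi.Length;
    if( dw > 2045 )
    {
        dw = 2045;
    }
    memcpy( PathImage, ansi.Buffer, dw );
    PathImage[dw] = 0;
    RtlFreeAnsiString( &ansi );

    return PathImage;
}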
Hi, all.
I am building a file system filter driver based on FILEMON. In the IRP_MJ_CREATE dispatch, I want to
get the process full path name and the full path name of the file which is to be opened by the
process; the code looks like this:
////////////////////////////////////////////////////////////////////////////////////
// Fragment of an IRP dispatch routine; the function header and the enclosing switch
// are not shown here.
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PIO_STACK_LOCATION nextIrpStack = IoGetNextIrpStackLocation(Irp);
hookExt = HookDevice->DeviceExtension;
case IRP_MJ_CREATE:
fileObject = currentIrpStack->FileObject;
// Buffer for the file's full path; where it is released is not visible in this fragment.
fullPathName = ExAllocatePool(NonPagedPool, MAXPATHLEN );
if(fullPathName)
{
FilemonGetFullPath( fileObject, hookExt, fullPathName );
}
…
// GetCurrentProcessFileName (below) hands back an address read out of the process's
// user-mode PEB. RtlInitUnicodeString walks that memory to find the terminator, so when
// the address is not (yet) valid in this context the fault surfaces here rather than in
// the helper. A non-NULL result is no guarantee of validity: the value comes from
// user-writable memory and needs to be probed inside __try/__except before use.
CurrentProcessName = GetCurrentProcessFileName( );
if ((CurrentProcessName != NULL))
{
//
…
RtlInitUnicodeString(&ProcessUnicodeName, CurrentProcessName); //Errors happened here!
}
////////////////////////////////////////////////////////////////////////////////////
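/*
 * Return a pointer to the current process's image path (a NUL-terminated wide
 * string), or NULL if it cannot be located.
 *
 * The walk is EPROCESS -> Peb (+0x1B0) -> ProcessParameters (+0x10) ->
 * ImagePathName (+0x38, a UNICODE_STRING: Length at +0x38, Buffer at +0x3C).
 * Every offset is undocumented and tied to one Windows build, and the arithmetic
 * is done in DWORD, so this is 32-bit only.
 *
 * The returned pointer addresses user-mode memory owned by the process. It is
 * only meaningful in that process's context, may be paged out or invalid, and is
 * under the process's control (untrusted input); callers must not dereference it
 * from kernel mode without probing it inside __try/__except.
 *
 * NOTE(review): very early in process start-up the parameter block may not yet
 * be normalised - its string fields can still hold block-relative offsets rather
 * than pointers, and a small value such as the 0x8e8 mentioned in this thread
 * fits that pattern. The Length check below catches a string that was never
 * filled in, but not that case; checking the block's Flags for
 * RTL_USER_PROC_PARAMS_NORMALIZED before trusting Buffer, or avoiding the PEB
 * altogether, is the safer route.
 */
PCWSTR GetCurrentProcessFileName(void)
{
    DWORD dwAddress = (DWORD)PsGetCurrentProcess(); /* PEPROCESS */
    DWORD dwParams;

    if( dwAddress == 0 || dwAddress == 0xFFFFFFFF )
    {
        return NULL;
    }

    /* EPROCESS->Peb: 0 for a process that has no PEB (e.g. System). */
    dwAddress = *(DWORD*)(dwAddress + 0x1B0);
    if( dwAddress == 0 )
    {
        return NULL;
    }

    /* Peb->ProcessParameters: can still be 0 while the process is being created. */
    dwParams = *(DWORD*)(dwAddress + 0x10);
    if( dwParams == 0 )
    {
        return NULL;
    }

    /* ImagePathName.Length == 0 means the path has not been filled in yet;
     * do not hand back whatever Buffer holds in that case. */
    if( *(unsigned short*)(dwParams + 0x38) == 0 )
    {
        return NULL;
    }

    /* ImagePathName.Buffer */
    dwAddress = *(DWORD*)(dwParams + 0x3C);
    if( dwAddress == 0 )
    {
        return NULL;
    }

    return (PCWSTR)dwAddress;
}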
//////////////////////////////////////////////////////////////////////////////////////////////
All works fine except under some conditions. For example, we want to debug an application in VC6 (or BCB) and
set breakpoints at the first line in winmain. When we press F5 to start debugging, before stopping at the
breakpoint we set, a page fault occurs
at the “RtlInitUnicodeString(&ProcessUnicodeName, CurrentProcessName)”. At this point, we get
the fullpathname:
fullpathname = “c:\dev\debug\test.exe” // the application we debugg.
CurrentProcessName != NULL, such as 0x8e8.
: dd 0x8e8
0x8e8 ??? ??? ??? ???
It means NULL! That means that at this time EPROCESS->PEB->PROCESSPARAMETERS->IMAGEFILENAME has still not been
initialized with a proper value. And examining the process list of the system using the SoftICE proc command,
I see process “test.exe” is in the RUNNING state with both USERTIME and KERNELTIME equal to zero. Also,
I can get the IRP_MJ_CREATE dispatch’s process id using PsGetCurrentProcessId(). Comparing this pid
with the process list we get from the SoftICE proc command, I find the IRP_MJ_CREATE dispatch is running in
the context of process “test.exe”! It means process “test.exe” wants to open “c:\dev\debug\test.exe”.
The IRQL is equal to PASSIVE_LEVEL.
It is strange!
Please give me some advice.