Hello, Omer
Tuesday, May 24, 2005, 10:57:24 AM, you wrote:
OB> Any way to get the FULL path of a process from a given PEPROCESS
OB> structure ?
OB> I saw one code sample in this forum but it didn’t work …
OB> Target systems: win2k, winxp and windows 2003
Here is the code I wrote for my project.
It calculates a CRC over the full path and name of the process' main module, but
you can modify it to return the path itself. Note that it walks the target's
PEB and loader lists, which are user-mode memory owned (and writable) by that
process, so it must run in the target's context and the name it yields can be
tampered with by the process itself.
/*
 * ZwOpenProcess - local prototype (presumably not exposed by the DDK headers
 * this was built against; verify before keeping it).
 * Opens a handle to the process identified by ClientId->UniqueProcess with
 * DesiredAccess rights. GetMainModuleNameId below calls it with a CLIENT_ID
 * only and attribute-less ObjectAttributes; for kernel callers OBJ_KERNEL_HANDLE
 * is the usual attribute so the handle stays out of the user-visible table.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);
/*
 * ZwQueryInformationProcess - local prototype (presumably not exposed by the
 * DDK headers this was built against; verify before keeping it).
 * Used below only with ProcessBasicInformation to obtain the target's
 * PEB address (PROCESS_BASIC_INFORMATION.PebBaseAddress). ReturnLength is
 * optional and passed as NULL by the caller in this file.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess (
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
/*
 * PEB_LDR_DATA - loader bookkeeping pointed to by PEB.Ldr. This lives in the
 * target's user-mode address space and is writable by that process, so every
 * list pointer in it is untrusted from the kernel's point of view.
 * GetMainModuleNameId walks InMemoryOrderModuleList; its entries are
 * LDR_DATA_TABLE_ENTRY structures linked through InMemoryOrderLinks.
 * The other two lists are declared for layout only and are not used here.
 */
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
/*
 * PEB - partial view of the process environment block. Only ImageBaseAddress
 * and Ldr are read by GetMainModuleNameId; the Reserved* members are padding
 * that presumably place those two fields (and SessionId) at the offsets the OS
 * uses on the targeted versions — this is undocumented layout, so confirm it
 * against each target (Win2k/XP/2003, x86 and x64) rather than trusting it.
 * The PEB is user-mode memory of the target process: it is only addressable
 * while in that process's context and its contents are under user control.
 */
typedef struct _PEB {
UCHAR Reserved1[4];
PVOID Reserved2;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
UCHAR Reserved3[216];
PVOID Reserved4[59];
ULONG SessionId;
} PEB, *PPEB;
/*
 * LDR_DATA_TABLE_ENTRY - one loaded module as recorded by the user-mode loader.
 * GetMainModuleNameId recovers an entry from a PEB_LDR_DATA.InMemoryOrderModuleList
 * node via CONTAINING_RECORD on InMemoryOrderLinks, compares DllBase with
 * PEB.ImageBaseAddress to find the main executable, and reads FullDllName.
 * FullDllName.Buffer points into the target's user-mode memory and both its
 * Length and Buffer are user-controlled: probe and copy before trusting them.
 * The unnamed union/struct relies on a compiler extension (anonymous struct
 * members); it is kept only to match the OS layout.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
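/*
 * Upper bound on the number of loader-list entries walked. The list lives in
 * the target's user-mode PEB and is writable by that process, so a corrupted
 * or deliberately circular list must not be able to spin the kernel forever.
 */
#define LDR_WALK_LIMIT 4096

/* Pool tag for the temporary kernel copy of the main module path. */
#define LDR_NAME_POOL_TAG 'mNdL'

/*
 * CrcOfUpcasedAnsiPath - CRC of the upper-cased, ANSI-converted form of a
 * kernel-resident UNICODE_STRING (never pass a string whose Buffer is still
 * user memory). Returns 0 if either Rtl conversion fails.
 * Uses paged Rtl string routines: PASSIVE_LEVEL only.
 */
static ULONG CrcOfUpcasedAnsiPath(PUNICODE_STRING path)
{
    UNICODE_STRING upper;
    ANSI_STRING ansi;
    ULONG crc = 0;

    if (!NT_SUCCESS(RtlUpcaseUnicodeString(&upper, path, TRUE))) {
        return 0;
    }
    if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansi, &upper, TRUE))) {
        crc = GetCRC(ansi.Buffer, ansi.Length);
        RtlFreeAnsiString(&ansi);
    }
    RtlFreeUnicodeString(&upper);
    return crc;
}

/*
 * GetMainModuleNameId - identify a process by the CRC of its main module path.
 *
 * Finds, in the in-memory-order loader list of process ProcessId, the entry
 * whose DllBase equals PEB.ImageBaseAddress, upper-cases its FullDllName,
 * converts it to ANSI and returns GetCRC() over the result.
 *
 * ProcessId: target process id (placed in CLIENT_ID.UniqueProcess).
 * Returns:   the CRC, or 0 on any failure: the process cannot be opened or
 *            looked up, it has no PEB or loader list, the main module is not
 *            found within LDR_WALK_LIMIT entries, its name is empty, the
 *            user-mode walk faults, allocation fails, or a conversion fails.
 * IRQL:      PASSIVE_LEVEL (Zw calls, process attach, paged Rtl routines).
 *
 * Security notes:
 *  - The PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY structures are user-mode
 *    memory of the target process. They are only addressable while attached
 *    to that process, every pointer taken from them must be probed, and any
 *    access can fault, so the whole walk runs under SEH and the name is copied
 *    into kernel memory (header first, then characters) before any Rtl routine
 *    sees it, to avoid a length/buffer change between reads.
 *  - That memory is writable by the process itself, which can rename or unlink
 *    its own entries. The value returned here is therefore informational and
 *    not a security identity; for enforcement prefer the image name handed to
 *    a load-image notify callback, which comes from the kernel, not the PEB.
 */
ULONG GetMainModuleNameId(ULONG ProcessId)
{
    PROCESS_BASIC_INFORMATION basicInfo;
    OBJECT_ATTRIBUTES objectAttributes;
    CLIENT_ID clientId;
    HANDLE hProcess = NULL;
    PEPROCESS process = NULL;
    KAPC_STATE apcState;
    UNICODE_STRING nameCopy = { 0, 0, NULL };
    BOOLEAN faulted = FALSE;
    NTSTATUS status;
    ULONG crc = 0;

    clientId.UniqueProcess = (HANDLE)ProcessId;
    clientId.UniqueThread = NULL;

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's
       user-visible handle table, so user mode cannot close or reuse it. */
    InitializeObjectAttributes(&objectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Least privilege: ProcessBasicInformation needs only query access,
       not PROCESS_ALL_ACCESS. */
    status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION,
                           &objectAttributes, &clientId);
    if (!NT_SUCCESS(status)) {
        return 0;
    }

    status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation,
                                       &basicInfo, sizeof(basicInfo), NULL);
    if (!NT_SUCCESS(status) || basicInfo.PebBaseAddress == NULL) {
        goto close_handle;
    }

    /* The PEB is in the target's address space: attach before touching it
       (harmless if the caller already runs in that process's context). */
    status = PsLookupProcessByProcessId((HANDLE)ProcessId, &process);
    if (!NT_SUCCESS(status)) {
        goto close_handle;
    }
    KeStackAttachProcess(process, &apcState);

    __try {
        PPEB peb = basicInfo.PebBaseAddress;
        PPEB_LDR_DATA ldr;
        PVOID imageBase;
        PLIST_ENTRY head;
        PLIST_ENTRY next;
        ULONG walked = 0;

        /* ProbeForRead rejects kernel addresses planted in user structures
           and raises on misalignment; every dereference below follows one. */
        ProbeForRead(peb, sizeof(*peb), sizeof(PVOID));
        ldr = peb->Ldr;
        imageBase = peb->ImageBaseAddress;

        if (ldr != NULL) {
            ProbeForRead(ldr, sizeof(*ldr), sizeof(PVOID));
            head = &ldr->InMemoryOrderModuleList;
            next = head->Flink;

            while (next != head && walked++ < LDR_WALK_LIMIT) {
                PLDR_DATA_TABLE_ENTRY entry =
                    CONTAINING_RECORD(next, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
                ProbeForRead(entry, sizeof(*entry), sizeof(PVOID));

                if (entry->DllBase == imageBase) {
                    /* Capture the string header once so Length and Buffer
                       cannot change under us, then probe and copy exactly
                       that many bytes into paged pool. */
                    UNICODE_STRING userName = entry->FullDllName;
                    if (userName.Length != 0 && userName.Buffer != NULL) {
                        ProbeForRead(userName.Buffer, userName.Length, sizeof(WCHAR));
                        nameCopy.Buffer = ExAllocatePoolWithTag(PagedPool,
                                                                userName.Length,
                                                                LDR_NAME_POOL_TAG);
                        if (nameCopy.Buffer != NULL) {
                            RtlCopyMemory(nameCopy.Buffer, userName.Buffer, userName.Length);
                            nameCopy.Length = userName.Length;
                            nameCopy.MaximumLength = userName.Length;
                        }
                    }
                    break;
                }
                next = entry->InMemoryOrderLinks.Flink;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Bad user pointer, unmapped page or misaligned structure. */
        faulted = TRUE;
    }

    KeUnstackDetachProcess(&apcState);
    ObDereferenceObject(process);

    /* Conversions run detached and only on the kernel copy. The copy is
       freed even if the walk faulted after allocating it. */
    if (nameCopy.Buffer != NULL) {
        if (!faulted) {
            crc = CrcOfUpcasedAnsiPath(&nameCopy);
        }
        ExFreePoolWithTag(nameCopy.Buffer, LDR_NAME_POOL_TAG);
    }

close_handle:
    ZwClose(hProcess);
    return crc;
}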
–
Best regards,
Yura mailto:xxxxx@mail.zp.ua