Yes, you can locate the EPROCESS structure using that API. But my point
is why do that? Just use the process id for lookups, don’t bother with
the EPROCESS.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@yahoo.com
To: “Windows File Systems Devs Interest List”
Sent: 8/1/2016 10:05:10 PM
Subject: RE:[ntfsd] Re[2]: is PEPROCESS unique for a process if in kernel?
>Sorry for posting twice :(.
>Thanks Pete and Maxim,
>Yes, I do have a linked list which stores process ids, and if the open call's
>process id matches then I do my work. However, I found out that in
>some scenarios the parent opens the file object, but IOs are received from the
>actual process id I got in the notification. So I miss the open part, hence
>can hook onto IOs. (Same as pointed out by Maxim.)
>
>Exact scenario:
>I hook onto a.exe and save its process id. Its parent is b.exe.
>Normally open and IO both are from a.exe, but in some scenario the open
>comes from b.exe and the IO comes from a.exe. My whole logic is based on
>detecting a.exe's process id.
>
>Pete, I agree with your point, but if I use PsLookupProcessByProcessId on
>process notification for the child process id and save it along with the
>process id, then is it fine to compare PEPROCESS?
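The scenario in the quoted message, as an added user-mode model that is not code from this thread or from any driver: a set of watched PIDs, a constructed request sequence in which the parent (PID 1000, constructed) opens the file and the child (PID 1234, constructed) issues the I/O, and the two ways of deciding when to act that the thread contrasts. The requestor PID field stands in for what a minifilter would read with FltGetRequestorProcessId; no kernel API is called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_TRACKED 16

/* PIDs the filter was told to watch (the poster's linked list, here a fixed array). */
typedef struct { uint32_t pids[MAX_TRACKED]; size_t count; } tracked_set_t;
typedef enum { OP_CREATE, OP_READ, OP_WRITE } op_kind_t;

/* One request as the filter observes it. A real minifilter would take
 * requestor_pid from FltGetRequestorProcessId(); here it is a constructed value. */
typedef struct { op_kind_t kind; uint32_t requestor_pid; } request_t;

void track_add(tracked_set_t *s, uint32_t pid)
{
    if (s->count < MAX_TRACKED) s->pids[s->count++] = pid;
}

bool track_contains(const tracked_set_t *s, uint32_t pid)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->pids[i] == pid) return true;
    return false;
}

/* Count the reads/writes on one handle that the filter acts on.
 * per_request == false: decide once at CREATE, then act on all later I/O on the handle.
 * per_request == true:  look the requestor PID up on every request (Pete's advice). */
size_t count_io_matches(const tracked_set_t *s, const request_t *reqs, size_t n, bool per_request)
{
    bool watching = false;
    size_t matches = 0;
    for (size_t i = 0; i < n; i++) {
        if (reqs[i].kind == OP_CREATE) {
            watching = track_contains(s, reqs[i].requestor_pid);
            continue;
        }
        if (per_request ? track_contains(s, reqs[i].requestor_pid) : watching) matches++;
    }
    return matches;
}

int main(void)
{
    tracked_set_t s = {0};
    track_add(&s, 1234); /* a.exe (constructed PID); its parent b.exe is PID 1000 */
    request_t mixed[] = { {OP_CREATE, 1000}, {OP_READ, 1234}, {OP_WRITE, 1234} };
    return count_io_matches(&s, mixed, 3, false) == 0 && count_io_matches(&s, mixed, 3, true) == 2 ? 0 : 1;
}
```

With the create-time decision the filter acts on none of a.exe's I/O on a handle b.exe opened; looking the requestor PID up on each request catches both operations.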