Re[3]: Get process full path from PEPROCESS structure

Hello Alberto,

Wednesday, May 25, 2005, 2:35:14 PM, you wrote:

AM> If I correctly recall, you can find a pointer to the full
AM> Unicode path string in the File Object.
Yes, that’s of course the way it works. But if you have an EPROCESS, you
have a section object in it, not a file object. If you hook
NtCreateProcess to simulate Microsoft callbacks (for example for NT4
compatibility), you have the section object, not the file object. So it’s
section object -> file object -> full path.


Best regards,
Ivona Prenosilova

Yes. It’s a bit convoluted but it works fine. Of course you must
babysit build numbers, because sometimes the format of those
objects changes from build to build!

Alberto.

----- Original Message -----
From: “ivona prenosilova”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 8:43 AM
Subject: Re[3]: [ntdev] Get process full path from PEPROCESS
structure

> Hello Alberto,
>
> Wednesday, May 25, 2005, 2:35:14 PM, you wrote:
>
> AM> If I correctly recall, you can find a pointer to the full
> AM> Unicode path string in the File Object.
> yeas, that’s of course the way it works. but if you have
> eprocess, you
> have section object in it, not file object. if you hook
> ntcreateprocess to simulate microsoft callbacks (for example
> for nt4
> compatability), you have section object, not file object. so
> it’s
> section object -> file object -> full path.
>
> –
> Best regards,
> Ivona Prenosilova
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@ieee.org
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com

While FileObject->FileName might contain a full path, it is not
guaranteed to do so. The only safe way to get a full path name is to call
the underlying FSD and ask for it using an IRP_MJ_QUERY_INFORMATION;
using ObQueryObjectNameString does this and also prepends the device
object name on the front as well (which may - or may not - be what the
OP wanted).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Wednesday, May 25, 2005 8:35 AM
To: ntdev redirect
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS structure

If I correctly recall, you can find a pointer to the full
Unicode path string in the File Object.

Alberto.

----- Original Message -----
From: “PeterGV (OSR)”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”

Sent: Tuesday, May 24, 2005 10:08 AM
Subject: Re:[ntdev] Get process full path from PEPROCESS
structure

> ivona prenosilova wrote:
>> Please read the following
>> text done by my friend. The problem is already fixed in new
>> versions
>> of Kerio Personal Firewall - the vendor was contacted some
>> months ago.
>>
>> www.wasteland.cz/!/bypassing.zip
>>
>
> One of the more cogent articles of its type, it actually makes
> sense. I’m not saying its assertions are correct (this isn’t
> my field), but it is certainly interesting.
>
> Recommended reading.
>
> Don’t forget that the ImageName field from the EPROCESS only
> has the NAME of the file, no path info provided. And its
> location does change from release to release. So, some method
> (such as slogging through the section object… Ugh!) is
> probably required.
>
> Peter
> OSR
>

You get that object created when the file opens, and for as long
as the file’s open, the pathname should be there. My experience
is, if for example you’re running notepad.exe, there will be a
valid file object with notepad.exe’s path in it for as long as
Notepad is running. Are you telling me that the OS destroys the
pathname after NtCreateFile is exited? If that was so, things
like procexp might not work, although I don’t really know how
they get to the pathname they display.

Alberto.

----- Original Message -----
From: “Dan Partelly”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 8:38 AM
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS
structure

> The name derived from a file object should be considered valid
> only in the context of a create operation.
>
> Dan
>

It is the file system that typically modifies this string. In addition,
opens can be relative to a related file object
(FileObject->RelatedFileObject) and THAT relationship is only valid
during the IRP_MJ_CREATE handler, since nothing requires the related
file object remain valid (in other words, this is not counted as a
reference against the RelatedFileObject).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Wednesday, May 25, 2005 8:48 AM
To: ntdev redirect
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS structure


> Notepad is running. Are you telling me that the OS destroys the
> pathname after NtCreateFile is exited ?

On NTFS, yes. Sometimes.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yes - that’s what he’s telling you.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Wednesday, May 25, 2005 5:48 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS structure


I did some looking around and I found the field at
FileObject+0x30 to be pretty reliable, provided that there’s a
ControlArea that points to it and that the flags are right; I
found that that’s not always the case, though. Actually, it
seems that’s where the callback installed by
PsSetLoadImageNotifyRoutine gets the image name from. Actually,
that’s a pretty simple way of getting it, if all you want is the
path name. For more invasive surgery, you may need to hook
IoCreateFile or IopCreateFile.

Alberto.

----- Original Message -----
From: “Tony Mason”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 9:29 AM
Subject: RE: Re:[ntdev] Get process full path from PEPROCESS
structure


For some applications, talking to a driver to get information is
not a feasible avenue: for example, I may just not trust the
driver. If there’s no reliable way to get at the full path from
the kernel side and at “very low” level - meaning, underneath
the driver layer - I would encourage the designers to call that
a limitation and address it.

Alberto.

----- Original Message -----
From: “Tony Mason”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 8:46 AM
Subject: RE: Re:[ntdev] Get process full path from PEPROCESS
structure


You guys then should be able to give me more detail? Which
component does it, and under what conditions?

Alberto.

----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 9:58 AM
Subject: RE: Re:[ntdev] Get process full path from PEPROCESS
structure


You know, Max, this isn’t the first time I’m surprised by
Windows doing something that I consider to be a strong no-no.
This is obviously pretty easy to circumvent, I’ll leave it to
your imagination how. To me, it’s one more point that should be
rectified: people seem to forget that lower layer software must
not rely on upper layers to do stuff, and that some information
may be important at lower layer - if nothing else to monitoring
and security inner components. Golly, how difficult is it to
just add a pointer to the File Object that always points to the
original string?

Alberto.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, May 25, 2005 9:48 AM
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS
structure


> I did some looking around and I found that the field at
> FileObject+0x30 to be pretty reliable provided that there’s a
> ControlArea that points to it

Is 0x30 - ->FsContext?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Even if so - what if this is a relative open? Then you will not be able to
obtain the absolute pathname from FileObject->FileName anyway.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Thursday, May 26, 2005 4:57 PM
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS structure


I don’t know. I’m a machine level guy, I work in hex! :) And I
don’t use Windbg too often, so, once I learn where something is
I usually get there by number: for example, the road to my gym
may be the Daniel Webster Highway to everybody else, but to me
it’s Route 3A. I have in one of my drivers this pretty sensitive
piece of code to fish out path names from Ntoskrnl, handcrafted
in machine language, and so far it hasn’t broken yet. But then,
after Tony Mason’s advice, I’m going to double check this whole
thing just to be sure I’m not missing something!

Alberto.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”

Sent: Thursday, May 26, 2005 2:03 PM
Subject: Re: Re:[ntdev] Get process full path from PEPROCESS
structure


What do you think about this code? It
works on Win2K and WinXP, but for some reason, on XP SP2
RtlUnicodeStringToAnsiString causes a BSOD. A little research found that
the memory that contains the path is protected and cannot be copied.
Why is that?

/* Partial PEB layout (x86): only the ProcessParameters pointer at +0x10 is used. */
typedef struct _PEB {
    UCHAR dummy[0x10];
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;

/* Partial RTL_USER_PROCESS_PARAMETERS layout (x86): ImagePathName at +0x38. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    UCHAR dummy[0x38];
    UNICODE_STRING imagePathName;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

NTSTATUS status;
PROCESS_BASIC_INFORMATION BasicInfo;
PRTL_USER_PROCESS_PARAMETERS UserParams;
ANSI_STRING ansiPath;   /* on success, release with RtlFreeAnsiString */

/* Ask the kernel for the PEB address of the current process. */
status = ZwQueryInformationProcess(
    NtCurrentProcess(),
    ProcessBasicInformation,
    &BasicInfo,
    sizeof(BasicInfo),
    NULL
    );

if (NT_SUCCESS(status))
{
    /* The PEB and the process parameters it points to live in the
       user-mode address space of the process, so they may only be
       touched from that process's context, at PASSIVE_LEVEL, and
       under exception protection: a bad or unmapped pointer there
       must not take the whole system down. */
    __try
    {
        UserParams = BasicInfo.PebBaseAddress->ProcessParameters;
        status = RtlUnicodeStringToAnsiString( &ansiPath,
                                               &UserParams->imagePathName, TRUE);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        status = GetExceptionCode();
    }
}

On 5/27/05, Alberto Moreira wrote:
> [...]

Check your IRQL; RtlUnicodeStringToAnsiString requires IRQL = PASSIVE_LEVEL.

“Omer B” wrote in message news:xxxxx@ntdev…
> [...]
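The posted snippet trusts three things that live in user-mode memory: the PEB pointer, the ProcessParameters pointer, and the Length/Buffer pair of the UNICODE_STRING. A process can rewrite its own PEB, so a driver that walks it has to run at PASSIVE_LEVEL (the point made in the reply above), validate every pointer and length before touching it, and catch the page fault if the memory is not there; in kernel code that means KeGetCurrentIrql(), ProbeForRead and a __try/__except around the copy. The program below is an added illustration, not code from this thread: it models a 32-bit user address space as a byte array, builds a constructed fake PEB with the same x86 offsets the snippet hard-codes (0x10 and 0x38), and shows the bounds checks that turn a crafted oversized Length into a clean rejection instead of an out-of-bounds read. The names read_image_path, user_range_ok, build_fake_peb and self_check, and the address 0x7FFD0000, are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same x86 offsets the posted snippet encodes with its dummy[] padding:
   PEB+0x10 = ProcessParameters, RTL_USER_PROCESS_PARAMETERS+0x38 = ImagePathName. */
#define PEB_PROCESSPARAMETERS_OFF 0x10
#define RUPP_IMAGEPATHNAME_OFF    0x38

/* UNICODE_STRING as laid out in a 32-bit process; Length/MaximumLength are bytes. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint32_t Buffer;
} UNICODE_STRING32;

/* Simulated user address space: a single mapped region [base, base+size). */
typedef struct {
    uint32_t base;
    const uint8_t *mem;
    size_t size;
} user_space;

/* Stand-in for ProbeForRead plus a length check: is [va, va+len) fully mapped? */
static int user_range_ok(const user_space *us, uint32_t va, size_t len) {
    if (va < us->base) return 0;
    uint64_t off = (uint64_t)va - us->base;
    if (off > us->size || len > us->size - off) return 0;
    return 1;
}

static const uint8_t *user_ptr(const user_space *us, uint32_t va) {
    return us->mem + (size_t)(va - us->base);
}

/* Walk PEB -> ProcessParameters -> ImagePathName, validating every pointer and
   length read from user memory, then narrow the UTF-16LE path to ASCII
   (non-ASCII code units become '?'). Returns the character count, or -1 if
   any pointer or length is malformed. */
int read_image_path(const user_space *us, uint32_t peb_va, char *out, size_t out_sz) {
    uint32_t params_va;
    UNICODE_STRING32 path;
    if (!user_range_ok(us, peb_va, PEB_PROCESSPARAMETERS_OFF + sizeof params_va)) return -1;
    memcpy(&params_va, user_ptr(us, peb_va + PEB_PROCESSPARAMETERS_OFF), sizeof params_va);
    if (!user_range_ok(us, params_va, RUPP_IMAGEPATHNAME_OFF + sizeof path)) return -1;
    memcpy(&path, user_ptr(us, params_va + RUPP_IMAGEPATHNAME_OFF), sizeof path);
    /* UNICODE_STRING invariants the posted code takes on faith. */
    if (path.Length & 1) return -1;
    if (path.Length > path.MaximumLength) return -1;
    if (!user_range_ok(us, path.Buffer, path.Length)) return -1;
    size_t nchars = path.Length / 2;
    if (nchars + 1 > out_sz) return -1;
    const uint8_t *src = user_ptr(us, path.Buffer);
    for (size_t i = 0; i < nchars; i++) {
        uint16_t wc = (uint16_t)(src[2 * i] | (src[2 * i + 1] << 8));
        out[i] = wc < 0x80 ? (char)wc : '?';
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Constructed fake process image (not a real dump): PEB at FAKE_BASE, the
   RTL_USER_PROCESS_PARAMETERS block at +0x100, the UTF-16LE path at +0x200.
   A non-zero bogus_len overwrites Length and MaximumLength, as a hostile
   process could do to its own PEB before a driver reads it. */
#define FAKE_BASE 0x7FFD0000u
#define FAKE_SIZE 0x300
static void build_fake_peb(uint8_t *img, const char *path, uint16_t bogus_len) {
    uint32_t params_va = FAKE_BASE + 0x100, buf_va = FAKE_BASE + 0x200;
    size_t n = strlen(path);
    UNICODE_STRING32 s = { (uint16_t)(2 * n), (uint16_t)(2 * n + 2), buf_va };
    memset(img, 0, FAKE_SIZE);
    if (bogus_len) s.Length = s.MaximumLength = bogus_len;
    memcpy(img + PEB_PROCESSPARAMETERS_OFF, &params_va, sizeof params_va);
    memcpy(img + 0x100 + RUPP_IMAGEPATHNAME_OFF, &s, sizeof s);
    for (size_t i = 0; i < n; i++) {            /* ASCII -> UTF-16LE */
        img[0x200 + 2 * i] = (uint8_t)path[i];
        img[0x200 + 2 * i + 1] = 0;
    }
}

/* Scenarios: a well-formed PEB; a Length claiming 4 KiB that is not mapped;
   a PEB pointer so near the region end that ProcessParameters is unmapped.
   Returns how many of the three behaved as expected. */
int self_check(void) {
    static uint8_t img[FAKE_SIZE];
    char out[128];
    user_space us = { FAKE_BASE, img, FAKE_SIZE };
    int ok = 0;
    build_fake_peb(img, "C:\\WINDOWS\\system32\\notepad.exe", 0);
    if (read_image_path(&us, FAKE_BASE, out, sizeof out) == 31 &&
        strcmp(out, "C:\\WINDOWS\\system32\\notepad.exe") == 0) ok++;
    build_fake_peb(img, "C:\\WINDOWS\\system32\\notepad.exe", 0x1000);
    if (read_image_path(&us, FAKE_BASE, out, sizeof out) == -1) ok++;
    build_fake_peb(img, "C:\\WINDOWS\\system32\\notepad.exe", 0);
    if (read_image_path(&us, FAKE_BASE + 0x2F8, out, sizeof out) == -1) ok++;
    return ok;
}

int main(void) {
    printf("%d of 3 scenarios behaved as expected\n", self_check());
    return 0;
}
```

In a real driver the range check is ProbeForRead on each of the three user addresses and the copy sits inside __try/__except, because a probe only proves the address is below the user/kernel boundary, not that the page is present; the BSOD in the post is what happens when neither the IRQL nor the fault is handled.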