Regarding fullpath name of current process.

Hi all.

How can I get the full path of the process name from kernel mode?
The FILEMON driver shows only the process name (ImageName).
Is it impossible to get the full path of the current process?
I can’t find the _EPROCESS and _PEB structures in any header file.

I tried the following, but couldn’t get the address that points to the full path.

  1. execute an application (create a process)
  2. search memory using SoftICE (search for the full path of the process)
    -> the full path (command line) information is in memory.
    .
    .
    .

I have been researching hard for a way to accomplish this, but I have seen no
light on this subject yet.

I would appreciate any comment.
Thanks.

Terra.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I don’t believe that the concept is defined. A process is not necessarily
associated with an executable at all. The executable is just a PE file that
the Win32 CreateProcess API happens to have mapped and jumped into.



One way, but a painful one, is to use the PsSetLoadImageNotifyRoutine
call to get all image loads. You will get the full pathname, but you
will also get every load of every DLL and executable. You will have
to build your own database of these. Also, you will not be able to
unload your driver.

The simpler method is to pass the ProcessId up to a service that can
use the EnumProcessModules and GetModuleFileNameEx calls to
get you the process module path.

Don Burn
Windows 2000 Device Driver and Filesystem consulting


Or you can do it in a much simpler way.
The only “little disadvantage” is that it uses some undocumented
structures, like PEB, PEB_LDR_DATA, etc.
But if you want I can send you those structures with some basic
codes for functionality in EnumProcessModules and
GetModuleFileNameEx.

Both routines use only:
NtQueryProcessInformation to obtain the PEB address
and ReadProcessMemory to read the data.

In kernel mode you can use the ZwQueryInformationProcess routine
(and the handle you can obtain by ObOpenObjectByPointer from
the EPROCESS pointer) to get the PEB pointer, then attach to
the process using KeAttachProcess, walk the desired areas in its
user mode space and then detach using KeDetachProcess.

It is simple, isn’t it?

I hope the PEB and related loader user mode structures do not
change from build to build. If someone knows that they do, please
let us know.

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Wednesday, July 11, 2001 2:02 PM
To: File Systems Developers
Subject: [ntfsd] Re: Regarding fullpath name of current process.


Hi all.

Thank you for your help and concern.
I tried to solve this over the last 3 days, and I made the following code.

When I add this function to the FILEMON source, it works well.
How about my code? Is it correct?

I would appreciate any comment
Thanks.

Terra.

#include <ntddk.h> // PsGetCurrentProcess, PEPROCESS, WCHAR (already included by the FILEMON source)

//----------------------------------------------------------------------
// GetProcessName
// Hard offsets below match the Windows 2000 layout of _EPROCESS, _PEB
// and ProcessParameters; they are not valid on other builds.
//----------------------------------------------------------------------
PWCHAR GetProcessName(PWCHAR Name)
{
    PEPROCESS curproc;
    char* ptr;
    int offset1, offset2;
    short offset3;
    WCHAR wBuff[256]; // 255 characters plus a terminator

    curproc = PsGetCurrentProcess();

    ptr = (PCHAR)curproc + 0x1b0; // 0x1b0 : position of _PEB in _EPROCESS structure
    memcpy(&offset1, ptr, 4);

    ptr = (PCHAR)(offset1 + 0x10); // 0x10 : position of ProcessParameters in _PEB structure
    memcpy(&offset2, ptr, 4);

    ptr = (PCHAR)(offset2 + 0x3c); // 0x3c : position of fullpath(ImagePath) in ProcessParameters
    memcpy(&offset3, ptr, 2);

    memcpy(wBuff, (char*)(offset2 + offset3), 255 * sizeof(WCHAR));
    wBuff[255] = L'\0'; // memcpy does not terminate the string; wcscpy needs a terminator
    // DbgPrint(("offset1:[%X], offset2:[%X], offset3:[%X], ImagePath:[%ws]\n", offset1, offset2, offset3, wBuff));

    wcscpy(Name, wBuff);
    return Name; // the function returns Name, so its type is PWCHAR rather than void
}



Hmmmm, it is more than unportable.
As far as I know, the EPROCESS structure has changed from
NT4 to W2K. So you restrict the code to W2K only
(I don’t know how the EPROCESS looks in WinXP, but
there’s a high probability that it’s slightly different).
But using the pointer from the beginning of the PEB and
the RTL_USER_PROCESS_PARAMETERS structure itself seems
more stable to me.

So what I would do to give greater stability is to get
the PEB pointer of the current process by using the
following code:

// ZwQueryInformationProcess is not declared in the public DDK headers, so declare it here.
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

PRTL_USER_PROCESS_PARAMETERS GetCurrentProcessParameters(void)
{
    NTSTATUS Status;
    PROCESS_BASIC_INFORMATION BasicInfo;
    PRTL_USER_PROCESS_PARAMETERS UserParams;

    Status = ZwQueryInformationProcess(
        NtCurrentProcess(),
        ProcessBasicInformation,
        &BasicInfo,
        sizeof(BasicInfo),
        NULL
        );

    if (!NT_SUCCESS(Status))
    {
        return NULL; // the query failed, so BasicInfo is not valid
    }

    // BasicInfo is a structure, not a pointer, so it is accessed with '.'
    UserParams = BasicInfo.PebBaseAddress->ProcessParameters;
    return UserParams;
}

Paul

PS: I would use at least some basic forms of definitions for
the needed structures instead of using HARD OFFSETS like
in your code. For example:

typedef struct _PEB {
UCHAR dummy[0x10];
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
UCHAR dummy[0x3C];
UNICODE_STRING ImagePathName;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@softonnet.com
Sent: Friday, July 13, 2001 12:00 AM
To: File Systems Developers
Subject: [ntfsd] Re: Regarding fullpath name of current process.

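Whichever way the PEB pointer is obtained, both snippets in this thread still have to copy ImagePathName out of a UNICODE_STRING, whose Length is in bytes and whose Buffer carries no NUL terminator (the memcpy of 255 WCHARs in GetProcessName never terminates wBuff). The following user-mode C is an added example, not code from the thread; it uses constructed stand-in structures laid out with the 0x10 and 0x3C offsets from Paul's partial definitions and shows the bounded, terminated copy a driver would perform after attaching to the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the Windows types; the layouts follow the
 * partial definitions posted in the thread (Windows 2000, per the replies). */
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* in BYTES, not characters; no NUL terminator */
    uint16_t MaximumLength; /* in bytes */
    WCHAR   *Buffer;
} UNICODE_STRING;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    uint8_t dummy[0x3C];    /* fields the thread does not need */
    UNICODE_STRING ImagePathName;
} RTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB {
    uint8_t dummy[0x10];
    RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB;

/* Copy ImagePathName into a NUL-terminated buffer of outCch WCHARs,
 * truncating if needed. Returns characters copied, or -1 when the
 * UNICODE_STRING is malformed (odd Length, Length > MaximumLength,
 * NULL Buffer) or the arguments are unusable. */
int CopyImagePathName(const PEB *peb, WCHAR *out, size_t outCch)
{
    const UNICODE_STRING *s;
    size_t cch;
    if (!peb || !peb->ProcessParameters || !out || outCch == 0)
        return -1;
    s = &peb->ProcessParameters->ImagePathName;
    if ((s->Length & 1) || s->Length > s->MaximumLength ||
        (s->Length != 0 && s->Buffer == NULL))
        return -1;
    cch = s->Length / sizeof(WCHAR);
    if (cch > outCch - 1)
        cch = outCch - 1;          /* leave room for the terminator */
    if (cch) memcpy(out, s->Buffer, cch * sizeof(WCHAR));
    out[cch] = 0;                  /* memcpy alone never terminates */
    return (int)cch;
}

/* Constructed sample PEB: "C:\x.exe" as UTF-16 with no terminator. */
static WCHAR g_path[] = { 'C', ':', '\\', 'x', '.', 'e', 'x', 'e' };
static RTL_USER_PROCESS_PARAMETERS g_params = {
    {0}, { sizeof g_path, sizeof g_path, g_path } };
static PEB g_peb = { {0}, &g_params };
```

In a real driver the same checks apply after KeAttachProcess, with the reads wrapped so that a bad user-mode pointer cannot crash the system.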