Hmmmm, it is more than unportable.
As far as I know, the EPROCESS structure changed from
NT4 to W2K, so you restrict the code to W2K only
(I don't know what EPROCESS looks like in WinXP, but
there is a high probability that it is slightly different).
Using the pointer from the beginning of the PEB and
the RTL_USER_PROCESS_PARAMETERS structure itself seems
more stable to me.
So what I would do, to give greater stability to
obtaining the PEB pointer of the current process,
is use the following code:
    NTSTATUS Status;
    PROCESS_BASIC_INFORMATION BasicInfo;
    PRTL_USER_PROCESS_PARAMETERS UserParams;

    Status = ZwQueryInformationProcess(
                 NtCurrentProcess(),
                 ProcessBasicInformation,
                 &BasicInfo,
                 sizeof(BasicInfo),
                 NULL
                 );
    if (!NT_SUCCESS(Status))
    {
        …
    }
    // BasicInfo is a structure, not a pointer, so use '.' rather than '->'
    UserParams = BasicInfo.PebBaseAddress->ProcessParameters;
    …
Paul
PS: I would use at least some basic definitions for
the needed structures instead of using HARD OFFSETS like
in your code. For example:

    typedef struct _PEB {
        UCHAR dummy[0x10];                              // fields before ProcessParameters
        struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
    } PEB, *PPEB;

    typedef struct _RTL_USER_PROCESS_PARAMETERS {
        UCHAR dummy[0x3C];                              // fields before ImagePathName
        UNICODE_STRING ImagePathName;
    } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@softonnet.com
Sent: Friday, July 13, 2001 12:00 AM
To: File Systems Developers
Subject: [ntfsd] Re: Regarding fullpath name of current process.
Hi all.
Thank you for your help and concern.
I tried to solve this over the last 3 days, and I wrote the following code.
When I add this function to the FILEMON source, it works well.
What do you think of my code? Is it correct?
I would appreciate any comments.
Thanks.
Terra.
//----------------------------------------------------------------------
// GetProcessName
//----------------------------------------------------------------------
PWCHAR GetProcessName(PWCHAR Name)      // returns Name, so the return type cannot be void
{
    PEPROCESS curproc;
    char* ptr;
    int offset1, offset2;
    short offset3;
    WCHAR wBuff[255];

    curproc = PsGetCurrentProcess();
    ptr = (PCHAR)curproc + 0x1b0;       // 0x1b0: position of _PEB in the _EPROCESS structure
    memcpy(&offset1, ptr, 4);
    ptr = (PCHAR)(offset1 + 0x10);      // 0x10: position of ProcessParameters in the _PEB structure
    memcpy(&offset2, ptr, 4);
    ptr = (PCHAR)(offset2 + 0x3c);      // 0x3c: position of the full path (ImagePath) in ProcessParameters
    memcpy(&offset3, ptr, 2);
    memcpy(wBuff, (char*)(offset2 + offset3), 255 * sizeof(WCHAR));
    wBuff[254] = L'\0';                 // the copied bytes are not guaranteed to be NUL-terminated
    // DbgPrint(("offset1:[%X], offset2:[%X], offset3:[%X], ImagePath:[%ws]\n",
    //           offset1, offset2, offset3, wBuff));
    wcscpy(Name, wBuff);
    return Name;
}
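As an added example that is not code from either message in this thread: a user-mode mock, in C, of the PEB -> ProcessParameters -> ImagePathName walk that Paul's reply recommends over Terra's hard offsets, written so it compiles and runs on any host and so the part Terra's fixed 255-WCHAR memcpy glosses over can be tested: a UNICODE_STRING's Length is in bytes and its Buffer carries no guaranteed terminator, and the System process has no PEB at all, so the pointer must be checked before it is followed. The structure paddings reproduce the Windows 2000 offsets quoted in the thread and are an assumption of the mock; `get_image_path`, `make_fake_peb`, `u16_equals_ascii`, `demo` and the sample path are mine and do not exist in Windows, and the kernel calls from the messages are not used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t USHORT;
typedef uint16_t WCHAR16;  /* UTF-16 unit; wchar_t is 4 bytes on Linux */

typedef struct _UNICODE_STRING {
    USHORT   Length;         /* BYTES, not characters; no NUL guaranteed */
    USHORT   MaximumLength;  /* bytes available in Buffer */
    WCHAR16 *Buffer;
} UNICODE_STRING;

/* Padding reproduces the 32-bit W2K offsets quoted in the thread
 * (ProcessParameters at PEB+0x10, ImagePathName at +0x3C). That is an
 * assumption of this mock; other NT versions differ. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    uint8_t        dummy[0x3C];
    UNICODE_STRING ImagePathName;
} RTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB {
    uint8_t                      dummy[0x10];
    RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB;

/* Copy ImagePathName into out[cap], NUL-terminated. Returns the character
 * count, or -1 for no PEB (the System process has none), no parameter
 * block or buffer, an inconsistent Length, or no room for string + NUL. */
int get_image_path(const PEB *peb, WCHAR16 *out, size_t cap)
{
    const RTL_USER_PROCESS_PARAMETERS *pp;
    const UNICODE_STRING *us;
    size_t nchars;
    if (peb == NULL || (pp = peb->ProcessParameters) == NULL)
        return -1;
    us = &pp->ImagePathName;
    if (us->Buffer == NULL || (us->Length & 1) != 0 ||
        us->Length > us->MaximumLength)
        return -1;
    nchars = us->Length / sizeof(WCHAR16);
    if (nchars + 1 > cap)
        return -1;
    memcpy(out, us->Buffer, us->Length);  /* Length bytes, not 255 WCHARs */
    out[nchars] = 0;
    return (int)nchars;
}

/* Constructed sample: fake PEB plus parameter block. As with
 * RtlCreateProcessParameters the string sits inside the same allocation as
 * the structure; extra_bytes of 'A' follow it with no NUL. ASCII path only. */
PEB *make_fake_peb(const char *path, USHORT extra_bytes)
{
    size_t len = strlen(path), str_bytes = len * sizeof(WCHAR16);
    RTL_USER_PROCESS_PARAMETERS *pp = calloc(1, sizeof(*pp) + str_bytes + extra_bytes);
    PEB *peb = calloc(1, sizeof(*peb));
    WCHAR16 *buf = (WCHAR16 *)((uint8_t *)pp + sizeof(*pp));

    for (size_t i = 0; i < len; i++)
        buf[i] = (WCHAR16)(unsigned char)path[i];
    memset(buf + len, 'A', extra_bytes);
    pp->ImagePathName.Length        = (USHORT)str_bytes;
    pp->ImagePathName.MaximumLength = (USHORT)(str_bytes + extra_bytes);
    pp->ImagePathName.Buffer        = buf;
    peb->ProcessParameters          = pp;
    return peb;
}

int u16_equals_ascii(const WCHAR16 *s, const char *a)
{
    for (; *a != '\0'; a++, s++)
        if (*s != (WCHAR16)(unsigned char)*a)
            return 0;
    return *s == 0;
}

/* Walk the sample. Returns the path length, or -1 if the copy is wrong,
 * the no-room-for-NUL case is not refused, or a NULL PEB is accepted. */
int demo(void)
{
    static const char path[] = "C:\\Program Files\\Tool\\tool.exe";
    WCHAR16 out[260];
    PEB *peb = make_fake_peb(path, 64);
    int n = get_image_path(peb, out, 260);
    int ok = n > 0 && u16_equals_ascii(out, path) &&
             get_image_path(peb, out, (size_t)n) == -1 &&
             get_image_path(NULL, out, 260) == -1;
    free(peb->ProcessParameters); free(peb);
    return ok ? n : -1;
}

int main(void)
{
    int n = demo();
    printf("%s (%d)\n", n > 0 ? "image path extracted" : "check failed", n); return n > 0 ? 0 : 1;
}
```

Because the mock uses the host's pointer size, the padded structures only agree with the thread's 32-bit offsets inside this program; on a real kernel the layout is read from the headers for the target build, never hard-coded, and a filter driver must expect a NULL PEB whenever it runs in the System process context.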