MESSAGE LABS SPAM: Re: DbgPrint not always prints out

prabhakar_vinayagam · March 27, 2017, 6:20am

Could you please check this

http://www.osronline.com/article.cfm?id=295

On Mon, Mar 27, 2017 at 1:42 PM, wrote:

> Thanks, with your hint I figured it out. Apparently
> PsGetProcessImageFileName() is not defined nowhere in my header files. My
> compiler did not complain about it neither my linker, but the latter took
> it as its return value was DWORD.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:></http:>

OSR_Community_User · March 27, 2017, 10:17am

PsGetProcessImageFileName is present in NTOSKRNL.LIB. So you just need the prototype.

NTSYSAPI PUCHAR NTAPI PsGetProcessImageFileName(In PEPROCESS Process);

But be careful, the returned pointer is the address of a UCHAR[15] array that belongs to the _EPROCESS structure.

kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
…
+0x450 ImageFileName : [15] UChar
…

This is confirmed by the disassembly:

kd> uf nt!PsGetProcessImageFileName
nt!PsGetProcessImageFileName:
fffff803b6969b30 488d8150040000 lea rax,[rcx+450h] // 0x450 is ImageFileName's offset fffff803b6969b37 c3 ret

So the access should be read-only and the EPROCESS object should be referenced before it is used and dereferenced after it is used. Of course when you deal with an undocumented function, everything may vanish at any time.

You can monitor process creation/termination with PsSetCreateProcessNotifyRoutineEx and get much more reliable informations.

Pavel_A1 · March 27, 2017, 12:25pm

> The problem comes when I

also want to print out the process name using %s format specifier:

DbgPrint(“%.4x %s”, ProcessId, GetProcessNameFromPid(ProcessId));

This does not print out anything at all.

I’ve seen this behavior when exception occurs in output formatting (such as printing garbage as unicode string).
It looks like the underlying worker of DbgPrint… has an internal exception handler that silently returns.

– pa

Alex_Grig · March 27, 2017, 12:54pm

@Tim:
In x64, minimum size of vararg is 8.