RE:[ntdev] DbgPrint not always prints out

I did it this way:

#include <ntddk.h>

// Exported by ntoskrnl but not declared in the WDK headers, so the prototype is supplied here.
NTSYSAPI PUCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);

// Output must point to a buffer of at least 16 bytes (15 name bytes plus the terminator).
VOID GetProcessNameFromPid(HANDLE Pid, PCHAR Output)
{
    PUCHAR tmp;
    PEPROCESS Process;

    if (PsLookupProcessByProcessId(Pid, &Process) != STATUS_SUCCESS) {
        strcpy(Output, "N/A");
        return;
    }

    // ImageFileName is a UCHAR[15] inside EPROCESS and is not guaranteed to be
    // NUL-terminated, so copy at most 15 bytes and terminate the copy ourselves.
    tmp = PsGetProcessImageFileName(Process);
    memcpy(Output, tmp, 15);
    Output[15] = '\0';

    // Decrease the reference count because PsLookupProcessByProcessId incremented it.
    ObDereferenceObject(Process);
}

On March 27 at 16:18, xxxxx@gmail.com wrote:

PsGetProcessImageFileName is present in NTOSKRNL.LIB. So you just need the prototype.

NTSYSAPI PUCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);

But be careful, the returned pointer is the address of a UCHAR[15] array that belongs to the _EPROCESS structure.

kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS

+0x450 ImageFileName : [15] UChar

This is confirmed by the disassembly:

kd> uf nt!PsGetProcessImageFileName
nt!PsGetProcessImageFileName:
fffff803b6969b30 488d8150040000 lea rax,[rcx+450h] // 0x450 is ImageFileName's offset
fffff803b6969b37 c3 ret

So the access should be read-only and the EPROCESS object should be referenced before it is used and dereferenced after it is used. Of course when you deal with an undocumented function, everything may vanish at any time.

You can monitor process creation/termination with PsSetCreateProcessNotifyRoutineEx and get much more reliable information.
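As an added user-mode illustration (not code from either poster) of the point about the 15-byte UCHAR array: a full-length image name has no terminator inside the field, so a copy must be bounded to 15 bytes and terminated by the caller, and a 16-byte copy picks up whatever field follows the array. The struct, the process name and the neighbouring byte are constructed stand-ins, not the real EPROCESS layout.

```c
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_NAME_LEN 15  /* size of EPROCESS.ImageFileName per "dt nt!_EPROCESS" */

/* Constructed stand-in (not the real layout) for the EPROCESS bytes around ImageFileName. */
struct fake_eprocess_slice {
    unsigned char ImageFileName[IMAGE_FILE_NAME_LEN];
    unsigned char NextField;  /* whatever follows the 15-byte array in the real structure */
};

/* Copy the image name into a NUL-terminated string: read at most 15 bytes (a full-length
 * name has no terminator inside the field) and never write past out_size. Returns the length. */
size_t copy_image_file_name(const unsigned char *field, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0) return 0;
    while (n < IMAGE_FILE_NAME_LEN && n < out_size - 1 && field[n] != '\0') {
        out[n] = (char)field[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Constructed process whose name fills all 15 bytes, so no NUL follows it. */
static const struct fake_eprocess_slice FULL_NAME = { "fifteen_chars.e", 'X' };

/* A 16-byte copy from the field's address (as the driver would get it) reads NextField too. */
int sixteen_byte_copy_leaks_next_field(void)
{
    const unsigned char *tmp = (const unsigned char *)&FULL_NAME;  /* == &ImageFileName[0] */
    char out[17];
    memcpy(out, tmp, 16);
    out[16] = '\0';
    return out[15] == 'X';  /* 1: the neighbouring byte ended up in the "name" */
}

/* The bounded copy of the same name yields exactly the 15 characters and a terminator. */
int bounded_copy_is_exact(void)
{
    char out[IMAGE_FILE_NAME_LEN + 1];
    size_t n = copy_image_file_name(FULL_NAME.ImageFileName, out, sizeof out);
    return n == 15 && strcmp(out, "fifteen_chars.e") == 0;
}

int main(void)
{
    printf("leak=%d exact=%d\n", sixteen_byte_copy_leaks_next_field(), bounded_copy_is_exact());
    return 0;
}
```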
