RE: RE:[ntdev] DbgPrint not always prints out

Should this:

Output[16] = '\0';
memcpy(Output, tmp, 16);

Be this:

Output[15] = '\0';
memcpy(Output, tmp, 15);

* Bob

  Bob Ammerman
  xxxxx@ramsystems.biz
716.864.8337

138 Liston St
Buffalo, NY 14223
www.ramsystems.biz

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-628462-xxxxx@lists.osr.com] On Behalf Of puzzle
Sent: Wednesday, March 29, 2017 6:09 PM
To: Windows System Software Devs Interest List
> Subject: [ntdev] RE:[ntdev] DbgPrint not always prints out
>
> I did it this way:
>
> VOID GetProcessNameFromPid(HANDLE Pid, PCHAR Output) {
>     LPSTR tmp;
>     PEPROCESS Process;
>
>     if (PsLookupProcessByProcessId(Pid, &Process) != STATUS_SUCCESS) {
>         strcpy(Output, "N/A");
>         return;
>     }
>
>     tmp = (LPSTR)PsGetProcessImageFileName(Process);
>     Output[16] = '\0';
>     memcpy(Output, tmp, 16);
>     ObDereferenceObject(Process); // decrease ref counter because
>                                   // PsLookupProcessByProcessId incremented it
> }
>
>
>
>
> On 27 March 2017 at 16:18, xxxxx@gmail.com wrote:
>
> > PsGetProcessImageFileName is present in NTOSKRNL.LIB. So you just need the prototype.
> >
> > NTSYSAPI PUCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);
> >
> > But be careful, the returned pointer is the address of a UCHAR[15] array that belongs to the _EPROCESS structure.
> >
> > kd> dt nt!_EPROCESS
> > +0x000 Pcb : _KPROCESS
> > …
> > +0x450 ImageFileName : [15] UChar
> > …
> >
> > This is confirmed by the disassembly:
> >
> > kd> uf nt!PsGetProcessImageFileName
> > nt!PsGetProcessImageFileName:
> > fffff803b6969b30 488d8150040000 lea rax,[rcx+450h] // 0x450 is ImageFileName's offset
> > fffff803b6969b37 c3             ret
> >
> > So the access should be read-only and the EPROCESS object should be referenced before it is used and dereferenced after it is used. Of course when you deal with an undocumented function, everything may vanish at any time.
> >
> > You can monitor process creation/termination with PsSetCreateProcessNotifyRoutineEx and get much more reliable information.
> >
> >
> > —
> > NTDEV is sponsored by OSR
> >
> > Visit the list online at:
> > http:
> >
> > MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> > Details at http:
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http:
> >
>
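As an added illustration of the off-by-one Bob is asking about (example code written for this page, not code from the thread): a user-mode C model of the 15-byte ImageFileName field. struct fake_eprocess, its NextField member and the sample names are constructed stand-ins; only the field length of 15 comes from the dt output quoted above. copy_as_posted reproduces the posted memcpy of 16 bytes and shows it picks up the byte that follows the field and needs a 17-byte Output; copy_image_name is the bounded version, which never reads past 15 bytes and always terminates the result. Whether the kernel leaves a NUL in the field when a name fills all 15 bytes is not something the thread establishes, so the bounded copy does not rely on one.

```c
/* Added example, not from the thread: user-mode model of the fixed
 * UCHAR ImageFileName[15] field and of the two copies discussed above.
 * struct fake_eprocess is a stand-in; only the array length matches the
 * real structure shown by "dt nt!_EPROCESS". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_NAME_LEN 15   /* from the dt output: ImageFileName : [15] UChar */

struct fake_eprocess {
    unsigned char ImageFileName[IMAGE_NAME_LEN];
    unsigned char NextField;   /* hypothetical byte that follows the array */
};

/* Length of a possibly unterminated byte field, capped at max. */
static size_t bounded_len(const unsigned char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Behaviour of the posted code: copies 16 bytes unconditionally and writes
 * the terminator at index 16, so it needs a 17-byte buffer and reads one
 * byte beyond the 15-byte field. Returns strlen() of the result. */
size_t copy_as_posted(const struct fake_eprocess *p, char out[17])
{
    const unsigned char *base = (const unsigned char *)p;
    out[16] = '\0';
    /* Reading from the struct base keeps the 16-byte read inside this
     * object; on a real EPROCESS the 16th byte is whatever follows the array. */
    memcpy(out, base + offsetof(struct fake_eprocess, ImageFileName), 16);
    return strlen(out);
}

/* Bounded copy: reads at most 15 bytes, does not assume the field is
 * NUL-terminated, honours out_size and always terminates the output.
 * Returns the number of name bytes written, excluding the terminator. */
size_t copy_image_name(const struct fake_eprocess *p, char *out, size_t out_size)
{
    size_t n;
    if (out_size == 0)
        return 0;
    n = bounded_len(p->ImageFileName, IMAGE_NAME_LEN);
    if (n > out_size - 1)
        n = out_size - 1;
    memcpy(out, p->ImageFileName, n);
    out[n] = '\0';
    return n;
}

/* Constructed sample: a name of 15 or more characters fills the field,
 * leaving no room for a NUL; the byte after the field is set to next. */
static struct fake_eprocess make_sample(const char *name, unsigned char next)
{
    struct fake_eprocess p;
    memset(&p, 0, sizeof p);
    memcpy(p.ImageFileName, name, bounded_len((const unsigned char *)name, IMAGE_NAME_LEN));
    p.NextField = next;
    return p;
}

int main(void)
{
    char posted[17], bounded[IMAGE_NAME_LEN + 1];
    struct fake_eprocess p = make_sample("SearchIndexer.exe", 0x41);

    copy_as_posted(&p, posted);
    copy_image_name(&p, bounded, sizeof bounded);
    printf("posted : \"%s\" (len %zu)\n", posted, strlen(posted));
    printf("bounded: \"%s\" (len %zu)\n", bounded, strlen(bounded));
    return 0;
}
```

With the 17-character sample the posted copy yields a 16-character string whose last character is the byte after the field (0x41 here), while the bounded copy yields the 15-character truncated name; with a short name such as notepad.exe both agree, which is why the bug goes unnoticed until a long image name comes along.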