Processname from PEProcess

Hi,

How do I get the process name from an available PEProcess?

I looked through the forum history but got confused!!
Also, the documentation says ZwQueryInformationProcess is not to be used!!

Regards,
Prasad

Why do you think that you need to do this?

Process name is not a reliable way to identify processes uniquely nor authoritatively.

- S

-----Original Message-----
From: xxxxx@yahoo.com
Sent: Thursday, May 28, 2009 02:25
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Processname from PEProcess

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi

The process name offset can be found from the peprocess, but you should write some
simple code.
First of all, call PsGetCurrentProcess() to achieve the address of the peprocess
of the current process, then search for the string “System” at increasing
offsets from the peprocess.
If you find the "System " string, the related offset is the name offset.

Cheers
Shabnam Aboughadareh

That works for some systems but not all, since they changed the PEPROCESS
structure. Why in the world would you want this, it can be arbitrarily set
to anything one wants, it is just by default that it is the executable name.
The OP needs to tell us why he thinks this is something he needs, and why he
cannot go to user space and get it with well-known methods.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Please do not attempt to do this. It’s completely fragile and subject to breaking at any time.

Instead, the OP needs to specify what they’re trying to do at heart here, so that a properly engineered solution can be applied.

- S

From: shabnam abooghadare
Sent: Thursday, May 28, 2009 09:19
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Processname from PEProcess

> It’s completely fragile and subject to breaking at any time.
This is what filemon did years ago.
It was never good, and then (then) it worked.

----- Original Message -----
From: Skywing
To: Windows File Systems Devs Interest List
Sent: Thursday, May 28, 2009 12:45 PM
Subject: RE: [ntfsd] Processname from PEProcess

Sigh. I think I must have wasted my time.
http://www.osronline.com/article.cfm?article=472

This article describes how to do this (on XP and more recent) and even
went through a review process with the filter manager team folks at the
time. Please never use undocumented fields in the EPROCESS.

Tony

OSR

>>The process name offset can be found from peprocess but you should write some simple code.

Why not do it straight,

windbg kernel debugging

dt _EPROCESS, see ImageFileName

This method will NOT give the complete executable name, as the name field is just 16 bytes long, so you’ll miss characters if the name is more than 16 characters long.

Why can’t you do it from user mode?

Aditya

No, it will give the process name not the executable name, it just turns out
by default that Windows makes this the same, but it can be set differently!
As far as using it for the offset, that works for exactly that version of
the kernel, so the guy’s driver is still broken.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

>>No, it will give the process name not the executable name, it just turns out by default that Windows makes this the same, but it can be set differently!

Got it, actually OP states that “process name from PE”, but what you said is yes, exactly correct.

>As far as using it for the offset, that works for exactly that version of the kernel, so the guys driver is still broken.

I understand this. We relied on this for a product and ended up with conditional compilation for each OS. It did not trouble us a lot, because we anyhow needed a lot of kernel-specific information and had to develop our application tightly coupled to the OS version, as that was a requirement.

But again, the app was intended for a specific research community inside the organization and was not a commercial product. So what you said is perfectly sensible for any other driver.

Thanks
Aditya
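
The 16-byte name field Aditya describes is worth seeing in code, because the loss of characters is what makes a rule keyed on that field unreliable. The following is an added example, not code from the thread or from any Windows kernel: a user-mode C model in which the 16-byte width (15 characters plus a NUL) is the example's own assumption, and the functions file_name_part, short_image_name, short_name_is_truncated and short_names_collide, along with the sample paths, are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Width of the fixed-size name field under discussion: 16 bytes, i.e. at most
 * 15 characters plus a terminating NUL. That width is this example's own
 * assumption; the real EPROCESS member is undocumented and its layout moves
 * between kernel versions. */
#define SHORT_NAME_BYTES 16

/* File-name part of a path: everything after the last '\' or '/'. */
static const char *file_name_part(const char *image_path)
{
    const char *base = image_path;
    for (const char *p = image_path; *p != '\0'; p++) {
        if (*p == '\\' || *p == '/')
            base = p + 1;
    }
    return base;
}

/* Reduce a full image path to what a 16-byte field can hold: the file name,
 * cut to 15 characters and NUL-terminated. */
void short_image_name(const char *image_path, char out[SHORT_NAME_BYTES])
{
    const char *base = file_name_part(image_path);
    size_t n = strlen(base);
    if (n > SHORT_NAME_BYTES - 1)
        n = SHORT_NAME_BYTES - 1;       /* everything past this point is lost */
    memcpy(out, base, n);
    out[n] = '\0';
}

/* 1 when the short form lost characters relative to the real file name. */
int short_name_is_truncated(const char *image_path)
{
    char out[SHORT_NAME_BYTES];
    short_image_name(image_path, out);
    return strcmp(out, file_name_part(image_path)) != 0;
}

/* 1 when two different image paths collapse to the same short name, i.e. a
 * rule keyed on the short name cannot tell the two images apart. */
int short_names_collide(const char *path_a, const char *path_b)
{
    char a[SHORT_NAME_BYTES], b[SHORT_NAME_BYTES];
    short_image_name(path_a, a);
    short_image_name(path_b, b);
    return strcmp(path_a, path_b) != 0 && strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real system. */
    const char *samples[] = {
        "C:\\Windows\\System32\\notepad.exe",
        "C:\\Tools\\VeryLongToolNameHere.exe",
        "C:\\Tools\\VeryLongToolNameThere.exe",
    };
    char out[SHORT_NAME_BYTES];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short_image_name(samples[i], out);
        printf("%-36s -> %-15s%s\n", samples[i], out,
               short_name_is_truncated(samples[i]) ? "  (truncated)" : "");
    }
    printf("collide: %d\n", short_names_collide(samples[1], samples[2]));
    return 0;
}
```

The two long sample names differ only past the fifteenth character, so they map to the same short form; any monitoring logic that compares only this field sees one process name where there are two images, which is the practical reason the thread keeps pushing towards the full image path.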

> >> The process name offset can be found from peprocess but you should write some simple code.
>
> Why not do it straight,
>
> windbg kernel debugging
>
> dt _EPROCESS, see ImageFileName

Because you can do it on the fly on the running system, and not have to
have conditional compilation for different kernel versions. I’m not
proposing that the OP actually does this, just pointing out that it’s
possible. Of course it assumes that the name of the “System” process
remains constant.

~Eric

And this is a piece of crap since in the past depending on the system the
entry in the EPROCESS structure was either a UNICODE_STRING or a
PUNICODE_STRING. Using this type of garbage code just destabilizes
systems, it is unfortunate that way too many people took Russinovich’s code
which was for experiment only, and started using techniques from it in
production drivers. For those who have stated they use this technique in
their products, I ask the standard please let us know what these products
are so we can avoid them and get our customers to do the same.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Of course it’s a piece of crap and shouldn’t be used in production code.
At this point Tony has posted the correct solution, and we’re just
discussing the merits (or lack thereof) of the various wrong ways to do
it.

Also, in Tony’s article, he calls out the undocumented
PsGetProcessImageFileName function, which would also be a questionable
approach, but at least presumably knows the internals of the EPROCESS
struct well enough to not go traipsing through memory looking for a
non-existent string until it causes an access violation.

Incidentally, the code in the article uses NtCurrentProcess instead of
ZwCurrentProcess. Is there a reason for that?

~Eric

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Friday, May 29, 2009 10:22 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Processname from PEProcess

That article predates the information about MmGetSystemRoutineAddress() on certain platforms. Frankly, I don’t remember the details of the implications of MMGSRA() on the affected platforms, so the check for NULL may be all you need to prevent crashing in the degenerate cases, which may not even include ‘ZwQueryInformationProcess()’ anyway; I don’t know.

Just thought I’d mention it.

mm
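
Tony's article and mm's note together describe the shape of the supported approach: resolve the query routine at run time, treat a NULL result as "not available" rather than crashing, ask the routine how much buffer it wants, and only then read the UNICODE_STRING it fills in. The block below is an added example written for this page, not the article's code and not the kernel's: it is a user-mode C model in which MockZwQueryInformationProcess and LookupQueryRoutine are constructed stand-ins for ZwQueryInformationProcess and an MmGetSystemRoutineAddress lookup, the NT type definitions are hand-written simplifications, MOCK_IMAGE_PATH is a constructed value, and get_process_image_path is the caller-side pattern being demonstrated. The constants (ProcessImageFileName = 27, STATUS_INFO_LENGTH_MISMATCH, the NtCurrentProcess macro) match the real definitions; malloc stands in for a pool allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand-written stand-ins for the NT types this call uses, so the example
 * builds in user mode without the WDK. Constant values match the real ones;
 * the types are simplified (WCHAR is a 16-bit code unit, the info class is a
 * plain ULONG instead of the PROCESSINFOCLASS enum). */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef void *PVOID;
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    USHORT Length;          /* in bytes, not characters */
    USHORT MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003L)
#define ProcessImageFileName        27
#define NtCurrentProcess() ((HANDLE)(intptr_t)-1)
#define ZwCurrentProcess() NtCurrentProcess()

typedef NTSTATUS (*QUERY_INFORMATION_PROCESS)(HANDLE, ULONG, PVOID, ULONG, ULONG *);

/* Constructed image path handed back by the mock; a real kernel returns the
 * NT device path of the image, not a drive-letter path. */
static const char MOCK_IMAGE_PATH[] =
    "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";

/* Mock of ZwQueryInformationProcess(ProcessImageFileName). It keeps the real
 * contract: a NULL or too-small buffer gets STATUS_INFO_LENGTH_MISMATCH and the
 * required size in *ReturnLength; otherwise a UNICODE_STRING whose Buffer
 * points just past the header inside the caller's allocation. */
static NTSTATUS MockZwQueryInformationProcess(HANDLE ProcessHandle, ULONG InfoClass,
                                              PVOID Info, ULONG InfoLength, ULONG *ReturnLength)
{
    (void)ProcessHandle;
    if (InfoClass != ProcessImageFileName)
        return STATUS_INVALID_INFO_CLASS;
    size_t chars = strlen(MOCK_IMAGE_PATH);
    ULONG needed = (ULONG)(sizeof(UNICODE_STRING) + chars * sizeof(WCHAR));
    if (ReturnLength)
        *ReturnLength = needed;
    if (Info == NULL || InfoLength < needed)
        return STATUS_INFO_LENGTH_MISMATCH;
    PUNICODE_STRING us = (PUNICODE_STRING)Info;
    us->Buffer = (WCHAR *)((char *)Info + sizeof(UNICODE_STRING));
    us->Length = us->MaximumLength = (USHORT)(chars * sizeof(WCHAR));
    for (size_t i = 0; i < chars; i++)
        us->Buffer[i] = (WCHAR)(unsigned char)MOCK_IMAGE_PATH[i];
    return STATUS_SUCCESS;
}

/* Mock of the MmGetSystemRoutineAddress lookup: knows one name and returns
 * NULL for anything else, which is the case a driver must survive on a
 * platform that does not export the routine. */
static QUERY_INFORMATION_PROCESS LookupQueryRoutine(const char *routine_name)
{
    if (strcmp(routine_name, "ZwQueryInformationProcess") == 0)
        return MockZwQueryInformationProcess;
    return NULL;
}

/* Caller-side pattern: resolve dynamically, fail closed on NULL, ask for the
 * size, allocate exactly that, query again, and check status before touching
 * the result. Returns the path length in characters or a negative code. */
int get_process_image_path(const char *routine_name, char *out, size_t out_size)
{
    QUERY_INFORMATION_PROCESS query = LookupQueryRoutine(routine_name);
    if (query == NULL)
        return -1;                      /* routine unavailable: do not guess */
    ULONG needed = 0;
    NTSTATUS st = query(ZwCurrentProcess(), ProcessImageFileName, NULL, 0, &needed);
    if (st != STATUS_INFO_LENGTH_MISMATCH || needed == 0)
        return -2;                      /* unexpected first-call result */
    void *buf = malloc(needed);         /* a pool allocation in a driver */
    if (buf == NULL)
        return -3;
    st = query(ZwCurrentProcess(), ProcessImageFileName, buf, needed, &needed);
    if (st != STATUS_SUCCESS) {
        free(buf);
        return -4;
    }
    PUNICODE_STRING us = (PUNICODE_STRING)buf;
    size_t chars = us->Length / sizeof(WCHAR);
    if (chars + 1 > out_size) {
        free(buf);
        return -5;                      /* caller's buffer too small */
    }
    for (size_t i = 0; i < chars; i++)
        out[i] = (char)us->Buffer[i];   /* ASCII-only narrowing for the demo */
    out[chars] = '\0';
    free(buf);
    return (int)chars;
}

int main(void)
{
    char path[256];
    int n = get_process_image_path("ZwQueryInformationProcess", path, sizeof path);
    printf("%d %s\n", n, n >= 0 ? path : "(failed)");
    printf("%d\n", get_process_image_path("NoSuchRoutine", path, sizeof path));
    return 0;
}
```

The point of the two-call sequence is that the caller never assumes a buffer size: the kernel states the size it needs, and a status other than the expected one at either step makes the helper return an error instead of reading whatever happens to be in memory, which is the opposite of the offset-scanning approach earlier in the thread.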

Following a Guru’s path, who is beaten down, worn out, and has weathered almost all
odds, is as pragmatic as one could get, IMHO. I just looked at the article,
and it already covers a lot of gotchas, so enhancing along that road to
support a couple of OS versions should not be that much of a problem…
-pro

On Fri, May 29, 2009 at 7:34 AM, Eric Diven wrote:

> Incidentally, the code in the article uses NtCurrentProcess instead of
> ZwCurrentProcess. Is there a reason for that?

#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#define ZwCurrentProcess() NtCurrentProcess()
#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )
#define ZwCurrentThread() NtCurrentThread()

The Zw ones are a relatively new addition (S03 maybe?) and pretty amusing.
Really beating that, “don’t call NtXxx APIs in kernel mode” drum.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

To answer Eric’s question: I’m old. A long time ago the only thing
defined was NtCurrentProcess.

Now we have both variants. Lest you think any of this matters:

#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#define ZwCurrentProcess() NtCurrentProcess()
#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )
#define ZwCurrentThread() NtCurrentThread()

(from my 6001 WDK.)

Tony

Which is, on its face, a very poor guideline.

The actual guideline should be “Understand well the difference between the Zw and Nt variant of the system service, and call the one you actually need… and if you don’t know any better, use the Zw version.”

If nothing in kernel-mode ever needed to call the Nt variant, it wouldn’t be necessary to include it in the operating system.

(Sorry, I just HATE overly simplistic rules)

Peter
OSR

(WOW… 3 OSR posts in a row)

Can you provide a concrete example of when you would need to use an Nt variant? Are you just trying to shave a few cycles off of a tight system call loop in a system thread?

These are of course included with the OS as the underlying implementation lives there today.

- S

-----Original Message-----
From: xxxxx@osr.com
Sent: Friday, May 29, 2009 15:20
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Processname from PEProcess

Concrete example: some file system APIs require they be invoked from
UserMode; a kernel mode invocation fails. Thus, if you call the Zw
variant, the call fails. The first time I saw this I recall that it was
a bit painful (we ended up allocating user address space buffers so we
could pass them into the call.)

More general case: Sometimes I am performing operations using user
provided buffers and/or parameters. If I call the Zw variant, I have to
do all the buffer handling. If I call the Nt variant, I can live
comfortably knowing the correct parameter checking is being done.

Tony
OSR