Process or Image Name

Hi,

How do I get the process name in kernel mode? PsLookupProcessByProcessId takes a process ID and returns a PEPROCESS structure, but it seems that it's undocumented. I searched the DDK header files but found no actual definition for that struct. From LiveKd I can see that _EPROCESS has the following definition, and it has ImageFileName as a member:

0: kd> dt _EPROCESS
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER
+0x170 ExitTime : _LARGE_INTEGER
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x198 ProcessQuotaUsage : [2] Uint8B
+0x1a8 ProcessQuotaPeak : [2] Uint8B
+0x1b8 CommitCharge : Uint8B
+0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
+0x1d0 PeakVirtualSize : Uint8B
+0x1d8 VirtualSize : Uint8B
+0x1e0 SessionProcessLinks : _LIST_ENTRY
+0x1f0 DebugPort : Ptr64 Void
+0x1f8 ExceptionPortData : Ptr64 Void
+0x1f8 ExceptionPortValue : Uint8B
+0x1f8 ExceptionPortState : Pos 0, 3 Bits
+0x200 ObjectTable : Ptr64 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : Uint8B
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : Ptr64 _ETHREAD
+0x228 ForkInProgress : Ptr64 _ETHREAD
+0x230 HardwareTrigger : Uint8B
+0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
+0x240 CloneRoot : Ptr64 Void
+0x248 NumberOfPrivatePages : Uint8B
+0x250 NumberOfLockedPages : Uint8B
+0x258 Win32Process : Ptr64 Void
+0x260 Job : Ptr64 _EJOB
+0x268 SectionObject : Ptr64 Void
+0x270 SectionBaseAddress : Ptr64 Void
+0x278 Cookie : Uint4B
+0x27c UmsScheduledThreads : Uint4B
+0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x288 Win32WindowStation : Ptr64 Void
+0x290 InheritedFromUniqueProcessId : Ptr64 Void
+0x298 LdtInformation : Ptr64 Void
+0x2a0 Spare : Ptr64 Void
+0x2a8 ConsoleHostProcess : Uint8B
+0x2b0 DeviceMap : Ptr64 Void
+0x2b8 EtwDataSource : Ptr64 Void
+0x2c0 FreeTebHint : Ptr64 Void
+0x2c8 FreeUmsTebHint : Ptr64 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : Uint8B
+0x2d8 Session : Ptr64 Void
+0x2e0 ImageFileName : [15] UChar
+0x2ef PriorityClass : UChar
+0x2f0 JobLinks : _LIST_ENTRY
+0x300 LockedPagesList : Ptr64 Void
+0x308 ThreadListHead : _LIST_ENTRY
+0x318 SecurityPort : Ptr64 Void
+0x320 Wow64Process : Ptr64 Void
+0x328 ActiveThreads : Uint4B
+0x32c ImagePathHash : Uint4B
+0x330 DefaultHardErrorProcessing : Uint4B
+0x334 LastThreadExitStatus : Int4B
+0x338 Peb : Ptr64 _PEB
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER
+0x350 WriteOperationCount : _LARGE_INTEGER
+0x358 OtherOperationCount : _LARGE_INTEGER
+0x360 ReadTransferCount : _LARGE_INTEGER
+0x368 WriteTransferCount : _LARGE_INTEGER
+0x370 OtherTransferCount : _LARGE_INTEGER
+0x378 CommitChargeLimit : Uint8B
+0x380 CommitChargePeak : Uint8B
+0x388 AweInfo : Ptr64 Void
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY
+0x430 HighestUserAddress : Ptr64 Void
+0x438 ModifiedPageCount : Uint4B
+0x43c Flags2 : Uint4B
+0x43c JobNotReallyActive : Pos 0, 1 Bit
+0x43c AccountingFolded : Pos 1, 1 Bit
+0x43c NewProcessReported : Pos 2, 1 Bit
+0x43c ExitProcessReported : Pos 3, 1 Bit
+0x43c ReportCommitChanges : Pos 4, 1 Bit
+0x43c LastReportMemory : Pos 5, 1 Bit
+0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x43c HandleTableRundown : Pos 7, 1 Bit
+0x43c NeedsHandleRundown : Pos 8, 1 Bit
+0x43c RefTraceEnabled : Pos 9, 1 Bit
+0x43c NumaAware : Pos 10, 1 Bit
+0x43c ProtectedProcess : Pos 11, 1 Bit
+0x43c DefaultPagePriority : Pos 12, 3 Bits
+0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x43c ProcessVerifierTarget : Pos 16, 1 Bit
+0x43c StackRandomizationDisabled : Pos 17, 1 Bit
+0x43c AffinityPermanent : Pos 18, 1 Bit
+0x43c AffinityUpdateEnable : Pos 19, 1 Bit
+0x43c PropagateNode : Pos 20, 1 Bit
+0x43c ExplicitAffinity : Pos 21, 1 Bit
+0x440 Flags : Uint4B
+0x440 CreateReported : Pos 0, 1 Bit
+0x440 NoDebugInherit : Pos 1, 1 Bit
+0x440 ProcessExiting : Pos 2, 1 Bit
+0x440 ProcessDelete : Pos 3, 1 Bit
+0x440 Wow64SplitPages : Pos 4, 1 Bit
+0x440 VmDeleted : Pos 5, 1 Bit
+0x440 OutswapEnabled : Pos 6, 1 Bit
+0x440 Outswapped : Pos 7, 1 Bit
+0x440 ForkFailed : Pos 8, 1 Bit
+0x440 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x440 AddressSpaceInitialized : Pos 10, 2 Bits
+0x440 SetTimerResolution : Pos 12, 1 Bit
+0x440 BreakOnTermination : Pos 13, 1 Bit
+0x440 DeprioritizeViews : Pos 14, 1 Bit
+0x440 WriteWatch : Pos 15, 1 Bit
+0x440 ProcessInSession : Pos 16, 1 Bit
+0x440 OverrideAddressSpace : Pos 17, 1 Bit
+0x440 HasAddressSpace : Pos 18, 1 Bit
+0x440 LaunchPrefetched : Pos 19, 1 Bit
+0x440 InjectInpageErrors : Pos 20, 1 Bit
+0x440 VmTopDown : Pos 21, 1 Bit
+0x440 ImageNotifyDone : Pos 22, 1 Bit
+0x440 PdeUpdateNeeded : Pos 23, 1 Bit
+0x440 VdmAllowed : Pos 24, 1 Bit
+0x440 CrossSessionCreate : Pos 25, 1 Bit
+0x440 ProcessInserted : Pos 26, 1 Bit
+0x440 DefaultIoPriority : Pos 27, 3 Bits
+0x440 ProcessSelfDelete : Pos 30, 1 Bit
+0x440 SetTimerResolutionLink : Pos 31, 1 Bit
+0x444 ExitStatus : Int4B
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY
+0x4b8 RequestedTimerResolution : Uint4B
+0x4bc ActiveThreadsHighWatermark : Uint4B
+0x4c0 SmallestTimerResolution : Uint4B
+0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD

Thanks

Ahmad Hamad

Don't go mucking with _EPROCESS; it changes depending on the rev of the
OS, and also you have no ability to synchronize accesses to it with the
OS. See http://www.osronline.com/article.cfm?article=472 for some
ideas.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@hotmail.com" wrote in
message news:xxxxx@ntdev:

> Hi,
>
> How do I get the process name in kernel mode? PsLookupProcessByProcessId takes a process ID and returns a PEPROCESS structure, but it seems that it's undocumented. I searched the DDK header files but found no actual definition for that struct. From LiveKd I can see that _EPROCESS has the following definition, and it has ImageFileName as a member:

Thanks Don, I saw this before, but I'm not sure why, when I tried to print the process name, I got null:

imageName = (PUNICODE_STRING)buffer;  
KdPrint(("Process name: %wZ\n",imageName));  

Sorry, I’m still new to windows kernel development.

Regards,

Ahmad

xxxxx@hotmail.com wrote:

Thanks Don, I saw this before, but I’m not sure why when I tried to print the process name I got null:

imageName = (PUNICODE_STRING)buffer;  
KdPrint(("Process name: %wZ\n",imageName));  

So, you’re just trying random things? Did you even look at the
definition of the ImageFileName field? It’s not a UNICODE_STRING. It’s
not Unicode at all. It’s a plain, ordinary zero-terminated 8-bit string.

KdPrint(("Process name: %s\n", ep->ImageFileName));


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim, yes, I can see in the structure definition that it's a plain zero-terminated string, but with the code from http://www.osronline.com/article.cfm?article=472 I get null when printing imageName in DebugView.

Thanks

Ahmad

xxxxx@hotmail.com wrote:

Thanks Tim, yes, I can see in the structure definition that it's a plain zero-terminated string, but with the code from http://www.osronline.com/article.cfm?article=472 I get null when printing imageName in DebugView.

Sorry, that was my mistake for not reading carefully enough. What are
you doing when you call this function? Are you in an ioctl handler?
Remember that the function has to be called in the context of the
process you’re interested in.

Did you check the value of “returnedLength” in both calls to make sure
the values are sensible?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

>>but from http://www.osronline.com/article.cfm?article=472 I get null when printing imageName on DebugView. <<

I guess this method is getting the image name from the PEB. I have encountered an empty process name several times in the past during the process initialization phase.

Try playing with the load image callbacks, i.e., PsSetLoadImageNotifyRoutine and similar. I never had such problems with them.

Thanks Tim and Volodymyr,
Yes Tim, I checked returnedLength, and I get STATUS_SUCCESS in the second call as I create a buffer to fill in. Actually, I call this from a kernel-mode thread I create in DriverEntry using PsCreateSystemThread.

When I tried to print it as a zero-terminated string, I got an empty process name as well.

Regards,

Ahmad Hamad

Perhaps what you’re getting in this case is the system process?

Peter
OSR

Thanks Peter, I ran the code several times and every time I got the same result.

Regards,

Ahmad Hamad

>>I did run the code several time and everytime I got the same
result.<<

Can you make your code look like the function

NTSTATUS foo(HANDLE hPid)
{
    // your code goes here
}

and post it here, so that it can be analyzed/compiled and possibly speed up the answer for you?

Won’t ObQueryNameString(pointer to a process object) return the name?

ZwQueryInformationProcess(handle, ProcessImageFileName…) should return the *file* name: http://msdn.microsoft.com/en-us/library/ms687420(v=VS.85).aspx

Regards,
–pa

It SHOULD, but it can also lead to a BSOD :wink: and it's the first call, where
you query for the buffer size:

status = ZwQueryInformationProcess( hProcess, ProcessImageFileName,
NULL, 0, &returnedLength );

FAULTING_IP:
nt!IopQueryNameInternal+255
8058980e f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

STACK_TEXT:
aa616620 80589876 86e5d420 877ac700 00000000 nt!IopQueryNameInternal+0x255
aa616640 805896a0 86e5d420 877ac700 86eb7cf8 nt!IopQueryName+0x1b
aa616710 8058b07f 86e5d420 86eb7cf8 0000009a nt!ObQueryNameString+0xcd
aa61673c 8058afad 86e5d420 0000009a aa61675c nt!SeInitializeProcessAuditName+0x90
aa616764 805ad036 86dbada0 aa616940 aa616984 nt!SeLocateProcessImageName+0x46
aa616968 804ddf0f 800006c0 0000001b 00000000 nt!NtQueryInformationProcess+0x85e
aa616968 804e4414 800006c0 0000001b 00000000 nt!KiFastCallEntry+0xfc
aa6169f4 a9cd90c4 800006c0 0000001b 00000000 nt!ZwQueryInformationProcess+0x11
aa616a18 a9cd6bc9 aa616a34 800006c0 e1f13360 aswSP!GetProcessImageName+0x2a

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@fastmail.fm
Sent: Friday, May 06, 2011 2:06 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process or Image Name

Won’t ObQueryNameString(pointer to a process object) return the name?

ZwQueryInformationProcess(handle, ProcessImageFileName…) should return the
*file* name: http://msdn.microsoft.com/en-us/library/ms687420(v=VS.85).aspx

Regards,
–pa


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Here it is:

#include <ntddk.h>

NTKERNELAPI PVOID MmGetSystemRoutineAddress(__in PUNICODE_STRING SystemRoutine);

NTSTATUS DriverEntry(IN PDRIVER_OBJECT, IN PUNICODE_STRING);
VOID UnloadDriver(IN PDRIVER_OBJECT);

VOID NTAPI MyDriverThread(PVOID pVoid);

/* Typedef for a pointer to ZwQueryInformationProcess, resolved at run time */
typedef NTSTATUS (*ZWQUERYINFORMATIONPROCESS)(
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_opt PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength);

/*
 * System thread: looks up ZwQueryInformationProcess and queries the image
 * file name of the current process.
 */
VOID NTAPI MyDriverThread(PVOID pVoid)
{
    PVOID buffer;
    PUNICODE_STRING imageName;
    WCHAR tFunctionName[] = L"ZwQueryInformationProcess";
    UNICODE_STRING usFunctionName;

    NTSTATUS status = STATUS_SUCCESS;
    ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess = NULL;

    ULONG returnedLength = 0;

    UNREFERENCED_PARAMETER(pVoid);
    PAGED_CODE();

    DbgPrint("Entering the thread function\n");
    DbgPrint("Trying to get the function address\n");

    RtlInitUnicodeString(&usFunctionName, tFunctionName);

    ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&usFunctionName);

    if (!ZwQueryInformationProcess) {
        DbgPrint("I'm not able to get the function address\n");
        PsTerminateSystemThread(STATUS_UNSUCCESSFUL);
    }

    /* First call: ask for the required buffer size */
    status = ZwQueryInformationProcess(NtCurrentProcess(), ProcessImageFileName, NULL, 0, &returnedLength);

    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'Tag1');
    if (buffer == NULL) {
        DbgPrint("Can't allocate from the paged pool, after getting the length\n");
        PsTerminateSystemThread(STATUS_UNSUCCESSFUL);
    }

    /* Second call: fill the buffer with a UNICODE_STRING followed by the name */
    status = ZwQueryInformationProcess(NtCurrentProcess(), ProcessImageFileName, buffer, returnedLength, &returnedLength);
    if (NT_SUCCESS(status)) {
        imageName = (PUNICODE_STRING)buffer;
        KdPrint(("Process name: %wZ\n", imageName));
    }
    ExFreePoolWithTag(buffer, 'Tag1');

    PsTerminateSystemThread(STATUS_SUCCESS);
}

VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unloading driver\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    HANDLE hThread = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("Loading driver\n");

    DriverObject->DriverUnload = UnloadDriver;

    DbgPrint("Now creating a system thread\n");

    status = PsCreateSystemThread(&hThread, GENERIC_READ, NULL, 0, NULL, MyDriverThread, NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("Unable to create thread\n");
        return status;
    }
    ZwClose(hThread);  /* the thread keeps running; only the handle is released */
    return STATUS_SUCCESS;
}

What’s the output from “?? *imageName” (KD/WinDbg) just before you’re
printing it?

> status = ZwQueryInformationProcess(NtCurrentProcess(),ProcessImageFileName,NULL,0,&returnedLength);
You want to check status here; if it's different from
STATUS_INFO_LENGTH_MISMATCH you shouldn't really continue.

> status = PsCreateSystemThread(&hThread,GENERIC_READ,NULL,0,NULL,MyDriverThread,NULL);
You are trying to get the process name of the System process (since you
are executing this code in a system thread) - I'm not sure whether
it's going to work. Did you try to run your code in the context of
some other process?

Kris

Ah, you are calling this from System context. System is a special beast; a better way will be to check for the System PID manually, i.e.:

if (SystemPid(hPid))
{
    // copy into path SystemRoot\System yourself
}
else
{
    // for normal, i.e. real processes:
    // use your code as you do to get process path
}

PIDs for System are well known: they are 4 in XP and 8 in Vista and higher. You can use PsGetCurrentProcessId(...) to get the "current process PID".
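An added example, not code from this thread or from any of its posters, that puts together the points raised in Kris's and Volodymyr's replies: the two-call size-probe protocol of ZwQueryInformationProcess(ProcessImageFileName) with the first-call status actually checked, the self-relative UNICODE_STRING layout the second call fills in, a PID-4 special case for System (which reports no image file name), and, from Tim's point about the field type, a bounded copy of the 15-byte _EPROCESS.ImageFileName array rather than a %wZ print. It is written to build and run in user mode on any C compiler, so the NT types, status codes, and the query routine itself (FakeQueryImageFileName) are constructed stand-ins that follow the documented buffer contract; in a driver the real call is ZwQueryInformationProcess from ntddk.h, as in the posted code. The process table, the PIDs and the notepad path are constructed sample data.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Host-side stand-ins for the NT types and status codes used below. A real driver
 * gets these from ntddk.h; they are redefined here so the example builds and runs
 * in user mode. WCHAR is fixed at 16 bits to match Windows. */
typedef int32_t  NTSTATUS;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in Buffer, excluding any terminator */
    USHORT MaximumLength; /* bytes available in Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL           ((NTSTATUS)0xC0000001)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define SYSTEM_PROCESS_PID 4u  /* System on XP and later, per Bill Wandel's correction */

/* Constructed process table standing in for the kernel's view. System (PID 4)
 * reports an empty image file name, which is what the original poster saw. */
static const struct { ULONG pid; const char *path; } kFakeProcessTable[] = {
    { 4u,    "" },
    { 1234u, "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe" },
};

/* Constructed stand-in for ZwQueryInformationProcess(h, ProcessImageFileName, ...).
 * Contract: the output is a UNICODE_STRING header whose Buffer points at the
 * characters stored right behind it in the same allocation; a NULL or too-small
 * buffer yields STATUS_INFO_LENGTH_MISMATCH with the required size in *ReturnLength. */
static NTSTATUS FakeQueryImageFileName(ULONG pid, void *Info, ULONG InfoLen, ULONG *ReturnLength)
{
    const char *path = NULL;
    for (size_t i = 0; i < sizeof kFakeProcessTable / sizeof kFakeProcessTable[0]; i++)
        if (kFakeProcessTable[i].pid == pid) path = kFakeProcessTable[i].path;
    if (path == NULL) return STATUS_INVALID_PARAMETER;  /* no such process */

    size_t chars = strlen(path);
    ULONG needed = (ULONG)(sizeof(UNICODE_STRING) + chars * sizeof(WCHAR));
    if (ReturnLength) *ReturnLength = needed;
    if (Info == NULL || InfoLen < needed) return STATUS_INFO_LENGTH_MISMATCH;

    UNICODE_STRING *us = (UNICODE_STRING *)Info;
    WCHAR *text = (WCHAR *)((unsigned char *)Info + sizeof(UNICODE_STRING));
    for (size_t i = 0; i < chars; i++) text[i] = (WCHAR)(unsigned char)path[i];
    us->Length = us->MaximumLength = (USHORT)(chars * sizeof(WCHAR));
    us->Buffer = text;  /* self-relative: valid only while Info is alive */
    return STATUS_SUCCESS;
}

/* Two-call pattern with the checks from the thread: the size probe must fail with
 * exactly STATUS_INFO_LENGTH_MISMATCH before anything is allocated, the second call
 * is checked, and System is special-cased up front because the kernel gives it no
 * image name. The result is narrowed into out (non-ASCII code units become '?'). */
static NTSTATUS GetProcessImageName(ULONG pid, char *out, size_t outCap)
{
    if (out == NULL || outCap == 0) return STATUS_INVALID_PARAMETER;
    out[0] = '\0';
    if (pid == SYSTEM_PROCESS_PID) { snprintf(out, outCap, "System"); return STATUS_SUCCESS; }

    ULONG needed = 0;
    NTSTATUS st = FakeQueryImageFileName(pid, NULL, 0, &needed);
    if (st != STATUS_INFO_LENGTH_MISMATCH || needed < sizeof(UNICODE_STRING))
        return NT_SUCCESS(st) ? STATUS_UNSUCCESSFUL : st;  /* anything else: stop here */

    void *buf = malloc(needed);  /* ExAllocatePoolWithTag in a driver */
    if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    st = FakeQueryImageFileName(pid, buf, needed, &needed);
    if (NT_SUCCESS(st)) {
        const UNICODE_STRING *us = (const UNICODE_STRING *)buf;
        size_t n = us->Length / sizeof(WCHAR);
        if (n > outCap - 1) n = outCap - 1;
        for (size_t i = 0; i < n; i++) out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
        out[n] = '\0';
    }
    free(buf);  /* ExFreePoolWithTag in a driver; us->Buffer dies with it */
    return st;
}

/* _EPROCESS.ImageFileName is a 15-byte UChar array (see the dt output in the thread),
 * not a UNICODE_STRING, so %wZ on it prints garbage. Copy it with a bound so a name
 * that fills all 15 bytes cannot run past the field into PriorityClass. */
#define EPROCESS_IMAGE_NAME_LEN 15
static size_t CopyShortImageName(const unsigned char field[EPROCESS_IMAGE_NAME_LEN], char *out, size_t outCap)
{
    if (out == NULL || outCap == 0) return 0;
    size_t n = 0;
    while (n < EPROCESS_IMAGE_NAME_LEN && field[n] != '\0') n++;
    if (n > outCap - 1) n = outCap - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char name[128];
    const ULONG pids[] = { 1234u, SYSTEM_PROCESS_PID, 9999u };  /* constructed sample PIDs */
    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        NTSTATUS st = GetProcessImageName(pids[i], name, sizeof name);
        printf("pid %u -> status 0x%08X name \"%s\"\n", (unsigned)pids[i], (unsigned)st, name);
    }
    return 0;
}
```

The points to carry into the driver: treat any first-call status other than STATUS_INFO_LENGTH_MISMATCH as a failure and stop before allocating; remember that the returned Buffer points inside the allocation you are about to free, so copy the text out first; and decide up front what to report for PID 4, because a query made from a system thread runs in System's context and gets an empty name.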

Yes Volodymyr, thank you so much. I thought this would run in the context of an arbitrary process.

The PID for System in Vista and higher is not 8. WIN7 is 4 and I am sure
that Vista is also 4.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@shcherbyna.com
Sent: Friday, May 06, 2011 6:37 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Process or Image Name

Ah, you are calling this from System context. System is a special beast; a
better way will be to check for the System PID manually, i.e.:

if (SystemPid(hPid))
{
    // copy into path SystemRoot\System yourself
}
else
{
    // for normal, i.e. real processes:
    // use your code as you do to get process path
}

PIDs for System are well known: they are 4 in XP and 8 in Vista and higher.
You can use PsGetCurrentProcessId(...) to get the "current process PID".



Yeah, I meant the reverse: 4 for Vista and higher, and 8 for Win2k and XP with Server 2003.

Sorry, I am again wrong. 8 for Win2k, and 4 for the rest.