DbgPrint does not always print out

I made a simple 64 bit driver which adds a notify routine calling PsSetCreateThreadNotifyRoutine().

In the notification routine I call DbgPrint to print out the pid:

DbgPrint("%.4x", ProcessId); // GetProcessNameFromPid(ProcessId)

It works as expected. In DbgView I can see the result. The problem comes when I also want to print out the process name using the %s format specifier:

DbgPrint("%.4x %s", ProcessId, GetProcessNameFromPid(ProcessId));

This does not print out anything at all. With WinDbg I verified that the pointer returned by GetProcessNameFromPid() is indeed correct and points to a null-terminated string representation of the process name. But I don't understand why I cannot see it in DbgView. I am doing these tests on Windows 7 64 bit.

On Mar 26, 2017, at 12:24 PM, xxxxx@lajt.hu wrote:

I made a simple 64 bit driver which adds a notify routine calling PsSetCreateThreadNotifyRoutine().

In the notification routine I call DbgPrint to print out the pid:

DbgPrint("%.4x", ProcessId); // GetProcessNameFromPid(ProcessId)

It works as expected. In DbgView I can see the result. The problem comes when I also want to print out the process name using the %s format specifier:

DbgPrint("%.4x %s", ProcessId, GetProcessNameFromPid(ProcessId));

This does not print out anything at all.

What type is ProcessId? %4x sucks up a 32-bit thing. If ProcessId is a 64-bit type (like a void *, say), that leaves the high half of the value on the stack to be sucked up by the %s. If that’s the case, use %4I64x (percent four eye sixty-four ex) or %4llx (ell ell ex).

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks, with your hint I figured it out. Apparently PsGetProcessImageFileName() is not defined anywhere in my header files. Neither my compiler nor my linker complained about it, but the latter took it as if its return value was DWORD.
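
The width check from Tim Roberts's reply, as an added example that is not part of the original thread: a user-mode C helper (the names conv_size and first_width_mismatch are hypothetical) that walks a printf-style format and reports the first argument whose size differs from what its conversion reads. It assumes a 64-bit Windows target and covers only plain conversions plus %p and %s with the ll, I64, l and h lengths; passing 4 as an argument size also models the missing-prototype case from the last post, where C treats the undeclared call as returning int.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes one conversion reads on a 64-bit Windows target (assumed model):
 * 4 for plain %x/%d/%u, 8 for the ll / I64 lengths and for %p / %s. */
static int conv_size(const char **pp)
{
    const char *p = *pp;
    int size = 4;
    while (*p && strchr("-+ #0123456789.", *p)) p++;   /* flags, width, precision */
    if (p[0] == 'l' && p[1] == 'l') { size = 8; p += 2; }
    else if (strncmp(p, "I64", 3) == 0) { size = 8; p += 3; }
    else if (*p == 'l' || *p == 'h') p++;              /* long is 32-bit on Windows */
    if (*p == 'p' || *p == 's') size = 8;              /* pointers are 64-bit */
    if (*p) p++;                                       /* step past the conversion */
    *pp = p;
    return size;
}

/* Index of the first argument whose size differs from what its conversion
 * reads; -1 if every argument matches; -2 if the argument count is wrong. */
int first_width_mismatch(const char *fmt, const size_t *arg_sizes, int nargs)
{
    int i = 0;
    for (const char *p = fmt; *p; ) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }              /* literal "%%" */
        int want = conv_size(&p);
        if (i >= nargs) return -2;
        if ((size_t)want != arg_sizes[i]) return i;
        i++;
    }
    return i == nargs ? -1 : -2;
}

int main(void)
{
    /* Constructed sizes: a 64-bit HANDLE process id and a char * name. */
    const size_t handle_and_ptr[] = { sizeof(void *), sizeof(char *) };
    /* Same call when the name function has no prototype: the call is an int. */
    const size_t handle_and_int[] = { sizeof(void *), sizeof(int) };

    printf("%d\n", first_width_mismatch("%.4x %s", handle_and_ptr, 2));
    printf("%d\n", first_width_mismatch("%p %s", handle_and_ptr, 2));
    printf("%d\n", first_width_mismatch("%p %s", handle_and_int, 2));
    return 0;
}
```
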