Thanks!
I believe it can be even reduced to 14?! Like Output[14] = '\0';
I have tried it with a process 0123456789abcdefghi.exe and only "0123456789abcd" remained.
- On March 30 at 0:38, Robert Ammerman wrote:
> Should this:
>
> > Output[16] = '\0';
> > memcpy(Output, tmp, 16); // decrease ref counter because
>
> Be this:
>
> > Output[15] = '\0';
> > memcpy(Output, tmp, 15); // decrease ref counter because
>
> * Bob
>
>
> Bob Ammerman
> xxxxx@ramsystems.biz
> 716.864.8337
>
> 138 Liston St
> Buffalo, NY 14223
> www.ramsystems.biz
>
>
> > -----Original Message-----
> > From: xxxxx@lists.osr.com [mailto:bounce-628462-
> > xxxxx@lists.osr.com] On Behalf Of puzzle
> > Sent: Wednesday, March 29, 2017 6:09 PM
> > To: Windows System Software Devs Interest List
> > Subject: [ntdev] RE:[ntdev] DbgPrint not always prints out
> >
> > I did it this way:
> >
> > VOID GetProcessNameFromPid(HANDLE Pid, PCHAR Output) {
> >     LPSTR tmp;
> >     PEPROCESS Process;
> >
> >     if (PsLookupProcessByProcessId(Pid, &Process) != STATUS_SUCCESS) {
> >         strcpy(Output, "N/A");
> >         return;
> >     }
> >
> >     tmp = (LPSTR)PsGetProcessImageFileName(Process);
> >     Output[16] = '\0';
> >     memcpy(Output, tmp, 16);
> >     ObDereferenceObject(Process); // decrease ref counter because PsLookupProcessByProcessId incremented it
> > }
> >
> >
> >
> >
> > On 27 March 2017 at 16:18, xxxxx@gmail.com wrote:
> >
> > > PsGetProcessImageFileName is present in NTOSKRNL.LIB. So you just need the prototype.
> > >
> > > NTSYSAPI PUCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process);
> > >
> > > But be careful, the returned pointer is the address of a UCHAR[15] array that belongs to the _EPROCESS structure.
> > >
> > > kd> dt nt!_EPROCESS
> > > +0x000 Pcb : _KPROCESS
> > > …
> > > +0x450 ImageFileName : [15] UChar
> > > …
> > >
> > > This is confirmed by the disassembly:
> > >
> > > kd> uf nt!PsGetProcessImageFileName
> > > nt!PsGetProcessImageFileName:
> > > fffff803b6969b30 488d8150040000 lea rax,[rcx+450h] // 0x450 is ImageFileName's offset
> > > fffff803b6969b37 c3             ret
> > >
> > > So the access should be read-only and the EPROCESS object should be referenced before it is used and dereferenced after it is used. Of course when you deal with an undocumented function, everything may vanish at any time.
> > >
> > > You can monitor process creation/termination with PsSetCreateProcessNotifyRoutineEx and get much more reliable information.
> > >
> > >
> > > —
> > > NTDEV is sponsored by OSR
> > >
> > > Visit the list online at:
> > > http:
> > >
> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> > software drivers!
> > > Details at http:
> > >
> > > To unsubscribe, visit the List Server section of OSR Online at
> > > http:
> > >
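As an added example (not code from the thread or from Windows), a user-mode model of the copy step the thread is debating: the 15-byte ImageFileName field is simulated with a constructed struct, `set_image_file_name` is a hypothetical stand-in for how the kernel fills it, and `copy_image_file_name` is a bounded replacement for the `Output[16] = '\0'; memcpy(Output, tmp, 16);` pair that can neither over-read the field nor overrun the caller's buffer.

```c
#include <string.h>
/* Size of the EPROCESS ImageFileName field, as shown by "dt nt!_EPROCESS". */
#define IMAGE_FILE_NAME_LEN 15
/* Constructed stand-in for the EPROCESS field: a fixed 15-byte array. */
typedef struct { unsigned char ImageFileName[IMAGE_FILE_NAME_LEN]; } FakeEprocess;

/* Hypothetical model of how the kernel fills the field: at most 14 characters
 * followed by a NUL, which is why 14 characters remained in the test above. */
static void set_image_file_name(FakeEprocess *p, const char *name)
{
    size_t n = strlen(name);
    if (n > IMAGE_FILE_NAME_LEN - 1) n = IMAGE_FILE_NAME_LEN - 1;
    memcpy(p->ImageFileName, name, n);
    memset(p->ImageFileName + n, 0, IMAGE_FILE_NAME_LEN - n);
}

/* Hardened copy step: the source is a 15-byte field that need not be
 * NUL-terminated, the destination size is explicit, and the result is always
 * terminated. Returns the number of characters copied. */
size_t copy_image_file_name(char *out, size_t out_size, const unsigned char *field)
{
    size_t n = 0;
    if (out_size == 0) return 0;
    while (n < IMAGE_FILE_NAME_LEN && field[n] != '\0') /* never read past byte 15 */
        n++;
    if (n > out_size - 1) n = out_size - 1;              /* keep room for the NUL */
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}
/* The thread's experiment: "0123456789abcdefghi.exe" comes back as the
 * 14-character "0123456789abcd". Returns 1 when that holds. */
int check_thread_example(void)
{
    FakeEprocess p;
    char buf[16];
    set_image_file_name(&p, "0123456789abcdefghi.exe");
    return copy_image_file_name(buf, sizeof buf, p.ImageFileName) == 14
        && strcmp(buf, "0123456789abcd") == 0;
}
/* Edge cases: an unterminated field is not over-read, and a 4-byte
 * destination receives a truncated but terminated "AAA". Returns 1 on success. */
int check_bounds(void)
{
    unsigned char raw[IMAGE_FILE_NAME_LEN]; char full[16], small[4];
    memset(raw, 'A', sizeof raw);
    return copy_image_file_name(full, sizeof full, raw) == 15 && full[15] == '\0'
        && copy_image_file_name(small, sizeof small, raw) == 3 && strcmp(small, "AAA") == 0;
}
```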