Re: RE:[ntdev] DbgPrint not always prints out

puzzle wrote:

I did it this way:

VOID GetProcessNameFromPid(HANDLE Pid, PCHAR Output)
{
    LPSTR tmp;
    PEPROCESS Process;

    if (PsLookupProcessByProcessId(Pid, &Process) != STATUS_SUCCESS) {
        strcpy(Output, "N/A");
        return;
    }

    tmp = (LPSTR)PsGetProcessImageFileName(Process);
    Output[16] = '\0';
    memcpy(Output, tmp, 16);
    ObDereferenceObject(Process); // decrease ref counter because PsLookupProcessByProcessId incremented it
}

And this is exactly why types like ANSI_STRING were created. How do you
know that the buffer you were passed can actually hold 17 bytes? What
if you change the buffer later, or you decide to return more than that?
Very dangerous coding.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
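As an added illustration of the counted-buffer approach Tim is recommending (example code, not from the thread): the caller hands over a string descriptor carrying its own capacity, and the copy of the 16-byte image-name field fails cleanly instead of writing past the end. It is user-mode C so it can be compiled anywhere; the COUNTED_STRING struct is an assumed stand-in with the same Length/MaximumLength/Buffer layout as the kernel's ANSI_STRING, and the status values are taken from ntstatus.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in mirroring the kernel's ANSI_STRING layout. In a driver
 * you would use a real ANSI_STRING set up with RtlInitEmptyAnsiString. */
typedef struct _COUNTED_STRING {
    uint16_t Length;        /* bytes in use (terminator not counted) */
    uint16_t MaximumLength; /* bytes the caller actually owns in Buffer */
    char    *Buffer;
} COUNTED_STRING;

#define IMAGE_NAME_LEN 16   /* size of the field the posted code memcpy()s */

typedef long NTSTATUS_LIKE;
#define STATUS_SUCCESS          0x00000000L
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS_LIKE)0xC0000023L)

/* Copy a possibly unterminated 16-byte image name into a counted string.
 * Reads at most IMAGE_NAME_LEN bytes from the source and never writes past
 * Output->MaximumLength; truncation is reported, not silently hidden. */
NTSTATUS_LIKE CopyImageName(const char ImageName[IMAGE_NAME_LEN],
                            COUNTED_STRING *Output)
{
    size_t len = 0;

    /* Bounded length scan: the field is not guaranteed to carry a NUL,
     * which is exactly why the original code poked Output[16] = '\0'. */
    while (len < IMAGE_NAME_LEN && ImageName[len] != '\0')
        len++;

    if (Output->Buffer == NULL || Output->MaximumLength < len) {
        Output->Length = 0;          /* leave nothing half-written */
        return STATUS_BUFFER_TOO_SMALL;
    }

    memcpy(Output->Buffer, ImageName, len);
    Output->Length = (uint16_t)len;

    /* Add a terminator only when there is room for it; Length is the
     * authoritative size either way, so callers never need to guess. */
    if (Output->MaximumLength > len)
        Output->Buffer[len] = '\0';

    return STATUS_SUCCESS;
}
```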