VIJAY:
This is what I think might be going on:
- The code below will fail if the current process is either the system
process or the idle process, as neither has a PEB.
- The PEB and its nested structures/pointers are user mode accessible
and thus always potentially paged out. In addition to ensuring the
EPROCESS::PEB is != NULL (from above), you need to probe it fully, and
guard it with SEH. It is quite possible that the OS takes care of this
automatically, but unless you know that it does, I would do this.
- Are you looking for process name/filename or full image path? If
you seek process name, you need to look at EPROCESS::ImageFileName.
This is where “System” and “Idle” are stored for the PEB less
processes.
- The length of ImagePath is not necessarily 255 wide characters
(memcpy(wBuff, (char*)(offset2+offset3), 255 * sizeof(WCHAR))). Nor,
strictly speaking, is it necessarily null terminated. You are almost
certainly copying garbage, which, given that this is occurring on an IA32
in the very small FS segment, might cause an access violation by
overrunning the segment. The length to copy is a member of
UNICODE_STRING.
FOR WHAT IT IS WORTH:
I would strongly advise you throw out this routine and start over. My
guess is that you copied this routine from somewhere. As noted in other
postings, this whole operation is inherently version specific, under the
best of circumstances, unless you go the reflection to a user mode
service or image load notify routine routes. What you have below,
however, in addition to being filled with constraints under which it
will work, is almost incomprehensible, basically for two reasons. The
first is, of course, the lack of structure definitions - hard coded
offsets. Your basic question is a very reasonable one (image
filenames), and is easily one of the most common on these lists; yet
very few seem to have responded to you. This is why. The second
follows from the first - with structure definitions (even incomplete
ones with only the salient fields and dummy fields for the rest), all of
the offset variables (and the memcpy()) go away. In particular the last
really sketchy 16 bit copy to offset3.
ALL OF THIS:
ptr = (PCHAR)curproc + 0x1b0;       // 0x1b0 : position of _PEB in _EPROCESS structure
memcpy(&offset1, ptr, 4);
ptr = (PCHAR)(offset1 + 0x10);      // 0x10  : position of ProcessParameters in _PEB structure
memcpy(&offset2, ptr, 4);
ptr = (PCHAR)(offset2 + 0x3c);      // 0x3c  : position of fullpath (ImagePath) in ProcessParameters
memcpy(&offset3, ptr, 2);
memcpy(wBuff, (char*)(offset2+offset3), 255 * sizeof(WCHAR));
// DbgPrint(("offset1:[%X], offset2:[%X], offset3:[%X], ImagePath:[%ws]\n", offset1, offset2, offset3, wBuff));
wcscpy(Name, wBuff);
BECOMES THIS:
/* The field is ImagePathName in RTL_USER_PROCESS_PARAMETERS, and
   UNICODE_STRING.Length is a byte count, so copy that many bytes and
   add the terminator yourself (the source buffer need not have one). */
memcpy(Name, NtCurrentPeb()->ProcessParameters->ImagePathName.Buffer,
       NtCurrentPeb()->ProcessParameters->ImagePathName.Length);
Name[NtCurrentPeb()->ProcessParameters->ImagePathName.Length / sizeof(wchar_t)] = L'\0';
I mention this not to criticize, but to give you some ideas for ways to
improve the likelihood of getting answers to your questions.
I hope this helps,
MM
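The three checks MM lists (the PEB can be NULL for the System and Idle processes, the short name then lives in EPROCESS::ImageFileName, and the copy length comes from UNICODE_STRING.Length in bytes from a buffer that need not be NUL-terminated), as an added example that is not part of this thread and is not Windows kernel code. It is a portable C model: PROCESS, PEB and PROCESS_PARAMETERS are hypothetical stand-ins carrying only the salient fields (the real EPROCESS and PEB layouts are version specific, which is MM's point), UNICODE_STRING has its real layout, and the sample process records and the 22-character path are constructed inline. What it deliberately leaves out is the probing and __try/__except a real driver needs around user-mode pointers, since that cannot be modelled portably.

```c
/* Added example, not from this thread and not Windows kernel code. PROCESS,
 * PEB and PROCESS_PARAMETERS below are hypothetical partial stand-ins;
 * UNICODE_STRING is the real layout. No probing/SEH is modelled. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;                /* 16-bit wide character, as on Windows */

typedef struct {                       /* real UNICODE_STRING layout */
    uint16_t Length;                   /* in BYTES, not characters */
    uint16_t MaximumLength;            /* in BYTES */
    WCHAR   *Buffer;                   /* need not be NUL-terminated */
} UNICODE_STRING;

typedef struct { UNICODE_STRING ImagePathName; } PROCESS_PARAMETERS; /* hypothetical, partial */
typedef struct { PROCESS_PARAMETERS *ProcessParameters; } PEB;       /* hypothetical, partial */
typedef struct {                                                     /* hypothetical, partial */
    PEB *Peb;                          /* NULL for the System and Idle processes */
    char ImageFileName[16];            /* short name: 15 chars + NUL, as in EPROCESS */
} PROCESS;

enum { NAME_ERROR = -1, NAME_FROM_PEB = 1, NAME_FROM_IMAGEFILENAME = 2 };

/* Copy the image path of proc into dst (capacity dstChars, including the NUL).
 * Returns which source was used, or NAME_ERROR. Reads at most Length bytes of
 * the source and never writes past dst[dstChars-1]. */
int GetProcessImagePath(const PROCESS *proc, WCHAR *dst, size_t dstChars)
{
    const UNICODE_STRING *s;
    size_t n, i;

    if (proc == NULL || dst == NULL || dstChars == 0)
        return NAME_ERROR;

    if (proc->Peb == NULL) {           /* PEB-less process: use the EPROCESS short name */
        for (i = 0; i + 1 < dstChars && i < sizeof proc->ImageFileName
                    && proc->ImageFileName[i] != '\0'; i++)
            dst[i] = (WCHAR)(unsigned char)proc->ImageFileName[i];
        dst[i] = 0;
        return NAME_FROM_IMAGEFILENAME;
    }

    s = proc->Peb->ProcessParameters ? &proc->Peb->ProcessParameters->ImagePathName : NULL;
    if (s == NULL || s->Buffer == NULL) { dst[0] = 0; return NAME_ERROR; }

    n = s->Length / sizeof(WCHAR);     /* bytes -> characters */
    if (n > dstChars - 1)
        n = dstChars - 1;              /* truncate instead of overrunning dst */
    memcpy(dst, s->Buffer, n * sizeof(WCHAR));
    dst[n] = 0;                        /* add the terminator the source may lack */
    return NAME_FROM_PEB;
}

static size_t WideLen(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Constructed sample path: 22 WCHARs with NO terminating NUL, the case a
 * fixed 255-WCHAR memcpy gets wrong. */
static WCHAR g_path[] = { 'C',':','\\','W','i','n','d','o','w','s','\\',
                          'n','o','t','e','p','a','d','.','e','x','e' };

/* Build a constructed user process around g_path and copy its path into a
 * dstChars-wide buffer; returns the resulting string length or -1. */
static int RunUserProcess(size_t dstChars)
{
    PROCESS_PARAMETERS pp = { { (uint16_t)sizeof g_path, (uint16_t)sizeof g_path, g_path } };
    PEB peb = { &pp };
    PROCESS proc = { &peb, "notepad.exe" };
    WCHAR dst[260];
    if (dstChars > 260 || GetProcessImagePath(&proc, dst, dstChars) != NAME_FROM_PEB) return -1;
    if (memcmp(dst, g_path, WideLen(dst) * sizeof(WCHAR)) != 0) return -1; /* prefix must match */
    return (int)WideLen(dst);
}
int DemoUserProcess(void) { return RunUserProcess(260); } /* 22: full path, terminated */
int DemoTruncation(void)  { return RunUserProcess(8); }   /* 7: cut to fit, never overrun */

/* System process: no PEB, so the name must come from ImageFileName. Returns 6 or -1. */
int DemoSystemProcess(void)
{
    PROCESS proc = { NULL, "System" };
    WCHAR dst[32];
    if (GetProcessImagePath(&proc, dst, 32) != NAME_FROM_IMAGEFILENAME) return -1;
    return (int)WideLen(dst);
}

int main(void)
{
    printf("user process: %d chars, system: %d chars, truncated: %d chars\n",
           DemoUserProcess(), DemoSystemProcess(), DemoTruncation());
    return 0;
}
```

The two things to carry over to a real driver are the shape of the copy (Length bytes from Buffer, then a terminator you write yourself, bounded by the destination) and the PEB NULL check that selects ImageFileName instead; the structure definitions replace every hard-coded offset and the 16-bit memcpy, which is exactly MM's point about readability.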
>> xxxxx@yahoo.co.in 2006-07-21 11:20 >>>
Hi,
I got the full path of the process name from kernel mode
through the position of _PEB in the _EPROCESS structure.
But sometimes, for some processes whose name length is greater than 16,
it works, but sometimes it gives a message like
"Only part of a ReadProcessMemory or WriteProcessMemory request was
completed."
I'm working on WinXP.
This error is because at that time the offset2 value is 0,
and this error is for this line:
memcpy(&offset3, ptr, 2);
I tried the following, but can't get the address that points to the full path.
When offset2 is 0 I set the values
offset2 = 0x2000
offset3 = 0x7c4
but it gives the same error for the line
memcpy(wBuff, (char*)(offset2+offset3), 255 * sizeof(WCHAR));
I tried the following, but can't get the address that points to the full path.
I would appreciate any comment on what I have to do so it will work for
all cases.
Thanks.
#include <ntddk.h>

//----------------------------------------------------------------------
// GetProcessName
//----------------------------------------------------------------------
void GetProcessName(PWCHAR Name)
{
    PEPROCESS curproc;
    char* ptr;
    int offset1, offset2;
    short offset3;
    WCHAR wBuff[255];

    curproc = PsGetCurrentProcess();
    ptr = (PCHAR)curproc + 0x1b0;       // 0x1b0 : position of _PEB in _EPROCESS structure
    memcpy(&offset1, ptr, 4);
    ptr = (PCHAR)(offset1 + 0x10);      // 0x10  : position of ProcessParameters in _PEB structure
    memcpy(&offset2, ptr, 4);
    ptr = (PCHAR)(offset2 + 0x3c);      // 0x3c  : position of fullpath (ImagePath) in ProcessParameters
    memcpy(&offset3, ptr, 2);
    memcpy(wBuff, (char*)(offset2+offset3), 255 * sizeof(WCHAR));
    // DbgPrint(("offset1:[%X], offset2:[%X], offset3:[%X], ImagePath:[%ws]\n", offset1, offset2, offset3, wBuff));
    wcscpy(Name, wBuff);                // Name is the out parameter; the function is void, so nothing is returned
}
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@evitechnology.com