Re: Get SectionHandle from PEPROCESS?
From: Maxim S. Shatskih (maxim_at_storagecraft.com)
Date: 05/13/04
- Next message: Maxim S. Shatskih: "Re: Modem Driver"
- Previous message: Don Burn: "Re: Get SectionHandle from PEPROCESS?"
- In reply to: Don Burn: "Re: Get SectionHandle from PEPROCESS?"
- Next in thread: afei: "Re: Get SectionHandle from PEPROCESS?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 May 2004 19:47:19 +0400
More exactly - works with NT4 onward. :-) I have code based on this; the
binary is working from NT4 to w2k3 without rebuilds.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"Don Burn" <burn@stopspam.acm.org> wrote in message news:10a75q1mtck6ma3@corp.supernews.com...
> Actually, there is a legal but painful way. You have to build your own
> table based on the first call to the load image notify callback for a given
> process; this is the executable name. You can free table entries when the
> process terminates from the process create notify callback. Painful but it
> is safe and approved and works from Win2k onward.
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> "George M. Garner Jr." <gmgarner@erols.com> wrote in message
> news:O9NKEAQOEHA.4044@TK2MSFTNGP10.phx.gbl...
> > Don,
> >
> > > I believe I saw this on ntdev from OSR. <
> >
> > Thanks. I found the discussions to which you were referring.
> > PsGetProcessImageFileName returns the ImageFileName member of the EPROCESS
> > structure. afei was looking for the full path, however, which is to be
> > found elsewhere. If there is a PsGetAuditProcessCreationInfo that certainly
> > would be a function of interest.
> >
> > > PHIDE breaks enough rules to be considered a virus in my book. <
> >
> > PHIDE is a virus. The author cautions that the code is proof-of-concept and
> > is not heavily armored. PHIDE patches the active process list to hide an
> > arbitrary process based on its pid. I did not say that I recommended doing
> > this. Nevertheless, PHIDE does include some valuable insights into how to
> > obtain the full image path for an arbitrary process based on its pid.
> >
> > This whole conversation started out (and is destined to remain) in uncharted
> > waters given that there is no documented way of doing what the original
> > poster is trying to do. I assume that the original poster has some
> > legitimate (i.e. lawful) reason for what he is trying to do. The threads
> > over at OSR already suggest a few.
> >
> > Regards,
> >
> > George.
> >
> >
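The table-building approach Don Burn describes in the quoted reply, as an added example that is not part of the thread and not any poster's code: a portable, user-mode C model of the two callbacks and the pid-to-path table they maintain. The names on_load_image, on_process_notify, lookup_image_path and tracked_count, and the constructed paths and pids, are assumptions; a real driver would register its callbacks with PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine, receive PUNICODE_STRING and HANDLE arguments, and need a lock and pool allocation, all of which the model leaves out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: a portable user-mode model of the
 * "build your own table" technique. In a real driver, on_load_image would be
 * registered with PsSetLoadImageNotifyRoutine and on_process_notify with
 * PsSetCreateProcessNotifyRoutine; both run concurrently there and would need
 * a lock. Here the callbacks are driven by constructed events from main(). */

#define MAX_TRACKED  64
#define MAX_PATH_LEN 260

typedef struct {
    uintptr_t pid;                  /* 0 marks an empty slot */
    char      image_path[MAX_PATH_LEN];
} tracked_process;

static tracked_process g_table[MAX_TRACKED];

static tracked_process *find_entry(uintptr_t pid)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

/* Model of the load-image notify callback. Per the thread, the first image
 * mapped into a new process is its executable, so the path is recorded only
 * when the pid is not yet in the table; later DLL loads for the same pid are
 * ignored. A pid of 0 models the documented case of a driver being mapped
 * into the kernel, which belongs to no process. Returns 1 if recorded. */
int on_load_image(const char *full_image_name, uintptr_t pid)
{
    if (pid == 0 || full_image_name == NULL || find_entry(pid) != NULL)
        return 0;
    tracked_process *slot = find_entry(0);    /* first empty slot */
    if (slot == NULL)
        return 0;                             /* table full; real code would grow it */
    slot->pid = pid;
    strncpy(slot->image_path, full_image_name, MAX_PATH_LEN - 1);
    slot->image_path[MAX_PATH_LEN - 1] = '\0';
    return 1;
}

/* Model of the create-process notify callback. Only the termination
 * notification (create == 0) matters here: it releases the entry so the
 * table does not grow without bound and a recycled pid is never answered
 * with a stale path. Returns 1 if an entry was released. */
int on_process_notify(uintptr_t pid, int create)
{
    if (create)
        return 0;
    tracked_process *e = find_entry(pid);
    if (e == NULL)
        return 0;
    memset(e, 0, sizeof *e);
    return 1;
}

/* What the original poster wanted: the full image path for an arbitrary pid. */
const char *lookup_image_path(uintptr_t pid)
{
    tracked_process *e = (pid == 0) ? NULL : find_entry(pid);
    return e ? e->image_path : NULL;
}

int tracked_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].pid != 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed event sequence; the paths and pids are made up. */
    on_process_notify(1234, 1);                                             /* process created */
    on_load_image("\\Device\\HarddiskVolume1\\Windows\\notepad.exe", 1234); /* executable: recorded */
    on_load_image("\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll", 1234); /* DLL: ignored */
    on_load_image("\\SystemRoot\\System32\\drivers\\example.sys", 0);       /* driver load: ignored */
    printf("pid 1234 -> %s\n", lookup_image_path(1234));
    on_process_notify(1234, 0);                                             /* process exited */
    printf("pid 1234 after exit -> %s\n",
           lookup_image_path(1234) ? lookup_image_path(1234) : "(not tracked)");
    return 0;
}
```

The model compiles with any C99 compiler. The termination cleanup is the part that matters most in practice: Windows recycles process ids, so a table that is only ever appended to will eventually attribute a new process to the image path of a dead one, which is exactly the kind of mismatch a monitoring or auditing driver cannot afford.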