Re: Get SectionHandle from PEPROCESS?

From: Don Burn (burn_at_stopspam.acm.org)
Date: 05/15/04


Date: Sat, 15 May 2004 07:46:40 -0400

Load your driver at boot time, build your own mapping table, use the
PsSetLoadImageNotifyRoutine's callback (first image loaded for a process is
its executable) to populate the table, and PsSetCreateProcessNotifyRoutine's
callback to free entries in the table. This is 100% approved safe and
legal. Note I have never encountered any complaints of hitting the limit on
these calls that was in some versions of the OS.

-- 
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

"afei" <afei@sbcglobal.net> wrote in message
news:68000f4f.0405131123.2392871e@posting.google.com...
> Hi George & Don, thanks for the response.
>
> Yes, I tried the offset 0x1d4 on WinXP and it works. I will use it
> before I find a better way.
>
> To get the path name from the Section, the idea is to find the related
> FileObject, then call ObQueryNameString() to get the file name. In the
> SectionObject, offset +0x14 is a pointer to some structure
> which contains the FileObject at offset +0x24. It's lucky that these
> didn't change on Win2000, WinXP and Win2003, so I can use it before a
> documented method is found.
> ObReferenceObjectByHandle( ...SectionHandle... pSectionPointer ... )
>             mov     eax, pSectionPointer
>             mov     ecx, [eax+14h]
>             mov     eax, [ecx]
>             mov     ecx, [eax+24h]
>             mov     pFileObj, ecx
> ObQueryNameString( ... pFileObj ... )
>
> As Don said, this is not a good solution, but what can we do without a
> better choice?
>
> Rgds.
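
The table lifecycle from Don Burn's reply, as an added example that is not code from the thread: a user-mode C model of the bookkeeping, so it builds without the DDK. The function names, the fixed-size array and the sample paths are assumptions; in a driver the two functions would be the bodies of the routines registered with PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine, with the table in non-paged memory behind a lock.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of the driver's table (assumptions: fixed-size array, no
   locking). on_image_load() stands in for the load-image notify routine and
   on_process_notify() for the create-process one. All names hypothetical. */
#define MAX_PROCS 64
struct proc_entry { uintptr_t pid; int used; char image[260]; };
static struct proc_entry table[MAX_PROCS];

static struct proc_entry *find(uintptr_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (table[i].used && table[i].pid == pid) return &table[i];
    return NULL;
}

/* Only the first image mapped into a process is its executable; later
   loads are DLLs and must not overwrite the entry. */
int on_image_load(const char *full_image_name, uintptr_t pid) {
    if (pid == 0 || full_image_name == NULL) return 0; /* driver load, or no name */
    if (find(pid)) return 0;                           /* EXE already recorded */
    for (int i = 0; i < MAX_PROCS; i++) {
        if (table[i].used) continue;
        table[i].used = 1;
        table[i].pid = pid;
        snprintf(table[i].image, sizeof table[i].image, "%s", full_image_name);
        return 1;
    }
    return -1;                                         /* table full */
}

/* Free the entry on exit so a reused PID cannot inherit a stale path. */
void on_process_notify(uintptr_t pid, int create) {
    struct proc_entry *e = create ? NULL : find(pid);
    if (e) memset(e, 0, sizeof *e);
}

const char *image_for_pid(uintptr_t pid) {
    struct proc_entry *e = find(pid);
    return e ? e->image : NULL;
}

int main(void) {                                       /* constructed sample paths */
    on_image_load("\\Device\\HarddiskVolume1\\WINDOWS\\notepad.exe", 1234);
    on_image_load("\\Device\\HarddiskVolume1\\WINDOWS\\system32\\ntdll.dll", 1234);
    printf("pid 1234 -> %s\n", image_for_pid(1234));
    return 0;
}
```

Loading at boot time matters for the same reason the exit callback does: a process that started before the driver registered its callbacks has no entry, and a lookup for it returns nothing.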

