Re: Process image file path
- From: "Ivan Brugiolo [MSFT]" <Ivan.Brugiolo@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 May 2006 10:40:39 -0700
The image name is gotten from the path of the FILE_OBJECT associated
with the SECTION that was passed to NtCreateProcessEx,
and cached in the Audit-Info structure for a process.
Using this would be relying upon an undocumented behavior, though.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Maxim S. Shatskih" <maxim@xxxxxxxxxxxxxxxx> wrote in message
news:ehfLPayfGHA.2032@xxxxxxxxxxxxxxxxxxxxxxx
> In the WXP ntddk.h file there is an enum value, ProcessImageFileName.
> Using this value with ZwQueryInformationProcess returns the path +
> filename successfully.

The path? I'm really amazed.

XP SP2's Windows Firewall has the rules based on EXE pathname. To match
the app against these rules, IPNATHLP.DLL (which is the user-mode part of
Windows Firewall) uses good old psapi!GetModuleFileNameEx, which just reads
the target's PEB using ReadProcessMemory and gets the pathname string in the
PEB's child structure of RTL_USER_PROCESS_PARAMETERS.

I would be very much surprised that XP's kernel has a call to get the
_Unicode full pathname_ of the process's EXE.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@xxxxxxxxxxxxxxxx
http://www.storagecraft.com
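The thread contrasts two sources for a process's image path: the path the kernel cached from the FILE_OBJECT of the section at process creation (what ProcessImageFileName returns) and the string that psapi!GetModuleFileNameEx reads out of the target's own PEB. The script below is an added example, not code from either poster; it calls ntdll!NtQueryInformationProcess with the ProcessImageFileName class from user mode, translates the resulting \Device\... path to a drive-letter path with kernel32!QueryDosDevice, and puts it next to the PEB-derived value that .NET's Process.MainModule reports (the same data GetModuleFileNameEx uses). It assumes Windows with PowerShell 5.1 or later, a process handle with query rights (the default is the current process), and the documented constant ProcessImageFileName = 27; the function and class names are the example's own.

```powershell
# Added example, not from the thread. Compares the kernel-cached image path
# (NtQueryInformationProcess / ProcessImageFileName) with the PEB-derived one.
$signature = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class ImagePath
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;          // byte count, not character count
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        IntPtr processInformation, int processInformationLength,
        out int returnLength);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint QueryDosDevice(string deviceName, StringBuilder targetPath, uint ucchMax);

    const int ProcessImageFileName = 27;                            // PROCESSINFOCLASS from ntddk.h
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    // Returns the NT device path (\Device\HarddiskVolumeN\...) the kernel holds
    // for the process, or null if the query fails (e.g. insufficient access).
    public static string QueryNtImagePath(IntPtr hProcess)
    {
        int needed;
        int status = NtQueryInformationProcess(hProcess, ProcessImageFileName, IntPtr.Zero, 0, out needed);
        if (status != STATUS_INFO_LENGTH_MISMATCH) return null;     // first call only sizes the buffer
        IntPtr buf = Marshal.AllocHGlobal(needed);
        try
        {
            status = NtQueryInformationProcess(hProcess, ProcessImageFileName, buf, needed, out needed);
            if (status != 0) return null;
            UNICODE_STRING us = (UNICODE_STRING)Marshal.PtrToStructure(buf, typeof(UNICODE_STRING));
            return Marshal.PtrToStringUni(us.Buffer, us.Length / 2);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Translate \Device\HarddiskVolumeN\dir\x.exe into C:\dir\x.exe by asking the
    // DOS device table which drive letter is a symbolic link to that device.
    public static string NtToDosPath(string ntPath)
    {
        if (ntPath == null) return null;
        StringBuilder target = new StringBuilder(260);
        for (char c = 'A'; c <= 'Z'; c++)
        {
            string drive = c + ":";
            target.Length = 0;
            if (QueryDosDevice(drive, target, (uint)target.Capacity) == 0) continue;
            string dev = target.ToString();                         // first entry of the MULTI_SZ
            if (ntPath.StartsWith(dev + "\\", StringComparison.OrdinalIgnoreCase))
                return drive + ntPath.Substring(dev.Length);
        }
        return ntPath;   // no drive letter maps to this device; keep the NT form
    }
}
'@
Add-Type -TypeDefinition $signature

function Compare-ImagePath {
    param([int]$ProcessId = $PID)
    $proc = Get-Process -Id $ProcessId
    # Kernel view: path cached from the section's FILE_OBJECT at NtCreateProcessEx.
    $ntPath     = [ImagePath]::QueryNtImagePath($proc.Handle)
    $kernelView = [ImagePath]::NtToDosPath($ntPath)
    # PEB view: read from the target's address space, as psapi!GetModuleFileNameEx does.
    $pebView    = $proc.MainModule.FileName
    [pscustomobject]@{
        ProcessId  = $ProcessId
        NtPath     = $ntPath
        KernelPath = $kernelView
        PebPath    = $pebView
        Agree      = ($kernelView -ieq $pebView)
    }
}

Compare-ImagePath
```

Run it as-is to inspect the current PowerShell host, or pass `-ProcessId` for another process you are allowed to open. The NtPath column shows the raw \Device\ form the kernel returns, which is why any rule engine that wants a drive-letter comparison needs the QueryDosDevice translation step. The point the thread raises is which of the two columns a policy decision such as a per-executable firewall rule is keyed on: KernelPath comes from the object the kernel mapped at creation, while PebPath is data read out of the target process's own memory, so an auditing or enforcement component that needs the image path should prefer the first and treat a disagreement between the two as something worth logging.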