In the driver (sys), how does one obtain the complete path and process name of the current process?


First, call PsGetCurrentProcess or IoGetCurrentProcess to obtain the current process object. The returned value is a pointer to the _EPROCESS structure, which is laid out as follows:

typedef struct _EPROCESS
{
    KPROCESS Pcb;
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    DWORD LockCount;
    QWORD CreateTime;
    QWORD ExitTime;
    PVOID LockOwner;
    DWORD UniqueProcessId;
    QWORD ActiveProcessLinks;
    DWORD QuotaPeakPoolUsage[2];   // NP, P
    DWORD QuotaPoolUsage[2];       // NP, P
    DWORD PagefileUsage;
    DWORD CommitCharge;
    DWORD PeakPagefileUsage;
    DWORD PeakVirtualSize;
    QWORD VirtualSize;
    DWORD Vm[12];
    DWORD LastProtoPteFault;
    DWORD DebugPort;
    DWORD PredictionPort;
    DWORD ObjectTable;
    DWORD Token;
    DWORD WorkingSetLock[8];
    DWORD WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    BOOLEAN AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    DWORD AddressCreationLock[9];
    DWORD ForkInProgress;
    DWORD VmOperation;
    DWORD VmOperationEvent;
    DWORD PageDirectoryPte;
    QWORD LastFaultCount;
    PVOID VadRoot;
    DWORD VadHint;
    DWORD CloneRoot;
    DWORD NumberOfPrivatePages;
    DWORD NumberOfLockedPages;
    WORD w184;
    BOOLEAN ExitProcessCalled;
    BOOLEAN CreateProcessReported;
    HANDLE SectionHandle;
    struct _PEB *Peb;              // offset 0x1b0
    PVOID SectionBaseAddress;
    PVOID QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    DWORD InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    DWORD DefaultHardErrorProcessing;
    DWORD LdtInformation;
    DWORD VadFreeHint;
    DWORD VdmObjects;
    KMUTANT ProcessMutant;
    BYTE ImageFileName[16];        // offset 0x1fc
    DWORD VmTrimFaultValue[2];
    PVOID Win32Process;
    DWORD d1f8;
    DWORD d1fc;
} EPROCESS, *PEPROCESS, **PPEPROCESS;

The structure above shows that the process name is held in ImageFileName. Adding the offset 0x1fc to the base address of _EPROCESS therefore gives the address of the process name. The code is as follows:

    char *processName = (char *)PsGetCurrentProcess() + 0x1fc;   // _EPROCESS.ImageFileName
    KdPrint(("Current process name: %s\n", processName));      // KdPrint takes double parentheses

To obtain the complete path, follow the _PEB pointer in the _EPROCESS structure to the ProcessParameters address; ProcessParameters stores the complete path of the process. You can use the windbg tool that ships with the DDK to open an executable program and then issue the !peb command to display the _PEB structure, as follows:

---------------------------------------
> !peb
Debugger extension library [F:\winnt\system32\ntsdexts] loaded
PEB at 7ffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: g0f88 . 132998
    Ldr.InLoadOrderModuleList:           specified ee0 . 132988
    Ldr.InMemoryOrderModuleList:         created ee8 . 132990
        00400000 D:\ntsysinfo.exe
        77f80000 F:\winnt\system32\ntdll.dll
        77e60000 F:\winnt\system32\kernel32.dll
        77df0000 F:\winnt\system32\user32.dll
        77f40000 F:\winnt\system32\gdi32.dll
        76af0000 F:\winnt\system32\comdlg32.dll
        70bd0000 F:\winnt\system32\shlwapi.dll
        77d90000 F:\winnt\system32\advapi32.dll
        77d20000 F:\winnt\system32\rpcrt4.dll
        71700000 F:\winnt\system32\comctl32.dll
        77560000 F:\winnt\system32\shell32.dll
        78000000 F:\winnt\system32\msvcrt.dll
        777c0000 F:\winnt\system32\winspool.drv
    SubSystemData:     0
    ProcessHeap:       130000
    ProcessParameters: 20000
        WindowTitle: 'd:\ntsysinfo.exe'
        ImageFile:   'd:\ntsysinfo.exe'
        CommandLine: '"D:\ntsysinfo.exe "'
        DllPath:     'd:\;.;f:\winnt\system32;F:\winnt\system;F:\winnt\system32;F:\winnt\system32\WBEM;j:\windows;J:\Windows\command;E:\Windows\system\WBEM;J:\windows;J:\Windows\command;E:\Windows\system\WBEM;J:\windows;J:\Windows\Command'
        Environment: 0x10000

From the PEB information printed by windbg, we can see that the ProcessParameters address is 0x20000 and that the ImageFile field holds the complete path of the process. So where is the ProcessParameters address saved inside the _PEB structure? The base address of _PEB is 0x7ffdf000; dumping it with the windbg command "db 0x7ffdf000" shows that the ProcessParameters pointer is saved at offset 0x10 of _PEB, and that its content is 0x20000.
Next, "db 0x20000" displays the contents of ProcessParameters. The address of the complete path is saved at offset 0x3c. If the content at 0x3c is 0x20670, the complete path can be displayed with "db 0x20670"; the path is stored in Unicode.
The program below reproduces these steps to obtain the complete path of the current process:

PCWSTR GetCurrentProcessFileName()
{
    // The PEB lives in user-mode memory, so this walk is only meaningful
    // when executed in the context of the process being examined.
    DWORD dwAddress = (DWORD)PsGetCurrentProcess();
    if (dwAddress == 0 || dwAddress == 0xffffffff)
        return NULL;
    dwAddress += 0x1b0;                                    // _EPROCESS.Peb
    if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;
    dwAddress += 0x10;                                     // _PEB.ProcessParameters
    if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;
    dwAddress += 0x3c;                                     // ProcessParameters + 0x3c: pointer to the image path
    if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;
    KdPrint(("Current process full path name: %ws\n", (PCWSTR)dwAddress));
    return (PCWSTR)dwAddress;
}
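As an added illustration that is not part of the original article, the following C program reproduces the same pointer walk on a constructed byte array standing in for the 32-bit address space, using the article's offsets (0x1b0, 0x10, 0x3c). It adds two checks the routine above omits: every pointer is validated before it is dereferenced, and the path is copied for exactly UNICODE_STRING.Length bytes (read from offset 0x38, inferred from the Buffer pointer sitting at 0x3c and the standard UNICODE_STRING layout) instead of relying on a terminating NUL; ImageFileName[16] is likewise terminated explicitly. The fake addresses, helper names and the sample process image are all constructed for this demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 32-bit "address space": a byte array indexed by fake addresses (demo only). */
#define MEM_SIZE 0x10000
static uint8_t mem[MEM_SIZE];
#define EPROCESS_ADDR 0x1000   /* fake _EPROCESS base */
#define PEB_ADDR      0x2000   /* fake _PEB base */
#define PARAMS_ADDR   0x3000   /* fake ProcessParameters base */
#define PATH_ADDR     0x4000   /* fake ImagePathName.Buffer */

/* Little-endian accessors, matching how x86 stores the DWORD pointers. */
static void put32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }
static uint32_t get32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void put16(uint32_t a, uint16_t v) { memcpy(mem + a, &v, 2); }
static uint16_t get16(uint32_t a) { uint16_t v; memcpy(&v, mem + a, 2); return v; }
/* Reject NULL and out-of-buffer pointers instead of faulting on them. */
static int in_range(uint32_t a, uint32_t len) { return a != 0 && a + len > a && a + len <= MEM_SIZE; }

/* Lay out a sample process image using the offsets from the article (constructed data). */
void build_sample(void) {
    const char *path = "D:\\ntsysinfo.exe";
    uint16_t bytes = (uint16_t)(strlen(path) * 2);
    memset(mem, 0, sizeof mem);
    memcpy(mem + EPROCESS_ADDR + 0x1fc, "ntsysinfo.exe", 13);   /* _EPROCESS.ImageFileName[16] */
    put32(EPROCESS_ADDR + 0x1b0, PEB_ADDR);                      /* _EPROCESS.Peb */
    put32(PEB_ADDR + 0x10, PARAMS_ADDR);                         /* _PEB.ProcessParameters */
    for (size_t i = 0; path[i]; i++) put16(PATH_ADDR + 2 * i, (uint8_t)path[i]); /* UTF-16LE, no NUL */
    put16(PARAMS_ADDR + 0x38, bytes);                            /* ImagePathName.Length (bytes) */
    put16(PARAMS_ADDR + 0x3a, bytes);                            /* ImagePathName.MaximumLength */
    put32(PARAMS_ADDR + 0x3c, PATH_ADDR);                        /* ImagePathName.Buffer */
}

/* Walk _EPROCESS -> _PEB -> ProcessParameters -> ImagePathName, copying exactly Length bytes. */
int get_image_path(uint32_t eprocess, char *out, size_t outsz) {
    if (!in_range(eprocess, 0x200)) return 0;
    uint32_t peb = get32(eprocess + 0x1b0);
    if (!in_range(peb, 0x14)) return 0;                   /* Peb is NULL for the System process */
    uint32_t params = get32(peb + 0x10);
    if (!in_range(params, 0x40)) return 0;
    uint16_t len = get16(params + 0x38), i;
    uint32_t buf = get32(params + 0x3c);
    if (!in_range(buf, len) || (size_t)(len / 2) >= outsz) return 0;
    for (i = 0; i < len / 2; i++) out[i] = (char)get16(buf + 2 * i);  /* demo assumes an ASCII path */
    out[len / 2] = '\0';
    return 1;
}

/* ImageFileName[16] is not guaranteed NUL-terminated: copy 16 bytes, then terminate explicitly. */
void get_image_name(uint32_t eprocess, char out[17]) { memcpy(out, mem + eprocess + 0x1fc, 16); out[16] = '\0'; }
```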

The _EPROCESS structure differs slightly between Windows NT and Windows 2000, so the offsets differ as well, and the program above will not run correctly on Windows NT. To obtain the process name and complete path on Windows NT, apply the same method to find the correct offsets and then build the program with them.

To learn how to obtain the process name and complete path of the current process in a Windows 9x driver (VxD), or for more information, visit the Phil security lab site: http://www.xfilt.com.
