Image Name from Process Handle in Kernel mode
KernelSanders
2004-12-02 00:49:07 UTC
Hello,

I have a kernel driver (for W2K), and it gets a process handle. I would
like to get the image file name (full path to the executable that's running)
from the process handle. Is that possible to obtain?

Thanks!
Gary
--
- Kernel Sanders Kentucky Fried Drivers
Don Burn
2004-12-02 02:01:11 UTC
The only documented and safe way of doing this is to use
PsSetLoadImageNotify to capture the path to the executable as the process is
loaded. Using PsSetCreateProcessNotify will allow you to delete paths as
the processes end. There is supposed to be an undocumented call in XP and
later to get the executable path from the process.

Alternatively, pass the pid to a helper service and the service can
determine the process path from user space, and return it to the driver.

Note, it has been discussed many times that trying to use the process path
as a "security feature" is a bad idea (there are too many ways to fake
things). I don't know what you want the name for, but don't try it for
security.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
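The tracking approach Don describes, as an added example that is not from the thread or from any shipped driver: the PID-to-path table a driver would fill from its PsSetLoadImageNotifyRoutine callback and empty from its PsSetCreateProcessNotifyRoutine callback. It is written as plain C so it builds and runs in user mode; the function names (on_image_load, on_process_notify, lookup_image_path), the 64-entry array and the sample event sequence are constructed for the example. In a real driver the table lives in nonpaged pool behind a lock, and the real callbacks would convert FullImageName (a UNICODE_STRING holding an NT device path such as \Device\HarddiskVolume1\...) before calling in.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table entry: one tracked process. In a driver this array would be
 * allocated from nonpaged pool and guarded by a lock; both notify
 * callbacks run at PASSIVE_LEVEL, so a fast mutex would do. */
#define MAX_TRACKED    64
#define MAX_PATH_CHARS 260

typedef struct {
    uint32_t pid;               /* 0 marks a free slot */
    char path[MAX_PATH_CHARS];  /* NT path as delivered, e.g. \Device\HarddiskVolume1\... */
} tracked_process_t;

static tracked_process_t g_table[MAX_TRACKED];

static tracked_process_t *find_slot(uint32_t pid)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

/* Stand-in for the PLOAD_IMAGE_NOTIFY_ROUTINE body (FullImageName,
 * ProcessId, ImageInfo->SystemModeImage). The first user-mode image
 * reported for a PID is the process's executable; later ones are DLLs.
 * Returns 1 if recorded, 0 if ignored, -1 if the table is full. */
int on_image_load(uint32_t pid, const char *full_image_name, int system_mode_image)
{
    if (pid == 0 || system_mode_image)   /* a driver loading, not a process */
        return 0;
    if (find_slot(pid))                  /* DLL in an already-known process */
        return 0;
    tracked_process_t *slot = find_slot(0);
    if (!slot)
        return -1;
    slot->pid = pid;
    snprintf(slot->path, sizeof slot->path, "%s", full_image_name);
    return 1;
}

/* Stand-in for the PCREATE_PROCESS_NOTIFY_ROUTINE body (ParentId,
 * ProcessId, Create). Only Create == FALSE is acted on: on 2000/XP the
 * executable's image notification arrives before the create notification,
 * so clearing here on create would discard the path just recorded. */
void on_process_notify(uint32_t parent_pid, uint32_t pid, int create)
{
    (void)parent_pid;
    if (create)
        return;
    tracked_process_t *slot = find_slot(pid);
    if (slot)
        memset(slot, 0, sizeof *slot);   /* frees the slot; a recycled PID starts clean */
}

/* What the driver's other code paths call once they hold a PID. */
const char *lookup_image_path(uint32_t pid)
{
    tracked_process_t *slot = pid ? find_slot(pid) : NULL;
    return slot ? slot->path : NULL;
}

int main(void)
{
    /* Constructed event sequence in kernel delivery order. */
    on_image_load(1234, "\\Device\\HarddiskVolume1\\WINNT\\notepad.exe", 0);
    on_process_notify(8, 1234, 1);
    on_image_load(1234, "\\SystemRoot\\System32\\ntdll.dll", 0);
    on_image_load(0, "\\SystemRoot\\System32\\drivers\\example.sys", 1);
    printf("1234 -> %s\n", lookup_image_path(1234));

    on_process_notify(8, 1234, 0);           /* process exited: slot freed */
    printf("1234 after exit -> %s\n", lookup_image_path(1234) ? "stale!" : "not tracked");
    return 0;
}
```

Two details matter in practice. The load callback fires for every image, including DLLs and, with ProcessId 0 and SystemModeImage set, for drivers, so only the first user-mode image of an unknown PID is recorded. Exit notifications free the slot, which is what keeps a recycled PID from returning a dead process's path; the Create == TRUE notification is deliberately left alone.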
KernelSanders
2004-12-02 04:19:02 UTC
Thanks! I'm aware of the other options (helper service and
PsSetCreateProcessNotify), but I was hoping there was some way to get the
image without having to leave kernel mode (or track anything with the create
process notification callback). Bummer!

I'm a newbie, is there a way to get the PID from the Process Handle (while
in kernel mode)?

Also, can you suggest any books, etc for learning more about the process of
loading an image and creating a process? I already have "Inside MS Windows
2000," and it's a great book! But I'm looking for more detailed information.


And lastly, the purpose of the question is for a tool that I'm working on
for learning more about the internals of Windows - strictly for my own
edification and certainly not for nefarious purposes.

Many Thanks,
Gary
James Brown
2004-12-02 08:30:27 UTC
ZwQueryProcessInformation
--
James
---
www.catch22.net
Free win32 software, sourcecode and tutorials
-----
Please de-spam my email address before replying.
Don Burn
2004-12-02 14:39:59 UTC
ZwQueryProcessInformation will return the PID from the handle.

For the executable name there is PsGetProcessImageFileName() in Windows XP
and later systems that is an undocumented function that returns the pathname
to the executable. Unfortunately, Microsoft doesn't document this, or back
port it to Windows 2000.

The only other approach is to use the old somewhat dirty trick from
SysInternals of calling into the driver with a process of a known name, then
searching the PEPROCESS structure for a matching string (basically get the
pointer to the system's PEPROCESS structure using PsGetCurrentProcess during
driver entry, then search for the string "System" in the next 12KB). This
will give you the process name which is typically but not guaranteed to be
the filename.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
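Don's string-scan trick, as an added example that is not the Sysinternals code or anything posted in the thread: find_image_name_offset() locates the 16-byte ImageFileName field by scanning the System process's object for "System" plus its terminator, and read_image_name() reads the same offset in another process object. The EPROCESS blocks here are stand-ins built by fake_eprocess() with the field planted at an arbitrary offset; in a driver the first pointer comes from PsGetCurrentProcess() in DriverEntry and the second from the process being inspected. The field holds at most 15 characters of the file name, and on XP PsGetProcessImageFileName() returns a pointer to that same field, so neither route yields a full path, which is part of why Don's caveat about using the name as a security check holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EPROCESS.ImageFileName is a fixed 16-byte field: at most 15 characters of
 * the executable's file name (no path, no drive) plus a NUL terminator. */
#define IMAGE_NAME_FIELD 16

/* Scan `limit` bytes of a process object for a NUL-terminated name we know
 * in advance (the "System" process, reached via PsGetCurrentProcess() during
 * DriverEntry). Returns the byte offset of the field, or -1 if not found.
 * The terminator is part of the comparison so "SystemXYZ" cannot match. */
long find_image_name_offset(const uint8_t *eprocess, size_t limit, const char *known_name)
{
    size_t need = strlen(known_name) + 1;
    if (need > IMAGE_NAME_FIELD)
        return -1;
    for (size_t off = 0; off + IMAGE_NAME_FIELD <= limit; off++) {
        if (memcmp(eprocess + off, known_name, need) == 0)
            return (long)off;
    }
    return -1;
}

/* Copy the name out of another process object at the learned offset.
 * Reads at most 15 bytes, exactly as the kernel stores them.
 * Returns the length copied, or -1 on a bad offset or buffer. */
int read_image_name(const uint8_t *eprocess, long offset, char *out, size_t out_len)
{
    if (offset < 0 || out_len == 0)
        return -1;
    const uint8_t *field = eprocess + offset;
    size_t n = 0;
    while (n < IMAGE_NAME_FIELD - 1 && field[n] != '\0')
        n++;
    if (n >= out_len)
        n = out_len - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed stand-in for an EPROCESS block (hypothetical layout): filler
 * bytes with the name field planted at `name_off`, truncated to 15 chars
 * the way the kernel truncates it. */
void fake_eprocess(uint8_t *buf, size_t size, size_t name_off, const char *exe)
{
    memset(buf, 0xAB, size);
    memset(buf + name_off, 0, IMAGE_NAME_FIELD);
    strncpy((char *)buf + name_off, exe, IMAGE_NAME_FIELD - 1);
}

int main(void)
{
    static uint8_t system_proc[12 * 1024], target_proc[12 * 1024];
    char image_name[IMAGE_NAME_FIELD];

    /* Offset 0x1FC is arbitrary here; the scan is what discovers it. */
    fake_eprocess(system_proc, sizeof system_proc, 0x1FC, "System");
    fake_eprocess(target_proc, sizeof target_proc, 0x1FC, "verylongprocessname.exe");

    long off = find_image_name_offset(system_proc, sizeof system_proc, "System");
    if (off < 0 || read_image_name(target_proc, off, image_name, sizeof image_name) < 0) {
        puts("ImageFileName field not found");
        return 1;
    }
    /* Prints "verylongprocess": the ".exe" and anything past 15 chars is gone. */
    printf("ImageFileName at offset 0x%lx: %s\n", (unsigned long)off, image_name);
    return 0;
}
```

The truncation is the point of the example: a process started from verylongprocessname.exe reads back as "verylongprocess", so comparing this field against an expected file name gives both false negatives (long names) and false positives (any binary renamed to match), and the offset itself shifts between service packs, which is why the scan is done at runtime rather than hard-coded.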
KernelSanders
2004-12-02 19:01:01 UTC
MANY THANKS to everyone for the help!!!

And BTW... Happy Holidays!!

Gary
qfel
2004-12-02 13:20:01 UTC
Look at http://undocumented.ntinternals.net/
Most of those Nt* functions are available in kernel mode (you just have to
change the prefix from 'Nt' to 'Zw').
Chuck Chopp
2004-12-02 17:13:44 UTC
Post by qfel
Look at http://undocumented.ntinternals.net/
Most of those Nt* functions are available in kernel mode (you just have to
change the prefix from 'Nt' to 'Zw').
Or get Gary Nebbett's book "Windows NT/2000 Native API Reference", which
discusses the Zw*() kernel mode API functions, documents their signatures,
enumerated data types, structure definitions, etc... I've found it to be
invaluable in gaining access to underlying Zw*() functions that don't have
corresponding Win32 API function wrappers around them.
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651

Do not send me unsolicited commercial email.