Undocumented Kernel API Again…

The function I’m going to talk about is nothing new. The annoying thing is that you can’t find it in the WDK. Sometimes you want to know the name of the calling process (suppose its image file name is enough). But it can’t be used for security decisions, because anyone can create a ‘logon.exe’, run it from the desktop directory, and it will be reported as ‘logon.exe’. Therefore it’s mostly useful for debugging or similar purposes.

So once you have a PEPROCESS and you wish to get its image name, you can call PsGetProcessImageFileName. We all know those hacks that scan the System process’s EPROCESS for the string ‘System’ while DriverEntry is running and store the resulting offset for later use. But that isn’t really needed anymore.

#include <ntddk.h>

extern "C" {

/* Exported by ntoskrnl but absent from the WDK headers, so declare it yourself. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

}

...

/* Returns the image file name stored in the EPROCESS: the file name only, without its path. */
DbgPrint("Calling process name is: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess()));

Retrieving the full path name of a process from the kernel can be a b1tch, and I don’t know a good way to do it. I think the best way would be to get the ControlArea of the process’s mapped image section, but IIRC that requires KeAttachProcess, which sucks… There are many forum threads about it anyway…
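To make the caveat concrete, here is an added user-mode C illustration (not code from the post, and not kernel code) of what PsGetProcessImageFileName hands back: EPROCESS.ImageFileName keeps at most 15 characters of the file name and no directory, so a same-named binary from any folder is indistinguishable and long names lose their tail. The helper fill_image_file_name and the sample paths are constructed for this example and only stand in for the kernel's behaviour.

```c
#include <stdio.h>
#include <string.h>

/* EPROCESS.ImageFileName holds at most 15 characters of the image file name
 * and no directory component; PsGetProcessImageFileName returns that buffer. */
#define IMAGE_FILE_NAME_LEN 15

/* Stand-in for what the kernel stores (assumed to mirror its behaviour for this
 * illustration): keep only the part after the last backslash, cut to 15 chars. */
static void fill_image_file_name(const char *full_path, char out[IMAGE_FILE_NAME_LEN + 1])
{
    const char *base = strrchr(full_path, '\\');
    base = base ? base + 1 : full_path;
    strncpy(out, base, IMAGE_FILE_NAME_LEN);
    out[IMAGE_FILE_NAME_LEN] = '\0';
}

/* 1 if two images, possibly in different directories, get the same kernel-visible name. */
int same_image_name(const char *path_a, const char *path_b)
{
    char a[IMAGE_FILE_NAME_LEN + 1], b[IMAGE_FILE_NAME_LEN + 1];
    fill_image_file_name(path_a, a);
    fill_image_file_name(path_b, b);
    return strcmp(a, b) == 0;
}

/* 1 if the kernel-visible name of full_path equals expected. */
int image_name_equals(const char *full_path, const char *expected)
{
    char name[IMAGE_FILE_NAME_LEN + 1];
    fill_image_file_name(full_path, name);
    return strcmp(name, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths: a system binary and a same-named copy on a desktop. */
    const char *real = "C:\\Windows\\System32\\logon.exe";
    const char *fake = "C:\\Users\\bob\\Desktop\\logon.exe";
    const char *longname = "C:\\Tools\\UpdaterService.exe";
    char name[IMAGE_FILE_NAME_LEN + 1];

    printf("same name? %d\n", same_image_name(real, fake));  /* 1: a name check is spoofable */
    fill_image_file_name(longname, name);
    printf("long name seen as: '%s'\n", name);                /* 'UpdaterService.' - '.exe' is lost */
    return 0;
}
```

Anything that needs to tell these two images apart has to look at the full path or the backing file object, which is exactly the harder problem described above.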
