{"id":220,"date":"2010-02-24T07:48:35","date_gmt":"2010-02-24T09:48:35","guid":{"rendered":"http:\/\/www.ragestorm.net\/blogs\/?p=220"},"modified":"2010-02-24T07:52:27","modified_gmt":"2010-02-24T09:52:27","slug":"undocumented-kernel-api-again","status":"publish","type":"post","link":"https:\/\/www.ragestorm.net\/blogs\/?p=220","title":{"rendered":"Undocumented Kernel API Again&#8230;"},"content":{"rendered":"<p>The function I&#8217;m going to talk about is nothing new. The annoying thing is that you can&#8217;t find it in the WDK. Sometimes you want to know the name of the calling process (suppose its image name is enough). But it can&#8217;t be used for security, because you can create a &#8216;logon.exe&#8217; and run it from the desktop directory, and it will be seen as &#8216;logon.exe&#8217;. Therefore it&#8217;s mostly useful for debugging or something.<\/p>\n<p>So once you get a PEPROCESS and you wish to get its image name, you can call PsGetProcessImageFileName. We all know those hacks that scan the current PEPROCESS for &#8216;system&#8217; when the DriverEntry is being called and store the <i>offset<\/i> for later use. But it&#8217;s not really needed anymore.<\/p>\n<pre lang=\"c\">\r\n\/\/ Not declared in the WDK headers, so declare it by hand (it is exported by ntoskrnl).\r\nextern \"C\" {\r\n\r\nextern char* PsGetProcessImageFileName(PEPROCESS p);\r\n\r\n}\r\n\r\n...\r\n\r\nDbgPrint(\"Calling process name is: %s\\n\", PsGetProcessImageFileName(PsGetCurrentProcess()));\r\n<\/pre>\n<p>Retrieving the full path name of a process from the kernel can be a b1tch. And I don&#8217;t know a good way to do it. Though I think the best way would be to get the ControlArea of the mapped image of that process, but IIRC it needs a KeAttachProcess which sucks&#8230; There are many forums which talk about it anyway&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The function I&#8217;m going to talk about is nothing new. The annoying thing is that you can&#8217;t find it in the WDK. 
Sometimes you want to know the name of the calling process (suppose its image name is enough). But it can&#8217;t be used for security, because you can create a &#8216;logon.exe&#8217; and run it [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":""},"categories":[11,13],"tags":[],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbWKd-3y","_links":{"self":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/220"}],"collection":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=220"}],"version-history":[{"count":4,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/220\/revisions"}],"predecessor-version":[{"id":222,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/220\/revisions\/222"}],"wp:attachment":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}