Kernel WDF driver accessing user process information like ImageFilePathName and process privileges

  • General discussion

  • Hi,

    I have a kernel WDF driver from which I would like to access certain process information. I am able to get the process ID in the driver, but I am unable to find any API that provides the process image file path and process privilege information. Can you help point me to such an API?

    I need to access the process info in the driver, running on a Windows 7 x64 system.

    Thanks, Vani 


    • Edited by vaniy Friday, November 17, 2017 11:22 PM
    Friday, November 17, 2017 11:20 PM

All replies

  • You need to spend some quality time with the Windows Internals books. What you seek is in the EPROCESS structure.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, November 17, 2017 11:30 PM
    Moderator
  • Take a look at ZwQueryInformationProcess: https://msdn.microsoft.com/en-us/library/windows/desktop/ms687420(v=vs.85).aspx

    The traditional way to do this was to use a user space process, since that gives you access to the most data. The other "safe" way to do this is to use PsSetCreateProcessNotifyRoutineEx and build your own database of process paths. ZwQueryInformationProcess can do it, but Microsoft does warn the call could change.

    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Saturday, November 18, 2017 12:27 AM
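The "build your own database of process paths" approach from the reply above, as an added example that is not part of the thread and not code from any of the posters. The cache itself is plain C and compiles on any host; the notify callback and its registration against PsSetCreateProcessNotifyRoutineEx are compiled only when WDK_BUILD is defined inside a WDK driver project (WDK_BUILD, the db_* names, the 64-slot table size and the sample paths are this example's own choices). Two edge cases a practitioner wants covered are handled explicitly: a create notification for a PID already in the table overwrites the stale entry (PIDs are reused, and an exit can be missed for processes older than the driver), and an exit for a PID never seen is reported to the caller rather than silently ignored.

```c
/* Added example, not code from the thread: a PID-keyed image-path cache.
 * The cache runs on any host; the kernel wiring at the bottom is compiled
 * only with -DWDK_BUILD in a WDK driver project (WDK_BUILD is this
 * example's own macro, not a WDK one). */
#include <stddef.h>
#include <string.h>

#ifdef WDK_BUILD
#include <ntddk.h>
#else
#include <uchar.h>
/* Host-side stand-ins that mirror the kernel types the cache touches. */
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef char16_t WCHAR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif

#define DB_SLOTS 64         /* fixed table: no pool allocation in the callback */
#define DB_MAX_CHARS 260    /* longer paths are truncated, never overflowed */

typedef struct {
    ULONG pid;                  /* 0 marks a free slot (PID 0 is never notified) */
    USHORT len;                 /* WCHARs stored in path */
    WCHAR path[DB_MAX_CHARS];   /* NT device path: \Device\HarddiskVolumeN\... */
} db_entry;

static db_entry db[DB_SLOTS];
/* In the driver, guard db with a spin lock or push lock: the notify callback
 * runs on the creating thread, concurrently with your own lookups. */

static db_entry *db_find(ULONG pid) {
    for (size_t i = 0; i < DB_SLOTS; i++)
        if (db[i].pid == pid) return &db[i];
    return NULL;
}

/* Create notification. An existing entry for pid is overwritten: PIDs are
 * reused, and an exit can be missed for processes older than the driver. */
int db_insert(ULONG pid, const UNICODE_STRING *image) {
    if (pid == 0 || image == NULL || image->Buffer == NULL) return 0;
    db_entry *e = db_find(pid);
    if (e == NULL) e = db_find(0);          /* claim a free slot */
    if (e == NULL) return 0;                /* table full: caller decides policy */
    USHORT n = (USHORT)(image->Length / sizeof(WCHAR));   /* Length is in bytes */
    if (n > DB_MAX_CHARS) n = DB_MAX_CHARS;
    memcpy(e->path, image->Buffer, n * sizeof(WCHAR));
    e->len = n;
    e->pid = pid;
    return 1;
}

/* Exit notification. Returns 0 for a PID never seen, so the caller can log it. */
int db_remove(ULONG pid) {
    db_entry *e = db_find(pid);
    if (e == NULL) return 0;
    memset(e, 0, sizeof *e);
    return 1;
}

/* Lookup from the driver's own dispatch code; out is a view into the table. */
int db_lookup(ULONG pid, UNICODE_STRING *out) {
    db_entry *e = db_find(pid);
    if (e == NULL) return 0;
    out->Buffer = e->path;
    out->Length = (USHORT)(e->len * sizeof(WCHAR));
    out->MaximumLength = (USHORT)sizeof e->path;
    return 1;
}

/* Convenience wrappers over NUL-terminated WCHAR strings (host testing). */
int db_insert_sz(ULONG pid, const WCHAR *ntpath) {
    USHORT n = 0;
    while (ntpath[n] != 0) n++;
    UNICODE_STRING u = { (USHORT)(n * sizeof(WCHAR)),
                         (USHORT)((n + 1) * sizeof(WCHAR)), (WCHAR *)ntpath };
    return db_insert(pid, &u);
}

int db_path_equals(ULONG pid, const WCHAR *expected) {
    db_entry *e = db_find(pid);
    if (e == NULL) return 0;
    USHORT n = 0;
    while (expected[n] != 0) n++;
    return n == e->len && memcmp(e->path, expected, n * sizeof(WCHAR)) == 0;
}

#ifdef WDK_BUILD
/* CreateInfo is non-NULL on create (ImageFileName is the NT device path) and
 * NULL on exit. Link the driver with /INTEGRITYCHECK, or registration fails. */
static VOID ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                            PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    ULONG pid = HandleToULong(ProcessId);
    if (CreateInfo != NULL) db_insert(pid, CreateInfo->ImageFileName);
    else db_remove(pid);
}

NTSTATUS db_register(BOOLEAN Remove)   /* call with TRUE from DriverUnload */
{
    return PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, Remove);
}
#endif
```

Both CreateInfo->ImageFileName and ZwQueryInformationProcess with ProcessImageFileName yield the NT device path (\Device\HarddiskVolumeN\...), not a drive-letter Win32 path, so any comparison or allow-list must use that form. For the privileges half of the question, the token hangs off the EPROCESS: PsReferencePrimaryToken returns the process's primary token, SeQueryInformationToken with TokenPrivileges returns a TOKEN_PRIVILEGES buffer that the caller frees with ExFreePool, and PsDereferencePrimaryToken releases the token (these are ntifs.h routines and are not shown in the block above).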