-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathGetProcessImageName.c
More file actions
102 lines (82 loc) · 2.37 KB
/
GetProcessImageName.c
File metadata and controls
102 lines (82 loc) · 2.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/*
//=================usaging sample====================
UNICODE_STRING ProcessImageName;
WCHAR *sourceProcessImageName;
sourceProcessImageName = ExAllocatePoolWithTag(NonPagedPool, 2048, 0);
ProcessImageName.Buffer = sourceProcessImageName;
ProcessImageName.Length = 0x0;
ProcessImageName.MaximumLength = sizeof(sourceProcessImageName);
GetProcessImageName(&ProcessImageName);
*/
NTSTATUS GetProcessImageName(_In_ PFLT_CALLBACK_DATA Data, _Inout_ PUNICODE_STRING ProcessImageName)
{
NTSTATUS status;
ULONG returnedLength;
ULONG bufferLength;
PVOID buffer;
PUNICODE_STRING imageName;
PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process
if (NULL == ZwQueryInformationProcess) {
UNICODE_STRING routineName;
RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
ZwQueryInformationProcess =
(QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);
if (NULL == ZwQueryInformationProcess) {
DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
}
}
//
// Step one - get the size we need
//
status = ZwQueryInformationProcess(NtCurrentProcess(),
ProcessImageFileName,
NULL, // buffer
0, // buffer size
&returnedLength);
if (STATUS_INFO_LENGTH_MISMATCH != status) {
DbgPrint("STATUS_INFO_LENGTH_MISMATCH\n");
return status;
}
//
// Is the passed-in buffer going to be big enough for us?
// This function returns a single contguous buffer model...
//
bufferLength = returnedLength - sizeof(UNICODE_STRING);
if (ProcessImageName->MaximumLength < bufferLength) {
ProcessImageName->Length = (USHORT)bufferLength;
DbgPrint("STATUS_BUFFER_OVERFLOW\n");
return STATUS_BUFFER_OVERFLOW;
}
//
// If we get here, the buffer IS going to be big enough for us, so
// let's allocate some storage.
//
buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');
if (NULL == buffer) {
DbgPrint("STATUS_INSUFFICIENT_RESOURCES\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Now lets go get the data
//
status = ZwQueryInformationProcess(NtCurrentProcess(),
ProcessImageFileName,
buffer,
returnedLength,
&returnedLength);
if (NT_SUCCESS(status)) {
//
// Ah, we got what we needed
//
imageName = (PUNICODE_STRING)buffer;
RtlCopyUnicodeString(ProcessImageName, imageName);
}
//
// free our buffer
//
ExFreePool(buffer);
//
// And tell the caller what happened.
//
return status;
}