How do TASKMGR get process name in WINXP

#23102 by fsdhook
Thu Jun 12, 2014 7:19 am

Hi, everyone. I have a strange question.
I try to change process name in TASKMGR. How can I do that?
I try to change information in:
1.EPROCESS->ImageFileName
2.EPROCESS->SeAuditProcessCreationInfo->ImageFileName
3.EPROCESS->SectionObject->Segment->ControlArea->FilePointer->FileName
4.EPROCESS->PEB->ProcessParameters->ImagePathName
5.EPROCESS->PEB->ProcessParameters->CommandLine
6.EPROCESS->PEB->ProcessParameters->WindowTitle
7.EPROCESS->PEB->Ldr->InLoadOrderLinks->FullDllName
8.EPROCESS->PEB->Ldr->InMemoryOrderLinks->FullDllName
But it doesn't work.

Username

fsdhook

Posts

45

Joined

Wed May 14, 2014 8:27 am

Re: How do TASKMGR get process name in WINXP

#23103 by EP_X0FF
Thu Jun 12, 2014 8:07 am

It uses NtQuerySystemInformation.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How do TASKMGR get process name in WINXP

#23104 by TETYYSs
Thu Jun 12, 2014 12:37 pm

EP_X0FF wrote:It uses NtQuerySystemInformation.

And what does NtQuerySystemInformation use to get it?

Username

TETYYSs

Posts

98

Joined

Fri Jun 28, 2013 6:51 pm

Re: How do TASKMGR get process name in WINXP

#23106 by EP_X0FF
Thu Jun 12, 2014 1:26 pm

TETYYSs wrote:
EP_X0FF wrote:It uses NtQuerySystemInformation.
And what does NtQuerySystemInformation use to get it?

It uses EPROCESS->ImageFileName (limited to 16 chars) and for long filename (if available) from EPROCESS->SeAuditProcessCreationInfo->ImageFileName (full path to process as UNICODE_STRING).

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How do TASKMGR get process name in WINXP

#23107 by fsdhook
Fri Jun 13, 2014 6:43 am

EP_X0FF wrote:
TETYYSs wrote:
EP_X0FF wrote:It uses NtQuerySystemInformation.
And what does NtQuerySystemInformation use to get it?
It uses EPROCESS->ImageFileName (limited to 16 chars) and for long filename (if available) from EPROCESS->SeAuditProcessCreationInfo->ImageFileName (full path to process as UNICODE_STRING).

Hi, EP_X0FF, I want to change process name in TASKMGR.
Example: my process name is ABCD.EXE, but I want TASKMGR show my process name is QWER.EXE
How to do it? Do not use hook.
I change name info in this structure, but it doesn't useful.
1.EPROCESS->ImageFileName
2.EPROCESS->SeAuditProcessCreationInfo->ImageFileName
3.EPROCESS->SectionObject->Segment->ControlArea->FilePointer->FileName
4.EPROCESS->PEB->ProcessParameters->ImagePathName
5.EPROCESS->PEB->ProcessParameters->CommandLine
6.EPROCESS->PEB->ProcessParameters->WindowTitle
7.EPROCESS->PEB->Ldr->InLoadOrderLinks->FullDllName
8.EPROCESS->PEB->Ldr->InMemoryOrderLinks->FullDllName

Username

fsdhook

Posts

45

Joined

Wed May 14, 2014 8:27 am

Re: How do TASKMGR get process name in WINXP

#23109 by EP_X0FF
Fri Jun 13, 2014 8:56 am

Show your code, telepaths are not here. You either coded bugged stuff or XP taskmanager magically reads information from non existed fields.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact