KernelMode.info

A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/

Get ImageFileName(Dos) from EPROCESS

https://www.kernelmode.info/forum/viewtopic.php?f=10&t=1496

Page 1 of 1

Get ImageFileName(Dos) from EPROCESS

PostPosted:Sun Feb 26, 2012 12:54 pm
by Hippey
Hi all!

Can anybody give me a code, which would extract ImageFileName of EPROCESS in Dos format(like C:\\) for kernel driver?

Thanks!

Re: Get ImageFileName(Dos) from EPROCESS

PostPosted:Sun Feb 26, 2012 1:14 pm
by rkhunter
How do you imagine that? ImageFileName holds only ImageName, "explorer.exe", for example. Look PsGetProcessImageFileName for that. Other information is stored in PEB and you can access it through NtQueryInformationProcess.

Re: Get ImageFileName(Dos) from EPROCESS

PostPosted:Mon Feb 27, 2012 1:53 pm
by EP_X0FF
Hippey wrote:Hi all!

Can anybody give me a code, which would extract ImageFileName of EPROCESS in Dos format(like C:\\) for kernel driver?

Thanks!
http://www.kernelmode.info/forum/viewto ... 03&p=10941

Closed as duplicate. Author gets achievement - creation of three closed topics.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/