Reply To: retrieving full process image path name in kernel mode


#5875

bitshaker
Participant

Hi,

I would like to get the full image file name that a section is backed by. I intercept calls to NtMapViewOfSection and want to retrieve this information from the section handle I get there (as I read in your posts, in the case of a process image there may even be a better way to do this on 2k/XP).

I first reference the handle with ObReferenceObjectByHandle() to get a pointer to the object body; this seems to work. The Segment field of the section structure also seems to be valid, but the control area pointer in the segment structure contains no valid pointer, just some small value (0x4C) in some cases.

Hope someone can help,

Thx!