Reply To: retrieving full process image path name in kernel mode


#5880

Vadim Smirnov
Moderator

I have started to use SerpentFly’s suggestions, thus:
PEPROCESS pEprocess = PsGetCurrentProcess();
HANDLE SectionHandle = pEprocess->SectionHandle;

I guess you are going to create a driver which supports all NT operating systems, so first of all you have to determine the operating system version and then, depending on it, use the matching EPROCESS definition (from one post above). For Windows 2000, for example, it would be as follows:

// PEPROCESS_W2K is the Windows 2000 EPROCESS definition from the earlier post
PEPROCESS_W2K pEprocess = (PEPROCESS_W2K)PsGetCurrentProcess();
HANDLE SectionHandle = pEprocess->SectionHandle;
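The version dispatch this reply describes, as an added example that is not from the original thread or from either poster: a user-mode C program that models a driver selecting the EPROCESS definition for the running kernel before reading SectionHandle, and that refuses on a version it has no definition for. The two layouts, their padding sizes, and the names EPROCESS_W2K_DEMO, EPROCESS_XP_DEMO, NT_VERSION, SelectLayout, ReadSectionHandleWithLayout, GetSectionHandle and RunDemo are all assumptions made for this illustration; the padding is not the real field offset of any Windows build. In a driver the version would come from PsGetVersion() or RtlGetVersion() and the layouts from the real per-version definitions (such as PEPROCESS_W2K from the earlier post), and the pointer would be a referenced EPROCESS rather than a local buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void *HANDLE;

/* Version pair as a driver would obtain it from PsGetVersion()/RtlGetVersion();
 * a plain struct here so the program runs in user mode. */
typedef struct {
    uint32_t Major;
    uint32_t Minor;
} NT_VERSION;

/* ILLUSTRATIVE layouts (assumption): the padding sizes are made up for this
 * example and are NOT real EPROCESS offsets. A driver uses the real
 * per-version definitions instead. */
typedef struct {
    uint8_t Pad[0x1a8];
    HANDLE  SectionHandle;
    void   *SectionBaseAddress;
} EPROCESS_W2K_DEMO;            /* stand-in for the Windows 2000 (5.0) layout */

typedef struct {
    uint8_t Pad[0x138];
    HANDLE  SectionHandle;
    void   *SectionBaseAddress;
} EPROCESS_XP_DEMO;             /* stand-in for the Windows XP (5.1) layout */

/* One table row per supported kernel version: where SectionHandle lives. */
typedef struct {
    uint32_t Major;
    uint32_t Minor;
    size_t   SectionHandleOffset;
} EPROCESS_LAYOUT;

static const EPROCESS_LAYOUT kLayouts[] = {
    { 5, 0, offsetof(EPROCESS_W2K_DEMO, SectionHandle) },
    { 5, 1, offsetof(EPROCESS_XP_DEMO,  SectionHandle) },
};

/* Pick the layout for the running kernel. NULL means "no definition for this
 * version": the caller must fail rather than guess an offset. */
static const EPROCESS_LAYOUT *SelectLayout(const NT_VERSION *v)
{
    size_t i;
    for (i = 0; i < sizeof(kLayouts) / sizeof(kLayouts[0]); i++) {
        if (kLayouts[i].Major == v->Major && kLayouts[i].Minor == v->Minor)
            return &kLayouts[i];
    }
    return NULL;
}

/* Read SectionHandle from an opaque process object through one layout;
 * the same operation as ((PEPROCESS_W2K)p)->SectionHandle. */
static HANDLE ReadSectionHandleWithLayout(const EPROCESS_LAYOUT *layout,
                                          const void *process)
{
    HANDLE h;
    memcpy(&h, (const uint8_t *)process + layout->SectionHandleOffset, sizeof h);
    return h;
}

/* Version-checked accessor: 0 on success, -1 if the version is unsupported. */
static int GetSectionHandle(const NT_VERSION *v, const void *process, HANDLE *out)
{
    const EPROCESS_LAYOUT *layout = SelectLayout(v);
    if (layout == NULL)
        return -1;
    *out = ReadSectionHandleWithLayout(layout, process);
    return 0;
}

/* Exercises the accessor on zero-filled fake objects (constructed input) with
 * a handle value planted in SectionHandle. Returns the number of failures. */
static int RunDemo(void)
{
    EPROCESS_W2K_DEMO w2k;
    EPROCESS_XP_DEMO  xp;
    NT_VERSION v50 = { 5, 0 }, v51 = { 5, 1 }, v60 = { 6, 0 };
    HANDLE h = NULL;
    int failures = 0;

    memset(&w2k, 0, sizeof w2k);
    memset(&xp, 0, sizeof xp);
    w2k.SectionHandle = (HANDLE)(uintptr_t)0x1234;
    xp.SectionHandle  = (HANDLE)(uintptr_t)0x5678;

    /* The matching layout reads the planted value on each version. */
    if (GetSectionHandle(&v50, &w2k, &h) != 0 || h != (HANDLE)(uintptr_t)0x1234) failures++;
    if (GetSectionHandle(&v51, &xp,  &h) != 0 || h != (HANDLE)(uintptr_t)0x5678) failures++;

    /* Unknown version: refuse instead of dereferencing a guessed offset. */
    if (GetSectionHandle(&v60, &w2k, &h) != -1) failures++;

    /* The hazard behind the reply: the XP layout applied to a 2000 object
     * silently returns whatever sits at that offset (here zero), not an error. */
    if (ReadSectionHandleWithLayout(&kLayouts[1], &w2k) != NULL) failures++;

    return failures;
}

int main(void)
{
    int failures = RunDemo();
    printf("%s (%d failure(s))\n", failures ? "FAIL" : "OK", failures);
    return failures ? 1 : 0;
}
```

The point of the table is the NULL path: a driver that reads an undocumented structure through a hard-coded definition should fail closed on any version it was not built for, because the wrong layout does not fault, it just returns some other field. Where offsets are known to differ between builds of one release, key the table on the build number as well as major and minor.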