Reply To: retrieving full process image path name in kernel mode


dkg0414
Participant

You are absolutely correct, serpent, that this would work.
But the problems in my case are the following:

1.) I have to support 2000, XP and 2003.
2.) I have to get the full image path name of each process running in the system (not just the current process).

On XP and 2003 I don’t have to open the handle, as I am directly getting the address of the SECTION_OBJECT. But on 2000 I have only a SectionHandle, and that handle is valid in the HANDLE_TABLE of the corresponding process, not in the process in whose context my driver is getting called.

I have integrated the mechanism you mentioned in my code and it is working fine on XP and 2k3. I am able to read the FullImagePathName of all the processes.

But on 2000 I have only the SectionHandle and not the pointer to the SectionObject.
To get it working I will have to search another process’s handle table, and I think that would be a very tedious task.

So my only worry is with Win2000.

Also, I don’t want to use ZwQuerySystemInformation and ZwOpenProcess because these APIs have a chance of being hooked.
I think you have got all my doubts.

Kind Regards
Deepak Gupta