Hello. I have some question in Local host Monitor

This topic contains 1 reply, has 2 voices, and was last updated by  Vadim Smirnov 13 years, 8 months ago.

  • #4898

    machun
    Participant

    Hello.

    I have a question about Local host Monitor.

    Right now LHMon gets only the process name in code.

    But I want to get the full process path.

    What should I do?

    Please give me some code so I can understand that.

    Thanks.

    #5687

    Vadim Smirnov
    Moderator

    There is no proof and easy way to get the full process path. This topic was discussed (in Russian) in the Windows Internals forum. Two ways were proposed (the first is easier but the second is more reliable):

    I)
    ZwQueryInformationProcess ( NtCurrentProcess(), ProcessBasicInformation, &ProcInfo, sizeof(ProcInfo), 0);

    ProcInfo.PebBaseAddress->ProcessParameters->ApplicationName

    II)
    1. Get EPROCESS using IoGetCurrentProcess().
    2. For NT 4.0 and 5.0 get SectionHandle, then using ObReferenceObjectByHandle() get SectionObject; for NT 5.1 just get SectionObject from EPROCESS.
    3. From SectionObject get SegmentObject.
    4. From SegmentObject get ControlArea.
    5. From ControlArea get FilePointer (FileObject pointer).
    6. Using ObQueryNameString() get full path for the process.
