Hello. I have a question about Local Host Monitor

  • #4898
    machun
    Participant

      Hello.

      I have a question about Local Host Monitor.

      Right now LHMon gets only the process name in code.

      But I want to get the full process path.

      What should I do?

      Please give me some code to help me understand that.

      Thanks.

      #5687
      Vadim Smirnov
      Keymaster

        There is no proof and easy way to get the full process path. This topic was discussed (in Russian) in the Windows Internals forum. Two ways were proposed (the first is easier but the second is more reliable):

        I)
        ZwQueryInformationProcess ( NtCurrentProcess(), ProcessBasicInformation, &ProcInfo, sizeof(ProcInfo), 0);

        ProcInfo.PebBaseAddress->ProcessParameters->ApplicationName

        II)
        1. Get EPROCESS using IoGetCurrentProcess().
        2. For NT 4.0 and 5.0, get SectionHandle and, using ObReferenceObjectByHandle(), get SectionObject; for NT 5.1, just get SectionObject from EPROCESS.
        3. From SectionObject get SegmentObject.
        4. From SegmentObject get ControlArea.
        5. From ControlArea get FilePointer (FileObject pointer).
        6. Using ObQueryNameString() get full path for the process.
