[Ryu]

Hello,

I also needing a way to get the full image path, however the problem I’m facing is that I cannot open some processes with only PROCESS_QUERY_INFORMATION access.

@SerpentFly wrote:

1. Obtain EPROCESS pointer through IoGetCurrentProcess().
2. For NT 4.0 and 5.0 take section handle from EPROCESS(SectionHandle) and using ObReferenceObjectByHandle() we obtain SectionObject; for NT 5.1 we can take SectionObject from EPROCESS directly.

I’m not sure where you get SectionHandle from in EPROCESS, or perhaps my EPROCESS structure is lacking some fields. Also isn’t IoGetCurrentProcess() is a kernel routine not user mode? And can show me your EPROCESS structure?

[Author]

Posts