Getting process path from process environment block (PEB)

Discussion in 'Windows Vista Drivers' started by jens, Feb 12, 2004.

  1. jens

    jens Guest

    I have to read in a kernel driver under Win XP the process path of starting apps. Th
    problem is the driver displays the path of the parent process. When I'm connecting to th
    process with WinDbg, the command !peb shows the right path

    The structure of code is as follows

    DriverEntr

    PsSetCreateProcessNotifyRoutine(ProcessCreateMon)


    ProcessCreateMo

    PROCESS_BASIC_INFORMATION ProcInfo
    PPEB Peb

    InitializeObjectAttribute
    ZwOpenProces
    ZwQueryInformationProcess(&ProcInfo
    Peb = ProcInfo.PebBaseAddress;
    DbgPrint .
    ZwClos


    Is there a book for this theme apart from "Windows 2000 System Internals" which is currentl
    out of stock
     
    jens, Feb 12, 2004
    #1

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Windows Vista forgets my PATH environment variable on reboot

  2. Path Environment Variable - Vista 64-bit

  3. Structure of process environment block (PEB)

  4. getting child process path and filename

  5. Suggestion for DIFxApp: Path-to-lib environment variable

  6. IE7 managed website block list / cookie block list

  7. block unblock block

  8. path environment acting strangly

Loading...