Retrieve process path

This is from an XP SP3 system:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 823c8830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00319000  ObjectTable: e1000cc0  HandleCount: 298.
    Image: System

… …

PROCESS 822c9550  SessionId: 0  Cid: 08e4    Peb: 7ffdd000  ParentCid: 0070
    DirBase: 08fc0320  ObjectTable: e1e468a8  HandleCount:  39.
    Image: notepad.exe

kd> .process /i 822c9550
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80527bf4 cc              int     3
kd> !process -1 0
PROCESS 822c9550  SessionId: 0  Cid: 08e4    Peb: 7ffdd000  ParentCid: 0070
    DirBase: 08fc0320  ObjectTable: e1e468a8  HandleCount:  39.
    Image: notepad.exe

kd> dt /t nt!_EPROCESS 822c9550
   +0x000 Pcb              : _KPROCESS
   … … 
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   …
   +0x258 Cookie           : 0x989727bd
kd> dt /r /t nt!_SE_AUDIT_PROCESS_CREATION_INFO 822c9550+1f4
   +0x000 ImageFileName    : 0x8210d498 _OBJECT_NAME_INFORMATION
      +0x000 Name             : _UNICODE_STRING "\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe"
         +0x000 Length           : 0x68
         +0x002 MaximumLength    : 0x6a
         +0x004 Buffer           : 0x8210d4a0  "\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe"
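As an added example (not part of the original post), this is how a memory-forensics tool would pull the same ImageFileName out of a captured 32-bit kernel memory region, using exactly the _OBJECT_NAME_INFORMATION / _UNICODE_STRING layout the dt output above shows. The sample bytes are constructed from that output (Length 0x68, MaximumLength 0x6a, Buffer at +8 of the header at 0x8210d498); the function and macro names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* x86 _UNICODE_STRING as `dt` shows it: byte lengths, 32-bit Buffer pointer. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint32_t Buffer;
} UNICODE_STRING32;

/* Read the UNICODE_STRING32 at virtual address va from an image covering
 * [base, base+img_len) and narrow its UTF-16LE text into out.
 * Returns the character count, or -1 if the string does not validate. */
int read_unicode_string32(const uint8_t *img, size_t img_len, uint32_t base,
                          uint32_t va, char *out, size_t out_len)
{
    UNICODE_STRING32 us;
    if (va < base || (uint64_t)va - base + sizeof us > img_len) return -1;
    memcpy(&us, img + (va - base), sizeof us);
    /* Never trust Length/Buffer taken from a dump without bounds checks. */
    if ((us.Length & 1) || us.Length > us.MaximumLength) return -1;
    if (us.Buffer < base || (uint64_t)us.Buffer - base + us.Length > img_len) return -1;
    size_t n = us.Length / 2;
    if (n >= out_len) return -1;
    const uint8_t *p = img + (us.Buffer - base);
    for (size_t i = 0; i < n; i++) {
        uint16_t wc = (uint16_t)(p[2 * i] | (p[2 * i + 1] << 8));
        out[i] = wc < 0x80 ? (char)wc : '?';   /* non-ASCII code units -> '?' */
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: the _OBJECT_NAME_INFORMATION at 0x8210d498 from the
 * dt output above; its Name buffer sits right behind the 8-byte header. */
#define SAMPLE_BASE 0x8210d498u
static const char SAMPLE_PATH[] = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\notepad.exe";
size_t build_sample(uint8_t *img, size_t cap)
{
    size_t n = sizeof SAMPLE_PATH - 1;                 /* 52 chars -> Length 0x68 */
    UNICODE_STRING32 us = { (uint16_t)(2 * n), (uint16_t)(2 * n + 2), SAMPLE_BASE + 8 };
    if (cap < 8 + 2 * n + 2) return 0;
    memcpy(img, &us, sizeof us);
    for (size_t i = 0; i <= n; i++) {                  /* UTF-16LE, including the NUL */
        img[8 + 2 * i] = (uint8_t)SAMPLE_PATH[i];
        img[9 + 2 * i] = 0;
    }
    return 8 + 2 * n + 2;                              /* 114 bytes */
}
```

The same reader works for the PEB-side ImagePathName further down, with the difference that those structures live in user-mode address space (Peb 7ffdd000, ProcessParameters 0x00020000) rather than in kernel pool.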

Or

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 823c8830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00319000  ObjectTable: e1000cc0  HandleCount: 298.
    Image: System

… …

PROCESS 822c9550  SessionId: 0  Cid: 08e4    Peb: 7ffdd000  ParentCid: 0070
    DirBase: 08fc0320  ObjectTable: e1e468a8  HandleCount:  39.
    Image: notepad.exe

kd> dt /t nt!_PEB 7ffdd000
   +0x000 InheritedAddressSpace : 0 ''
   … …
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   … …

kd> dt /t nt!_RTL_USER_PROCESS_PARAMETERS 0x00020000
   +0x000 MaximumLength    : 0x1000
   … …
   +0x024 CurrentDirectory : _CURDIR
   +0x030 DllPath          : _UNICODE_STRING "C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
   +0x038 ImagePathName    : _UNICODE_STRING "C:\WINDOWS\system32\notepad.exe"
   +0x040 CommandLine      : _UNICODE_STRING ""C:\WINDOWS\system32\notepad.exe" "
   … …

Programmatically, here are the steps to get the full path from a process id:

  1. Call ZwOpenProcess to get a handle to the process.
  2. Allocate a large enough buffer and call ZwQueryInformationProcess with the ProcessImageFileName class to get the full device path.
  3. Call ZwOpenFile with the device path to open the file; if this step fails (e.g. because of access denied), call ZwClose on the process handle from step 1 and jump to step 10.
  4. Call ObReferenceObjectByHandle with the handle from step 3 to get a pointer to the handle's FILE_OBJECT.
  5. Call IoQueryFileDosDeviceName to get the full DOS path of the process.
  6. Call ExFreePool to free the memory returned by IoQueryFileDosDeviceName.
  7. Call ObDereferenceObject to dereference the FILE_OBJECT from step 4.
  8. Call ZwClose on the file handle from step 3 and on the process handle from step 1.
  9. Job is done.
  10. Call ObReferenceObjectByHandle to get a pointer to the EPROCESS of the process handle from step 1.
  11. Call KeStackAttachProcess to switch the current thread into the context of the process specified by the pid.
  12. Call ZwOpenProcess again with the pid to get a new process handle, since the process handle from step 1 is not valid in the current process.
  13. Call ZwQueryInformationProcess with the ProcessBasicInformation class to get the process basic information; the full DOS path is located at PROCESS_BASIC_INFORMATION.PebBaseAddress->ProcessParameters->ImagePathName.
  14. Call ZwClose on the process handle from step 12.
  15. Call KeUnstackDetachProcess to switch back to the original process context.
  16. Call ObDereferenceObject to dereference the EPROCESS pointer from step 10.
  17. Call ZwClose on the process handle from step 1.
  18. Job is done.
Posted on April 26, 2011, in Uncategorized.