2012/10/4 Thomas Faber thfabba@gmx.de
On 2012-10-04 13:07, Christian Costa wrote:
2012/10/4 Paul Chitescu paulc@voip.null.ro
AFAIK the structure differs for each major version of Windows and some
SP
too.
I was expecting something like this. :(
At the minimum I saw some drivers expecting that at the returned pointer to be a "System" C-style string.
Which windows version it is ? In Vista definition the first basic element can be either an UCHAR or an ULONG. Not a char buffer.
What all versions have in common is that processes are dispatcher objects. Thus the EPROCESS/KPROCESS structure starts with a DISPATCHER_HEADER.
I known. And in DISPATCHER_HEADER, the first type can be either an UCHAR or an ULONG.
That said I found why your patch works for you :
The process name offset can be founded form peprocess but you should
write a simple code.
First of all call PsGetCurrentProcess() to achieve the address of
peprocess of current process then search for the string "System"
in the increasing offsets form peprocess. If you find "System " string ,
the related offset is the name offset.
Found at http://www.osronline.com/showthread.cfm?link=157240
So "system" should be elsewhere in the structure. Probably ImageFileName.