2012/10/4 Thomas Faber <thfabba@gmx.de>
On 2012-10-04 13:07, Christian Costa wrote:
> 2012/10/4 Paul Chitescu <paulc@voip.null.ro>
>> AFAIK the structure differs for each major version of Windows and some SP
>> too.
>>
>>
> I was expecting something like this. :(
>
>
>> At the minimum I saw some drivers expecting the returned pointer to
>> point to a "System" C-style string.
>>
>
> Which Windows version is it? In the Vista definition the first basic element
> can be either a UCHAR or a ULONG. Not a char buffer.

What all versions have in common is that processes are dispatcher
objects. Thus the EPROCESS/KPROCESS structure starts with a
DISPATCHER_HEADER.

I know. And in DISPATCHER_HEADER, the first type can be either a UCHAR or a ULONG.

That said, I found why your patch works for you:

> The process name offset can be found from peprocess, but you should write some simple code.
> First of all, call PsGetCurrentProcess() to get the address of the peprocess of the current process, then search for the string "System"
> at increasing offsets from peprocess. If you find the "System" string, the related offset is the name offset.

Found at http://www.osronline.com/showthread.cfm?link=157240

So "System" should be elsewhere in the structure. Probably ImageFileName.
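The search the OSR post describes, as an added example that is not from this thread or from any driver discussed in it: a user-mode stand-in in which a constructed buffer plays the role of the EPROCESS that PsGetCurrentProcess() would return (the layout and the offset 0x2C are made up for the demonstration), scanned forward for a NUL-terminated "System" so that a longer string sharing the prefix does not count as a hit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan an object image for the NUL-terminated string `name` and return the
 * byte offset of the first match, or -1 if it does not occur within `len`
 * bytes. In a driver the pointer would come from PsGetCurrentProcess();
 * here the caller passes a constructed buffer standing in for EPROCESS. */
long find_name_offset(const unsigned char *obj, size_t len, const char *name)
{
    size_t n = strlen(name) + 1;            /* match the terminator too */
    if (n > len)
        return -1;
    for (size_t off = 0; off + n <= len; off++) {
        if (memcmp(obj + off, name, n) == 0)
            return (long)off;
    }
    return -1;                              /* never read past `len` */
}

/* Constructed EPROCESS-like image: non-text filler where the
 * DISPATCHER_HEADER and other fields would sit, and the image file name at
 * an arbitrary offset. This layout is invented; it is not any real
 * Windows version's EPROCESS. */
#define FAKE_NAME_OFFSET 0x2C
static unsigned char fake_eprocess[0x60];

/* Build the fake structure and run the heuristic against it. */
long demo(void)
{
    memset(fake_eprocess, 0xAA, sizeof fake_eprocess);
    memcpy(fake_eprocess + FAKE_NAME_OFFSET, "System", 7);   /* with NUL */
    return find_name_offset(fake_eprocess, sizeof fake_eprocess, "System");
}

int main(void)
{
    long off = demo();
    if (off < 0)
        printf("\"System\" not found\n");
    else
        printf("\"System\" found at offset 0x%lX\n", off);
    return 0;
}
```

The scan only tells you where the first field holding that exact string lives on the machine it runs on, so a driver relying on it still needs a per-version sanity check before treating the result as ImageFileName.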