Windows 7 - How to obtain info in _EPROCESS?

Asked By leafbanan on 26-Sep-08 07:41 AM
Currently I use PsGetCurrentProcess to get the _EPROCESS structure of the
current process. I can only use pre-defined offsets to obtain info in
it, as I cannot find the definition of this structure. But the problem
is that different OSes have different _EPROCESS layouts, so my code needs to be
updated to fit a new OS in future. I wonder if there is any better
way?

Thanks in advance.




Don Burn replied on 23-Sep-08 08:06 AM
Yes, there is a better way: do not try to access _EPROCESS at all. This is a
great way to mess up a system, not to do anything useful. EPROCESS has
changed on hotfixes; how will you accommodate that?


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
Volodymyr M. Shcherbyna replied on 23-Sep-08 08:25 AM
What exactly are you trying to obtain from EPROCESS?

--
Volodymyr, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)
leafbanan replied on 26-Sep-08 07:41 AM
Currently I want the ProcessId and the image name of the current
process.
leafbanan replied on 26-Sep-08 07:41 AM
I want ProcessId and image name of the current process.
Volodymyr M. Shcherbyna replied on 24-Sep-08 03:35 AM
To obtain the process id you can use PsGetCurrentProcessId(...). To obtain the
process name you can use ZwQueryInformationProcess with the ProcessImageFileName
class. Be careful with the latter, as it is marked as "possible to change in
future OS": http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx

The functions above are way safer than accessing EPROCESS fields
directly.

HTH,

--
Volodymyr, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)
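The buffer-sizing pattern behind the ZwQueryInformationProcess advice above, as an added example that is not part of this thread. ZwQueryInformationProcess returns STATUS_INFO_LENGTH_MISMATCH and the required size when the caller's buffer is too small, and for ProcessImageFileName the result is a UNICODE_STRING header followed by the characters in the same block, holding the native device path of the image rather than a bare file name. To compile and run without the WDK, the kernel routine itself is simulated here with a constructed path, and the NT types and status codes are minimal stand-ins for the real headers; the caller-side functions ImageFileNameOfCurrentProcess and ImageBaseName are hypothetical names for the pattern a driver would implement.

```c
/* Added example, not code from the thread. The kernel API is SIMULATED so the
 * file builds outside the WDK; only the caller side mirrors real driver logic. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for NT types (in a driver these come from <ntddk.h>). */
typedef int32_t  NTSTATUS;
typedef uint16_t USHORT, WCHAR;
typedef uint32_t ULONG, *PULONG;
typedef void    *PVOID, *HANDLE;

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL           ((NTSTATUS)0xC0000001)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s)                 (((NTSTATUS)(s)) >= 0)
#define NtCurrentProcess()            ((HANDLE)(intptr_t)-1)
#define ProcessImageFileName          27   /* PROCESSINFOCLASS value */

/* Result layout for ProcessImageFileName: header first, characters after it. */
typedef struct _UNICODE_STRING {
    USHORT Length;        /* in bytes, no terminator counted */
    USHORT MaximumLength; /* in bytes */
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* ---- simulated kernel routine; the path below is a constructed sample ---- */
static const char *kConstructedImagePath =
    "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";

NTSTATUS ZwQueryInformationProcess(HANDLE ProcessHandle, ULONG InfoClass,
                                   PVOID Info, ULONG InfoLength, PULONG ReturnLength)
{
    if (ProcessHandle != NtCurrentProcess() || InfoClass != ProcessImageFileName)
        return STATUS_INVALID_PARAMETER;
    size_t chars  = strlen(kConstructedImagePath);
    ULONG  needed = (ULONG)(sizeof(UNICODE_STRING) + (chars + 1) * sizeof(WCHAR));
    if (ReturnLength) *ReturnLength = needed;       /* tell the caller how much */
    if (Info == NULL || InfoLength < needed)
        return STATUS_INFO_LENGTH_MISMATCH;
    PUNICODE_STRING us  = (PUNICODE_STRING)Info;
    WCHAR          *dst = (WCHAR *)(us + 1);        /* characters follow header */
    for (size_t i = 0; i < chars; i++) dst[i] = (WCHAR)(unsigned char)kConstructedImagePath[i];
    dst[chars]        = 0;
    us->Length        = (USHORT)(chars * sizeof(WCHAR));
    us->MaximumLength = (USHORT)((chars + 1) * sizeof(WCHAR));
    us->Buffer        = dst;
    return STATUS_SUCCESS;
}
/* ---- end of simulation ---- */

/* Driver-side pattern: ask for the size, allocate, ask again, copy out.
 * A real driver uses ExAllocatePoolWithTag/ExFreePoolWithTag instead of
 * malloc/free and must make the call at PASSIVE_LEVEL. */
NTSTATUS ImageFileNameOfCurrentProcess(char *out, size_t outSize)
{
    ULONG needed = 0;
    NTSTATUS st = ZwQueryInformationProcess(NtCurrentProcess(), ProcessImageFileName,
                                            NULL, 0, &needed);
    if (st != STATUS_INFO_LENGTH_MISMATCH || needed == 0)
        return NT_SUCCESS(st) ? STATUS_UNSUCCESSFUL : st;
    PVOID buf = malloc(needed);
    if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    st = ZwQueryInformationProcess(NtCurrentProcess(), ProcessImageFileName,
                                   buf, needed, &needed);
    if (NT_SUCCESS(st)) {
        PUNICODE_STRING us = (PUNICODE_STRING)buf;
        size_t chars = us->Length / sizeof(WCHAR);   /* Length is bytes */
        if (chars + 1 > outSize) {
            st = STATUS_BUFFER_TOO_SMALL;
        } else {
            /* UNICODE_STRING is not guaranteed NUL-terminated: copy by Length. */
            for (size_t i = 0; i < chars; i++)
                out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
            out[chars] = '\0';
        }
    }
    free(buf);
    return st;
}

/* The query yields a native device path; the image name is the last component. */
const char *ImageBaseName(const char *nativePath)
{
    const char *slash = strrchr(nativePath, '\\');
    return slash ? slash + 1 : nativePath;
}

int main(void)
{
    char path[260];
    NTSTATUS st = ImageFileNameOfCurrentProcess(path, sizeof path);
    if (!NT_SUCCESS(st)) { printf("query failed: 0x%08X\n", (unsigned)st); return 1; }
    printf("path:  %s\nimage: %s\n", path, ImageBaseName(path));
    return 0;
}
```

The two-call shape is the part worth keeping even when the simulated routine is swapped for the real one: never size the buffer from a guessed maximum path length, always honour ReturnLength, and read the string by its byte Length rather than scanning for a terminator.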
leafbanan replied on 26-Sep-08 07:41 AM
Thanks very much for your reply!

ZwQueryInformationProcess is just an internal function for Windows
itself to use and may be changed in a new OS. So I still have
to update my code in future. However, it supplies a safer way to
satisfy my requirement.
Volodymyr M. Shcherbyna replied on 25-Sep-08 04:28 AM
It's been subject to change since Windows 2k (if I am not wrong) and it's still
present in XP, Vista, Server 2008.

--
Volodymyr, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)