On Vista and above there is an information class for NtQuerySystemInformation which I call SystemProcessImageNameInformation (88). (Note that I reverse-engineered this, so it is probably not the correct name for the information class.) The structure definition is below:
typedef struct _SYSTEM_PROCESS_IMAGE_NAME_INFORMATION
{
HANDLE ProcessId;
UNICODE_STRING ImageName;
} SYSTEM_PROCESS_IMAGE_NAME_INFORMATION, *PSYSTEM_PROCESS_IMAGE_NAME_INFORMATION;
This information class allows you to get the image file name of any process, regardless of your user, privileges, or access to the process. Usage:
/* NTSTATUS, UNICODE_STRING and the NtQuerySystemInformation prototype come from
   <winternl.h> (after <windows.h>); STATUS_INFO_LENGTH_MISMATCH comes from <ntstatus.h>. */
NTSTATUS status;
PVOID buffer;
SYSTEM_PROCESS_IMAGE_NAME_INFORMATION info;
buffer = malloc(0x100);
info.ProcessId = WhateverTheProcessIdIs;
info.ImageName.Length = 0;
info.ImageName.MaximumLength = (USHORT)0x100;
info.ImageName.Buffer = buffer;
status = NtQuerySystemInformation(88, &info, sizeof(info), NULL);
if (status == STATUS_INFO_LENGTH_MISMATCH)
{
    // Our buffer was too small. The required buffer length is stored in MaximumLength.
    free(buffer);
    buffer = malloc(info.ImageName.MaximumLength);
    info.ImageName.Buffer = buffer;
    status = NtQuerySystemInformation(88, &info, sizeof(info), NULL);
}
if (NT_SUCCESS(status))
{
    // Length is in bytes and the string is not NUL-terminated, so print exactly
    // Length / 2 wide characters; %ls is the wide-string conversion on both MSVC and standard C.
    wprintf(L"File name: %.*ls\n", info.ImageName.Length / 2, info.ImageName.Buffer);
}
free(buffer);
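A complete, buildable version of the query above, added here as an example (it is not code from the original post). Names suffixed with _T, the fake_query stand-in, the sample paths and the PIDs 1234 and 5678 are constructed for this example so the file compiles without <winternl.h>; on Windows it resolves NtQuerySystemInformation from ntdll at run time, elsewhere it runs the same two-step buffer protocol against the stand-in. Note that what comes back is an NT device path (\Device\HarddiskVolumeN\...), not a Win32 path, and that the function needs no handle to the target process, which is why the kernel does not consult the process's DACL here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define QUERY_CALL NTAPI
#else
#define QUERY_CALL
#endif

/* Local mirrors of the NT definitions (constructed names, so no winternl.h is needed). */
typedef int32_t NTSTATUS_T;
#define STATUS_SUCCESS_T              ((NTSTATUS_T)0x00000000)
#define STATUS_INVALID_INFO_CLASS_T   ((NTSTATUS_T)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH_T ((NTSTATUS_T)0xC0000004)
#define STATUS_NO_MEMORY_T            ((NTSTATUS_T)0xC0000017)
#define NT_SUCCESS_T(s) ((s) >= 0)
#define SYSTEM_PROCESS_ID_INFORMATION_CLASS 88u   /* SystemProcessIdInformation */

/* Length and MaximumLength are byte counts; Buffer is UTF-16LE and not NUL-terminated. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING_T;
typedef struct { void *ProcessId; UNICODE_STRING_T ImageName; } SYSTEM_PROCESS_ID_INFORMATION_T;

typedef NTSTATUS_T (QUERY_CALL *query_fn)(uint32_t, void *, uint32_t, uint32_t *);

/* Query the image path of pid through `query`, retrying once with the size the kernel
 * reports in MaximumLength. The UTF-16 result is narrowed into `out` (non-ASCII -> '?'). */
NTSTATUS_T query_image_name(query_fn query, uintptr_t pid, char *out, size_t out_len)
{
    SYSTEM_PROCESS_ID_INFORMATION_T info;
    NTSTATUS_T status;
    size_t chars, i;

    if (out_len == 0) return STATUS_NO_MEMORY_T;
    out[0] = '\0';
    memset(&info, 0, sizeof info);
    info.ProcessId = (void *)pid;             /* HANDLE-sized field carrying the PID value */
    info.ImageName.MaximumLength = 0x100;     /* first attempt, same size as in the post */
    info.ImageName.Buffer = malloc(info.ImageName.MaximumLength);
    if (!info.ImageName.Buffer) return STATUS_NO_MEMORY_T;

    status = query(SYSTEM_PROCESS_ID_INFORMATION_CLASS, &info, (uint32_t)sizeof info, NULL);
    if (status == STATUS_INFO_LENGTH_MISMATCH_T) {
        /* Required byte count came back in MaximumLength: grow once and retry. */
        uint16_t *bigger = realloc(info.ImageName.Buffer, info.ImageName.MaximumLength);
        if (!bigger) { free(info.ImageName.Buffer); return STATUS_NO_MEMORY_T; }
        info.ImageName.Buffer = bigger;
        info.ImageName.Length = 0;
        status = query(SYSTEM_PROCESS_ID_INFORMATION_CLASS, &info, (uint32_t)sizeof info, NULL);
    }
    if (NT_SUCCESS_T(status)) {
        chars = info.ImageName.Length / 2;    /* bytes -> UTF-16 code units */
        if (chars > out_len - 1) chars = out_len - 1;
        for (i = 0; i < chars; i++)
            out[i] = info.ImageName.Buffer[i] < 0x80 ? (char)info.ImageName.Buffer[i] : '?';
        out[chars] = '\0';
    }
    free(info.ImageName.Buffer);
    return status;
}

/* Constructed stand-in for the system call so the protocol can run off-Windows. It behaves
 * like the kernel: reports STATUS_INFO_LENGTH_MISMATCH plus the needed size when the buffer
 * is too small. PID 1234 gets a path that fits 0x100 bytes, PID 5678 one that forces the retry. */
const char *FAKE_SHORT_PATH = "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe";
const char *FAKE_LONG_PATH  = "\\Device\\HarddiskVolume1\\Program Files\\Constructed Vendor Name"
    "\\Constructed Product With A Long Directory Name\\bin\\x64\\release\\service_host_worker.exe";
int fake_calls;   /* how many times the stand-in was invoked */

NTSTATUS_T QUERY_CALL fake_query(uint32_t cls, void *buf, uint32_t len, uint32_t *ret)
{
    SYSTEM_PROCESS_ID_INFORMATION_T *info = buf;
    const char *path;
    size_t needed, i;
    (void)ret;
    fake_calls++;
    if (cls != SYSTEM_PROCESS_ID_INFORMATION_CLASS || len != sizeof *info) return STATUS_INVALID_INFO_CLASS_T;
    path = (uintptr_t)info->ProcessId == 5678 ? FAKE_LONG_PATH : FAKE_SHORT_PATH;
    needed = (strlen(path) + 1) * 2;          /* bytes, including a terminator slot */
    if (info->ImageName.MaximumLength < needed) {
        info->ImageName.MaximumLength = (uint16_t)needed;
        return STATUS_INFO_LENGTH_MISMATCH_T;
    }
    for (i = 0; path[i]; i++) info->ImageName.Buffer[i] = (uint16_t)(unsigned char)path[i];
    info->ImageName.Length = (uint16_t)(i * 2);
    return STATUS_SUCCESS_T;
}

int main(int argc, char **argv)
{
    char path[1024];
    NTSTATUS_T st;
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    query_fn q = ntdll ? (query_fn)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    uintptr_t pid = argc > 1 ? (uintptr_t)strtoul(argv[1], NULL, 10) : (uintptr_t)GetCurrentProcessId();
    if (!q) { fputs("ntdll!NtQuerySystemInformation not found\n", stderr); return 1; }
#else
    query_fn q = fake_query;                  /* off Windows: exercise the stand-in */
    uintptr_t pid = argc > 1 ? (uintptr_t)strtoul(argv[1], NULL, 10) : 5678;
#endif
    st = query_image_name(q, pid, path, sizeof path);
    if (NT_SUCCESS_T(st)) printf("PID %lu image: %s\n", (unsigned long)pid, path);
    else printf("query failed: NTSTATUS 0x%08lX\n", (unsigned long)(uint32_t)st);
    return NT_SUCCESS_T(st) ? 0 : 1;
}
```

Run it on Windows with a PID as the only argument (it defaults to its own PID); the retry branch is the part worth keeping exact, since the first call's failure status is the only signal that MaximumLength now holds the required size.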
Nice research. Not working on XP / 2003?
Yes, I mention “Vista and above” in both the title and introduction…
wj32,
The correct name of the structure is SystemProcessIdInformation.
Here are the rest as well:
enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0x0,
SystemProcessorInformation = 0x1,
SystemPerformanceInformation = 0x2,
SystemTimeOfDayInformation = 0x3,
SystemPathInformation = 0x4,
SystemProcessInformation = 0x5,
SystemCallCountInformation = 0x6,
SystemDeviceInformation = 0x7,
SystemProcessorPerformanceInformation = 0x8,
SystemFlagsInformation = 0x9,
SystemCallTimeInformation = 0xa,
SystemModuleInformation = 0xb,
SystemLocksInformation = 0xc,
SystemStackTraceInformation = 0xd,
SystemPagedPoolInformation = 0xe,
SystemNonPagedPoolInformation = 0xf,
SystemHandleInformation = 0x10,
SystemObjectInformation = 0x11,
SystemPageFileInformation = 0x12,
SystemVdmInstemulInformation = 0x13,
SystemVdmBopInformation = 0x14,
SystemFileCacheInformation = 0x15,
SystemPoolTagInformation = 0x16,
SystemInterruptInformation = 0x17,
SystemDpcBehaviorInformation = 0x18,
SystemFullMemoryInformation = 0x19,
SystemLoadGdiDriverInformation = 0x1a,
SystemUnloadGdiDriverInformation = 0x1b,
SystemTimeAdjustmentInformation = 0x1c,
SystemSummaryMemoryInformation = 0x1d,
SystemMirrorMemoryInformation = 0x1e,
SystemPerformanceTraceInformation = 0x1f,
SystemObsolete0 = 0x20,
SystemExceptionInformation = 0x21,
SystemCrashDumpStateInformation = 0x22,
SystemKernelDebuggerInformation = 0x23,
SystemContextSwitchInformation = 0x24,
SystemRegistryQuotaInformation = 0x25,
SystemExtendServiceTableInformation = 0x26,
SystemPrioritySeperation = 0x27,
SystemVerifierAddDriverInformation = 0x28,
SystemVerifierRemoveDriverInformation = 0x29,
SystemProcessorIdleInformation = 0x2a,
SystemLegacyDriverInformation = 0x2b,
SystemCurrentTimeZoneInformation = 0x2c,
SystemLookasideInformation = 0x2d,
SystemTimeSlipNotification = 0x2e,
SystemSessionCreate = 0x2f,
SystemSessionDetach = 0x30,
SystemSessionInformation = 0x31,
SystemRangeStartInformation = 0x32,
SystemVerifierInformation = 0x33,
SystemVerifierThunkExtend = 0x34,
SystemSessionProcessInformation = 0x35,
SystemLoadGdiDriverInSystemSpace = 0x36,
SystemNumaProcessorMap = 0x37,
SystemPrefetcherInformation = 0x38,
SystemExtendedProcessInformation = 0x39,
SystemRecommendedSharedDataAlignment = 0x3a,
SystemComPlusPackage = 0x3b,
SystemNumaAvailableMemory = 0x3c,
SystemProcessorPowerInformation = 0x3d,
SystemEmulationBasicInformation = 0x3e,
SystemEmulationProcessorInformation = 0x3f,
SystemExtendedHandleInformation = 0x40,
SystemLostDelayedWriteInformation = 0x41,
SystemBigPoolInformation = 0x42,
SystemSessionPoolTagInformation = 0x43,
SystemSessionMappedViewInformation = 0x44,
SystemHotpatchInformation = 0x45,
SystemObjectSecurityMode = 0x46,
SystemWatchdogTimerHandler = 0x47,
SystemWatchdogTimerInformation = 0x48,
SystemLogicalProcessorInformation = 0x49,
SystemWow64SharedInformationObsolete = 0x4a,
SystemRegisterFirmwareTableInformationHandler = 0x4b,
SystemFirmwareTableInformation = 0x4c,
SystemModuleInformationEx = 0x4d,
SystemVerifierTriageInformation = 0x4e,
SystemSuperfetchInformation = 0x4f,
SystemMemoryListInformation = 0x50,
SystemFileCacheInformationEx = 0x51,
SystemThreadPriorityClientIdInformation = 0x52,
SystemProcessorIdleCycleTimeInformation = 0x53,
SystemVerifierCancellationInformation = 0x54,
SystemProcessorPowerInformationEx = 0x55,
SystemRefTraceInformation = 0x56,
SystemSpecialPoolInformation = 0x57,
SystemProcessIdInformation = 0x58,
SystemErrorPortInformation = 0x59,
SystemBootEnvironmentInformation = 0x5a,
SystemHypervisorInformation = 0x5b,
SystemVerifierInformationEx = 0x5c,
SystemTimeZoneInformation = 0x5d,
SystemImageFileExecutionOptionsInformation = 0x5e,
SystemCoverageInformation = 0x5f,
SystemPrefetchPatchInformation = 0x60,
SystemVerifierFaultsInformation = 0x61,
SystemSystemPartitionInformation = 0x62,
SystemSystemDiskInformation = 0x63,
SystemProcessorPerformanceDistribution = 0x64,
SystemNumaProximityNodeInformation = 0x65,
SystemDynamicTimeZoneInformation = 0x66,
SystemCodeIntegrityInformation = 0x67,
SystemProcessorMicrocodeUpdateInformation = 0x68,
SystemProcessorBrandString = 0x69,
SystemVirtualAddressInformation = 0x6a,
MaxSystemInfoClass = 0x6b,
};
So I presume you’ve had access to the Vista kernel source code to verify the “correct name”?