Hi
I have a problem that I need to solve.
In the process notification callback routine I have a condition where I must access the parent process's file object.
I found some solutions, but I do not understand some cases yet.
In the file object struct I have ParentProcessId, which is not really a handle and is just a process ID,
so I must pass this value to PsLookupProcessByProcessId to get the EPROCESS struct (am I correct?).
The first issue is here:
how can I get the process name and command line from the EPROCESS?
And the next step:
I must do:
ZwDuplicateObject
ObReferenceObjectByHandle
Please guide me if I am on the wrong path.
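As an added example (not the poster's code, and not from any answer on this thread), here is a complete PsSetCreateProcessNotifyRoutineEx callback that does the parent lookup the post is asking about without going through ZwDuplicateObject/ObReferenceObjectByHandle at all. ParentProcessId in PS_CREATE_NOTIFY_INFO is a PID, so it is passed to PsLookupProcessByProcessId, which returns a referenced EPROCESS. The parent's image path comes from SeLocateProcessImageName and its image FILE_OBJECT from PsReferenceProcessFilePointer (both declared in ntifs.h); the new process's own name and command line are already in CreateInfo. The parent's command line lives in its user-mode PEB and has no documented kernel API, so it is deliberately not read here. Driver name and the DbgPrint strings are my choices; the driver must be built with the WDK and linked with /INTEGRITYCHECK for the Ex registration to succeed.

```c
#include <ntifs.h>   /* pulls in ntddk.h; needed for SeLocateProcessImageName / PsReferenceProcessFilePointer */

/*
 * Resolve the parent of a newly created process from its PID and log what we can
 * get from documented APIs. Every reference taken here is released before return.
 */
static VOID LogParentProcess(_In_ HANDLE ParentPid)
{
    PEPROCESS parent = NULL;
    NTSTATUS status = PsLookupProcessByProcessId(ParentPid, &parent);
    if (!NT_SUCCESS(status)) {
        /* A PID is not a handle: it carries no reference, so the parent may already be gone. */
        DbgPrint("[procmon] parent pid %p lookup failed: 0x%08X\n", ParentPid, status);
        return;
    }
    /* We now own one reference on the parent EPROCESS; the struct itself is opaque, do not poke fields. */

    PUNICODE_STRING imagePath = NULL;
    status = SeLocateProcessImageName(parent, &imagePath);   /* full NT path of the image */
    if (NT_SUCCESS(status)) {
        DbgPrint("[procmon] parent pid %p image: %wZ\n", ParentPid, imagePath);
        ExFreePool(imagePath);                               /* caller frees the string */
    } else {
        DbgPrint("[procmon] SeLocateProcessImageName failed: 0x%08X\n", status);
    }

    /* The "parent process file object" the post asks for: the FILE_OBJECT backing the image section. */
    PVOID fileObject = NULL;
    status = PsReferenceProcessFilePointer(parent, &fileObject);
    if (NT_SUCCESS(status)) {
        PFILE_OBJECT fo = (PFILE_OBJECT)fileObject;
        DbgPrint("[procmon] parent FILE_OBJECT %p, FileName %wZ\n", fo, &fo->FileName);
        ObDereferenceObject(fileObject);                     /* release the reference it returned */
    } else {
        DbgPrint("[procmon] PsReferenceProcessFilePointer failed: 0x%08X\n", status);
    }

    ObDereferenceObject(parent);                             /* release the lookup reference */
}

static VOID CreateProcessNotifyEx(
    _Inout_   PEPROCESS              Process,
    _In_      HANDLE                 ProcessId,
    _In_opt_  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo == NULL) {
        return;                                              /* NULL CreateInfo means process exit */
    }

    /* Name and command line of the NEW process are handed to us directly; no lookup needed. */
    DbgPrint("[procmon] new pid %p image: %wZ\n", ProcessId, CreateInfo->ImageFileName);
    if (CreateInfo->CommandLine != NULL) {                   /* CommandLine is optional per the docs */
        DbgPrint("[procmon]   cmdline: %wZ\n", CreateInfo->CommandLine);
    }

    /* ParentProcessId is a PID; CreatingThreadId.UniqueProcess can differ when the creator
       is not the parent (e.g. a process created with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). */
    LogParentProcess(CreateInfo->ParentProcessId);
}

static VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);   /* TRUE = remove */
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status)) {
        /* STATUS_ACCESS_DENIED here almost always means the image lacks /INTEGRITYCHECK. */
        DbgPrint("[procmon] PsSetCreateProcessNotifyRoutineEx failed: 0x%08X\n", status);
    }
    return status;
}
```

Two points worth checking in your own version: the callback runs in the context of the creating thread, so anything that needs the parent's user-mode address space (its PEB command line) would require KeStackAttachProcess and undocumented layouts, and every PsLookupProcessByProcessId / PsReferenceProcessFilePointer success must be paired with exactly one ObDereferenceObject or the objects leak until reboot.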