i am trying to write simple driver for get full path of Image when Process executed
based on Steve Townsend Answer i write below code for my ProcessCallback that call from PsSetCreateProcessNotifyRoutine in DriverEntry of my driver:
void ProcessCallback(
IN HANDLE hParentId,
IN HANDLE hProcessId,
IN BOOLEAN bCreate
)
{
if(bCreate)
{
PEPROCESS proc = PsGetCurrentProcess();
WCHAR strBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];
UNICODE_STRING str;
str =(UNICODE_STRING*)&strBuffer;
//initialize
str.Buffer = &strBuffer[sizeof(UNICODE_STRING) / sizeof(WCHAR)];
str.Length = 0x0;
str.MaximumLength = 260 * sizeof(WCHAR);
//note that the seconds arg (27) is ProcessImageFileName
ZwQueryInformationProcess(proc, 27, &strBuffer, sizeof(strBuffer), NULL);
DbgPrint("Start @ %wZ\n", str.Buffer);
}
else
DbgPrint("PID %i Terminated",hProcessId );
}
but when i try to build my code i get below error for str =(UNICODE_STRING*)&strBuffer;
:
error cannot convert for UNICODE_STRING * To UNICODE_STRING
what's wrong??
Change UNICODE_STRING str to UNICODE_STRING *str that should work. Then pass str to the ZwQueryInformationProcess