windows, device-driver, wdk, wdm

Convert ProcessID to Process Handle


I am trying to write a basic driver to monitor processes and get the process path.
I create a PsSetCreateProcessNotifyRoutine callback and retrieve process information using ZwQueryInformationProcess,
but in my ProcessCallback function, when I try to get the current process HANDLE using NtCurrentProcess, it gives me the current process that runs another process.

For Example:

I try to run myProgram.exe in C:\. When I go to C:\ using Windows Explorer and run myProgram.exe, my driver gives me the explorer.exe path, because myProgram.exe runs inside explorer.exe.

I have the process ID in my ProcessCallback header:

void ProcessCallback(
    IN HANDLE  hParentId, 
    IN HANDLE  hProcessId, 
    IN BOOLEAN bCreate
    )  

Can I convert it to a process handle?


Solution

  • Thanks to all of you for the helpful comments. I finally solved my problem with the code below:

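    HANDLE proc = NULL;
    OBJECT_ATTRIBUTES obj_attr;
    CLIENT_ID cid;
    NTSTATUS status;

    cid.UniqueProcess = hProcessId;  // PID passed to the notify callback
    cid.UniqueThread = NULL;         // open by process ID only
    // OBJ_KERNEL_HANDLE keeps the handle out of the calling process's handle table
    InitializeObjectAttributes(&obj_attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenProcess(&proc, PROCESS_ALL_ACCESS, &obj_attr, &cid);
    if (NT_SUCCESS(status)) {
        // ... query the process (e.g. ZwQueryInformationProcess), then release the handle
        ZwClose(proc);
    }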