[utsav.0202]

Hi,
I get the name of the current process in kernel mode using "PsGetProcessImageFileName" but how to get the full path name?

Thanks
Utsav

[rkhunter]

PEB-extracted way, that is documented only for Win32.

[feryno]

documented only for Win32

Never had problems obtaining the full path name under x64 using ring3 ntdll.NtQueryInformationProcess

Didn't deeper analysis before, just now wandered why my ring3 method includes path+name but ring0 PsGetProcessImageFileName only name without path.
Seems that kernel in my case calls SeLocateProcessImageName which gets all from Process->SeAuditProcessCreationInfo.ImageFileName

The PsGetProcessImageFileName gets the name from different location:

UCHAR *
PsGetProcessImageFileName(
__in PEPROCESS Process
)
{
return Process->ImageFileName;
}

[R00tKit]

find PFILE_OBJECT from PEPROCESS ( parse PEPROCESS with correct offset for each windows )

this is for windows xp

//Windows XP
PEPROCESS_TO_PSECTION_OBJECT = 0x138;
PSECTION_OBJECT_TO_PSEGMENT = 20;
PSEGMENT_TO_PCONTROL_AREA = 0;
PCONTROL_AREA_TO_PFILE_OBJECT = 36;

and then use ObQueryNameString ,that return full process path

[xqrzd]

IoQueryFileDosDeviceName works well on XP+
edit: oops nevermind, I forgot it takes a file object not a process. But you could still get a file object from the process.

[EP_X0FF]

You can try semi-documented way.

ZwQueryInformationProces with ProcessImageFileName flag to get name in native format and ProcessImageFileNameWin32 (Vista+) to get name in DOS-format.
Also take a look on PsReferenceProcessFilePointer (Vista+)