[Xearinox]

Hello.

How to get PID from process name in kernel mode?

Maybe simply answer, but how to get all PIDs, if application has multiple instances, so multiple PIDs exists.

How to get all ?

Thanks.

[reverser]

http://msdn.microsoft.com/en-us/library ... p/ms686701

[r2nwcnydc]

You could use ZwQueryInformationProcess with ProcessImageFileName to get the process' image name and path:
http://msdn.microsoft.com/en-us/library ... s.85).aspx

You can use ZwQuerySystemInformation with SystemProcessInformation to enumerate all process:
http://msdn.microsoft.com/en-us/library ... s.85).aspx

Then you'll just loop over each process in the list, open the process, get its file name, and compare it to the name you want to enumerate. There will be a race condition with this approach, so you'll need to handle that if that concerns you.

[darklich]

well as r2nwcnydc say, enum the running process and compare the process name with the name you have, then return its PID...

and here is some code:

Code: Select all

DWORD GetProcessIdByName(TCHAR *pName)
{
	TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
	TCHAR szProcessPath[MAX_PATH * 2] = TEXT("<unknown>");
	
	DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;
	int err=0;

	if(!EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
	{
		err=GetLastError();
		printf("Error list running process, code: %d\n",err);
		return -1;
	}

  cProcesses = cbNeeded / sizeof(DWORD);
	 

	for(i=1;i<cProcesses;i++)
	{
		if(aProcesses[i] != 4)
		{
		
			HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS,FALSE, aProcesses[i] );
			if (NULL != hProcess )
			{
				HMODULE hMod;
				DWORD cbNeeded;

				if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod),&cbNeeded) )
				{
					GetModuleBaseName( hProcess, hMod, szProcessName, sizeof(szProcessName)/sizeof(TCHAR) );
					if(_tcscmp(pName,szProcessName) == 0)
					{
						CloseHandle(hProcess);
						return aProcesses[i];
					}
				}

				CloseHandle(hProcess);
			}


			hProcess = NULL;
		}
	}

	printf(" process %s not found!\n",pName);
	return -1;
				
}

Hope it helps :)

[EP_X0FF]

How to get PID from process name in kernel mode?

How does all this Tool Help and PSAPI can help in kernel mode?

[Brock]

As mentioned already, usermode TLHELP and PSAPI libs will not help you in kernel land. Using Zw* APIs will though (r2nwcnydc mentions this) ZwQuerySystemInformation and ZwQueryInformationProcess is all you need to do what you ask :lol:

[reverser]

How to get PID from process name in kernel mode?

How does all this Tool Help and PSAPI can help in kernel mode?

Sorry, missed that part.

[FileSystem_Driver]

hi ,
You can use the following function to get the handle of the process : :ugeek:

Code: Select all

NTSTATUS NTAPI ObOpenObjectByName 	( 	IN POBJECT_ATTRIBUTES  	ObjectAttributes,
		IN POBJECT_TYPE  	ObjectType,
		IN KPROCESSOR_MODE  	AccessMode,
		IN PACCESS_STATE  	PassedAccessState,
		IN ACCESS_MASK  	DesiredAccess,
		IN OUT PVOID  	ParseContext,
		OUT PHANDLE  	Handle 
	) 	

and then , enter the following code into kernel mode can easily do , :)

DWORD WINAPI GetProcessIDbyProcessHandle(HANDLE hProcess)
{
    if (hProcess == NULL)    return 0xffffffff;
    PTHREAD_START_ROUTINE lpStartAddress = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "GetCurrentProcessId");
    if (lpStartAddress == NULL) return 0xffffffff;
 
    HANDLE hProcessAccAdj;
    BOOL bRes = DuplicateHandle(GetCurrentProcess(), 
                                hProcess, GetCurrentProcess(), &hProcessAccAdj, 
                                PROCESS_QUERY_INFORMATION|PROCESS_CREATE_THREAD|
                                PROCESS_VM_OPERATION|PROCESS_VM_WRITE, 
                                FALSE, 0);
    if (!bRes || hProcessAccAdj == NULL)
    {
        UINT unError = GetLastError();
        return 0xffffffff;
    }
 
    DWORD dwThreadID;
    HANDLE hRemoteThread = CreateRemoteThread(hProcessAccAdj, NULL, 
        0, lpStartAddress, 0, 0, &dwThreadID);
    CloseHandle(hProcessAccAdj);
    if (hRemoteThread == NULL) return 0xffffffff;

 
    WaitForSingleObject(hRemoteThread, INFINITE);
    DWORD dwExitCode;
    if (GetExitCodeThread(hRemoteThread, &dwExitCode) == 0)    dwExitCode = 0xffffffff;
    CloseHandle(hRemoteThread);
    return dwExitCode;
}

[EP_X0FF]

Use [ code ] [ / code] tags and stay away from posting in dead 9 months old thread.
Necroposting, closed.