[PATCH 1/2] ntoskrnl.exe: Implement IoGetCurrentProcess and KeGetCurrentThread.
titan.costa at gmail.com
Thu Oct 4 06:39:58 CDT 2012
2012/10/4 Thomas Faber <thfabba at gmx.de>
> On 2012-10-04 13:07, Christian Costa wrote:
> > 2012/10/4 Paul Chitescu <paulc at voip.null.ro>
> >> AFAIK the structure differs for each major version of Windows and some
> >> too.
> > I was expecting something like this. :(
> >> At the minimum I saw some drivers expecting that at the returned pointer
> >> to be
> >> a "System" C-style string.
> > Which Windows version is it? In the Vista definition the first basic element
> > can be either a UCHAR or a ULONG. Not a char buffer.
> What all versions have in common is that processes are dispatcher
> objects. Thus the EPROCESS/KPROCESS structure starts with a
I know. And in DISPATCHER_HEADER, the first type can be either a UCHAR or
That said, I found why your patch works for you:
> The process name offset can be found from peprocess but you should
> write a simple code.
> First of all call PsGetCurrentProcess() to achieve the address of
> peprocess of current process then search for the string "System"
> in the increasing offsets from peprocess. If you find "System" string,
> the related offset is the name offset.
Found at http://www.osronline.com/showthread.cfm?link=157240
So "system" should be elsewhere in the structure. Probably ImageFileName.
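
The scan described in the quoted OSR post, as an added example that is not part of the original message or of the Wine patch: a user-mode C simulation over a constructed buffer. The buffer size, the 0x174 offset, the header byte and the one-page scan limit are assumptions for illustration, not real EPROCESS values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an opaque EPROCESS blob: the real layout is
 * version-specific and is not given in the thread. */
#define FAKE_EPROCESS_SIZE 0x400
#define FAKE_NAME_OFFSET   0x174   /* hypothetical offset, demo only */
#define SCAN_LIMIT         0x1000  /* assumption: scan stays within one page */

/* Return the offset of the NUL-terminated string `name` inside the object,
 * or -1 if it does not occur within the bounded range. */
static long find_name_offset(const unsigned char *obj, size_t obj_size,
                             const char *name)
{
    size_t need = strlen(name) + 1;   /* include the terminator */
    size_t limit = obj_size < SCAN_LIMIT ? obj_size : SCAN_LIMIT;

    if (need > limit)
        return -1;
    for (size_t off = 0; off + need <= limit; off++)
        if (memcmp(obj + off, name, need) == 0)
            return (long)off;
    return -1;
}

/* Build the fake object; with_name=0 models a stub that hands back a
 * zeroed block, the case where the scan finds nothing. */
static void build_fake_eprocess(unsigned char *obj, int with_name)
{
    memset(obj, 0, FAKE_EPROCESS_SIZE);
    obj[0] = 0x03;                    /* constructed header type byte */
    if (with_name)
        memcpy(obj + FAKE_NAME_OFFSET, "System", sizeof("System"));
}

static long demo_offset(int with_name)
{
    unsigned char obj[FAKE_EPROCESS_SIZE];
    build_fake_eprocess(obj, with_name);
    return find_name_offset(obj, sizeof(obj), "System");
}

int main(void)
{
    printf("with name: %ld, zeroed stub: %ld\n", demo_offset(1), demo_offset(0));
    return 0;
}
```

The -1 result is what a driver scanning this way sees when the object returned to it carries no "System" string within the range it searches.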