ProcessIdToFileName MCH 2.x

c++ / delphi package - dll injection and api hooking
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

ProcessIdToFileName MCH 2.x

Post by iconic »

Hi Mathias,

I was wondering why you can't retrieve the full filename of a process in Windows NT with madCodeHook v2.x? I've no problem whatsoever with my own code for both 32-bit (WOW64) and 64-bit processes <-> vice versa. Of course, I am using mostly undocumented "stuff" and using native APIs and a PEB offset that's held true (the same) since Windows 2k/XP through Windows 8, however. I guess I am just curious as to why ProcessIdToFileName doesn't return a fully-qualified/absolute path to the main executable, or your reasoning behind this. I just saw your documentation/notes about the function limitations in MCH 2.x and ended up having to write my own implementation for a client due to said limitation, which isn't a big deal; curious at best (although I could have used madDisasm to see for myself: ParseFunction(@madCodeHook.ProcessIdToFileName, strOutput) ;)

Best Regards,
--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: ProcessIdToFileName MCH 2.x

Post by madshi »

I don't really remember if this was different in madCodeHook 2.x compared to madCodeHook 3.x, and I don't plan on updating madCodeHook 2.x. Does the same problem apply to madCodeHook 3.x?

Re: ProcessIdToFileName MCH 2.x

Post by iconic »

It's not really a "problem" since it's perfectly explained in your documentation:
// madCodeHook 3.0
// You get the full path in all OSs, provided you have enough privileges
function ProcessIdToFileNameW (processId: dword; fileName: PWideChar; bufLenInChars: word) : bool; stdcall;
function ProcessIdToFileNameA (processId: dword; fileName: PAnsiChar; bufLenInChars: word) : bool; stdcall;

// madCodeHook 2.x
// The "fileName" buffer is supposed to have a size of MAX_PATH characters.
// In win9x you get the full path, in winNT you only get the file name.
function ProcessIdToFileName (processId: dword; fileName: PAnsiChar) : bool; stdcall;
I was merely wondering why MCH 2.x doesn't return the full path as opposed to MCH 3.x.

--Iconic
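Added example (editor's note: this is neither madCodeHook code nor iconic's client implementation): a Delphi console program that resolves a PID to a fully-qualified path on NT-based Windows without a PEB offset. It uses QueryFullProcessImageNameW on Vista and later and, as the fallback for 2000/XP/2003, NtQueryInformationProcess with ProcessImageFileName plus a QueryDosDevice device-to-drive mapping. Both calls work from a 32-bit (WOW64) caller against a 64-bit target and the other way round, which is the case a PEB read from 32-bit code has to special-case. The names ProcessIdToFullPath and NativeToDosPath are invented for this example; the API names and the value 27 for ProcessImageFileName are the real ones. For what it is worth, the "Win9x full path / NT file name only" split documented for 2.x is exactly what Toolhelp32's PROCESSENTRY32.szExeFile yields on those two platform families; that 2.x actually used Toolhelp is my assumption, not something stated in this thread.

```delphi
program ProcPath;
// Added example, not madCodeHook code: PID -> full executable path on NT-based
// Windows. ProcessIdToFullPath and NativeToDosPath are names invented here.
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000; // Vista+; missing from older Windows.pas
  ProcessImageFileName = 27;                 // PROCESSINFOCLASS: native image path

type
  // UNICODE_STRING; not packed on purpose so Buffer is naturally aligned on x64 too
  TNtUnicodeString = record
    Length, MaximumLength: Word;
    Buffer: PWideChar;
  end;
  PNtUnicodeString = ^TNtUnicodeString;
  TQueryFullProcessImageNameW = function(hProcess: THandle; dwFlags: DWORD;
    lpExeName: PWideChar; var lpdwSize: DWORD): BOOL; stdcall;
  TNtQueryInformationProcess = function(ProcessHandle: THandle;
    ProcessInformationClass: DWORD; ProcessInformation: Pointer;
    ProcessInformationLength: ULONG; ReturnLength: PULONG): LongInt; stdcall;

// '\Device\HarddiskVolumeN\...' -> 'X:\...' by matching each drive letter's current
// device target; returns the native path unchanged if no drive letter matches.
function NativeToDosPath(const native: WideString): WideString;
var
  c: WideChar;
  drive, target: WideString;
  buf: array[0..MAX_PATH - 1] of WideChar;
begin
  Result := native;
  for c := 'A' to 'Z' do
  begin
    drive := c;
    drive := drive + ':';
    if QueryDosDeviceW(PWideChar(drive), buf, MAX_PATH) = 0 then
      Continue;
    target := PWideChar(@buf[0]); // first MULTI_SZ entry is the live mapping
    if (Length(native) > Length(target)) and (native[Length(target) + 1] = '\') and
       WideSameText(Copy(native, 1, Length(target)), target) then
    begin
      Result := drive + Copy(native, Length(target) + 1, MaxInt);
      Exit;
    end;
  end;
end;

function ProcessIdToFullPath(pid: DWORD; out path: WideString): Boolean;
var
  h: THandle;
  qfpin: TQueryFullProcessImageNameW;
  ntqip: TNtQueryInformationProcess;
  buf: array[0..4095] of WideChar;  // deliberately larger than MAX_PATH
  size: DWORD;
  raw: array[0..4095] of Byte;      // UNICODE_STRING header followed by the characters
  retLen: ULONG;
  us: PNtUnicodeString;
begin
  Result := False;
  path := '';
  // Least access both calls need; Vista+ grants it for elevated/protected targets that
  // refuse PROCESS_QUERY_INFORMATION. Pre-Vista rejects the unknown bit, so fall back.
  h := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid);
  if h = 0 then
    h := OpenProcess(PROCESS_QUERY_INFORMATION, False, pid);
  if h = 0 then
    Exit;
  try
    // Vista+: documented, returns a Win32 path, works across the 32/64-bit boundary.
    @qfpin := GetProcAddress(GetModuleHandle('kernel32.dll'), 'QueryFullProcessImageNameW');
    if Assigned(qfpin) then
    begin
      size := Length(buf);
      if qfpin(h, 0, buf, size) then
      begin
        SetString(path, PWideChar(@buf[0]), Integer(size));
        Result := True;
        Exit;
      end;
    end;
    // 2000/XP/2003: native device path; also works from a WOW64 caller on a 64-bit target.
    @ntqip := GetProcAddress(GetModuleHandle('ntdll.dll'), 'NtQueryInformationProcess');
    if (not Assigned(ntqip)) or
       (ntqip(h, ProcessImageFileName, @raw[0], SizeOf(raw), @retLen) <> 0) then
      Exit;
    us := PNtUnicodeString(@raw[0]);
    SetString(path, us^.Buffer, us^.Length div SizeOf(WideChar));
    path := NativeToDosPath(path);
    Result := path <> '';
  finally
    CloseHandle(h);
  end;
end;

var
  pid: DWORD;
  path: WideString;
begin
  if ParamCount >= 1 then pid := StrToInt(ParamStr(1)) else pid := GetCurrentProcessId;
  if ProcessIdToFullPath(pid, path) then WriteLn(path)
  else WriteLn(Format('PID %d: cannot resolve image path (error %d)', [pid, GetLastError]));
end.
```

Build it as a Win32 or Win64 console application (Delphi, or FPC in Delphi mode) and run procpath.exe <pid>; with no argument it reports its own image path. Two things worth knowing when you use this for real: the 3.x documentation's "provided you have enough privileges" still applies (a process you cannot open with PROCESS_QUERY_LIMITED_INFORMATION stays unresolved, and the error code tells you why), and if the fallback hands back an unmapped \Device\... path, NativeToDosPath simply found no drive letter for that volume (network or unmounted volumes), which is a real case to handle rather than a bug.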

Re: ProcessIdToFileName MCH 2.x

Post by madshi »

I think madCodeHook 2.x used different code compared to madCodeHook 3.x. But I'm not 100% sure, and since madCodeHook 2.x is really outdated, I don't really feel like digging in old source code to find out. I'm not going to fix it, anyway, I'm sorry...

Re: ProcessIdToFileName MCH 2.x

Post by iconic »

No worries, thanks for the response!

--Iconic