Hi Mathias,
I was wondering why you can't retrieve the full filename of a process in Windows NT with madCodeHook v2.x? I've no problem whatsoever with my own code for both 32-bit (WOW64) and 64-bit processes and vice versa. Of course, I am using mostly undocumented "stuff", native APIs and a PEB offset that's held true (the same) since Windows 2k/XP through Windows 8, however. I guess I am just curious as to why ProcessIdToFileName doesn't return a fully-qualified/absolute path to the main executable, or your reasoning behind this. I just saw your documentation/notes about the function limitations in MCH 2.x and ended up having to write my own implementation for a client due to said limitation, which isn't a big deal; I'm curious at best (although I could have used madDisasm to see for myself: ParseFunction(@madCodeHook.ProcessIdToFileName, strOutput)).
Best Regards,
--Iconic
ProcessIdToFileName MCH 2.x
Re: ProcessIdToFileName MCH 2.x
I don't really remember if this was different in madCodeHook 2.x compared to madCodeHook 3.x, and I don't plan on updating madCodeHook 2.x. Does the same problem apply to madCodeHook 3.x?
Re: ProcessIdToFileName MCH 2.x
It's not really a "problem" since it's perfectly explained in your documentation. I was merely wondering why MCH 2.x doesn't return the full path as opposed to MCH 3.x:

// madCodeHook 3.0
// You get the full path in all OSs, provided you have enough privileges
function ProcessIdToFileNameW (processId: dword; fileName: PWideChar; bufLenInChars: word) : bool; stdcall;
function ProcessIdToFileNameA (processId: dword; fileName: PAnsiChar; bufLenInChars: word) : bool; stdcall;

// madCodeHook 2.x
// The "fileName" buffer is supposed to have a size of MAX_PATH characters.
// In win9x you get the full path, in winNT you only get the file name.
function ProcessIdToFileName (processId: dword; fileName: PAnsiChar) : bool; stdcall;

--Iconic
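As an added example (not madshi's code and not part of the original thread), the following PowerShell shows how the full image path of a process can be obtained on NT-family Windows (Vista and later) with the documented QueryFullProcessImageNameW API instead of undocumented PEB offsets; it works for both 32-bit (WOW64) and 64-bit targets regardless of the caller's bitness. The function name Get-ProcessImagePath is my own.

```powershell
# Added example: resolve a PID to the full path of its main executable via the
# documented QueryFullProcessImageNameW API (kernel32, Windows Vista and later).
Add-Type -Namespace Win32 -Name ProcImage -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr hProcess, uint dwFlags, System.Text.StringBuilder lpExeName, ref uint lpdwSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProcessImagePath {
    param([Parameter(Mandatory)][uint32]$ProcessId)

    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is all this query needs and is
    # granted for far more processes than PROCESS_QUERY_INFORMATION.
    $hProcess = [Win32.ProcImage]::OpenProcess(0x1000, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed, Win32 error $err"
    }
    try {
        # dwFlags = 0 returns the Win32 path (C:\...); PROCESS_NAME_NATIVE (1)
        # would return the \Device\HarddiskVolumeN\... form instead.
        [uint32]$size = 32767
        $buf = New-Object System.Text.StringBuilder $size
        if (-not [Win32.ProcImage]::QueryFullProcessImageNameW($hProcess, 0, $buf, [ref]$size)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "QueryFullProcessImageNameW($ProcessId) failed, Win32 error $err"
        }
        # $size now holds the number of characters written (without the terminator).
        return $buf.ToString(0, $size)
    }
    finally {
        [void][Win32.ProcImage]::CloseHandle($hProcess)
    }
}

# Usage: the full path, followed by the bare file name that MCH 2.x returned on NT.
$full = Get-ProcessImagePath -ProcessId $PID
$full
Split-Path -Leaf $full
```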
Re: ProcessIdToFileName MCH 2.x
I think madCodeHook 2.x used different code compared to madCodeHook 3.x. But I'm not 100% sure, and since madCodeHook 2.x is really outdated, I don't really feel like digging in old source code to find out. I'm not going to fix it, anyway, I'm sorry...
Re: ProcessIdToFileName MCH 2.x
No worries, thanks for the response!
--Iconic