Convert ProcessID to Process Handle

Question

i am trying write basic driver for monitor process and get process path.
i create PsSetCreateProcessNotifyRoutine and retrieve Process information using ZwQueryInformationProcess
but in my ProcessCallback function when i try to get current process HANDLE using NtCurrentProcess, it give me current process that run another process .

For Example:

i try to run myProgram.exe in c:\,when i go to C:\ using windows explorer and run myProgram.exe my driver give me explorer.exe path because myProgram.exe run inside explorer.exe

i have processID in my ProcessCallback header

void ProcessCallback(
    IN HANDLE  hParentId, 
    IN HANDLE  hProcessId, 
    IN BOOLEAN bCreate
    )

.can i convert it to process handle?

I'm not certain, but it looks like you should be able to convert a process ID to a process handle using ZwOpenProcess. — Harry Johnston, Aug 27 '14 at 21:28
i am trying ZwOpenProcess but i'm not sure this is work perfectly!my driver crash and not run! — AminM, Aug 28 '14 at 16:57

score 2 · Accepted Answer · answered Sep 09 '14 at 07:35

thanks all of you for helpful comment finally i solve my problem with below code

HANDLE proc = NULL;
OBJECT_ATTRIBUTES obj_attr;
CLIENT_ID cid;

cid.UniqueProcess= hProcessId; //PsGetCurrentProcessId();
cid.UniqueThread= NULL ; //(HANDLE)0;
InitializeObjectAttributes(&obj_attr,NULL, 0, NULL, NULL);
ZwOpenProcess(&proc, PROCESS_ALL_ACCESS, &obj_attr, &cid);

Convert ProcessID to Process Handle

1 Answers1