I call PsGetCurrentProcess to get a PEPROCESS structure. How can I read the PE header of my process in kernel mode, something like this code which does that in user mode?
My goal is to get version info from the PE header.
I recommend obtaining this information when the process is created. You can use PsSetCreateProcessNotifyRoutine(Ex) to be notified when a new process is created. PsSetLoadImageNotifyRoutine informs you when a PE file (including the process's main executable) is mapped into the virtual address space.

It is a bad idea to read the version information from the process's memory once the process is fully initialized and running. The process has full control over its PE file mapping, so it can fake the version info. What's more, you can access usermode memory only at low IRQL (PASSIVE_LEVEL). Minifilter callbacks may be called at APC_LEVEL/DISPATCH_LEVEL too.

Martin Drab
Thank you very much. If so, how can I get the version information? I've asked this question [here](http://stackoverflow.com/questions/39406393/whats-the-equivalent-of-getfileversioninfo-in-driver) and still did not get an answer; I would be grateful if you could help. – codeDom Sep 09 '16 at 11:59
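As an added example (not the answerer's or the asker's code): the header-walking step that would run inside a PsSetLoadImageNotifyRoutine callback over the freshly mapped image, written here as portable C over a constructed buffer so it compiles and runs anywhere. It treats the mapping as untrusted input, bounds-checking every field before using it, then reads the version fields of the optional header and locates the resource data directory (index 2), which is where the VS_VERSIONINFO resource lives; walking that resource tree is not shown. In a driver the buffer would be ImageBase/ImageSize from the IMAGE_INFO the callback receives, read at PASSIVE_LEVEL under __try/__except. The function names and the sample image are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian field accessors. Every read is preceded by a pe_in_bounds check,
 * because a process can hand us an arbitrary e_lfanew or SizeOfOptionalHeader. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static int pe_in_bounds(size_t len, size_t off, size_t need) { return off <= len && need <= len - off; }

struct pe_version {
    uint16_t major_os, minor_os;          /* MajorOperatingSystemVersion / MinorOperatingSystemVersion */
    uint16_t major_image, minor_image;    /* MajorImageVersion / MinorImageVersion */
    uint32_t resource_rva, resource_size; /* IMAGE_DIRECTORY_ENTRY_RESOURCE (data directory index 2) */
};

/* Parse the DOS/NT headers of an image mapping. Returns 0 on success, a negative
 * code when the header is truncated or malformed (a hostile process can do both). */
int pe_read_version(const uint8_t *img, size_t len, struct pe_version *out)
{
    if (!pe_in_bounds(len, 0, 0x40) || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* IMAGE_DOS_HEADER.e_lfanew */
    if (!pe_in_bounds(len, pe_off, 24)) return -2;      /* "PE\0\0" + 20-byte COFF header */
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -3;
    uint16_t opt_size = rd16(img + pe_off + 20);        /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    size_t opt = (size_t)pe_off + 24;
    if (!pe_in_bounds(len, opt, opt_size)) return -4;
    uint16_t magic = rd16(img + opt);
    size_t nrva_off, dir_off;                           /* layout differs between PE32 and PE32+ */
    if (magic == 0x10b)      { nrva_off = 92;  dir_off = 96  + 2 * 8; }
    else if (magic == 0x20b) { nrva_off = 108; dir_off = 112 + 2 * 8; }
    else return -5;
    if (opt_size < dir_off + 8) return -6;              /* header claims fewer bytes than we need */
    if (rd32(img + opt + nrva_off) < 3) return -7;      /* NumberOfRvaAndSizes: no resource entry */
    out->major_os      = rd16(img + opt + 40);
    out->minor_os      = rd16(img + opt + 42);
    out->major_image   = rd16(img + opt + 44);
    out->minor_image   = rd16(img + opt + 46);
    out->resource_rva  = rd32(img + opt + dir_off);
    out->resource_size = rd32(img + opt + dir_off + 4);
    return 0;
}

/* Constructed PE32+ header standing in for a mapped image (not a real binary). */
#define SAMPLE_LEN 512
void build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x80 + 4, 0x8664);           /* Machine = AMD64 */
    wr16(buf + 0x80 + 20, 240);             /* SizeOfOptionalHeader for PE32+ */
    uint8_t *opt = buf + 0x80 + 24;
    wr16(opt, 0x20b);                       /* IMAGE_NT_OPTIONAL_HDR64_MAGIC */
    wr16(opt + 40, 6);  wr16(opt + 42, 0);  /* OS version 6.0 */
    wr16(opt + 44, 10); wr16(opt + 46, 0);  /* image version 10.0 */
    wr32(opt + 108, 16);                    /* NumberOfRvaAndSizes */
    wr32(opt + 112 + 16, 0x3000);           /* resource directory RVA */
    wr32(opt + 112 + 20, 0x1e8);            /* resource directory size */
}

/* Build the sample, optionally corrupt e_lfanew the way a hostile process could,
 * and parse it. Returns pe_read_version's result. */
int parse_sample(struct pe_version *out, int tamper)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample_image(buf);
    if (tamper) wr32(buf + 0x3C, 0x7FFFFFFF); /* points far outside the mapping */
    return pe_read_version(buf, SAMPLE_LEN, out);
}

int main(void)
{
    struct pe_version v;
    int rc = parse_sample(&v, 0);
    printf("rc=%d image %u.%u os %u.%u resources rva=0x%x size=0x%x\n", rc,
           v.major_image, v.minor_image, v.major_os, v.minor_os, v.resource_rva, v.resource_size);
    printf("tampered e_lfanew rc=%d\n", parse_sample(&v, 1));
    return 0;
}
```

The error codes matter more than the happy path: when the callback runs for a process image, every one of these checks is a place where a crafted mapping would otherwise turn a header read into an out-of-bounds access in kernel mode, which is why the version fields are read from the image at load time rather than from a running process.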