
I want to write a driver in Windows and cannot use `GetFileVersionInfo`.

How can I get VersionInfo for a file in kernel mode? What's the equivalent of `GetFileVersionInfo`?

codeDom
  • Can you specify this a bit more or make it easier for others to understand what you are trying to do: If I had to guess, you want to write a driver in Windows and cannot use `GetFileVersionInfo`. But that is all just guessing. Please be a bit more specific (framework, OS, what you want to accomplish). I like it when people keep it short but some minimum information should at least be there. – Hayt Sep 09 '16 at 07:53
  • Well, the version info is stored (if it exists) in the resource section of the PE file. So, you can utilize the manual approach – load the PE file into memory (as the Windows PE loader does) and parse it. I can share code that does the mapping; however, I have no code parsing the resource section in my bag. If you decide to get the information inside a Load Image Notify routine (`PsSetLoadImageNotifyRoutine`), the PE file is already mapped, so you need just to parse it. – Martin Drab Sep 09 '16 at 14:29
  • **a**. To parse the resource section I found [this](https://gist.github.com/djhaskin987/d1860a7d98193913bcfa) code. **b**. I need to get the version in the `PostCreate` event, so I am not sure if `PsSetLoadImageNotifyRoutine` can help me. **c**. Which is better for parsing the version from the file: reading it with `ZwReadFile`, or mapping the file into memory? If mapping, I'd really appreciate it if you could share the code you mentioned. – codeDom Sep 10 '16 at 19:38
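
The manual approach described in the comments (walk the PE resource directory to the `RT_VERSION` entry and read the fixed version block), as an added example that is not code from this thread. It is portable C over a byte buffer rather than WDK code; the function names are hypothetical, and it assumes the image is already mapped so that an RVA is an offset from the buffer start (a raw file read with `ZwReadFile` would first need RVAs translated through the section table).

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds-checked little-endian reads: every offset below comes from the file. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint16_t *v) {
    if (off > n || n - off < 2) return 0;
    *v = (uint16_t)(b[off] | b[off + 1] << 8);
    return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    uint16_t lo, hi;
    if (!rd16(b, n, off, &lo) || !rd16(b, n, off + 2, &hi)) return 0;
    *v = lo | (uint32_t)hi << 16;
    return 1;
}
/* Scan one resource directory for ID `id` (first entry if any != 0); yields OffsetToData. */
static int dir_entry(const uint8_t *img, size_t n, size_t dir, int any,
                     uint32_t id, uint32_t *out) {
    uint16_t named, ids;
    if (!rd16(img, n, dir + 12, &named) || !rd16(img, n, dir + 14, &ids)) return 0;
    for (size_t e = dir + 16, end = e + 8 * ((size_t)named + ids); e < end; e += 8) {
        uint32_t name;
        if (!rd32(img, n, e, &name) || !rd32(img, n, e + 4, out)) return 0;
        if (any || name == id) return 1;
    }
    return 0;
}
/* Assumes img is a mapped image (RVA == offset). Fills ver[] with FILEVERSION; 1 on success. */
int pe_file_version(const uint8_t *img, size_t n, uint16_t ver[4]) {
    const uint32_t SUB = 0x80000000u;            /* entry points at a subdirectory */
    uint32_t nt, sig, rsrc, off, rva, size, ms, ls;
    uint16_t magic;
    if (n < 2 || img[0] != 'M' || img[1] != 'Z' || !rd32(img, n, 0x3C, &nt)) return 0;
    if (!rd32(img, n, nt, &sig) || sig != 0x00004550u) return 0;         /* "PE\0\0" */
    if (!rd16(img, n, (size_t)nt + 24, &magic) || (magic != 0x10B && magic != 0x20B)) return 0;
    /* DataDirectory[2] is the resource directory; its offset differs for PE32 and PE32+. */
    if (!rd32(img, n, (size_t)nt + 24 + (magic == 0x20B ? 112 : 96) + 16, &rsrc) || !rsrc) return 0;
    /* Exactly three levels (type, name, language), no recursion: a cyclic tree cannot loop. */
    if (!dir_entry(img, n, rsrc, 0, 16, &off) || !(off & SUB)) return 0;   /* RT_VERSION */
    if (!dir_entry(img, n, (size_t)rsrc + (off & ~SUB), 1, 0, &off) || !(off & SUB)) return 0;
    if (!dir_entry(img, n, (size_t)rsrc + (off & ~SUB), 1, 0, &off) || (off & SUB)) return 0;
    /* IMAGE_RESOURCE_DATA_ENTRY: RVA and size of the VS_VERSIONINFO blob. */
    if (!rd32(img, n, (size_t)rsrc + off, &rva) || !rd32(img, n, (size_t)rsrc + off + 4, &size)) return 0;
    /* VS_FIXEDFILEINFO starts 40 bytes in: 6-byte header, L"VS_VERSION_INFO\0", padding. */
    if (size < 56 || !rd32(img, n, (size_t)rva + 40, &sig) || sig != 0xFEEF04BDu) return 0;
    if (!rd32(img, n, (size_t)rva + 48, &ms) || !rd32(img, n, (size_t)rva + 52, &ls)) return 0;
    ver[0] = (uint16_t)(ms >> 16); ver[1] = (uint16_t)ms;
    ver[2] = (uint16_t)(ls >> 16); ver[3] = (uint16_t)ls;
    return 1;
}
```

Every offset and count is read from the file being inspected, so each access is checked against the buffer length before use; a truncated or malformed image makes the function return 0 instead of reading out of bounds.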
