Accessing File Object structure of Parent process

Sn1p3r · Oct 2, 2021

Hi
I have some problem to solve some problem
In the Process notification callback routine i have some condition that i must access Parent process file object
I Found some solution but i do not understand some cases yet
in file object struct i have ParentProcessId that not really handle and just a process id
so i must to passing this value to PsLookupProcessByProcessId to get EPROCESS struct (am i correct?)
first issue is here
so how can get process name and commandline from Eprocess
and the next step:
i must do :
ZwDuplicateObject
ObReferenceObjectByHandle

please guide me if i am in wrong way

Sn1p3r · Oct 12, 2021

This link was very useful to me at least
Terminus Project

you should look EPROCESS struct

Search

Search

Accessing File Object structure of Parent process

Sn1p3r

Member

Sn1p3r

Member