[Vol-users] Determining the image path of a process

Hallo all, According to a hint from Andreas Schuster (THX!!) I have tried to access the _SE_AUDIT_PROCESS_CREATION_INFO-structure which is referenced in _EPROCESS. SeAuditProcessCreationInfo: ... if proc.UniqueProcessId in (172, 528, 1560): ... print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo) ... SeAuditProcessCreationInfo: 0x82014964 SeAuditProcessCreationInfo: 0x81c8e6ac SeAuditProcessCreationInfo: 0x81cc1214 So I have displayed the pointers to the _SE_AUDIT_PROCESS_CREATION_INFO-structure. I hoped to find a Unicode-string somewhere containing the path to the imagefile. Sadly a hexdump seems to be useless:: 0x82014964 d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00 ....@.'......... 0x82014974 5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00 ^...........2... 0x82014984 59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81 Y....0..d<"..... 0x82014994 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... But that's OK, because there should be a only another pointer again: '_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes) 0x0 : ImageFileName ['pointer', ['_OBJECT_NAME_INFORMATION']] How can I access this structure via object.method? CU Mic