Re: [Vol-users] Determining the image path of a process

Hallo all, According to a hint from Andreas Schuster (THX!!) I have tried to access the _SE_AUDIT_PROCESS_CREATION_INFO-structure which is referenced in _EPROCESS. SeAuditProcessCreationInfo: ...  if proc.UniqueProcessId in (172, 528, 1560): ...   print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo) ... SeAuditProcessCreationInfo: 0x82014964 SeAuditProcessCreationInfo: 0x81c8e6ac SeAuditProcessCreationInfo: 0x81cc1214 So I have displayed the pointers to the _SE_AUDIT_PROCESS_CREATION_INFO-structure. I hoped to find a Unicode-string somewhere containing the path to the imagefile. Sadly a hexdump seems to be useless:: 0x82014964  d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00 ....@.'......... 0x82014974  5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00 ^...........2... 0x82014984  59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81 Y....0..d<"..... 0x82014994  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... But that's OK, because there should be a only another pointer again: '_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes) 0x0   : ImageFileName                  ['pointer', ['_OBJECT_NAME_INFORMATION']] How can I access this structure via object.method? CU Mic _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users