How to use ZwQueryInformationProcess to get ProcessImageFileName in a kernel driver?

Question

I\'m writing a simple kernel driver for my application (think of a very simple anti-malware application.)

I\'ve hooked ZwOpenFile() and used PsGetCurr

Answer 1

ZwQueryInformationProcess needs a HANDLE, not a PROCESS! You need to use ObOpenObjectByPointer to get the handle first.