About changing a module name in ring0


Hero
July 13th, 2005, 01:46
Hi all
I want to know how I can change a module name in kernel mode (I mean the ImageName).
Is there any API (including undocumented ones) for doing this?
I have thought about ZwSetSystemInformation, but it is too risky to use. I would use it in this way:
1. Get process information using ZwQuerySystemInformation.
2. Make the necessary changes.
3. Set these changes using ZwSetSystemInformation.
But as you know, this easily causes a crash, because it is possible that the computer generates new modules
between these steps and all modules move to another place.
Is there any proper API for this purpose, or any better way?

sincerely yours

Kayaker
July 14th, 2005, 11:47
Hi Hero,

It sounds like you might be wanting to change the EPROCESS.ImageFileName field (+174h) for some poor hapless program... All active processes and their EPROCESS structures are kept as doubly linked lists. You could traverse the linked lists, find the process you want, and directly change the module name there.

This is just a take-off of rootkit technology to hide processes by unlinking them from the ActiveProcessLinks linked-list chain. There are plenty of examples around, for example
http://www.security.org.sg/code/kproccheck.html

Whether this would totally solve the problem you're working on I'm not certain; you may also have to look at other structures such as RTL_USER_PROCESS_PARAMETERS, which contain path information for the process.

Cheers,
Kayaker

Hero
July 14th, 2005, 12:49
Hi Kayaker
This is a very good article for this problem, thanks so much.
I also knew that EPROCESS.ImageFileName is the image name (for example,
PsGetProcessImageFileName is exactly this code), but my main problem is
how to find the proper EPROCESS. In addition, EPROCESS.ImageFileName is
a 16-byte array, so I don't think it is able to hold the full name
of the image all the time.
But thank you, perhaps this can solve my problem.

sincerely yours

Kayaker
July 15th, 2005, 15:25
What is it you're trying to do? Changing EPROCESS.ImageFileName should be straightforward, follow the linked list of processes and search for the proper name string to change. If you also want to hide the references in RTL_USER_PROCESS_PARAMETERS, then there would be a context issue in your driver in order to access the 3 UNICODE_STRING pointers to the relevant path names.

The PEB is a user context structure and will be paged out in your driver. One possible exception to this is if your driver is called, possibly loaded, *from* the process. The user stack *may* be accessible and valid in this case and you might be able to modify the RTL_USER_PROCESS_PARAMETERS memory, or perhaps page the memory back into context. (Softice ADDR command works admirably on the PEB).

Or, after the process is loaded and about to start (or at which point the PEB structure is fully filled in), you could use KeAttachProcess, or better I think KeStackAttachProcess (check proper name), to attach to the process. I haven't checked, but in theory the correct PEB context should be available.

Regards,
Kayaker
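The list walk that Kayaker describes in both replies (follow ActiveProcessLinks from one EPROCESS round the circular list, match ImageFileName, overwrite it in place), together with the 16-byte truncation Hero points out, as an added host-side illustration that is not code from this thread or from any poster. The structures here are deliberately minimal stand-ins (an assumption): the real EPROCESS layout and the +174h offset quoted above are version-specific and come from the DDK headers or symbols, a real driver would start from PsGetCurrentProcess() rather than a constructed list head, and the PEB/RTL_USER_PROCESS_PARAMETERS part (which needs KeStackAttachProcess / KeUnstackDetachProcess) is not modelled.

```c
/* Host-side model of walking the EPROCESS ActiveProcessLinks list and
 * rewriting ImageFileName. Added illustration, not code from the thread.
 * Assumption: the structures below are stand-ins with only the fields the
 * example needs; the real EPROCESS layout is version-specific. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's LIST_ENTRY: a circular doubly linked list. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Minimal stand-in for EPROCESS. ImageFileName is a 16-byte ANSI array
 * (15 characters plus NUL), which is why long names get truncated. */
#define IMAGE_FILE_NAME_LEN 16
typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
    char          ImageFileName[IMAGE_FILE_NAME_LEN];
} EPROCESS;

/* Recover the containing structure from a pointer to its ActiveProcessLinks,
 * exactly as the kernel's CONTAINING_RECORD macro does. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Link an entry at the tail of the list (what InsertTailList does). */
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Walk the circular list from the head until we come back to it, comparing
 * the bounded ImageFileName against the wanted name. NULL if absent. */
EPROCESS *find_process_by_name(LIST_ENTRY *head, const char *name) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        if (strncmp(p->ImageFileName, name, IMAGE_FILE_NAME_LEN) == 0)
            return p;
    }
    return NULL;
}

/* Overwrite ImageFileName with a bounded copy. Returns 1 if the new name
 * did not fit in 15 characters and was truncated, 0 otherwise. */
int set_image_file_name(EPROCESS *p, const char *name) {
    size_t n = strlen(name);
    int truncated = n > IMAGE_FILE_NAME_LEN - 1;
    memset(p->ImageFileName, 0, IMAGE_FILE_NAME_LEN);
    memcpy(p->ImageFileName, name, truncated ? IMAGE_FILE_NAME_LEN - 1 : n);
    return truncated;
}

/* Constructed sample data standing in for PsActiveProcessHead and a few
 * processes; a real driver would start from PsGetCurrentProcess() instead. */
static LIST_ENTRY g_head;
static EPROCESS g_procs[3];

LIST_ENTRY *build_sample_list(void) {
    const char *names[3] = { "System", "csrss.exe", "notepad.exe" };
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < 3; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = 4 * (unsigned long)(i + 1);
        set_image_file_name(&g_procs[i], names[i]);
        insert_tail(&g_head, &g_procs[i].ActiveProcessLinks);
    }
    return &g_head;
}

/* Rename one process in the list. Returns the truncation flag from
 * set_image_file_name, or -1 if no process with old_name was found. */
int rename_process(LIST_ENTRY *head, const char *old_name, const char *new_name) {
    EPROCESS *p = find_process_by_name(head, old_name);
    if (!p) return -1;
    return set_image_file_name(p, new_name);
}

int main(void) {
    LIST_ENTRY *head = build_sample_list();
    int t = rename_process(head, "notepad.exe", "averyverylongname.exe");
    EPROCESS *p = find_process_by_name(head, "averyverylongna");
    printf("truncated=%d stored=%s\n", t, p ? p->ImageFileName : "(none)");
    return 0;
}
```

The truncation return value is the practical caveat: anything that reads the new name back through ImageFileName (PsGetProcessImageFileName, tools that print the 16-byte field) will only ever see the first 15 characters, so a long replacement name has to be chosen with that limit in mind, and the full path still lives in the PEB's RTL_USER_PROCESS_PARAMETERS, which this walk does not touch.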