Process Names bigger than 16 get cut off

Question

Process Names bigger than 16 get cut off

LWSS opened this issue 5 years ago · comments

Guess the longer name is somewhere else

Auri · Answer 1 · Mon Dec 16 2019 10:34:18 GMT+0800 (China Standard Time)

Indeed it seems to be the case. I can not do any reverse engineering myself, but look around the windows kernel structures for more information. I am open to pull requests implementing an improved method of getting the names of processes.

Deleted user · Answer 2 · Fri Feb 28 2020 13:43:03 GMT+0800 (China Standard Time)

i got around this with module names instead of process names (A module name is going to have the full name so do memcmp with your 16 bytes of the process name in a look for the modules

as you can see on the left you have names cut off at 16, and on the right names surpassing 16 in length. (newest version of flush(my tool) has it working on both sides this is an old SS)

sorry bad english, from china with virus

LWSS · Answer 3 · Fri Feb 28 2020 15:46:05 GMT+0800 (China Standard Time)

cool thanks for sharing

Auri · Answer 4 · Fri Feb 28 2020 19:50:30 GMT+0800 (China Standard Time)

i got around this with module names instead of process names (A module name is going to have the full name so do memcmp with your 16 bytes of the process name in a look for the modules

as you can see on the left you have names cut off at 16, and on the right names surpassing 16 in length. (newest version of flush(my tool) has it working on both sides this is an old SS)

sorry bad english, from china with virus

Nice tool and a great solution! A way without memcmp would be to find the module with the same base address as the process.

Deleted user · Answer 5 · Sat Feb 29 2020 05:56:18 GMT+0800 (China Standard Time)

smart!

link <--- gunna fix this.

you should add me on discord i like this project alot and use it for many many things!

_xeroxz#7212

Auri · Answer 6 · Wed Mar 18 2020 02:46:45 GMT+0800 (China Standard Time)

Fixed in 3876c24