I want to get current process path in my mini-filter kernel driver.I can get current process with PEPROCESS peProcess = IoGetCurrentProcess() and can get process full filename(that include path) with ZwQueryInformationProcess.
But i want just get path (without filename).
I use visualstudio 2019 & latest SDK/WDK.
Maybe something like this:
ZwCreateFile(DesiredAccess=FILE_READ_ATTRIBUTES) → file HANDLE
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatefile
ZwQueryInformationFile(FileInformationClass=FileNameInformation) → FILE_NAME_INFORMATION structure
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile
"If the full path and file name are returned, the string will begin with a single backslash, regardless of its location. Thus the file C:\dir1\dir2\filename.ext will appear as
\dir1\dir2\filename.ext"
(Then you strip off the leaf filename by finding the last backslash.)
ZwClose(the HANDLE)
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwclose