内核中获取进程路径学习


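/*
 * Size in bytes of the buffer the caller must supply for FilePath, including
 * the terminating NUL. The original accumulated into 256-byte scratch buffers
 * and bounded the result at 256, so the limit is kept for compatibility.
 */
enum { PROCESS_PATH_MAX = 256 };

/*
 * Read the pointer-sized field at Base+Offset into *Out after checking that
 * the page is currently resident. On failure prints "<What> Error" and
 * returns FALSE, leaving *Out untouched.
 *
 * MmIsAddressValid only reports residency at the instant of the call; it does
 * not make the subsequent access safe, so this remains a best-effort guard
 * for a structure walk that has no supported API behind it.
 */
static BOOLEAN ReadPointerAt(PVOID Base, ULONG_PTR Offset, PVOID *Out, const char *What)
{
    PVOID *field = (PVOID *)((ULONG_PTR)Base + Offset);

    if (!MmIsAddressValid(field)) {
        DbgPrint("%s Error", What);
        return FALSE;
    }
    *Out = *field;
    return TRUE;
}

/*
 * Append SrcLen bytes of Src to the NUL-terminated string already in Dst
 * without writing past Capacity bytes; Dst stays NUL-terminated.
 * Returns FALSE if Dst was not terminated within Capacity (nothing is
 * written) or if Src had to be truncated.
 */
static BOOLEAN AppendBounded(char *Dst, size_t Capacity, const char *Src, size_t SrcLen)
{
    size_t used = 0;
    size_t room;

    while (used < Capacity && Dst[used] != '\0') {
        used++;
    }
    if (used >= Capacity) {
        return FALSE;            /* no terminator found: refuse to guess */
    }
    room = Capacity - used - 1;  /* bytes available before the final NUL */
    if (SrcLen > room) {
        memcpy(Dst + used, Src, room);
        Dst[used + room] = '\0';
        return FALSE;
    }
    memcpy(Dst + used, Src, SrcLen);
    Dst[used + SrcLen] = '\0';
    return TRUE;
}

/*
 * Resolve the image path of the process with id Pid and append it, as
 * "<DOS drive name><NT file name>", to the string in FilePath.
 *
 * Pid       Process id to look up.
 * FilePath  Caller-supplied buffer of at least PROCESS_PATH_MAX bytes that
 *           holds a NUL-terminated string on entry (normally empty); the
 *           result is appended, as the original strcat-based code did. The
 *           output is truncated rather than overflowed.
 *
 * Returns STATUS_SUCCESS when a path was written (possibly truncated),
 * STATUS_INVALID_PARAMETER for a NULL FilePath, otherwise STATUS_UNSUCCESSFUL.
 * Must be called at PASSIVE_LEVEL (PsLookupProcessByProcessId and
 * RtlVolumeDeviceToDosName require it).
 *
 * The walk EPROCESS -> SectionObject -> Segment -> ControlArea -> FilePointer
 * uses hard-coded offsets that belong to one particular 32-bit kernel build;
 * they must be re-verified against the target kernel's symbols before this
 * code is reused. On supported kernels prefer a documented query such as
 * ZwQueryInformationProcess(ProcessImageFileName) over raw offsets.
 */
NTSTATUS PsGetProcessPathByPid( IN ULONG Pid ,char* FilePath)
{
    NTSTATUS        status;
    STRING          ansi_path;
    STRING          ansi_disk;
    UNICODE_STRING  uni_disk;
    PEPROCESS       pEprocess = NULL;
    PFILE_OBJECT    FileObject;
    PVOID           Object = NULL;

    if (FilePath == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    status = PsLookupProcessByProcessId((HANDLE)Pid, &pEprocess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("EPROCESS Error");
        return STATUS_UNSUCCESSFUL;
    }
    /* The lookup took a reference on pEprocess; every exit below drops it. */
    DbgPrint("EPROCESS %p", pEprocess);

    status = STATUS_UNSUCCESSFUL;
    if (!ReadPointerAt(pEprocess, 0x138, &Object, "SectionObject")) {  /* EPROCESS+0x138 -> SectionObject */
        goto out_deref_process;
    }
    if (!ReadPointerAt(Object, 0x014, &Object, "Segment")) {           /* SectionObject+0x014 -> Segment */
        goto out_deref_process;
    }
    if (!ReadPointerAt(Object, 0x000, &Object, "ControlAera")) {       /* Segment+0x000 -> ControlArea */
        goto out_deref_process;
    }
    if (!ReadPointerAt(Object, 0x024, &Object, "FilePointer")) {       /* ControlArea+0x024 -> FilePointer (FileObject) */
        goto out_deref_process;
    }

    FileObject = (PFILE_OBJECT)Object;
    if (FileObject == NULL) {
        DbgPrint("FilePointer Error");
        goto out_deref_process;
    }

    /* Type-check the pointer as a file object while taking the reference;
     * a bad offset would otherwise have us reading an arbitrary object. */
    status = ObReferenceObjectByPointer(FileObject, 0, *IoFileObjectType, KernelMode);
    if (!NT_SUCCESS(status)) {
        DbgPrint("FileObject Error");
        status = STATUS_UNSUCCESSFUL;
        goto out_deref_process;
    }

    /* FileName is a counted string whose Buffer is not guaranteed to be
     * NUL-terminated, so convert it by Length instead of RtlInitUnicodeString.
     * The file object stays referenced until the conversions are done. */
    status = RtlUnicodeStringToAnsiString(&ansi_path, &FileObject->FileName, TRUE);
    if (!NT_SUCCESS(status)) {
        goto out_deref_file;
    }

    if (FileObject->DeviceObject == NULL) {
        status = STATUS_UNSUCCESSFUL;
        goto out_free_path;
    }
    /* Drive letter for the volume; DosName.Buffer is pool-allocated and must
     * be released with ExFreePool. */
    status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uni_disk);
    if (!NT_SUCCESS(status)) {
        goto out_free_path;
    }
    status = RtlUnicodeStringToAnsiString(&ansi_disk, &uni_disk, TRUE);
    if (!NT_SUCCESS(status)) {
        goto out_free_dos;
    }

    /* Compose "<disk><path>" into the caller's buffer; truncation is logged
     * but, as before, still reported as success. */
    if (!AppendBounded(FilePath, PROCESS_PATH_MAX, ansi_disk.Buffer, ansi_disk.Length) ||
        !AppendBounded(FilePath, PROCESS_PATH_MAX, ansi_path.Buffer, ansi_path.Length)) {
        DbgPrint("Path truncated");
    }
    status = STATUS_SUCCESS;

    RtlFreeAnsiString(&ansi_disk);
out_free_dos:
    ExFreePool(uni_disk.Buffer);
out_free_path:
    RtlFreeAnsiString(&ansi_path);
out_deref_file:
    ObDereferenceObject(FileObject);
out_deref_process:
    ObDereferenceObject(pEprocess);
    return status;
}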