获得进程映像文件 (下)

来源：互联网发布：修改为21端口编辑：程序博客网时间：2024/04/30 12:26

//根据 SECTION_OBJECT 获取全路径.BOOLEAN GetFullPathBySection(PVOID SectionObject,PCHAR szOutPutPath){ ULONG ProcObj = 0; ULONG pOffset = 0; PFILE_OBJECT pFile = NULL; /* BOOLEAN bRel = FALSE;*/ WCHAR wszDrvSym[MAX_PATH]; ULONG nLen = 0; UNICODE_STRING VolName; NTSTATUS nStatus; if (!SectionObject) return FALSE; else if (!szOutPutPath) return FALSE; pOffset = (ULONG)SectionObject; pOffset = *(PULONG)(pOffset + SEGMENT_OFFSET); // Segment Offset if (!pOffset) return FALSE; pOffset = *(PULONG)(pOffset + CTLAREA_OFFSET); // ControlArea Offset if (!pOffset) return FALSE; pOffset = *(PULONG)(pOffset + FILE_OBJ_OFFSET); // File Object Offset if (!pOffset) return FALSE; pFile = (PFILE_OBJECT)pOffset; /* __asm int 3*/ nLen = pFile->FileName.Length; nLen >>= 1; nLen += 2; if (nLen >= MAX_PATH) nLen = MAX_PATH - 1; RtlInitUnicodeString(&VolName,wszDrvSym); nStatus = RtlVolumeDeviceToDosName (pFile->DeviceObject,&VolName); VolName.MaximumLength = MAX_PATH*sizeof(WCHAR); /* bRel = GetObjectName((PVOID)pFile->DeviceObject,szDrvSym);*/ if (NT_SUCCESS(nStatus)) { RtlUnicodeStringCatUnicodeString(&VolName,&pFile->FileName); nLen = VolName.Length; nLen >>= 1; if (nLen >= MAX_PATH) nLen = MAX_PATH -1; wcstombs(szOutPutPath,VolName.Buffer,nLen); szOutPutPath[nLen] = 0; } else { wcstombs(szOutPutPath,pFile->FileName.Buffer,nLen); szOutPutPath[nLen] = 0; } return TRUE;}

EPROCESS 有个SectionObject 成员,可以根据它来获取进程全路径.
但 SectionObject 只在 XP 以上有, 在 WIN2K 中可以在EPROCESS 结构中找到 SectionHandle
通过 ObReferenceObjectByHandle 或查句柄表( ObReferenceObjectByHandle 很方便,我一般选择查句柄表, 恨透 HOOK 了!) 来获取 SectionObject .
实际上在WIN2K 中 SectionHandle 是恒等于 4 的,用 (HANDLE)4 来替代会很方便的, 记得以前的程序自删除就是利用这原理.