获取进程路径

//获取进程路径,理论上至少支持XP;进程句柄需要PROCESS_QUERY_INFORMATION和PROCESS_VM_READ权限...实现方法和GetModuleFileNameEx类似....//DESP: get process image pathBOOL process_get_path(HANDLE hProcess, LPTSTR szImagePath, DWORD dwSize){NTSTATUS ntStatus;ULONG uLength;DWORD dwBufferSize;LPWSTR pBuffer;UNICODE_STRING usImagePath;PROCESS_BASIC_INFORMATION BasicInformation;PRTL_USER_PROCESS_PARAMETERS pProcessParameters;//DO: query PEB addressntStatus = NtQueryInformationProcess(hProcess,ProcessBasicInformation,&BasicInformation,sizeof(PROCESS_BASIC_INFORMATION),&uLength);if(!NT_SUCCESS(ntStatus))return FALSE;//DO: read ProcessParameters pointerntStatus = NtReadVirtualMemory(hProcess,&BasicInformation.PebBaseAddress->ProcessParameters,&pProcessParameters,sizeof(PRTL_USER_PROCESS_PARAMETERS),&uLength);if(NT_SUCCESS(ntStatus)) {//DO: read ImagePathName UNICODE_STRINGntStatus = NtReadVirtualMemory(hProcess,&pProcessParameters->ImagePathName,&usImagePath,sizeof(UNICODE_STRING),&uLength);if(NT_SUCCESS(ntStatus)) {//DO: read image path#ifndef UNICODEdwBufferSize = dwSize * sizeof(WCHAR);pBuffer = (LPWSTR)RtlAllocateHeap(RtlProcessHeap(), 0, dwBufferSize);if(!pBuffer)return FALSE;#else//UNICODEdwBufferSize = dwSize;pBuffer = szImagePath;#endifif(dwBufferSize > (DWORD)usImagePath.Length + sizeof(WCHAR))dwBufferSize = usImagePath.Length;elsedwBufferSize -= 2;ntStatus = NtReadVirtualMemory(hProcess,usImagePath.Buffer,pBuffer,dwBufferSize,&uLength);if(NT_SUCCESS(ntStatus))pBuffer[dwBufferSize / sizeof(WCHAR)] = L'\0';#ifndef UNICODE//DO: Convert buffer to ansiWideCharToMultiByte(CP_ACP,0,pBuffer,dwBufferSize,szImagePath,dwSize,NULL,NULL);RtlFreeHeap(RtlProcessHeap(), 0, pBuffer);#endifreturn NT_SUCCESS(ntStatus);}}return FALSE;}
