几个有用内核函数封装(进程、注册表路径)

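/*
 * Kernel helpers for resolving process image paths and registry key paths.
 *
 * Quoted from http://www.tdcqjslt.com/read.php?tid-297-fpage-8.html; the
 * original author marked the code as untested ("未试之").
 *
 * Contract shared by all helpers here:
 *   - Output PCHAR buffers receive a NUL-terminated ANSI string and are set
 *     to "" on any failure.  The buffer sizes are not part of the interface;
 *     the original code wrote up to index 215 of the process-path buffers and
 *     used a 255-byte scratch buffer for registry paths, so callers are
 *     assumed to provide at least PROCESS_PATH_MAX / REG_PATH_MAX bytes.
 *     (assumption carried over from the original — confirm against callers)
 *   - Everything here must run at PASSIVE_LEVEL: paged pool is allocated and
 *     RtlVolumeDeviceToDosName / ObQueryNameString are called.
 *
 * NOTE(review): GetFullPathByEprocess and GetFullPathBySectionHandle walk
 * undocumented structures using hard-coded Windows XP x86 offsets
 * (EPROCESS.SectionObject +0x138, SECTION.Segment +0x14,
 * SEGMENT.ControlArea +0x0, CONTROL_AREA.FilePointer +0x24) through
 * ULONG-sized pointers.  They are only meaningful on that build;
 * MmIsAddressValid only avoids faulting on an unmapped page, it does not make
 * a wrong offset safe.  Verify the offsets for the target OS build before
 * relying on them.
 */

/* Public interface (unchanged from the original). */
extern VOID GetFullPathByEprocess(ULONG eprocess, PCHAR ProcessImageName);
extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);
extern VOID GetSonName(PCHAR ProcessPath, PCHAR ProcessName);
extern VOID GetFullPathBySectionHandle(HANDLE SectionHandle, PCHAR ProcessImageName);
extern VOID GetFullPathByProcessHandle(HANDLE ProcessHandle, PCHAR ProcessImageName, PULONG pid);
extern VOID GetFullPathByFileObject(PFILE_OBJECT FileObject, PCHAR ProcessImageName);
extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);
extern VOID UnicodeTochar(PUNICODE_STRING dst, char *src);
extern VOID WcharToChar(PWCHAR src, PCHAR dst);

/* The original NUL-terminated process paths at index 215. */
#define PROCESS_PATH_MAX    216
/* Size of the registry-path scratch buffers (the original used 255/256). */
#define REG_PATH_MAX        256
/* Bytes of UNICODE scratch used to build "<drive>:" + FileName (0x200 originally). */
#define PATH_SCRATCH_BYTES  0x200
/* Bytes handed to ObQueryNameString for the key name (1024 originally). */
#define NAME_INFO_BYTES     1024
/* Assumed size of EPROCESS.ImageFileName (15 chars + NUL) — TODO confirm for target build. */
#define IMAGE_NAME_MAX      16

/* Kernel exports used below.  The object-type pointers let ObReferenceObject*
 * reject handles/pointers of the wrong type instead of walking them. */
extern POBJECT_TYPE *PsProcessType;
extern POBJECT_TYPE *IoFileObjectType;
extern POBJECT_TYPE *MmSectionObjectType;
extern POBJECT_TYPE *CmKeyObjectType;

NTKERNELAPI UCHAR *PsGetProcessImageFileName(PEPROCESS Process);
NTKERNELAPI NTSTATUS ObQueryNameString(IN PVOID Object,
                                       OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
                                       IN ULONG Length,
                                       OUT PULONG ReturnLength);

/* Copies at most dstSize-1 bytes of src into dst and always NUL-terminates. */
static VOID CopyAnsiBounded(PCHAR dst, ULONG dstSize, PANSI_STRING src)
{
    ULONG n = src->Length;

    if (n > dstSize - 1)
        n = dstSize - 1;
    memcpy(dst, src->Buffer, n);
    dst[n] = 0;
}

/* Appends src to the NUL-terminated string in dst (capacity dstSize bytes),
 * truncating rather than overflowing. */
static VOID AppendBounded(PCHAR dst, ULONG dstSize, const char *src)
{
    ULONG used = (ULONG)strlen(dst);
    ULONG room;
    ULONG n;

    if (used >= dstSize)
        return;
    room = dstSize - used - 1;
    n = (ULONG)strlen(src);
    if (n > room)
        n = room;
    memcpy(dst + used, src, n);
    dst[used + n] = 0;
}

/*
 * Walks SECTION -> Segment (+0x14) -> ControlArea (+0x0) -> FilePointer (+0x24)
 * with XP x86 offsets.  Returns the (unreferenced) FILE_OBJECT pointer, or
 * NULL if any link is NULL or not mapped.  The caller must reference the
 * object before touching it.
 */
static PFILE_OBJECT FileObjectFromSection(ULONG section)
{
    ULONG cur = section;

    /* SECTION.Segment */
    if (cur == 0 || !MmIsAddressValid((PVOID)(cur + 0x014)))
        return NULL;
    cur = *(PULONG)(cur + 0x014);

    /* SEGMENT.ControlArea */
    if (cur == 0 || !MmIsAddressValid((PVOID)cur))
        return NULL;
    cur = *(PULONG)cur;

    /* CONTROL_AREA.FilePointer */
    if (cur == 0 || !MmIsAddressValid((PVOID)(cur + 0x024)))
        return NULL;
    cur = *(PULONG)(cur + 0x024);

    return (PFILE_OBJECT)cur;
}

/*
 * Extracts the last path component ("son name") of ProcessPath into
 * ProcessName.  A path with no backslash yields the whole string; a path
 * ending in a backslash or an empty/NULL path yields "".  At most
 * PROCESS_PATH_MAX-1 bytes are written plus the terminator.
 *
 * The original scanned backwards with an unsigned index and underflowed past
 * the buffer start when no backslash was present, and used strncpy with an
 * exact count so the result was not NUL-terminated.
 */
VOID GetSonName(PCHAR ProcessPath, PCHAR ProcessName)
{
    const char *base;
    ULONG len;

    *ProcessName = 0;
    if (ProcessPath == NULL || *ProcessPath == 0)
        return;

    base = strrchr(ProcessPath, '\\');
    base = (base != NULL) ? base + 1 : ProcessPath;

    len = (ULONG)strlen(base);
    if (len > PROCESS_PATH_MAX - 1)
        len = PROCESS_PATH_MAX - 1;
    memcpy(ProcessName, base, len);
    ProcessName[len] = 0;
}

/*
 * Builds "<drive>:<FileName>" for FileObject into ProcessImageName.
 *
 * A reference is taken on FileObject for the duration of the call (and the
 * pointer is type-checked against IoFileObjectType, so a pointer that is not
 * a file object is rejected rather than dereferenced as one).  If the DOS
 * drive name cannot be resolved the device-relative FileName alone is
 * returned; if the combined name does not fit the 0x200-byte scratch buffer,
 * or any allocation/conversion fails, the result is "".
 *
 * Fixes vs. the original: unchecked ExAllocatePool; ExFreePool on an
 * uninitialised DosName.Buffer when RtlVolumeDeviceToDosName failed;
 * memcpy of 0x100 bytes into a buffer that was only guaranteed 216.
 */
VOID GetFullPathByFileObject(PFILE_OBJECT FileObject, PCHAR ProcessImageName)
{
    UNICODE_STRING FilePath;
    UNICODE_STRING DosName;
    ANSI_STRING AnsiString;
    NTSTATUS Status;

    *ProcessImageName = 0;
    if (FileObject == NULL)
        return;

    FilePath.Length = 0;
    FilePath.MaximumLength = PATH_SCRATCH_BYTES;
    FilePath.Buffer = ExAllocatePool(PagedPool, PATH_SCRATCH_BYTES);
    if (FilePath.Buffer == NULL)
        return;

    Status = ObReferenceObjectByPointer(FileObject, 0, *IoFileObjectType, KernelMode);
    if (!NT_SUCCESS(Status)) {
        ExFreePool(FilePath.Buffer);
        return;
    }

    /* RtlVolumeDeviceToDosName allocates DosName.Buffer only on success. */
    if (FileObject->DeviceObject != NULL &&
        NT_SUCCESS(RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName))) {
        RtlCopyUnicodeString(&FilePath, &DosName);
        ExFreePool(DosName.Buffer);
    }

    /* Returns STATUS_BUFFER_TOO_SMALL (and appends nothing) when it won't fit. */
    Status = RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
    ObDereferenceObject(FileObject);

    if (NT_SUCCESS(Status))
        Status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
    ExFreePool(FilePath.Buffer);
    if (!NT_SUCCESS(Status))
        return;

    CopyAnsiBounded(ProcessImageName, PROCESS_PATH_MAX, &AnsiString);
    RtlFreeAnsiString(&AnsiString);
}

/*
 * Resolves the image path of the process whose EPROCESS is `eprocess`.
 * Walk: EPROCESS.SectionObject (+0x138) -> Segment -> ControlArea -> FilePointer
 * (XP x86 offsets, see file header).  The result is "" if any link is NULL or
 * unmapped (e.g. the System process has no section object).
 *
 * `eprocess` is a ULONG, so this helper is inherently 32-bit only.
 */
VOID GetFullPathByEprocess(ULONG eprocess, PCHAR ProcessImageName)
{
    ULONG section;
    PFILE_OBJECT FileObject;

    *ProcessImageName = 0;

    if (eprocess == 0 || !MmIsAddressValid((PVOID)(eprocess + 0x138)))
        return;
    section = *(PULONG)(eprocess + 0x138);

    FileObject = FileObjectFromSection(section);
    if (FileObject != NULL)
        GetFullPathByFileObject(FileObject, ProcessImageName);
}

/*
 * Fills in the current process's pid, short image name (EPROCESS.ImageFileName,
 * at most IMAGE_NAME_MAX-1 chars) and full image path.
 *
 * The pid now comes from PsGetCurrentProcessId() instead of the hard-coded
 * EPROCESS+0x84 read; `name` is bounded instead of strcpy'd.
 */
VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
{
    PEPROCESS Cprocess = PsGetCurrentProcess();
    const UCHAR *image = PsGetProcessImageFileName(Cprocess);
    ULONG n = 0;

    *pid = (ULONG)(ULONG_PTR)PsGetCurrentProcessId();

    while (n < IMAGE_NAME_MAX - 1 && image[n] != 0) {
        name[n] = (CHAR)image[n];
        n++;
    }
    name[n] = 0;

    GetFullPathByEprocess((ULONG)(ULONG_PTR)Cprocess, path);
}

/*
 * Resolves the backing file path of the section referenced by SectionHandle.
 *
 * The handle is type-checked against MmSectionObjectType: the original passed
 * a NULL type, so a handle to any object (e.g. a user-supplied handle in a
 * syscall hook) would have been walked as if it were a section.  The section
 * reference is dropped only after the file object has been used.
 *
 * NOTE(review): AccessMode is KernelMode as in the original.  If the handle
 * originates from user mode, ExGetPreviousMode() is the safer choice so that
 * kernel-handle values are not honoured on behalf of a user caller — confirm
 * where callers obtain the handle.
 */
VOID GetFullPathBySectionHandle(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT FileObject;
    NTSTATUS Status;

    *ProcessImageName = 0;

    Status = ObReferenceObjectByHandle(SectionHandle, 0, *MmSectionObjectType,
                                       KernelMode, &SectionObject, NULL);
    if (!NT_SUCCESS(Status))
        return;

    FileObject = FileObjectFromSection((ULONG)(ULONG_PTR)SectionObject);
    if (FileObject != NULL)
        GetFullPathByFileObject(FileObject, ProcessImageName);

    ObDereferenceObject(SectionObject);
}

/*
 * Resolves the pid and image path of the process referenced by ProcessHandle.
 * On failure both outputs are cleared ("" / 0) and the status is logged.
 *
 * Fixes vs. the original: the EPROCESS pointer was masked with 0xFFFFFFFC
 * (ObReferenceObjectByHandle already returns the object body, so the mask was
 * at best a no-op); the pid was read from EPROCESS+0x84 instead of
 * PsGetProcessId(); and the reference was dropped *before* the EPROCESS was
 * walked, so the process could be torn down underneath the walk.
 *
 * NOTE(review): same AccessMode caveat as GetFullPathBySectionHandle.
 */
VOID GetFullPathByProcessHandle(HANDLE ProcessHandle, PCHAR ProcessImageName, PULONG pid)
{
    NTSTATUS status;
    PEPROCESS Process = NULL;

    *ProcessImageName = 0;
    *pid = 0;

    status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, KernelMode,
                                       (PVOID *)&Process, NULL);
    if (!NT_SUCCESS(status)) {
        KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n", status));
        return;
    }

    *pid = (ULONG)(ULONG_PTR)PsGetProcessId(Process);
    GetFullPathByEprocess((ULONG)(ULONG_PTR)Process, ProcessImageName);

    ObDereferenceObject(Process);
}

/*
 * Rewrites an object-manager registry path ("\REGISTRY\...") as the familiar
 * HKEY_* form into realpath (at most REG_PATH_MAX-1 chars + NUL).
 *
 *   \REGISTRY\USER\<SID>-500\...          -> HKEY_CURRENT_USER\...
 *   \REGISTRY\USER\<SID>-500_Classes\...  -> HKEY_CLASSES_ROOT\...
 *   \REGISTRY\USER\...                    -> HKEY_USERS\...
 *   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\...
 *                                         -> HKEY_CURRENT_CONFIG\...
 *   \REGISTRY\MACHINE\...                 -> HKEY_LOCAL_MACHINE\...
 *
 * Returns TRUE when one of the hives above matched; otherwise the input is
 * copied through unchanged and FALSE is returned.
 *
 * Fixes vs. the original: every strncat was bounded by sizeof(path) — the size
 * of a pointer — minus an offset, which wraps to a huge count and overflowed
 * the 255-byte stack buffer on long key paths; the "-500" search matched
 * anywhere in the path (last match won, and "-5000" matched too) and is now
 * anchored to the end of the SID component; a path that was neither USER nor
 * MACHINE was treated as MACHINE and read 17 bytes in regardless of length.
 *
 * NOTE(review): as in the original, only RID 500 (the built-in Administrator)
 * is ever mapped to HKEY_CURRENT_USER / HKEY_CLASSES_ROOT; any other user's
 * hive is reported under HKEY_USERS.  Mapping to the *calling* user's SID
 * would need the token SID and is not attempted here.  "ControlSet001" is
 * likewise hard-coded and may not be the current control set.
 */
BOOLEAN StandardPrintHkey(char *path, char *realpath)
{
    static const char UserPrefix[] = "\\REGISTRY\\USER";
    static const char MachinePrefix[] = "\\REGISTRY\\MACHINE";
    static const char CurrentConfigPrefix[] =
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001";
    char realname[REG_PATH_MAX] = {0};
    const char *hive;
    const char *rest;
    BOOLEAN matched = TRUE;

    if (strncmp(UserPrefix, path, sizeof(UserPrefix) - 1) == 0) {
        /* Isolate the SID component: "\REGISTRY\USER\S-1-5-...-RID[_Classes]\..." */
        const char *sid = path + (sizeof(UserPrefix) - 1);
        const char *sidEnd;
        ULONG sidLen;

        if (*sid == '\\')
            sid++;
        sidEnd = strchr(sid, '\\');
        if (sidEnd == NULL)
            sidEnd = sid + strlen(sid);
        sidLen = (ULONG)(sidEnd - sid);

        if (sidLen >= 12 && memcmp(sidEnd - 12, "-500_Classes", 12) == 0) {
            hive = "HKEY_CLASSES_ROOT";
            rest = sidEnd;
        } else if (sidLen >= 4 && memcmp(sidEnd - 4, "-500", 4) == 0) {
            hive = "HKEY_CURRENT_USER";
            rest = sidEnd;
        } else {
            hive = "HKEY_USERS";
            rest = path + (sizeof(UserPrefix) - 1);
        }
    } else if (strncmp(CurrentConfigPrefix, path, sizeof(CurrentConfigPrefix) - 1) == 0) {
        hive = "HKEY_CURRENT_CONFIG";
        rest = path + (sizeof(CurrentConfigPrefix) - 1);
    } else if (strncmp(MachinePrefix, path, sizeof(MachinePrefix) - 1) == 0) {
        hive = "HKEY_LOCAL_MACHINE";
        rest = path + (sizeof(MachinePrefix) - 1);
    } else {
        /* Unknown root: pass the object-manager path through unchanged. */
        hive = "";
        rest = path;
        matched = FALSE;
    }

    AppendBounded(realname, sizeof(realname), hive);
    AppendBounded(realname, sizeof(realname), rest);
    DbgPrint("[%s]%s\n", hive, path);

    strcpy(realpath, realname); /* realname is bounded to REG_PATH_MAX-1 chars */
    return matched;
}

/*
 * Resolves the key object behind `handle` to its HKEY_* path in realpath
 * (see StandardPrintHkey for the format and size contract).  Returns FALSE,
 * with realpath set to "", if the handle is not a registry key, the name
 * cannot be queried, or an allocation/conversion fails.
 *
 * Fixes vs. the original: the handle is type-checked against CmKeyObjectType
 * (a NULL type accepted any object); the pool allocation was unchecked and
 * the NULL test was on a local array instead; RtlFreeAnsiString was called
 * on an uninitialised ANSI_STRING when ObQueryNameString failed; strncpy
 * left the 256-byte scratch buffer unterminated for long names.
 */
BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
{
    POBJECT_NAME_INFORMATION pustr;
    ANSI_STRING astr;
    PVOID pObj = NULL;
    NTSTATUS ns;
    ULONG returned = 0;
    char pch[REG_PATH_MAX] = {0};

    *realpath = 0;

    ns = ObReferenceObjectByHandle(handle, 0, *CmKeyObjectType, KernelMode, &pObj, NULL);
    if (!NT_SUCCESS(ns)) {
        KdPrint(("[GetRegKeyNameByHandle] reference failed: 0x%x\n", ns));
        return FALSE;
    }

    pustr = ExAllocatePool(NonPagedPool, NAME_INFO_BYTES);
    if (pustr == NULL) {
        ObDereferenceObject(pObj);
        return FALSE;
    }

    ns = ObQueryNameString(pObj, pustr, NAME_INFO_BYTES, &returned);
    ObDereferenceObject(pObj);
    if (!NT_SUCCESS(ns)) {
        ExFreePool(pustr);
        return FALSE;
    }

    ns = RtlUnicodeStringToAnsiString(&astr, &pustr->Name, TRUE);
    ExFreePool(pustr);
    if (!NT_SUCCESS(ns))
        return FALSE;

    CopyAnsiBounded(pch, sizeof(pch), &astr);
    RtlFreeAnsiString(&astr);

    return StandardPrintHkey(pch, realpath);
}

/*
 * Converts a UNICODE_STRING to ANSI into the caller's char buffer.
 *
 * The parameter names are historical and reversed: `dst` is the
 * UNICODE_STRING being read and `src` is the char buffer being written.
 * The buffer size is not part of the interface, so the caller must size `src`
 * for dst->Length/sizeof(WCHAR) + 1 bytes.  `src` is set to "" if `dst` is
 * NULL or the conversion fails (the original would strcpy from an
 * uninitialised buffer in that case).
 */
VOID UnicodeTochar(PUNICODE_STRING dst, char *src)
{
    ANSI_STRING string;

    *src = 0;
    if (dst == NULL)
        return;
    if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&string, dst, TRUE)))
        return;

    strcpy(src, string.Buffer); /* RtlUnicodeStringToAnsiString NUL-terminates when it allocates */
    RtlFreeAnsiString(&string);
}

/*
 * Converts a NUL-terminated wide string to ANSI into `dst`.
 * Same size contract as UnicodeTochar: the caller sizes `dst` for
 * wcslen(src) + 1 bytes.  `dst` is set to "" if `src` is NULL or the
 * conversion fails.
 */
VOID WcharToChar(PWCHAR src, PCHAR dst)
{
    UNICODE_STRING uString;
    ANSI_STRING aString;

    *dst = 0;
    if (src == NULL)
        return;

    RtlInitUnicodeString(&uString, src);
    if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&aString, &uString, TRUE)))
        return;

    strcpy(dst, aString.Buffer);
    RtlFreeAnsiString(&aString);
}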
