/*
 * Function-pointer type matching the signature of the kernel routine that
 * GetProcessImageName resolves at run time via MmGetSystemRoutineAddress
 * and then calls to query process information.
 */
typedef NTSTATUS (*QUERY_INFO_PROCESS) (
  __in HANDLE ProcessHandle,
  __in PROCESSINFOCLASS ProcessInformationClass,
  __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
  __in ULONG ProcessInformationLength,
  __out_opt PULONG ReturnLength
  );

/*
 * Lazily resolved routine pointer. As a file-scope object it is
 * zero-initialised, which is what the NULL check in GetProcessImageName
 * relies on before resolving it. Not static, so the name is visible to
 * other translation units (presumably unintended; confirm before adding
 * a second definition elsewhere).
 */
QUERY_INFO_PROCESS ZwQueryInformationProcess;

/*
 * Fills ProcessImageName with the image path of the process whose ID is
 * processId. The caller owns ProcessImageName->Buffer; see the definition
 * for the STATUS_BUFFER_OVERFLOW contract when the buffer is too small.
 */
NTSTATUS GetProcessImageName(HANDLE processId, PUNICODE_STRING ProcessImageName);



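/**
 * Retrieve the image path of a process by its process ID.
 *
 * Must be called at PASSIVE_LEVEL (PAGED_CODE). Opens a short-lived kernel
 * handle to the target process, queries ProcessImageFileName through the
 * lazily resolved ZwQueryInformationProcess pointer, and copies the result
 * into the caller-supplied UNICODE_STRING.
 *
 * @param processId         Process ID (not a handle) of the target process.
 * @param ProcessImageName  Caller-owned UNICODE_STRING whose Buffer and
 *                          MaximumLength are already set up. On success the
 *                          path is copied into it. If the buffer is too
 *                          small, MaximumLength is overwritten with the
 *                          required size and STATUS_BUFFER_OVERFLOW is
 *                          returned; the Buffer contents are untouched.
 * @return STATUS_SUCCESS, STATUS_BUFFER_OVERFLOW (see above),
 *         STATUS_INSUFFICIENT_RESOURCES, STATUS_PROCEDURE_NOT_FOUND if the
 *         query routine cannot be resolved, or the failing NTSTATUS from
 *         PsLookupProcessByProcessId / ObOpenObjectByPointer /
 *         ZwQueryInformationProcess.
 */
NTSTATUS GetProcessImageName(HANDLE processId, PUNICODE_STRING ProcessImageName)
{
    NTSTATUS status;
    ULONG returnedLength = 0;
    ULONG bufferLength;
    HANDLE hProcess = NULL;
    PVOID buffer;
    PEPROCESS eProcess;
    PUNICODE_STRING imageName;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    /* Translate the PID into a process object; on success we hold one reference. */
    status = PsLookupProcessByProcessId(processId, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId Failed: %08x\n", status);
        return status;   /* nothing acquired yet; the original fell through with an uninitialised handle */
    }

    /*
     * Open a handle for the query. OBJ_KERNEL_HANDLE keeps the handle in the
     * kernel handle table rather than the current process's table, so user
     * mode in the calling context cannot see, use or close it. The access
     * mask documents what we need; with KernelMode no access check is made.
     */
    status = ObOpenObjectByPointer(eProcess,
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   PROCESS_QUERY_INFORMATION,
                                   NULL,
                                   KernelMode,
                                   &hProcess);
    /* The handle (if any) carries its own reference; drop the lookup reference either way. */
    ObDereferenceObject(eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ObOpenObjectByPointer Failed: %08x\n", status);
        return status;
    }

    /* Resolve the query routine on first use. */
    if (NULL == ZwQueryInformationProcess) {
        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
        ZwQueryInformationProcess =
            (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            status = STATUS_PROCEDURE_NOT_FOUND;   /* original went on to call a NULL pointer */
            goto cleanup;
        }
    }

    /* Query the actual size of the process path */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL, // buffer
                                       0,    // buffer size
                                       &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        /* Never report success without having written the output string. */
        if (NT_SUCCESS(status)) {
            status = STATUS_UNSUCCESSFUL;
        }
        goto cleanup;
    }

    /* The reported size must at least cover the UNICODE_STRING header,
       otherwise the subtraction below would wrap. */
    if (returnedLength < sizeof(UNICODE_STRING)) {
        status = STATUS_INFO_LENGTH_MISMATCH;
        goto cleanup;
    }

    /* Check there is enough space to store the actual process
       path when it is found. If not return an error with the
       required size */
    bufferLength = returnedLength - sizeof(UNICODE_STRING);
    if (ProcessImageName->MaximumLength < bufferLength) {
        /* MaximumLength is a USHORT; clamp instead of silently truncating. */
        ProcessImageName->MaximumLength =
            (bufferLength > MAXUSHORT) ? MAXUSHORT : (USHORT) bufferLength;
        status = STATUS_BUFFER_OVERFLOW;
        goto cleanup;
    }

    /* Allocate a temporary buffer to store the path name */
    buffer = ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'uLT1');
    if (NULL == buffer) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup;
    }

    /* Retrieve the process path from the handle to the process */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       buffer,
                                       returnedLength,
                                       &returnedLength);

    if (NT_SUCCESS(status)) {
        /* Copy the path name; the size check above guarantees it fits. */
        imageName = (PUNICODE_STRING) buffer;
        RtlCopyUnicodeString(ProcessImageName, imageName);
    }

    /* Free the temp buffer which stored the path */
    ExFreePoolWithTag(buffer, 'uLT1');

cleanup:
    /* The original never closed the handle, leaking one per call. */
    ZwClose(hProcess);
    return status;
}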

以下是怎么使用这个函数的

 

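            PEPROCESS obProcess = NULL;
            HANDLE hProcess;   /* holds a process ID, not a handle, which is what GetProcessImageName expects */
            UNICODE_STRING fullPath;
            obProcess = IoThreadToProcess(Data->Thread);   /* Data->Thread: assumed to be the thread of the callback's originator — confirm against caller */
            hProcess = PsGetProcessId(obProcess);

            /* Caller-owned output string; Buffer must be released by the
               code that follows this block once the path is no longer needed. */
            fullPath.Length = 0;
            fullPath.MaximumLength = 520;

            /* Size the allocation from MaximumLength so the two cannot drift apart. */
            fullPath.Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool,
                                                           fullPath.MaximumLength,
                                                           PROCESS_FULLPATH);
            if (fullPath.Buffer == NULL)
            {
                return STATUS_UNSUCCESSFUL;
            }
            status = GetProcessImageName(hProcess, &fullPath);
            if (!NT_SUCCESS(status))
            {
                /* Release the path buffer on the failure path; the original leaked it. */
                ExFreePoolWithTag(fullPath.Buffer, PROCESS_FULLPATH);
                fullPath.Buffer = NULL;
                return STATUS_UNSUCCESSFUL;
            }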

 
