如何在驱动程序（SYS）中得到当前进程的完整路径和进程名？_.net

如何在驱动程序（SYS）中得到当前进程的完整路径和进程名？

发表于：2007-07-01来源：作者：点击数：标签：

首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄，这个句柄是指向_EPROCESS结构的指针，_EPROCESS的结构如下： typedef struct _EPROCESS { KPROCESS Pcb; NTSTATUS ExitStatus; KEVENT LockEvent; DWORD LockCount; QWORD CreateTi

首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄，这个句柄是指向_EPROCESS结构的指针，_EPROCESS的结构如下：

typedef struct _EPROCESS

{

KPROCESS Pcb;

NTSTATUS ExitStatus;

KEVENT LockEvent;

DWORD LockCount;

QWORD CreateTime;

QWORD ExitTime;

PVOID LockOwner;

DWORD UniqueProcessId;

QWORD ActiveProcessLinks;

DWORD QuotaPeakPoolUsage [2]; // NP, P

DWORD QuotaPoolUsage [2]; // NP, P

DWORD PagefileUsage;

DWORD CommitCharge;

DWORD PeakPagefileUsage;

DWORD PeakVirtualSize;

QWORD VirtualSize;

DWORD Vm [12];

DWORD LastProtoPteFault;

DWORD DebugPort;

DWORD ExceptionPort;

DWORD ObjectTable;

DWORD Token;

DWORD WorkingSetLock [8];

DWORD WorkingSetPage;

BOOLEAN ProcessOutswapEnabled;

BOOLEAN ProcessOutswapped;

BOOLEAN AddressSpaceInitialized;

BOOLEAN AddressSpaceDeleted;

DWORD AddressCreationLock [9];

DWORD ForkInProgress;

DWORD VmOperation;

DWORD VmOperationEvent;

DWORD PageDirectoryPte;

QWORD LastFaultCount;

PVOID VadRoot;

DWORD VadHint;

DWORD CloneRoot;

DWORD NumberOfPrivatePages;

DWORD NumberOfLockedPages;

WORD w184;

BOOLEAN ExitProcessCalled;

BOOLEAN CreateProcessReported;

HANDLE SectionHandle;

struct _PEB *Peb; // offset 0x1B0

PVOID SectionBaseAddress;

PVOID QuotaBlock;

NTSTATUS LastThreadExitStatus;

PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;

DWORD InheritedFromUniqueProcessId;

ACCESS_MASK GrantedAclearcase/" target="_blank" >ccess;

DWORD DefaultHardErrorProcessing;

DWORD LdtInformation;

DWORD VadFreeHint;

DWORD VdmObjects;

KMUTANT ProcessMutant;

BYTE ImageFileName [16]; // offset 0x1FC

DWORD VmTrimFaultValue [2];

PVOID Win32Process;

DWORD d1F8;

DWORD d1FC;

}

EPROCESS,

* PEPROCESS,

**PPEPROCESS;

从上面这个结构可以看出，进程名称就是ImageFileName，只要用_EPROCESS的基地址加上偏移地址0x1FC就可以得到进程名称的地址，代码如下：

char *ProcessName = (char*)PsGetCurrentProcess() + 0x1FC;

KdPrint((“Current Process Name: %s\n”, ProcessName));

要得到完整路径还需要利用_EPROCESS结构中的_PEB结构指针来得到ProcessParameters的地址。ProcessParameters保存着进程的完整路径。可以通过DDK附带的WinDbg工具打开一个可执行程序，然后用!peb命令来显示_PEB的结构信息。如下所示：

———————————————————————————————————————

> !peb

Debugger extension library [F:\WINNT\system32\ntsdexts] loaded

PEB at 7FFDF000

InheritedAddressSpace: No

ReadImageFileExecOptions: No

BeingDebugged: Yes

ImageBaseAddress: 00400000

Ldr.Initialized: Yes

Ldr.InInitializationOrderModuleList: 131f88 . 132998

Ldr.InLoadOrderModuleList: 131ee0 . 132988

Ldr.InMemoryOrderModuleList: 131ee8 . 132990

00400000 D:\NtSysInfo.exe

77F80000 F:\WINNT\System32\ntdll.dll

77E60000 F:\WINNT\system32\KERNEL32.dll

77DF0000 F:\WINNT\system32\USER32.dll

77F40000 F:\WINNT\system32\GDI32.DLL

76AF0000 F:\WINNT\system32\comdlg32.dll

70BD0000 F:\WINNT\system32\SHLWAPI.DLL

77D90000 F:\WINNT\system32\ADVAPI32.dll

77D20000 F:\WINNT\system32\RPCRT4.DLL

71700000 F:\WINNT\system32\COMCTL32.DLL

77560000 F:\WINNT\system32\SHELL32.DLL

78000000 F:\WINNT\system32\MSVCRT.DLL

777C0000 F:\WINNT\System32\WINSPOOL.DRV

SubSystemData: 0

ProcessHeap: 130000

ProcessParameters: 20000

WindowTitle: ´D:\NtSysInfo.exe´

ImageFile: ´D:\NtSysInfo.exe´

CommandLine: ´"D:\NtSysInfo.exe" ´

DllPath: ´D:\;.;F:\WINNT\System32;F:\WINNT\system;F:\WINNT;F:\WINNT\system32;F:\WINNT;F:\WINNT\System32\Wbem;J:\WINDOWS;J:\WINDOWS\COMMAND;E:\WINDOWS\SYSTEM\WBEM;J:\WINDOWS;J:\WINDOWS\COMMAND;E:\WINDOWS\SYSTEM\WBEM;J:\WINDOWS;J:\WINDOWS\

COMMAND´

Environment: 0x10000

原文转自：http://www.ltesting.net

软件测试 > 测试开发技术 > 软件测试开发语言 > .net >