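/**
 * getCurProcPath - append the image path of @curproc, prefixed with "\??\",
 * to @uni_ImagePathName by walking PEB->ProcessParameters->ImagePathName.
 *
 * @curproc            Process to inspect. It must have a PEB; system and
 *                     minimal processes do not and yield FALSE.
 * @uni_ImagePathName  Caller-initialised UNICODE_STRING whose Buffer and
 *                     MaximumLength are owned by the caller; the path is
 *                     appended at the current Length.
 *
 * Returns TRUE on success. Returns FALSE, with the caller's Length restored,
 * when the process has no PEB or no ProcessParameters, when the user-mode
 * memory could not be read, or when the destination buffer is too small
 * (the Rtl append status was previously ignored and TRUE returned anyway).
 *
 * Caveats:
 *  - The PEB and everything it points to live in the target's user-mode
 *    address space and are writable by that process, so the result is
 *    untrusted, process-supplied data suitable for logging or display only.
 *    For a kernel-sourced path use SeLocateProcessImageName() or
 *    ZwQueryInformationProcess(ProcessImageFileName) instead of this walk.
 *  - The structure offsets come from the single x64 wdbg dump below; they
 *    are not stable across Windows builds and differ on x86. Verify them
 *    against the target build before relying on them.
 *  - Must be called at PASSIVE_LEVEL (KeStackAttachProcess, pageable reads).
 */
BOOLEAN getCurProcPath( PEPROCESS curproc, PUNICODE_STRING uni_ImagePathName )
{
    /*
     * wdbg session the offsets were read from (0xFFFFFA801AB1D940 == curproc):
     *   dt _EPROCESS 0xFFFFFA801AB1D940
     *     +0x3e8 Peb : 0x000007f6`f713e000 _PEB
     *   dt _PEB 0x000007f6`f713e000
     *     +0x020 ProcessParameters : 0x00000000`001f1210 _RTL_USER_PROCESS_PARAMETERS
     *   dt _RTL_USER_PROCESS_PARAMETERS 0x00000000`001f1210
     *     +0x060 ImagePathName : _UNICODE_STRING "C:\Windows\Explorer.EXE"
     *     +0x070 CommandLine   : _UNICODE_STRING "C:\Windows\Explorer.EXE"
     */
    enum {
        PEB_PROCESS_PARAMETERS_OFFSET = 0x20,   /* _PEB.ProcessParameters, layout above */
        RUPP_IMAGE_PATH_NAME_OFFSET   = 0x60    /* _RTL_USER_PROCESS_PARAMETERS.ImagePathName */
    };
    PPEB curPeb = NULL;
    ULONG_PTR processParameters = 0;
    PUNICODE_STRING userImagePath = NULL;
    UNICODE_STRING capturedImagePath = { 0 };
    KAPC_STATE apcState;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    USHORT savedLength = 0;
    BOOLEAN ok = FALSE;

    if ( curproc == NULL || uni_ImagePathName == NULL || uni_ImagePathName->Buffer == NULL ) {
        return FALSE;
    }
    savedLength = uni_ImagePathName->Length;

    /* No PEB (system / minimal process): the original dereferenced NULL + 0x20 here. */
    curPeb = PsGetProcessPeb( curproc );
    if ( curPeb == NULL ) {
        return FALSE;
    }

    KeStackAttachProcess( curproc, &apcState );   /* switch into the target's address space */
    __try {
        /* Every read below is from user-mode memory: it may be unmapped,
         * paged out, or deliberately corrupted by the process itself. */
        ProbeForRead( ( PVOID )( ( ULONG_PTR )curPeb + PEB_PROCESS_PARAMETERS_OFFSET ),
                      sizeof( ULONG_PTR ), sizeof( ULONG_PTR ) );
        processParameters = *( ULONG_PTR* )( ( ULONG_PTR )curPeb + PEB_PROCESS_PARAMETERS_OFFSET );

        if ( processParameters != 0 ) {
            userImagePath = ( PUNICODE_STRING )( processParameters + RUPP_IMAGE_PATH_NAME_OFFSET );
            ProbeForRead( userImagePath, sizeof( UNICODE_STRING ), sizeof( ULONG_PTR ) );

            /* Capture the header once so Length/Buffer cannot change between
             * the probe and the copy; another thread of the process may race us. */
            capturedImagePath = *userImagePath;
            ProbeForRead( capturedImagePath.Buffer, capturedImagePath.Length, sizeof( WCHAR ) );

            status = RtlAppendUnicodeToString( uni_ImagePathName, L"\\??\\" );
            if ( NT_SUCCESS( status ) ) {
                status = RtlAppendUnicodeStringToString( uni_ImagePathName, &capturedImagePath );
            }
            ok = NT_SUCCESS( status );   /* STATUS_BUFFER_TOO_SMALL is now reported, not dropped */
        }
    }
    __except ( EXCEPTION_EXECUTE_HANDLER ) {
        ok = FALSE;
    }
    KeUnstackDetachProcess( &apcState );   /* leave the target's address space on every path */

    if ( !ok ) {
        uni_ImagePathName->Length = savedLength;   /* never hand back a half-built "\??\" */
    }
    return ok;
}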
使用方法如下：
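/* Constructed example tag; give the driver its own so poolmon / !pool can attribute the allocation
 * (the original passed NULL, which defeats pool tracking). */
#define GETPROCPATH_TAG 'PcPg'

PEPROCESS curproc = PsGetCurrentProcess();
UNICODE_STRING uni_ImagePathName = { 0 };
uni_ImagePathName.Length = 0;
/* MaximumLength is a BYTE count; the original used MAX_PATH as if it were bytes,
 * which only holds MAX_PATH / 2 characters and made longer paths fail silently. */
uni_ImagePathName.MaximumLength = ( USHORT )( MAX_PATH * sizeof( WCHAR ) );
/* On Windows 10 2004 and later prefer ExAllocatePool2( POOL_FLAG_NON_PAGED, ... ). */
uni_ImagePathName.Buffer = ( PWCH )ExAllocatePoolWithTag( NonPagedPool, uni_ImagePathName.MaximumLength, GETPROCPATH_TAG );
if ( uni_ImagePathName.Buffer != NULL ) {   /* the original never checked for allocation failure */
    if ( getCurProcPath( curproc, &uni_ImagePathName ) ) {
        /* Use uni_ImagePathName here (e.g. "%wZ"); it is process-supplied data,
         * so log/display it but do not make trust decisions on it. */
    }
    ExFreePoolWithTag( uni_ImagePathName.Buffer, GETPROCPATH_TAG );   /* the original leaked this buffer */
    uni_ImagePathName.Buffer = NULL;
}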
用同樣的方法，還可以獲取到很多其他的值；根據註釋裏面的方法，慢慢研究吧，朋友！