[Question] How do I get a process's full path under Win2012 R2 KMDF?
I monitor process creation with PsSetCreateProcessNotifyRoutine and use PsLookupProcessByProcessId to get the PEPROCESS,
then try to get the path in various ways, and every one of them bluescreens.
IoQueryFileDosDeviceName doesn't work.
ZwQueryInformationProcess also bluescreens.
PsReferenceProcessFilePointer also bluescreens.
I really have no idea how to get it; could anyone give me a hint?

Solved. I still don't know the cause. The code was borrowed from various places, and strangely, sometimes when I extract it into a separate function it bluescreens; I'm not sure whether that is caused by how the parameters are passed. I'll post the code first, useful or not, just for the record, and hope it helps anyone with the same question.
    // Kernel-mode helper: resolve the image path of ProcessId as "<drive>:<path>".
    // Must be called at PASSIVE_LEVEL (true inside a process-creation notify routine).
    // On success the caller frees Path->Buffer with ExFreePool.
    #include <ntifs.h>   // PsReferenceProcessFilePointer / RtlVolumeDeviceToDosName live here

    NTSTATUS GetProcessImagePath(HANDLE ProcessId, PUNICODE_STRING Path)
    {
        PEPROCESS ProcessSon = NULL;
        PFILE_OBJECT FilePointer = NULL;
        UNICODE_STRING name = { 0 };    // drive letter, e.g. "C:", buffer allocated by the system
        NTSTATUS status;

        status = PsLookupProcessByProcessId(ProcessId, &ProcessSon);
        if (!NT_SUCCESS(status))
            return status;

        // Returns an already-referenced FILE_OBJECT, so no extra ObReferenceObjectByPointer
        // is needed (the original code took a second reference and never released it).
        status = PsReferenceProcessFilePointer(ProcessSon, &FilePointer);
        if (!NT_SUCCESS(status))
            goto Cleanup;               // continuing with a NULL FilePointer is what bluescreens

        status = RtlVolumeDeviceToDosName(FilePointer->DeviceObject, &name); // get drive letter
        if (!NT_SUCCESS(status))
            goto Cleanup;

        // Length/MaximumLength are byte counts: a buffer of MAX_PATH bytes holds only 130 WCHARs.
        Path->Length = 0;
        Path->MaximumLength = name.Length + FilePointer->FileName.Length;
        Path->Buffer = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, Path->MaximumLength, 'htaP');
        if (Path->Buffer == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            goto Cleanup;
        }
        RtlCopyUnicodeString(Path, &name);                                      // drive letter
        status = RtlAppendUnicodeStringToString(Path, &FilePointer->FileName);  // append path
        if (NT_SUCCESS(status)) {
            //UCHAR* SonName = PsGetProcessImageFileName(ProcessSon);
            //KdPrint(("[%s] is created by cmd.exe ...\n", SonName));
            KdPrint(("process path: %wZ\r\n", Path));
        } else {
            ExFreePool(Path->Buffer);
            Path->Buffer = NULL;
        }

    Cleanup:
        if (name.Buffer != NULL)
            ExFreePool(name.Buffer);    // RtlVolumeDeviceToDosName allocated this
        if (FilePointer != NULL)
            ObDereferenceObject(FilePointer);   // release the object reference
        ObDereferenceObject(ProcessSon);        // balances PsLookupProcessByProcessId
        return status;
    }
The above is a rough way to get a process's full path; the experts all know this already, I'm still a newbie anyway.

Use PsSetCreateProcessNotifyRoutineEx.
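An added example, not code from the poster or from this thread: a user-mode C model of the counted-string arithmetic the posted kernel code depends on. UNICODE_STRING keeps Length and MaximumLength in bytes, so sizing the buffer with MAX_PATH (a character count) leaves room for only 130 WCHARs, and RtlAppendUnicodeStringToString then returns STATUS_BUFFER_TOO_SMALL instead of writing anything; a caller that ignores that status goes on with an empty or truncated path. The USTR type, the build_dos_path and path_fits helpers and the sample paths are constructed for illustration; the NTSTATUS values are the real ones.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;                 /* UTF-16 code unit, as in the kernel */
typedef struct {
    uint16_t Length;                    /* bytes in use, NOT characters */
    uint16_t MaximumLength;             /* bytes available, NOT characters */
    WCHAR   *Buffer;
} USTR;                                 /* constructed stand-in for UNICODE_STRING */

#define MAX_PATH 260                    /* a character count; the posted code used it as bytes */
#define STATUS_SUCCESS                0L
#define STATUS_BUFFER_TOO_SMALL       0xC0000023L   /* real NTSTATUS value */
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009AL   /* real NTSTATUS value */

/* Fill a counted string from an ASCII literal (constructed sample data). */
static int ustr_init(USTR *s, const char *text) {
    size_t n = strlen(text);
    s->MaximumLength = (uint16_t)((n + 1) * sizeof(WCHAR));
    s->Buffer = malloc(s->MaximumLength);
    if (!s->Buffer) return 0;
    for (size_t i = 0; i < n; i++) s->Buffer[i] = (WCHAR)(unsigned char)text[i];
    s->Length = (uint16_t)(n * sizeof(WCHAR));
    return 1;
}

/* Same contract as RtlAppendUnicodeStringToString: either the whole source fits
 * and is appended, or nothing is written and STATUS_BUFFER_TOO_SMALL comes back.
 * The kernel routine never overflows; the bug is in callers that ignore the status. */
static long ustr_append(USTR *dst, const USTR *src) {
    if ((uint32_t)dst->Length + src->Length > dst->MaximumLength)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy((char *)dst->Buffer + dst->Length, src->Buffer, src->Length);
    dst->Length += src->Length;
    return STATUS_SUCCESS;
}

/* Build "<dos volume><file name>" (e.g. "C:" + "\Windows\...") into a buffer of
 * max_bytes bytes, checking every step as the driver code should. On failure
 * out->Buffer is NULL; on success the caller frees it. */
static long build_dos_path(const char *dos_volume, const char *file_name,
                           uint16_t max_bytes, USTR *out) {
    USTR vol, file;
    long status;
    if (!ustr_init(&vol, dos_volume)) return STATUS_INSUFFICIENT_RESOURCES;
    if (!ustr_init(&file, file_name)) { free(vol.Buffer); return STATUS_INSUFFICIENT_RESOURCES; }

    out->Length = 0;
    out->MaximumLength = max_bytes;
    out->Buffer = malloc(max_bytes);
    status = out->Buffer ? STATUS_SUCCESS : STATUS_INSUFFICIENT_RESOURCES;
    if (status == STATUS_SUCCESS) status = ustr_append(out, &vol);   /* drive letter */
    if (status == STATUS_SUCCESS) status = ustr_append(out, &file);  /* device-relative path */

    free(vol.Buffer);
    free(file.Buffer);
    if (status != STATUS_SUCCESS) {
        free(out->Buffer);
        out->Buffer = NULL;
        out->Length = out->MaximumLength = 0;
    }
    return status;
}

/* Convert a counted string back to ASCII for inspection (caller frees). */
static char *ustr_to_ascii(const USTR *s) {
    size_t n = s->Length / sizeof(WCHAR);
    char *a = malloc(n + 1);
    if (!a) return NULL;
    for (size_t i = 0; i < n; i++) a[i] = (char)s->Buffer[i];
    a[n] = '\0';
    return a;
}

/* 1 if a path of `chars` characters fits in a buffer of max_bytes bytes, 0 if the
 * append is refused: compare MAX_PATH (the posted sizing) with MAX_PATH * sizeof(WCHAR). */
static int path_fits(size_t chars, uint16_t max_bytes) {
    char *name = malloc(chars + 1);
    USTR out;
    long st;
    if (!name) return 0;
    memset(name, 'a', chars);
    name[0] = '\\';
    name[chars] = '\0';
    st = build_dos_path("C:", name, max_bytes, &out);
    free(name);
    if (st == STATUS_SUCCESS) free(out.Buffer);
    return st == STATUS_SUCCESS;
}
```

path_fits(200, MAX_PATH) fails because "C:" plus 200 characters needs 404 bytes and the buffer has 260; path_fits(200, MAX_PATH * sizeof(WCHAR)) succeeds. In the driver the equivalent fix is to size MaximumLength from name.Length + FileName.Length and to check the return value of every Rtl call before using the result.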