Original poster | Posted on 2016-9-6 15:31:27
Got it working. I still don't know the cause; the code is borrowed from all over the place, and strangely, sometimes when I pull it out into a separate method it blue-screens. I don't know whether it is caused by how the parameters are passed. Posting the code first, useful or not, as a record; I hope a friend with the same question can shed some light on it.
// Exported by ntoskrnl but not declared in the public WDK headers, so declare it here.
NTKERNELAPI NTSTATUS PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PVOID *pFilePointer);

// Print the full image path of the process identified by ProcessId.
// (The function wrapper is added here; the original post only showed the body.)
VOID PrintProcessPath(HANDLE ProcessId)
{
    PEPROCESS ProcessSon = NULL;
    PFILE_OBJECT FilePointer = NULL;
    UNICODE_STRING name = { 0 };    // drive letter, e.g. "C:", allocated by RtlVolumeDeviceToDosName
    UNICODE_STRING uniPath = { 0 }; // drive letter + file name
    NTSTATUS status;

    // PsLookupProcessByProcessId takes a reference on the EPROCESS that must be released.
    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &ProcessSon)))
        return;

    // MAX_PATH counts characters; UNICODE_STRING lengths are in bytes.
    uniPath.MaximumLength = MAX_PATH * sizeof(WCHAR);
    uniPath.Buffer = (PWSTR)ExAllocatePool(NonPagedPool, uniPath.MaximumLength);
    if (uniPath.Buffer == NULL)
    {
        ObDereferenceObject(ProcessSon);
        return;
    }

    // Returns an already-referenced FILE_OBJECT; no extra ObReferenceObjectByPointer is needed.
    status = PsReferenceProcessFilePointer(ProcessSon, (PVOID *)&FilePointer);
    if (!NT_SUCCESS(status))
    {
        // Going on with FilePointer == NULL would dereference NULL below (a blue screen).
        KdPrint(("[davy] PsReferenceProcessFilePointer failed: 0x%08X\n", status));
        goto cleanup;
    }

    status = RtlVolumeDeviceToDosName(FilePointer->DeviceObject, &name); // get the drive letter
    if (NT_SUCCESS(status))
    {
        RtlCopyUnicodeString(&uniPath, &name);                                      // drive letter
        status = RtlAppendUnicodeStringToString(&uniPath, &FilePointer->FileName);  // append the path
        if (NT_SUCCESS(status))
            KdPrint(("process path: %wZ\r\n", &uniPath));
        else
            KdPrint(("[davy] path does not fit in MAX_PATH characters: 0x%08X\n", status));
        ExFreePool(name.Buffer); // buffer allocated by RtlVolumeDeviceToDosName
    }

    //-------------------------------------------------
    //UCHAR* SonName = PsGetProcessImageFileName(ProcessSon);
    //KdPrint(("[%s] is created by cmd.exe ...\n" , SonName));

    ObDereferenceObject(FilePointer); // release the file object reference

cleanup:
    ExFreePool(uniPath.Buffer);
    ObDereferenceObject(ProcessSon);  // release the reference taken by PsLookupProcessByProcessId
}
The above is a rough method for getting a process's full path; the experts probably all know it already, but I'm still a newbie anyway.