本文介绍了如何在筛选器驱动中获取当前进程映像文件的全名的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！
问题描述
在过滤驱动中，可以调用 IoGetCurrentProcess 获取 PEPROCESS 结构，然后调用 PsGetProcessImageFileName 获取文件名（该函数只返回不带路径的短文件名）。
我的问题是：如何获取进程映像文件的完整路径名？
推荐答案：在这里（here）我找到了与 @Martin Drab 的代码类似的完整代码。
编辑：新增修复后的代码
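/**
 * Retrieve the full NT image path of a process.
 *
 * @param eProcess          Process object whose image path is wanted (must not be NULL).
 * @param ProcessImageName  Receives a kmalloc'd UNICODE_STRING (header + buffer in one
 *                          allocation). On success the caller owns it and must release it
 *                          with kfree(); on failure it is set to NULL.
 * @return STATUS_SUCCESS, or an NTSTATUS describing the failing step.
 *
 * Relies on a file-scope QUERY_INFO_PROCESS ZwQueryInformationProcess pointer that is
 * declared elsewhere in this file and resolved lazily via MmGetSystemRoutineAddress,
 * presumably because the WDK headers used here do not declare the routine.
 * Must be called at PASSIVE_LEVEL (PAGED_CODE).
 */
NTSTATUS GetProcessImageName(PEPROCESS eProcess, PUNICODE_STRING* ProcessImageName)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength = 0;
    HANDLE hProcess = NULL;

    PAGED_CODE();

    // this eliminates the possibility of the IDLE Thread/Process
    if (eProcess == NULL) {
        return STATUS_INVALID_PARAMETER_1;
    }
    if (ProcessImageName == NULL) {
        return STATUS_INVALID_PARAMETER_2;
    }
    // Make the out-parameter well defined on every failure path.
    *ProcessImageName = NULL;

    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table;
    // this routine may run in the context of an arbitrary user thread (see PostCreate),
    // and a non-kernel handle there would be reachable from user mode.
    // AccessMode KernelMode means no access check is made against the caller's token.
    status = ObOpenObjectByPointer(eProcess, OBJ_KERNEL_HANDLE, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ObOpenObjectByPointer Failed: %08x ", status);
        return status;
    }

    if (ZwQueryInformationProcess == NULL) {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);
        if (ZwQueryInformationProcess == NULL) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess ");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Query the actual size of the process path */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL,   // buffer
                                       0,      // buffer size
                                       &returnedLength);
    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        DbgPrint("ZwQueryInformationProcess status = %x ", status);
        goto cleanUp;
    }

    // The result is a UNICODE_STRING header followed by its buffer; anything smaller
    // than the header cannot be a valid answer, so do not allocate or dereference it.
    if (returnedLength < sizeof(UNICODE_STRING)) {
        status = STATUS_INFO_LENGTH_MISMATCH;
        goto cleanUp;
    }

    // Bug fix: the original tested the out-pointer (ProcessImageName) instead of the
    // allocation it had just stored through it, so an allocation failure went unnoticed.
    *ProcessImageName = kmalloc(returnedLength);
    if (*ProcessImageName == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    /* Retrieve the process path from the handle to the process */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       *ProcessImageName,
                                       returnedLength,
                                       &returnedLength);
    if (!NT_SUCCESS(status)) {
        // Do not hand a freed pointer back to the caller.
        kfree(*ProcessImageName);
        *ProcessImageName = NULL;
    }

cleanUp:
    ZwClose(hProcess);
    return status;
}

/**
 * Minifilter post-create callback: logs the full image path of the process that
 * issued the IRP_MJ_CREATE.
 *
 * @param Data               Callback data for the create; Data->Thread identifies the
 *                           originating thread.
 * @param FltObjects         Related filter objects (unused here).
 * @param CompletionContext  Context from the pre-operation callback (unused here).
 * @param Flags              Post-operation flags (unused here).
 * @return FLT_POSTOP_CALLBACK_STATUS from the elided remainder of the routine.
 */
FLT_POSTOP_CALLBACK_STATUS PostCreate(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
)
{
    PUNICODE_STRING pni = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    status = GetProcessImageName(IoThreadToProcess(Data->Thread), &pni);
    if (NT_SUCCESS(status)) {
        // %wZ prints a counted UNICODE_STRING; %ws on pni->Buffer assumed a NUL
        // terminator that the returned buffer is not guaranteed to carry.
        DbgPrint("ProcessName = %wZ ", pni);
        kfree(pni);   // ownership was transferred to us by GetProcessImageName
    } else {
        DbgPrint("GetProcessImageName status = %x \n", status);
    }

    // ...
}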