如何在筛选器驱动中获取当前进程映像文件的全名？ [英] How get current process image file full name in filter driver?

查看：113 发布时间：2022/3/24 22:50:45 c++ c process driver filter-driver

本文介绍了如何在筛选器驱动中获取当前进程映像文件的全名？的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

在过滤驱动中，可以调用IoGetCurrentProcess获取PEPROCESS结构，然后调用PsGetProcessImageFileName获取文件名。

我的问题是如何获取进程图像文件的完整名称？

推荐答案

here我找到了类似@Martin drab代码的完整代码

编辑：新增修复代码

NTSTATUS
GetProcessImageName(
    PEPROCESS eProcess,
    PUNICODE_STRING* ProcessImageName
    )
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength;
    HANDLE hProcess = NULL;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (eProcess == NULL)
    {
        return STATUS_INVALID_PARAMETER_1;
    }

    status = ObOpenObjectByPointer(eProcess,
        0, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer Failed: %08x
", status);
        return status;
    }

    if (ZwQueryInformationProcess == NULL)
    {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");

        ZwQueryInformationProcess =
            (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);

        if (ZwQueryInformationProcess == NULL)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess
");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Query the actual size of the process path */
    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        NULL, // buffer
        0,    // buffer size
        &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        DbgPrint("ZwQueryInformationProcess status = %x
", status);
        goto cleanUp;
    }

    *ProcessImageName = kmalloc(returnedLength);

    if (ProcessImageName == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    /* Retrieve the process path from the handle to the process */
    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        *ProcessImageName,
        returnedLength,
        &returnedLength);

    if (!NT_SUCCESS(status)) kfree(*ProcessImageName);

cleanUp:

    ZwClose(hProcess);

    return status;
}

FLT_POSTOP_CALLBACK_STATUS
PostCreate(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    )
{
    PUNICODE_STRING pni = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    status = GetProcessImageName(IoThreadToProcess(Data->Thread), &pni);
    if (NT_SUCCESS(status))
    {
        DbgPrint("ProcessName = %ws
", pni->Buffer);
        kfree(pni);
    }
    else
    {
        DbgPrint("GetProcessImageName status = %x
", status);
    }

    // ...
}

这篇关于如何在筛选器驱动中获取当前进程映像文件的全名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文

如何在筛选器驱动中获取当前进程映像文件的全名？ [英] How get current process image file full name in filter driver?

问题描述

推荐答案

相关文章

C/C++开发最新文章

热门教程

热门工具

登录关闭

如何在筛选器驱动中获取当前进程映像文件的全名？ [英] How get current process image file full name in filter driver?

问题描述

推荐答案

相关文章

C/C++开发最新文章

热门教程

热门工具

登录 关闭

登录关闭