How to use ZwQueryInformationProcess to get ProcessImageFileName in a kernel driver?

Question
I'm writing a simple kernel driver for my application (think of a very simple anti-malware application.)

I've hooked ZwOpenFile() and used PsGetCurrentProcess() to get a handle to the caller process. It returns a PEPROCESS structure:
PEPROCESS proc = PsGetCurrentProcess();
I use ZwQueryInformationProcess() to get the PID and ImageFileName:
DbgPrint("ZwOpenFile Called...\n");
DbgPrint("PID: %d\n", PsGetProcessId(proc));
DbgPrint("ImageFileName: %.16s\n", PsGetProcessImageFileName(proc));
and trying to get the process FullPath this way (but I get BSOD):
WCHAR strBuffer[260];
UNICODE_STRING str;
//initialize
str.Buffer = strBuffer;
str.Length = 0x0;
str.MaximumLength = sizeof(strBuffer);
//note that the second arg (27) is ProcessImageFileName
ZwQueryInformationProcess(proc, 27, &str, sizeof(str), NULL);
//%wZ expects a PUNICODE_STRING, so pass &str rather than str.Buffer
DbgPrint("FullPath: %wZ\n", &str);
As you see, str.Buffer is empty or filled with garbage. Perhaps a buffer overflow while filling the str via ZwQueryInformationProcess() triggers the BSOD.
Answer
The MSDN docs for this API indicate that

When the ProcessInformationClass parameter is ProcessImageFileName, the buffer pointed to by the ProcessInformation parameter should be large enough to hold a UNICODE_STRING structure as well as the string itself. The string stored in the Buffer member is the name of the image file.
With this in mind, I suggest you try modifying your buffer structure like this:
//buffer large enough for the UNICODE_STRING header plus 260 characters
WCHAR strBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];
//str points at the UNICODE_STRING that lives at the start of the buffer
PUNICODE_STRING str = (PUNICODE_STRING)strBuffer;
//initialize
str->Buffer = &strBuffer[sizeof(UNICODE_STRING) / sizeof(WCHAR)];
str->Length = 0x0;
str->MaximumLength = 260 * sizeof(WCHAR);
//note that the second arg (27) is ProcessImageFileName
NTSTATUS status = ZwQueryInformationProcess(proc, 27, strBuffer, sizeof(strBuffer), NULL);
if (NT_SUCCESS(status))
    DbgPrint("FullPath: %wZ\n", str);
else
    DbgPrint("ZwQueryInformationProcess failed: 0x%X\n", status);
Additionally, your code needs to check and handle the error case described in the docs here. This may be why you missed the BSOD trigger case.
If the buffer is too small, the function fails with the STATUS_INFO_LENGTH_MISMATCH error code and the ReturnLength parameter is set to the required buffer size.
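The following is an added example, not code from the question or the answer above. It shows the pattern the answer describes end to end: probe the required size (the STATUS_INFO_LENGTH_MISMATCH case), allocate exactly that, query again, and then validate that the UNICODE_STRING the kernel placed at the start of the buffer really points inside that buffer before printing it. The kernel routines are passed in as function pointers so the logic compiles and runs outside the WDK; the typedefs and status codes at the top are only used when the WDK headers are absent, and the stand-in query routine and its sample path are constructed. In a real driver, pass ZwQueryInformationProcess itself (declared in ntifs.h in current WDKs), use ZwCurrentProcess() as the handle for the calling process (a PEPROCESS from PsGetCurrentProcess is an object pointer, not a handle; ObOpenObjectByPointer converts one when another process is the target), and supply small wrappers around ExAllocatePool2/ExFreePoolWithTag for alloc/release (those wrappers are assumed, not shown). Note that the path returned is an NT device path such as \Device\HarddiskVolume1\..., not a Win32 drive-letter path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal Windows kernel types, used only when WDK headers are absent so the logic
 * compiles and runs offline. In a driver, include <ntifs.h> instead of this block. */
#if !defined(_NTDDK_) && !defined(_NTIFS_)
typedef int32_t NTSTATUS; typedef uint32_t ULONG; typedef uint16_t USHORT;
typedef uint16_t WCHAR;   /* UTF-16 code unit: 2 bytes on Windows */
typedef void *HANDLE;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL           ((NTSTATUS)0xC0000001)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define ProcessImageFileName 27
#endif

/* Kernel routines are injected (hypothetical wrappers) so the pattern runs without the WDK.
 * In a driver: query = ZwQueryInformationProcess, alloc/release wrap ExAllocatePool2/ExFreePoolWithTag. */
typedef NTSTATUS (*QueryProcessFn)(HANDLE, ULONG, void *, ULONG, ULONG *);
typedef void *(*PoolAllocFn)(size_t);
typedef void (*PoolFreeFn)(void *);

/* The kernel writes a UNICODE_STRING whose Buffer points inside our own buffer.
 * Before printing it with %wZ, check that Buffer and Length really stay inside. */
int EmbeddedStringIsSane(const UNICODE_STRING *us, const void *buf, size_t bufLen)
{
    uintptr_t base = (uintptr_t)buf, str = (uintptr_t)us->Buffer;
    if (us->Length > us->MaximumLength || (us->Length % sizeof(WCHAR)) != 0) return 0;
    if (str < base + sizeof(UNICODE_STRING) || str > base + bufLen) return 0;
    if ((size_t)(str - base) + us->Length > bufLen) return 0;
    return 1;
}

/* Two-call pattern: probe the size, allocate exactly that, query again, validate.
 * On success *result is the UNICODE_STRING at the start of the buffer; free it with release(). */
NTSTATUS QueryProcessImagePath(HANDLE process, QueryProcessFn query, PoolAllocFn alloc,
                               PoolFreeFn release, UNICODE_STRING **result)
{
    ULONG needed = 0, written = 0;
    UNICODE_STRING *us;
    void *buf;
    NTSTATUS st;
    *result = NULL;
    st = query(process, ProcessImageFileName, NULL, 0, &needed);   /* size probe */
    if (st != STATUS_INFO_LENGTH_MISMATCH) return NT_SUCCESS(st) ? STATUS_UNSUCCESSFUL : st;
    if (needed < sizeof(UNICODE_STRING)) return STATUS_UNSUCCESSFUL;
    buf = alloc(needed);
    if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    memset(buf, 0, needed);
    st = query(process, ProcessImageFileName, buf, needed, &written);
    if (!NT_SUCCESS(st)) { release(buf); return st; }
    us = (UNICODE_STRING *)buf;
    if (!EmbeddedStringIsSane(us, buf, needed)) { release(buf); return STATUS_UNSUCCESSFUL; }
    *result = us;
    return STATUS_SUCCESS;
}

/* Constructed stand-in for ZwQueryInformationProcess (offline only). It follows the documented
 * contract: too-small buffer -> STATUS_INFO_LENGTH_MISMATCH with the size in ReturnLength;
 * otherwise a UNICODE_STRING followed by the characters. The path is a constructed sample. */
static const char kSamplePath[] = "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";

NTSTATUS FakeZwQueryInformationProcess(HANDLE h, ULONG cls, void *info, ULONG len, ULONG *ret)
{
    size_t chars = strlen(kSamplePath), i;
    ULONG needed = (ULONG)(sizeof(UNICODE_STRING) + chars * sizeof(WCHAR));
    UNICODE_STRING *us;
    WCHAR *out;
    (void)h;
    if (cls != ProcessImageFileName) return STATUS_UNSUCCESSFUL;
    if (ret) *ret = needed;
    if (info == NULL || len < needed) return STATUS_INFO_LENGTH_MISMATCH;
    us = (UNICODE_STRING *)info;
    out = (WCHAR *)((char *)info + sizeof(UNICODE_STRING));
    for (i = 0; i < chars; i++) out[i] = (WCHAR)kSamplePath[i];
    us->Length = us->MaximumLength = (USHORT)(chars * sizeof(WCHAR));
    us->Buffer = out;
    return STATUS_SUCCESS;
}

/* Compare a returned path with an ASCII string; returns 1 on match. */
int ImagePathEqualsAscii(const UNICODE_STRING *us, const char *ascii)
{
    size_t n = strlen(ascii), i;
    if (us->Length != n * sizeof(WCHAR)) return 0;
    for (i = 0; i < n; i++) if (us->Buffer[i] != (WCHAR)ascii[i]) return 0;
    return 1;
}

/* Runs the whole pattern against the stand-in; returns 1 if the path came back intact. */
int DemoTwoCallPattern(void)
{
    UNICODE_STRING *us = NULL;
    NTSTATUS st = QueryProcessImagePath(NULL, FakeZwQueryInformationProcess, malloc, free, &us);
    int ok = (st == STATUS_SUCCESS) && ImagePathEqualsAscii(us, kSamplePath);
    if (us) free(us);
    return ok;
}

/* The questioner's mistake: offering only sizeof(UNICODE_STRING), with no room for characters. */
NTSTATUS DemoUndersizedBuffer(void)
{
    UNICODE_STRING str = {0, 0, NULL};
    ULONG needed = 0;
    return FakeZwQueryInformationProcess(NULL, ProcessImageFileName, &str, sizeof(str), &needed);
}
```

The validation step is the part worth keeping even after the sizing bug is fixed: a driver that prints or copies from a Length and Buffer it never checked is trusting data written by another component, and a bad pointer there fails in exactly the same way as the original undersized call, as a bugcheck rather than a handled error.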