How to use ZwQueryInformationProcess to get ProcessImageFileName in a kernel driver?

Views: 2346

Problem description

I'm writing a simple kernel driver for my application (think of a very simple anti-malware application.)

I've hooked ZwOpenFile() and used PsGetCurrentProcess() to get a handle to the caller process.

It returns a PEPROCESS structure:

PEPROCESS proc = PsGetCurrentProcess();

I use ZwQueryInformationProcess() to get the PID and ImageFileName:

DbgPrint("ZwOpenFile Called...\n");
DbgPrint("PID: %d\n", PsGetProcessId(proc));
DbgPrint("ImageFileName: %.16s\n", PsGetProcessImageFileName(proc));

and trying to get the process FullPath this way (but I get BSOD):

WCHAR strBuffer[260];
UNICODE_STRING str;

//initialize
str.Buffer = strBuffer;
str.Length = 0x0;
str.MaximumLength = sizeof(strBuffer);

//note that the second arg (27) is ProcessImageFileName
ZwQueryInformationProcess(proc, 27, &str, sizeof(str), NULL);

//%wZ expects a PUNICODE_STRING, so pass &str rather than str.Buffer
DbgPrint("FullPath: %wZ\n", &str);

As you see str.Buffer is empty or filled with garbage. Perhaps a buffer overflow while filling the str via ZwQueryInformationProcess() triggers the BSOD.

Accepted answer

The MSDN docs for this API indicate that

When the ProcessInformationClass parameter is ProcessImageFileName, the buffer pointed to by the ProcessInformation parameter should be large enough to hold a UNICODE_STRING structure as well as the string itself. The string stored in the Buffer member is the name of the image file.

With this in mind, I suggest you try modifying your buffer structure like this:

//one buffer holds the UNICODE_STRING header followed by the characters
//(in production use a pool-allocated or DECLSPEC_ALIGN'd buffer so the header is pointer-aligned)
WCHAR strBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];
PUNICODE_STRING str = (PUNICODE_STRING)strBuffer;

//initialize: the string data starts right after the header inside the same buffer
str->Buffer = &strBuffer[sizeof(UNICODE_STRING) / sizeof(WCHAR)];
str->Length = 0;
str->MaximumLength = 260 * sizeof(WCHAR);

//note that the second arg (27) is ProcessImageFileName; the first arg must be a process HANDLE
NTSTATUS status = ZwQueryInformationProcess(proc, 27, strBuffer, sizeof(strBuffer), NULL);
if (NT_SUCCESS(status))
    DbgPrint("FullPath: %wZ\n", str);

Additionally, your code needs to check and handle the error case described in the docs here. This may be why you missed the BSOD trigger case.

If the buffer is too small, the function fails with the STATUS_INFO_LENGTH_MISMATCH error code and the ReturnLength parameter is set to the required buffer size.
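The buffer contract the docs describe, as an added user-mode C model that is not code from the question or the answer: the ZwQueryInformationProcess stand-in, the constructed sample path and the QueryImageFileName helper are all assumptions. The stand-in only mimics the documented behaviour (STATUS_INFO_LENGTH_MISMATCH plus ReturnLength when the buffer is too small, otherwise a UNICODE_STRING header followed by the characters); in a real driver delete it, include ntddk.h and pass a process HANDLE such as ZwCurrentProcess() for the caller, never a PEPROCESS.

```c
/* Added example: models the ProcessImageFileName buffer layout and the
 * two-call (size query, then real query) pattern the docs require. */
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
typedef void *HANDLE;
typedef wchar_t WCHAR;
typedef struct { uint16_t Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define ProcessImageFileName 27

/* Constructed sample path the stand-in reports for any handle (assumption). */
static const WCHAR kSamplePath[] = L"\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";

/* Stand-in for the real kernel routine, following the documented contract only. */
static NTSTATUS ZwQueryInformationProcess(HANDLE h, int cls, void *info, uint32_t len, uint32_t *ret) {
    uint16_t bytes = (uint16_t)(wcslen(kSamplePath) * sizeof(WCHAR));
    uint32_t need = (uint32_t)sizeof(UNICODE_STRING) + bytes;   /* header + characters */
    (void)h;
    if (cls != ProcessImageFileName) return STATUS_INVALID_INFO_CLASS;
    if (ret) *ret = need;                       /* required size is reported either way */
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    PUNICODE_STRING us = (PUNICODE_STRING)info;
    us->Buffer = (WCHAR *)((char *)info + sizeof(UNICODE_STRING)); /* string follows header */
    us->Length = us->MaximumLength = bytes;
    memcpy(us->Buffer, kSamplePath, bytes);     /* not NUL-terminated, Length is authoritative */
    return STATUS_SUCCESS;
}

/* Two-call pattern: ask for the size, allocate exactly that, query again.
 * Returns a heap block whose first bytes are the UNICODE_STRING; caller frees it.
 * In a driver the allocation would come from ExAllocatePool2 instead of malloc. */
PUNICODE_STRING QueryImageFileName(HANDLE process) {
    uint32_t need = 0;
    NTSTATUS st = ZwQueryInformationProcess(process, ProcessImageFileName, NULL, 0, &need);
    if (st != STATUS_INFO_LENGTH_MISMATCH || need == 0) return NULL;
    PUNICODE_STRING us = malloc(need);
    if (!us) return NULL;
    st = ZwQueryInformationProcess(process, ProcessImageFileName, us, need, &need);
    if (st != STATUS_SUCCESS) { free(us); return NULL; }
    return us;
}
```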
