In the kernel there are several ways to obtain a process name from a process ID.
I used two of them. The first uses ZwOpenProcess to obtain a handle,
then ObReferenceObjectByHandle to get the PEPROCESS structure, and finally reads the name directly from the structure:
char *ProcessName = (char*)EProcess + 0x174;
The second method, once the PEPROCESS structure has been obtained, calls PsGetProcessImageFileName to get the process name.
The 0x174 offset is the position of the ImageFileName field in EPROCESS for the Windows build this driver was written against; the field moves between Windows versions and architectures, which is why the second method is the more portable one.
```c
#include <ntddk.h>

/* PsGetProcessImageFileName is exported by ntoskrnl but not declared in the
   public headers, so it is declared by hand. It returns a pointer to the
   short ImageFileName field inside EPROCESS (not a full path). */
NTKERNELAPI UCHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/* DriverUnload routines return VOID. */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver unloaded\n");
}

void GetProcessName(ULONG dwPid)
{
    HANDLE ProcessHandle;
    NTSTATUS status;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID myCid;
    PEPROCESS EProcess;

    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    myCid.UniqueProcess = (HANDLE)dwPid;
    myCid.UniqueThread = 0;

    // Open the process and obtain a handle
    status = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Failed to open process: 0x%08X\n", status);
        return;
    }

    // Turn the handle into a referenced EPROCESS pointer. The object type must be
    // *PsProcessType and the access mask a process right (FILE_READ_DATA is a file right).
    status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_QUERY_INFORMATION, *PsProcessType,
                                       KernelMode, (PVOID*)&EProcess, NULL);
    if (NT_SUCCESS(status)) {
        // Method 1: read ImageFileName at a hard-coded offset inside EPROCESS.
        // 0x174 is only valid for the Windows build this was written against.
        char *ProcessName = (char*)EProcess + 0x174;
        // Method 2: the exported helper, which knows the correct offset for the running kernel.
        char *PsName = (char*)PsGetProcessImageFileName(EProcess);
        DbgPrint("ProcessName is %s\n", ProcessName);
        DbgPrint("PsName is %s\n", PsName);
        // Drop the reference taken by ObReferenceObjectByHandle
        ObDereferenceObject(EProcess);
    } else {
        DbgPrint("Get ProcessName error: 0x%08X\n", status);
    }
    // The handle must be closed on both paths, not only on success
    ZwClose(ProcessHandle);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("Driver loaded\n");
    GetProcessName(2044);   // PID of the process to inspect, hard-coded for this test
    DriverObject->DriverUnload = Unload;
    return STATUS_SUCCESS;
}
```
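Both methods above first obtain a PEPROCESS. The following added example (not code from the original post) shows the same lookup done with the documented PsLookupProcessByProcessId routine, which returns a referenced EPROCESS directly from the PID without opening a handle with PROCESS_ALL_ACCESS, and copies the name out while the reference is held. It assumes a WDK kernel-mode build at PASSIVE_LEVEL; the function name GetProcessNameByLookup and the 16-byte field length are the example's own assumptions (ImageFileName in EPROCESS is a short fixed-size array, so the copy is bounded rather than relying on a terminator).

```c
#include <ntddk.h>

/* Exported by ntoskrnl but undeclared in public headers. */
NTKERNELAPI UCHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);

#define IMAGE_FILE_NAME_FIELD_LEN 16   /* assumed size of EPROCESS.ImageFileName */

/* Resolve dwPid to its image file name without opening a process handle.
   Buffer receives a NUL-terminated copy (BufferSize bytes available).
   Returns the status of the PID lookup. */
NTSTATUS GetProcessNameByLookup(ULONG dwPid, char *Buffer, SIZE_T BufferSize)
{
    PEPROCESS EProcess;
    NTSTATUS status;
    UCHAR *name;
    SIZE_T i, limit;

    if (Buffer == NULL || BufferSize == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    Buffer[0] = '\0';

    // Takes a reference on the EPROCESS; no handle and no access-mask choice involved
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)dwPid, &EProcess);
    if (!NT_SUCCESS(status)) {
        return status;          // e.g. STATUS_INVALID_PARAMETER for a PID that does not exist
    }

    // The pointer is valid only while the reference is held, so copy now
    name = PsGetProcessImageFileName(EProcess);
    limit = (BufferSize - 1 < IMAGE_FILE_NAME_FIELD_LEN) ? BufferSize - 1 : IMAGE_FILE_NAME_FIELD_LEN;
    for (i = 0; i < limit && name[i] != '\0'; i++) {
        Buffer[i] = (char)name[i];
    }
    Buffer[i] = '\0';

    ObDereferenceObject(EProcess);
    return status;
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    char name[IMAGE_FILE_NAME_FIELD_LEN + 1];
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    status = GetProcessNameByLookup(4, name, sizeof(name));   // PID 4 is System on Windows
    if (NT_SUCCESS(status)) {
        DbgPrint("PID 4 image name: %s\n", name);
    } else {
        DbgPrint("Lookup failed: 0x%08X\n", status);
    }
    DriverObject->DriverUnload = NULL;
    return STATUS_SUCCESS;
}
```

Because PsLookupProcessByProcessId hands back a referenced object, the only cleanup needed is the ObDereferenceObject call; forgetting it keeps the EPROCESS alive after the process exits, which is the same leak the handle-based version has if the reference or handle is not released on every path.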
Please credit when reposting: exchen's blog » Getting a process name from a process ID in the kernel