ProcessImageFileNameWin32

原创 2016年05月30日 14:27:07

Result
       X:\xxx.exe
Note
       The calling application must release the returned buffer by calling the free function.
Minimum supported client
       Windows Vista

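/**
 * Look up the Win32-format image path (e.g. X:\xxx.exe) of a process by its ID.
 *
 * The process is opened with PROCESS_QUERY_LIMITED_INFORMATION only, the
 * narrowest access right that ProcessImageFileNameWin32 needs, so the lookup
 * does not require query or read rights beyond that.
 *
 * @param UniqueProcessId  Process ID, passed as a HANDLE-typed value in CLIENT_ID.
 * @param ProcessPath      Receives a malloc-family allocation holding a
 *                         UNICODE_STRING on success, or NULL on every failure
 *                         path. The caller owns the allocation and releases it
 *                         with free().
 * @return The NTSTATUS of the last native call made, or STATUS_NO_MEMORY when
 *         the buffer cannot be allocated. Check both the status and
 *         *ProcessPath before using the result.
 *
 * NOTE(review): the returned name identifies the image the process was created
 * from; it presumably says nothing about whether the file on disk is still the
 * same one, so do not treat it as an integrity check on its own.
 */
NTSTATUS GetProcessPath(
    IN  HANDLE          UniqueProcessId,
    OUT PUNICODE_STRING*    ProcessPath )
{
    NTSTATUS Status = STATUS_SUCCESS;
    PVOID Buffer = NULL;
    HANDLE hProcess = NULL;
    ULONG NeedSize = 0;
    CLIENT_ID ci = { 0 };
    OBJECT_ATTRIBUTES oa = { 0 };

    /* Never leave the out-parameter uninitialized on an early return. */
    *ProcessPath = NULL;

    ci.UniqueProcess = UniqueProcessId;
    oa.Length = sizeof( oa );

    Status = NtOpenProcess( &hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &ci );
    if ( ! NT_SUCCESS( Status ) || ! hProcess )
        return Status;

    /* First call with no buffer only asks how many bytes are required. */
    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, NULL, 0, &NeedSize );
    if ( ! NeedSize )
        goto Cleanup;   /* the handle must still be closed on this path */

    /* calloc zero-fills, so a short write cannot expose stale heap contents. */
    Buffer = calloc( 1, NeedSize );
    if ( ! Buffer )
    {
        Status = STATUS_NO_MEMORY;
        goto Cleanup;
    }

    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, Buffer, NeedSize, NULL );
    if ( ! NT_SUCCESS( Status ) )
    {
        /* Do not hand back a buffer that does not hold a valid UNICODE_STRING. */
        free( Buffer );
        Buffer = NULL;
    }

Cleanup:
    CloseHandle( hProcess );
    *ProcessPath = ( PUNICODE_STRING )Buffer;

    return Status;
}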