
ProcessImageFileNameWin32

Tags: Ring3

Result
       X:\xxx.exe (the Win32 image path of the process)
Note
       The calling application must release the returned memory with free().
Minimum supported client
       Windows Vista

#include <windows.h>
#include <winternl.h>
#include <stdlib.h>
#include <string.h>
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS   ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_NO_MEMORY
#define STATUS_NO_MEMORY ((NTSTATUS)0xC0000017L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(s)    (((NTSTATUS)(s)) >= 0)
#endif
/* Value 43 is missing from the public winternl.h PROCESSINFOCLASS enum. */
#ifndef ProcessImageFileNameWin32
#define ProcessImageFileNameWin32 ((PROCESSINFOCLASS)43)
#endif
/* Exported by ntdll.dll but not declared in winternl.h (link with ntdll.lib);
   drop the typedef if your SDK already defines CLIENT_ID. */
typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID;
NTSYSAPI NTSTATUS NTAPI NtOpenProcess( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                                       POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId );

/* Returns the Win32 image path of the process with the given PID as one heap
   allocation holding the UNICODE_STRING header and its Buffer; caller must free() it. */
NTSTATUS GetProcessPath(
    IN  HANDLE              UniqueProcessId,
    OUT PUNICODE_STRING*    ProcessPath )
{
    NTSTATUS Status = STATUS_SUCCESS;
    PVOID Buffer = NULL;
    HANDLE hProcess = NULL;
    ULONG NeedSize = 0;
    CLIENT_ID ci = { 0 };
    OBJECT_ATTRIBUTES oa = { 0 };

    *ProcessPath = NULL;
    ci.UniqueProcess = UniqueProcessId;
    oa.Length = sizeof( oa );

    /* PROCESS_QUERY_LIMITED_INFORMATION is enough to read the image path. */
    Status = NtOpenProcess( &hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &ci );
    if ( ! NT_SUCCESS( Status ) )
        return Status;

    /* Size probe: expected to fail with STATUS_INFO_LENGTH_MISMATCH and set NeedSize. */
    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, NULL, 0, &NeedSize );
    if ( ! NeedSize ) { CloseHandle( hProcess ); return Status; }   /* handle was leaked here */

    Buffer = malloc( NeedSize );
    if ( ! Buffer ) { CloseHandle( hProcess ); return STATUS_NO_MEMORY; }
    memset( Buffer, 0, NeedSize );
    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, Buffer, NeedSize, NULL );
    CloseHandle( hProcess );

    if ( ! NT_SUCCESS( Status ) ) { free( Buffer ); return Status; }
    *ProcessPath = ( PUNICODE_STRING )Buffer;
    return Status;
}
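The note above says the caller owns the returned memory, but it leaves out the second thing a consumer of ProcessImageFileNameWin32 trips over: the UNICODE_STRING's Length is a byte count and its Buffer is not guaranteed to be NUL-terminated, so passing it straight to a C string function can read past the allocation. The following is an added example, not code from the post: a helper that copies the result into a properly terminated UTF-16 array, plus a caller (Windows only, under `#ifdef _WIN32`) that assumes the post's `GetProcessPath` is compiled into the same program and linked against ntdll.lib. The helper names `unicode_string_dup` and `wide_len` are this example's own; the non-Windows `UNICODE_STRING` stand-in only mirrors the real header layout so the helper can be compiled and tested elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef WCHAR wide_char_t;          /* 16-bit UTF-16 unit, as used by UNICODE_STRING */
#else
/* Portable stand-in for the Windows UNICODE_STRING layout (constructed for this
   example) so the helper below can be built and tested off-Windows. */
typedef uint16_t wide_char_t;
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes in use, NOT including any terminator */
    uint16_t MaximumLength; /* bytes of storage behind Buffer */
    wide_char_t *Buffer;    /* may or may not be NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;
#endif

/* Copy a UNICODE_STRING into a fresh, NUL-terminated array of UTF-16 units.
   Length is a byte count, so an odd value means a corrupt header and is rejected.
   Returns NULL on bad input or allocation failure; the caller free()s the result. */
wide_char_t *unicode_string_dup(const UNICODE_STRING *us)
{
    size_t chars;
    wide_char_t *out;

    if (us == NULL || us->Buffer == NULL || (us->Length & 1) != 0)
        return NULL;
    chars = us->Length / sizeof(wide_char_t);
    out = (wide_char_t *)malloc((chars + 1) * sizeof(wide_char_t));
    if (out == NULL)
        return NULL;
    memcpy(out, us->Buffer, us->Length);
    out[chars] = 0;                 /* the terminator the kernel never promised */
    return out;
}

/* Length in UTF-16 units of a NUL-terminated wide string. */
size_t wide_len(const wide_char_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

#ifdef _WIN32
/* Hypothetical caller: GetProcessPath is the function from the post, assumed
   to be compiled into this program; queries the current process's own path. */
NTSTATUS GetProcessPath(HANDLE UniqueProcessId, PUNICODE_STRING *ProcessPath);

int main(void)
{
    PUNICODE_STRING us = NULL;
    wide_char_t *path;
    NTSTATUS st = GetProcessPath((HANDLE)(ULONG_PTR)GetCurrentProcessId(), &us);

    if (st < 0 || us == NULL)
        return 1;
    path = unicode_string_dup(us);
    free(us);                       /* one allocation covers header and Buffer */
    if (path == NULL)
        return 1;
    wprintf(L"%ls (%zu chars)\n", path, wide_len(path));
    free(path);
    return 0;
}
#endif
```

Freeing `us` immediately after the copy is deliberate: the header and the character data are one allocation, so nothing inside the UNICODE_STRING may be used once it is released.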