ProcessImageFileNameWin32

最新推荐文章于 2022-02-05 06:19:08 发布

Lycorisradiata_77

最新推荐文章于 2022-02-05 06:19:08 发布

阅读量1.1k

点赞数

分类专栏： C 文章标签： Ring3

本文链接：https://blog.csdn.net/zl11984/article/details/51537658

版权

C 专栏收录该内容

5 篇文章 0 订阅

订阅专栏

Result
X:\xxx.exe
Note
The calling application must free the memory call free function
Minimum supported client
Windows Vista

NTSTATUS GetProcessPath(
    IN  HANDLE          UniqueProcessId,
    OUT PUNICODE_STRING*    ProcessPath )
{
    NTSTATUS Status = STATUS_SUCCESS;
    PVOID Buffer = NULL;
    HANDLE hProcess = NULL;
    ULONG NeedSize = 0;
    CLIENT_ID ci = { 0 };
    OBJECT_ATTRIBUTES oa = { 0 };

    ci.UniqueProcess = UniqueProcessId;
    oa.Length = sizeof( oa );

    Status = NtOpenProcess( &hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &ci );
    if ( ! hProcess )
        return Status;

    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, NULL, 0, &NeedSize );
    if ( ! NeedSize )
        return Status;

    Buffer = malloc( NeedSize );
    memset( Buffer, 0, NeedSize );
    Status = NtQueryInformationProcess( hProcess, ProcessImageFileNameWin32, Buffer, NeedSize, NULL );

    CloseHandle( hProcess );
    *ProcessPath = ( PUNICODE_STRING )Buffer;

    return Status;
}