头文件中:
#pragma once
#include <windows.h>
#include <iostream>
using namespace std;
#include <windows.h>
#include <iostream>
using namespace std;
// Success test for NTSTATUS values, as in the DDK: a status whose sign bit is
// clear (STATUS_SUCCESS and informational codes) counts as success; warning and
// error codes have the sign bit set and fail the test.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
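// Counted UTF-16 string as used by ntdll. Length and MaximumLength are in
// BYTES (not characters) and Buffer is not guaranteed to be NUL-terminated, so
// anything that copies ImagePathName/CommandLine out of another process must
// convert bytes to WCHARs and terminate the copy itself.
typedef struct _UNICODE_STRING
{
    UINT16 Length;        // bytes in use
    UINT16 MaximumLength; // bytes allocated behind Buffer
    PWCHAR Buffer;
} UNICODE_STRING, *PUNICODE_STRING; // '*' restored: PUNICODE_STRING is the pointer alias, matching the other P* typedefs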
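// Leading part of the undocumented RTL_USER_PROCESS_PARAMETERS block pointed to
// by PEB.ProcessParameters, declared only as far as CommandLine because that is
// all this file reads. The _X86 suffix is meaningful: the members use PVOID,
// so the offsets only match the 32-bit layout when the code is built as 32-bit.
// The layout is not part of the public SDK contract and may differ between
// Windows versions.
typedef struct _RTL_USER_PROCESS_PARAMETERS_X86
{
    UINT32 MaximumLength;
    UINT32 Length;
    UINT32 Flags;
    UINT32 DebugFlags;
    PVOID ConsoleHandle;
    UINT32 ConsoleFlags;
    PVOID StandardInput;
    PVOID StandardOutput;
    PVOID StandardError;
    ULONG32 CurrentDirectory[3];   // placeholder for the CURDIR member (a UNICODE_STRING plus a HANDLE: 12 bytes in the 32-bit layout)
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;  // full path of the main executable; what GetProcessFullPathByProcessID reads
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS_X86, *PRTL_USER_PROCESS_PARAMETERS_X86;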
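// Leading part of the Process Environment Block, declared only up to
// ProcessParameters (the one member this file dereferences). As with
// RTL_USER_PROCESS_PARAMETERS_X86 the PVOID members widen in a 64-bit build, so
// this matches the 32-bit PEB only when compiled as 32-bit. Undocumented and
// version-dependent; the supported way to get an image path is
// QueryFullProcessImageNameW.
typedef struct _PEB_X86
{
    UINT8 InheritedAddressSpace;
    UINT8 ReadImageFileExecOptions;
    UINT8 BeingDebugged;
    UINT8 BitField;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PVOID Ldr;
    PRTL_USER_PROCESS_PARAMETERS_X86 ProcessParameters; // pointer valid in the TARGET process's address space, not ours
} PEB_X86, *PPEB_X86;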
// Selects which PEB / process-parameter layout the rest of the file uses.
// NOTE(review): _WIN32 is also predefined for 64-bit Windows builds, so this
// branch is taken there too; PEB_X64 / PPEB_X64 in the #else branch are never
// reached and are not defined anywhere on this page, and that branch also
// leaves RTL_USER_PROCESS_PARAMETERS undefined. A guard that actually
// distinguishes the two would be `#ifndef _WIN64`.
#ifdef _WIN32
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_X86
#define PPEB PPEB_X86
#define PEB PEB_X86
#else
#define PPEB PPEB_X64
#define PEB PEB_X64
#endif
// Output buffer for NtQueryInformationProcess(ProcessBasicInformation).
// NOTE(review): the SDK's winternl.h declares every member of this structure
// pointer-sized; the ULONG/LONG members here match that only in a 32-bit
// build. In a 64-bit build sizeof() is too small and the query is expected to
// fail with a length mismatch rather than return data.
typedef struct _PROCESS_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PPEB PebBaseAddress; // address of the PEB in the target process's address space
ULONG AffinityMask;
LONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
// Information classes accepted by NtQueryInformationProcess. The enumerator
// order fixes the numeric values, so entries must not be reordered or removed.
// Only ProcessBasicInformation (0) is used on this page.
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessResourceManagement,
ProcessCookie,
ProcessImageInformation,
MaxProcessInfoClass
} PROCESSINFOCLASS;
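// Signature of ntdll!NtQueryInformationProcess, which is exported by ntdll.dll
// but not declared in the default SDK headers, so it is resolved at run time
// with GetProcAddress and called through this pointer type.
//   ProcessHandle             - handle opened with at least PROCESS_QUERY_INFORMATION
//   ProcessInformationClass   - which PROCESSINFOCLASS block to return
//   ProcessInformation        - caller buffer; its layout depends on the class
//   ProcessInformationLength  - size of that buffer in bytes
//   ReturnLength              - optional; receives the number of bytes written
// Returns an NTSTATUS; test it with NT_SUCCESS, not with == 0.
typedef
NTSTATUS(NTAPI *pfnNtQueryInformationProcess)(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN UINT32 ProcessInformationLength,
    OUT PUINT32 ReturnLength);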
/// @brief Reads the image path of another process out of its PEB.
/// @param ProcessID    PID of the target process.
/// @param BufferData   Receives the path as a wide string.
/// @param BufferLegnth Size of BufferData in WCHARs (the caller passes MAX_PATH
///                     for a WCHAR[MAX_PATH]); note it is NOT in bytes, while
///                     UNICODE_STRING::Length is.
/// @return TRUE on success, FALSE if the process could not be opened or read.
///         Requires PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth);
在CPP文件中:
#include "stdafx.h" //加载头文件
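// Reads a PID from stdin and prints that process's image path, if it can be
// queried. Exit code 0 normally, 1 if the input is not a number.
int main()
{
    ULONG32 ProcessID = 0;
    WCHAR BufferData[MAX_PATH] = { 0 };

    printf("Input Process ID\r\n");
    // ProcessID is unsigned, so it is read with %u (the original paired %d with
    // an unsigned variable). Non-numeric input is rejected instead of silently
    // querying PID 0.
    if (scanf_s("%u", &ProcessID) != 1)
    {
        return 1;
    }

    // BufferLegnth is a WCHAR count: MAX_PATH elements in BufferData.
    BOOL bOk = GetProcessFullPathByProcessID(ProcessID, BufferData, MAX_PATH);
    if (bOk == TRUE)
    {
        // %S is the MSVC printf conversion for a wide string.
        printf("%S\r\n", BufferData);
    }
    return 0;
}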
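/// @brief Reads the image path of another process out of its PEB.
///
/// Walks PROCESS_BASIC_INFORMATION -> PEB -> RTL_USER_PROCESS_PARAMETERS ->
/// ImagePathName with ReadProcessMemory. The structure layouts in the header
/// are the 32-bit ones, so this only works for a 32-bit build reading a
/// 32-bit target; for anything else the documented QueryFullProcessImageNameW
/// is the layout-independent alternative.
///
/// @param ProcessID    PID of the target process.
/// @param BufferData   Receives the path; always NUL-terminated on success,
///                     truncated to fit if the path is longer than the buffer.
/// @param BufferLegnth Size of BufferData in WCHARs (NOT bytes).
/// @return TRUE on success (including an empty path when the target has no
///         ImagePathName), FALSE if the process cannot be opened or read or
///         the arguments are unusable.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth)
{
    // Owns the process handle so every return path releases it; the original
    // repeated CloseHandle before each early return.
    struct HandleGuard
    {
        HANDLE h;
        explicit HandleGuard(HANDLE Handle) : h(Handle) {}
        ~HandleGuard() { if (h != NULL) CloseHandle(h); }
        HandleGuard(const HandleGuard&) = delete;
        HandleGuard& operator=(const HandleGuard&) = delete;
    };

    if (BufferData == NULL || BufferLegnth == 0)
    {
        return FALSE;
    }
    BufferData[0] = L'\0';

    // PROCESS_QUERY_INFORMATION for NtQueryInformationProcess, PROCESS_VM_READ
    // for ReadProcessMemory. Fails for protected or higher-integrity targets.
    HandleGuard Process(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessID));
    if (Process.h == NULL)
    {
        return FALSE;
    }

    // NtQueryInformationProcess is exported by ntdll but not declared in the
    // default SDK headers, hence the run-time lookup.
    pfnNtQueryInformationProcess NtQueryInformationProcess =
        (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        return FALSE;
    }

    PROCESS_BASIC_INFORMATION pbi = { 0 };
    ULONG32 ReturnLength = 0;
    NTSTATUS Status = NtQueryInformationProcess(Process.h,
        ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION),
        (PUINT32)&ReturnLength);
    if (!NT_SUCCESS(Status) || pbi.PebBaseAddress == NULL)
    {
        return FALSE;
    }

    // ReadProcessMemory writes a SIZE_T. The original passed (SIZE_T*)&ReturnLength
    // with a 4-byte ReturnLength, which overruns that variable on a 64-bit build;
    // use a correctly typed counter instead.
    SIZE_T BytesRead = 0;

    PEB Peb = { 0 };
    if (!ReadProcessMemory(Process.h, pbi.PebBaseAddress, &Peb, sizeof(PEB), &BytesRead))
    {
        return FALSE;
    }
    if (Peb.ProcessParameters == NULL)
    {
        return FALSE;
    }

    RTL_USER_PROCESS_PARAMETERS RtlUserProcessParameters = { 0 };
    if (!ReadProcessMemory(Process.h, Peb.ProcessParameters, &RtlUserProcessParameters,
        sizeof(RTL_USER_PROCESS_PARAMETERS), &BytesRead))
    {
        return FALSE;
    }

    // No image path recorded: not an error, the caller just gets an empty string
    // (the original also returned TRUE here).
    if (RtlUserProcessParameters.ImagePathName.Buffer == NULL ||
        RtlUserProcessParameters.ImagePathName.Length == 0)
    {
        return TRUE;
    }

    // ImagePathName.Length is in BYTES while BufferLegnth is in WCHARs; the
    // original compared the two directly and used an arbitrary "-10" slack.
    // Reserve one WCHAR for the terminator, copy whole characters only, and
    // terminate explicitly so the result never depends on the caller having
    // zeroed the buffer.
    const SIZE_T MaxBytes = (SIZE_T)(BufferLegnth - 1) * sizeof(WCHAR);
    SIZE_T BytesToCopy = RtlUserProcessParameters.ImagePathName.Length;
    if (BytesToCopy > MaxBytes)
    {
        BytesToCopy = MaxBytes;
    }
    BytesToCopy -= BytesToCopy % sizeof(WCHAR);
    if (BytesToCopy == 0)
    {
        return TRUE; // buffer holds only the terminator
    }

    if (!ReadProcessMemory(Process.h, RtlUserProcessParameters.ImagePathName.Buffer,
        BufferData, BytesToCopy, &BytesRead))
    {
        return FALSE;
    }
    BufferData[BytesToCopy / sizeof(WCHAR)] = L'\0';
    return TRUE;
}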