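上一篇文章里在 XP 下取进程路径的做法太麻烦。
既然已经限定在 XP 系统下,为什么不直接硬编码结构偏移呢?(注意:下面用到的 0x14、0x24、0x138 这些偏移只对作者所针对的 32 位 XP 有效,换到其他系统版本必须先用符号重新确认,否则读到的就是错误的内核内存,直接蓝屏。)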
好吧,走起~~~
/*
 * _MmGetFileObjectForSection
 *
 * Walks three hard-coded pointers starting at a section object and returns
 * the value found at the end of the chain, which the caller treats as a
 * PFILE_OBJECT.
 *
 * ABI:   x86 __stdcall, naked (no compiler prologue/epilogue), so the single
 *        argument is at [esp + 4] on entry and the callee pops it (ret 4).
 * In:    Section - pointer to a section object; must be non-NULL and valid.
 * Out:   eax = dword read from the last structure in the chain; may be NULL.
 * Clobb: eax only.
 *
 * NOTE(review): the offsets 0x14 / 0x00 / 0x24 are presumably
 * Section->Segment, Segment->ControlArea and ControlArea->FilePointer in the
 * 32-bit XP layout the surrounding text targets - confirm against symbols
 * for the exact build. Nothing here validates the intermediate pointers; a
 * wrong layout or a stale section object faults in kernel mode.
 */
PFILE_OBJECT __declspec(naked) __stdcall _MmGetFileObjectForSection(PVOID Section)
{
    __asm
    {
        mov     eax, dword ptr [esp + 0x04]     ; eax = Section (frameless: arg sits just above the return address)
        mov     eax, dword ptr [eax + 0x14]     ; eax = *(Section + 0x14)
        mov     eax, dword ptr [eax]            ; eax = first dword of that structure
        mov     eax, dword ptr [eax + 0x24]     ; eax = dword at +0x24, returned as the file object
        ret     0x04                            ; __stdcall: callee removes the 4-byte argument
    }
}
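/*
 * PsReferenceProcessFilePointer
 *
 * Reads the section object pointer stored at Process + 0x138, resolves it to
 * a file object through _MmGetFileObjectForSection, takes a reference on
 * that file object and hands it back to the caller.
 *
 * Parameters:
 *   Process       - process object to inspect; must be a valid PEPROCESS.
 *   OutFileObject - receives the referenced file object on success and is
 *                   set to NULL on failure.
 *
 * Returns:
 *   STATUS_SUCCESS            - *OutFileObject holds a referenced file
 *                               object; the caller must release it with
 *                               ObDereferenceObject.
 *   STATUS_INVALID_PARAMETER  - Process or OutFileObject is NULL.
 *   STATUS_UNSUCCESSFUL       - the process has no section object, or the
 *                               section resolves to no file object.
 *
 * NOTE(review): 0x138 is a hard-coded structure offset that the surrounding
 * text says is for XP only. On any other build this reads an unrelated
 * field; gate the call on an OS version check done once at driver load.
 *
 * NOTE(review): nothing in this function pins the process or the section
 * while the pointer chain is walked, so the caller has to guarantee that
 * the process is not being torn down concurrently.
 */
NTSTATUS PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PVOID *OutFileObject)
{
    PVOID SectionObject;
    PFILE_OBJECT FileObject;

    if (Process == NULL || OutFileObject == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    /* Never leave the out parameter uninitialised on a failure path. */
    *OutFileObject = NULL;

    SectionObject = *(PVOID*)((PCHAR)Process + 0x138);
    if (SectionObject == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    FileObject = _MmGetFileObjectForSection(SectionObject);
    if (FileObject == NULL)
    {
        /*
         * The chain can legitimately end in NULL; passing NULL to
         * ObReferenceObject would bugcheck, so fail instead.
         */
        return STATUS_UNSUCCESSFUL;
    }

    /* Take the reference before publishing the pointer to the caller. */
    ObReferenceObject(FileObject);
    *OutFileObject = FileObject;
    return STATUS_SUCCESS;
}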
WRK+DBG