内核获取进程名,使用EPROCESS中的ImageFileName只能显示15个字节,如下: +0x174 ImageFileName : [16] "aaaaaaaaaaaaaaa" 问了mo哥后发现SeAuditProcessCreationInfo中有ImageFileName 字段,类型为_OBJECT_NAME_INFORMATION,可以从该字段获取全路径和进程名。
一些使用记录(调试器输出)如下
!process 0 0 ... PROCESS 85a51020 SessionId: 0 Cid: 0218 Peb: 7ffd5000 ParentCid: 0560 DirBase: 25951000 ObjectTable: e20a0738 HandleCount: 35. Image: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaNOTEPADaaaaaaaaaaaaaaaaaaaaa.EXE ...
lkd> dt nt!_EPROCESS SeAuditProcessCreationInfo.ImageFileName 85a51020 +0x1f4 SeAuditProcessCreationInfo : +0x000 ImageFileName : 0x85a2de88 _OBJECT_NAME_INFORMATION lkd> dt nt!_OBJECT_NAME_INFORMATION 0x85a2de88 -b +0x000 Name : _UNICODE_STRING "/Device/HarddiskVolume1/Documents and Settings/.../桌面/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaNOTEPADaaaaaaaaaaaaaaaaaaaaa.EXE" +0x000 Length : 0x106 +0x002 MaximumLength : 0x108 +0x004 Buffer : 0x85a2de90 "/Device/HarddiskVolume1/Documents and Settings/.../桌面/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaNOTEPADaaaaaaaaaaaaaaaaaaaaa.EXE"
代码片段:
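/*
 * Locate the byte offset of the ImageFileName field inside an EPROCESS.
 *
 * The offset is found heuristically: the first 3*PAGE_SIZE bytes starting at
 * the current EPROCESS are scanned for the string "System", so the result is
 * only meaningful when the caller runs in the System process context (e.g.
 * from DriverEntry) -- NOTE(review): confirm that at every call site.
 * NOTE(review): the scan performs no validity check on the memory it reads;
 * it touches up to 3*PAGE_SIZE bytes past the EPROCESS base and stops at the
 * first match, which may also be a prefix match in some other field.
 *
 * Returns the offset of the first match, or 0 if "System" was not found in
 * the scanned range (0 is the value GetProcessName() treats as "unknown").
 */
DWORD GetProcessNameOffset(void)
{
    DWORD ProcessNameOffset = 0;
    PEPROCESS curproc = PsGetCurrentProcess();
    const PCHAR base = (PCHAR) curproc;
    /* Compare the literal without its terminator, as strlen("System") did; hoisted out of the loop. */
    const size_t namelen = sizeof("System") - 1;

    for (int i = 0; i < 3*PAGE_SIZE; i++)
    {
        /* First match wins. The original inner `i < 3*PAGE_SIZE` test was always true here and is dropped. */
        if (strncmp("System", base + i, namelen) == 0)
        {
            ProcessNameOffset = i;
            DbgMsg("ProcessNameOffset: %.8X", ProcessNameOffset);
            break;
        }
    }
    return ProcessNameOffset;
}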
// Length of process name (rounded up to next DWORD)
// Caller-side buffer size: GetProcessName() writes a NUL at index
// NT_PROCNAMELEN, so any buffer it is given must hold at least
// NT_PROCNAMELEN + 1 bytes; PROCNAMELEN satisfies that.
#define PROCNAMELEN 20
/* Maximum length of NT process name */
/* Matches the 16-byte EPROCESS ImageFileName field shown above (15 visible characters + NUL). */
#define NT_PROCNAMELEN 16
/* =================================================================================================
Copy the current process's image file name into the caller-supplied buffer ImageFileName.

dwProcessNameOffset is the value returned by GetProcessNameOffset(); a zero
offset means "unknown" and nothing is written. At most NT_PROCNAMELEN bytes
are copied from the EPROCESS and a terminating NUL is stored at index
NT_PROCNAMELEN, so ImageFileName must have room for NT_PROCNAMELEN + 1 bytes.

Returns TRUE when the name was copied, FALSE when the offset is zero.
=================================================================================================== */
BOOL GetProcessName(PCHAR ImageFileName, DWORD dwProcessNameOffset)
{
    PCHAR src;

    /* Offset 0 is the "not found" result of GetProcessNameOffset(); nothing to copy. */
    if (!dwProcessNameOffset)
    {
        return FALSE;
    }

    src = (PCHAR) PsGetCurrentProcess() + dwProcessNameOffset;
    /* strncpy stops at the field's NUL or after NT_PROCNAMELEN bytes and does not
       terminate on its own, hence the explicit NUL one byte past the copy. */
    strncpy(ImageFileName, src, NT_PROCNAMELEN);
    ImageFileName[NT_PROCNAMELEN] = 0;
    return TRUE;
}
但要获取完整的进程名(全路径),上面的代码还需要修改:不同系统中 SeAuditProcessCreationInfo.ImageFileName 的偏移位置并不相同。