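/*
 * GetProcessName - obtain the NT image path and the image file name of a
 * process object.
 *
 * pEproc       process to query (a valid, referenced EPROCESS).
 * outFullPath  receives a NUL-terminated wide string holding the full NT
 *              path (e.g. "\Device\HarddiskVolumeN\...\foo.exe"), or NULL on
 *              failure. The buffer is pool memory tagged 'FXSD'; on success
 *              it is owned by the caller, who releases it with ExFreePool.
 * outProcName  receives a pointer INTO *outFullPath, just past the last
 *              backslash (or the whole string when there is none). It must
 *              never be freed on its own and becomes invalid together with
 *              *outFullPath.
 *
 * Returns STATUS_SUCCESS, or an NTSTATUS failure code. On any failure both
 * output pointers are NULL and no pool memory is left allocated.
 *
 * Must run at PASSIVE_LEVEL; the Zw* call and the pool allocation are not
 * safe at elevated IRQL.
 */
NTSTATUS GetProcessName(IN PEPROCESS pEproc, PWCHAR* outFullPath, PWCHAR* outProcName)
{
    typedef NTSTATUS(*xxQUERY_INFO_PROCESS) (
        __in HANDLE ProcessHandle,
        __in PROCESSINFOCLASS ProcessInformationClass,
        __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
        __in ULONG ProcessInformationLength,
        __out_opt PULONG ReturnLength
        );
    /*
     * Resolved by name on first use because older WDKs do not ship a
     * prototype for ZwQueryInformationProcess. Concurrent first callers all
     * store the same value, so the unsynchronized write is benign.
     */
    static xxQUERY_INFO_PROCESS ZwQueryInformationProcess = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength = 0;
    ULONG allocLength = 0;   /* size of 'buffer'; returnedLength is reused by the 2nd query */
    PVOID buffer = NULL;
    PUNICODE_STRING imageName = NULL;
    HANDLE handle = NULL;

    if (NULL == outFullPath || NULL == outProcName)
    {
        return STATUS_UNSUCCESSFUL;
    }
    *outProcName = NULL;
    *outFullPath = NULL;

    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
    {
        DbgPrint("IRQL Must PASSIVE_LEVEL.\n");
        return status;
    }

    if (NULL == ZwQueryInformationProcess)
    {
        UNICODE_STRING routineName;
        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
        ZwQueryInformationProcess =
            (xxQUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);
        if (NULL == ZwQueryInformationProcess)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            return status;
        }
    }

    //
    // 1. pEproc --> handle
    //
    // ObjectType NULL skips the type check on pEproc; passing *PsProcessType
    // would make the open fail for a non-process object.
    //
    status = ObOpenObjectByPointer(pEproc,
        OBJ_KERNEL_HANDLE,
        NULL,
        0,
        NULL,
        KernelMode,
        &handle
        );
    if (!NT_SUCCESS(status))
    {
        // Without this check 'handle' would be used uninitialized below.
        DbgPrint("ObOpenObjectByPointer failed, status = 0x%08X\n", status);
        return status;
    }

    //
    // 2. probe for the required buffer size
    //
    status = ZwQueryInformationProcess(handle,
        ProcessImageFileName,
        NULL,   // buffer
        0,      // buffer size
        &returnedLength);
    if (STATUS_INFO_LENGTH_MISMATCH != status)
    {
        ZwClose(handle);
        // A success code with no buffer means "no data"; never report
        // success while both outputs are NULL.
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
    }
    // The result is a UNICODE_STRING header followed by its characters; a
    // size that cannot even hold the header is bogus.
    if (returnedLength < sizeof(UNICODE_STRING))
    {
        ZwClose(handle);
        return STATUS_UNSUCCESSFUL;
    }
    allocLength = returnedLength;
    // NonPagedPool kept as in the original; the string is only touched at
    // PASSIVE_LEVEL, so PagedPool (or NonPagedPoolNx on Win8+) would also do.
    buffer = ExAllocatePoolWithTag(NonPagedPool, allocLength, 'FXSD');
    if (NULL == buffer)
    {
        ZwClose(handle);
        return STATUS_NO_MEMORY;
    }

    //
    // 3. fetch the name and flatten it into a plain NUL-terminated string
    //
    __try
    {
        status = ZwQueryInformationProcess(handle,
            ProcessImageFileName,
            buffer,
            allocLength,
            &returnedLength);
        if (NT_SUCCESS(status))
        {
            USHORT len;
            PWCHAR ptr;
            imageName = (PUNICODE_STRING)buffer;
            len = imageName->Length;
            // Length comes from the kernel, but bound the copy and the
            // terminator by our own allocation anyway.
            if ((ULONG)len + sizeof(WCHAR) > allocLength)
            {
                status = STATUS_UNSUCCESSFUL;
            }
            else
            {
                // The characters normally live right behind the header in
                // the same allocation, so source and destination overlap:
                // RtlMoveMemory, not RtlCopyMemory.
                if (len != 0)
                {
                    RtlMoveMemory(buffer, imageName->Buffer, len);
                }
                RtlZeroMemory(((PUCHAR)buffer) + len, sizeof(WCHAR));
                *outFullPath = (PWCHAR)buffer;
                ptr = wcsrchr((PWCHAR)buffer, L'\\');
                *outProcName = (ptr != NULL) ? ptr + 1 : (PWCHAR)buffer;
                status = STATUS_SUCCESS;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        status = GetExceptionCode();
        DbgPrint("get_process_name: Exception!!\n");
    }

    ZwClose(handle);
    if (!NT_SUCCESS(status))
    {
        // Single cleanup path: the caller must never see a pointer to memory
        // that is released here.
        *outFullPath = NULL;
        *outProcName = NULL;
        ExFreePool(buffer);
    }
    return status;
}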
// Usage example
PEPROCESS eProcess = IoThreadToProcess(PsGetCurrentThread());
PWCHAR pwFullPath = NULL;
PWCHAR pwProcName = NULL;
NTSTATUS ntStatus = GetProcessName(eProcess, &pwFullPath, &pwProcName);
if (!NT_SUCCESS(ntStatus))
{
    DbgPrint("GetProcessName failed, status = 0x%08X \n", ntStatus);
}
else
{
    // pwProcName points into pwFullPath, so only the latter is released.
    DbgPrint("Process111 %ws !\n", pwProcName);
    if (NULL != pwFullPath)
    {
        ExFreePool(pwFullPath);
    }
}
上面代码调试通过,记录下来,以备后续Ctrl+V时使用~ 如果你使用时遇到问题,欢迎交流(WX: zhxunCC)