Windows 得到一个进程的完整路径

头文件中:
    
#pragma once
#include <windows.h>
#include <iostream>
using namespace std;
// Kernel-style success test: an NTSTATUS is a success (or informational)
// code when its sign bit is clear, i.e. the value is non-negative.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
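// Native counted string. Length and MaximumLength are BYTE counts (not
// character counts) and Buffer is not guaranteed to be NUL-terminated, so
// never use Buffer as a C string without copying Length bytes and terminating
// the copy yourself. Buffer points into the owning process's address space;
// for a remote process it must be fetched with ReadProcessMemory.
// Fix: PUNICODE_STRING was declared as a second alias of the struct instead of
// a pointer to it (the '*' was missing), contrary to what the P prefix means.
// NOTE(review): this name also exists in winternl.h; do not include both.
typedef struct _UNICODE_STRING
{
 UINT16 Length;          // bytes, not WCHARs
 UINT16 MaximumLength;   // bytes
 PWCHAR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;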
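// Current-directory record embedded in RTL_USER_PROCESS_PARAMETERS: a counted
// DOS path plus the directory handle. Declared as a struct so its size follows
// the build's pointer size (12 bytes on 32-bit builds, 24 on 64-bit builds).
typedef struct _CURDIR_X86
{
 UNICODE_STRING DosPath;
 HANDLE         Handle;
} CURDIR_X86, *PCURDIR_X86;

// Leading portion of the native RTL_USER_PROCESS_PARAMETERS, up to CommandLine.
// Fix: CurrentDirectory was declared as ULONG32[3] (12 bytes), which is only
// correct for 32-bit targets. On a 64-bit build the record is 24 bytes, so
// DllPath, ImagePathName and CommandLine were all shifted and
// ImagePathName.Buffer was read from the wrong offset. With CURDIR_X86 the
// offsets match the public winternl.h layout (16 reserved bytes followed by 10
// pointer-sized slots before ImagePathName) on both architectures; the 32-bit
// layout is unchanged.
// SECURITY: this block lives in the target's user-mode address space and the
// target can rewrite it, so ImagePathName and CommandLine can be spoofed.
typedef struct _RTL_USER_PROCESS_PARAMETERS_X86
{
 UINT32 MaximumLength;
 UINT32 Length;
 UINT32 Flags;
 UINT32 DebugFlags;
 PVOID  ConsoleHandle;
 UINT32 ConsoleFlags;
 PVOID  StandardInput;
 PVOID  StandardOutput;
 PVOID  StandardError;
 CURDIR_X86     CurrentDirectory;
 UNICODE_STRING DllPath;
 UNICODE_STRING ImagePathName;   // byte-counted, not NUL-terminated (see UNICODE_STRING)
 UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS_X86, *PRTL_USER_PROCESS_PARAMETERS_X86;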
// Leading portion of the native PEB. Only the members up to ProcessParameters
// are declared because that is all this file reads; ReadProcessMemory copies
// sizeof(PEB) bytes, so the real PEB being larger is harmless.
// NOTE(review): every member after BitField is pointer-sized, so this prefix
// appears to line up on both 32- and 64-bit builds despite the _X86 suffix --
// verify against winternl.h for the target you build for.
struct _PEB_X86
{
 UINT8 InheritedAddressSpace;
 UINT8 ReadImageFileExecOptions;
 UINT8 BeingDebugged;
 UINT8 BitField;
 PVOID Mutant;
 PVOID ImageBaseAddress;
 PVOID Ldr;
 // Pointer into the target's own address space; the target can rewrite
 // everything it points to, so nothing reached through it is trustworthy.
 PRTL_USER_PROCESS_PARAMETERS_X86 ProcessParameters;
};
using PEB_X86  = _PEB_X86;
using PPEB_X86 = _PEB_X86*;

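// _WIN32 is predefined by MSVC for 64-bit targets as well, so the original
// "#ifdef _WIN32 / #else" always took the first branch. The #else branch named
// PEB_X64/PPEB_X64, which this header never declares, so it could not have
// compiled had it ever been selected. Select the declared layouts
// unconditionally and make the Windows-only assumption explicit instead.
#ifndef _WIN32
#error "This header reads the Windows PEB through ntdll and only builds on Windows."
#endif
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_X86
#define PPEB PPEB_X86
#define PEB  PEB_X86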

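// Output of NtQueryInformationProcess(ProcessBasicInformation).
// Fix: AffinityMask and the two process IDs are pointer-sized (ULONG_PTR) in
// the native definition. Declaring them ULONG made this struct 32 bytes on
// 64-bit builds instead of 48; NtQueryInformationProcess requires the exact
// size for this class and answers STATUS_INFO_LENGTH_MISMATCH, so the lookup
// in this file failed on every x64 build. The 32-bit layout is unchanged.
typedef struct _PROCESS_BASIC_INFORMATION
{
 NTSTATUS  ExitStatus;
 PPEB      PebBaseAddress;                 // PEB address in the target's address space
 ULONG_PTR AffinityMask;
 LONG      BasePriority;                   // KPRIORITY
 ULONG_PTR UniqueProcessId;
 ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;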

// Information classes for NtQueryInformationProcess. This is a positional
// enum: the ordinal is what ntdll hands to the kernel, so entries must not be
// reordered, inserted or removed (ProcessBasicInformation = 0 ... MaxProcessInfoClass = 38).
// Only ProcessBasicInformation is used in this file.
// NOTE(review): the same enum name exists in winternl.h; including both headers
// would be a redefinition.
typedef enum _PROCESSINFOCLASS {
 ProcessBasicInformation,                // 0: fills PROCESS_BASIC_INFORMATION (PEB address, PIDs)
 ProcessQuotaLimits,
 ProcessIoCounters,
 ProcessVmCounters,
 ProcessTimes,
 ProcessBasePriority,
 ProcessRaisePriority,
 ProcessDebugPort,
 ProcessExceptionPort,
 ProcessAccessToken,
 ProcessLdtInformation,
 ProcessLdtSize,
 ProcessDefaultHardErrorMode,
 ProcessIoPortHandlers,                  // Note: this is kernel mode only
 ProcessPooledUsageAndLimits,
 ProcessWorkingSetWatch,
 ProcessUserModeIOPL,
 ProcessEnableAlignmentFaultFixup,
 ProcessPriorityClass,
 ProcessWx86Information,
 ProcessHandleCount,
 ProcessAffinityMask,
 ProcessPriorityBoost,
 ProcessDeviceMap,
 ProcessSessionInformation,
 ProcessForegroundInformation,
 ProcessWow64Information,
 // 27. NOTE(review): returns the kernel-maintained native image path; unlike
 // the PEB copy read in this file, the target cannot rewrite it, so prefer
 // this (or QueryFullProcessImageNameW) for any trust decision.
 ProcessImageFileName,
 ProcessLUIDDeviceMapsEnabled,
 ProcessBreakOnTermination,
 ProcessDebugObjectHandle,
 ProcessDebugFlags,
 ProcessHandleTracing,
 ProcessIoPriority,
 ProcessExecuteFlags,
 ProcessResourceManagement,
 ProcessCookie,
 ProcessImageInformation,
 MaxProcessInfoClass
} PROCESSINFOCLASS;
// Signature of ntdll!NtQueryInformationProcess. The function is exported by
// ntdll but absent from the import libraries, so this file resolves it with
// GetProcAddress at run time. The public winternl.h prototype uses
// ULONG/PULONG for the last two parameters; UINT32/PUINT32 have the same width.
using pfnNtQueryInformationProcess = NTSTATUS(NTAPI*)(
 IN HANDLE ProcessHandle,
 IN PROCESSINFOCLASS ProcessInformationClass,
 OUT PVOID ProcessInformation,
 IN UINT32 ProcessInformationLength,
 OUT PUINT32 ReturnLength);
// Looks up the image path of process ProcessID by reading its PEB and copies
// it into BufferData. Returns TRUE on success and FALSE if the process could
// not be opened with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ or a read
// failed. BufferLegnth is the capacity of BufferData; the caller in this file
// passes MAX_PATH. See the definition for the exact unit and truncation rules.
// The path comes from the target's own (writable) PEB, so it is diagnostic
// information, not something to base a trust decision on.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth);

在 CPP 文件中（`stdafx.h` 需要包含上面的头文件内容，否则下面用到的 PEB、NT_SUCCESS、PROCESSINFOCLASS 等名字无法解析）:

#include "stdafx.h"               //加载头文件
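// Reads a PID from stdin and prints the image path of that process.
// Exit status is 0 on success and 1 when the input is not a number or the
// lookup fails.
int main()
{
 ULONG32 ProcessID = 0;
 WCHAR   BufferData[MAX_PATH] = { 0 };   // NOTE: paths longer than MAX_PATH-1 chars are rejected by the lookup
 printf("Input Process ID\r\n");
 // ProcessID is unsigned, so %u rather than %d. On non-numeric input scanf_s
 // returns 0 (or EOF) and leaves ProcessID untouched; bail out instead of
 // silently querying PID 0.
 if (scanf_s("%u", &ProcessID) != 1)
 {
  printf("Invalid process ID\r\n");
  return 1;
 }
 if (GetProcessFullPathByProcessID(ProcessID, BufferData, MAX_PATH) != TRUE)
 {
  printf("Failed to query process %u (error %lu)\r\n", ProcessID, GetLastError());
  return 1;
 }
 printf("%S\r\n", BufferData);
 return 0;
}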
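// Resolves the full image path of process ProcessID by following
// PEB -> ProcessParameters -> ImagePathName in the target, using
// NtQueryInformationProcess to find the PEB and ReadProcessMemory to copy it.
//
//   ProcessID     PID of the target process.
//   BufferData    Receives the NUL-terminated path.
//   BufferLegnth  Capacity of BufferData in WCHAR elements (the caller in this
//                 file passes MAX_PATH) -- NOT bytes.
//
// Returns TRUE on success. Returns FALSE when the process cannot be opened
// with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, when ntdll cannot be
// resolved, when any read fails, when the target has no image path, or when
// the path does not fit (ERROR_INSUFFICIENT_BUFFER; no truncated copy is
// returned). For Win32 failures GetLastError() is set by the failing API; the
// NTSTATUS from NtQueryInformationProcess is not translated.
//
// Fixes relative to the original:
//  * ReadProcessMemory's byte count is a SIZE_T (8 bytes on x64); it was
//    written through a (SIZE_T*) cast into a 4-byte ULONG32 local, i.e. a
//    stack overflow on 64-bit builds.
//  * BufferLegnth (a WCHAR count) was compared with UNICODE_STRING.Length (a
//    byte count), paths over 129 chars were silently cut to 125 chars and
//    still reported TRUE, BufferLegnth < 10 underflowed the read size, and
//    the result was never NUL-terminated by this function.
//  * The second ReadProcessMemory result was never checked.
//
// SECURITY: ProcessParameters is in the target's user-mode address space and
// fully writable by the target, so the path returned here can be spoofed.
// Use it for diagnostics only; for any trust decision query a
// kernel-maintained source (ProcessImageFileName / QueryFullProcessImageNameW).
// NOTE(review): the structures read here must match the target's bitness;
// cross-bitness (WOW64) use is not handled -- verify before relying on it.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth)
{
 if (BufferData == NULL || BufferLegnth == 0)
 {
  SetLastError(ERROR_INVALID_PARAMETER);
  return FALSE;
 }
 BufferData[0] = L'\0';

 // Closes the process handle on every exit path below.
 struct HandleGuard
 {
  HANDLE h;
  ~HandleGuard() { if (h != NULL) CloseHandle(h); }
 };
 HandleGuard Process = { OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessID) };
 if (Process.h == NULL)
 {
  return FALSE;   // GetLastError() set by OpenProcess (e.g. ERROR_ACCESS_DENIED)
 }

 // NtQueryInformationProcess is exported by ntdll but not in the import
 // libraries; resolve it from the copy already loaded in this process.
 HMODULE Ntdll = GetModuleHandleW(L"ntdll.dll");
 pfnNtQueryInformationProcess NtQueryInformationProcess = (Ntdll != NULL)
  ? (pfnNtQueryInformationProcess)GetProcAddress(Ntdll, "NtQueryInformationProcess")
  : NULL;
 if (NtQueryInformationProcess == NULL)
 {
  SetLastError(ERROR_PROC_NOT_FOUND);
  return FALSE;
 }

 // ProcessBasicInformation yields the PEB address in the target.
 PROCESS_BASIC_INFORMATION pbi = { 0 };
 UINT32 QueryReturnLength = 0;
 NTSTATUS Status = NtQueryInformationProcess(Process.h, ProcessBasicInformation,
  &pbi, (UINT32)sizeof(pbi), &QueryReturnLength);
 if (!NT_SUCCESS(Status) || pbi.PebBaseAddress == NULL)
 {
  return FALSE;
 }

 // A real SIZE_T for the byte count: see the fix list above.
 SIZE_T BytesRead = 0;
 PEB Peb = { 0 };
 if (!ReadProcessMemory(Process.h, pbi.PebBaseAddress, &Peb, sizeof(Peb), &BytesRead)
  || BytesRead != sizeof(Peb))
 {
  return FALSE;
 }
 if (Peb.ProcessParameters == NULL)
 {
  SetLastError(ERROR_NOT_FOUND);   // e.g. process still initialising
  return FALSE;
 }

 RTL_USER_PROCESS_PARAMETERS Params = { 0 };
 if (!ReadProcessMemory(Process.h, Peb.ProcessParameters, &Params, sizeof(Params), &BytesRead)
  || BytesRead != sizeof(Params))
 {
  return FALSE;
 }

 // UNICODE_STRING.Length is a BYTE count and Buffer need not be
 // NUL-terminated: convert to characters (dropping a trailing odd byte), make
 // sure the terminator we append also fits, and only then read.
 const UNICODE_STRING& Image = Params.ImagePathName;
 const ULONG PathChars = Image.Length / sizeof(WCHAR);
 if (Image.Buffer == NULL || PathChars == 0)
 {
  SetLastError(ERROR_NOT_FOUND);
  return FALSE;
 }
 if (PathChars >= BufferLegnth)
 {
  SetLastError(ERROR_INSUFFICIENT_BUFFER);
  return FALSE;
 }
 const SIZE_T PathBytes = (SIZE_T)PathChars * sizeof(WCHAR);
 if (!ReadProcessMemory(Process.h, Image.Buffer, BufferData, PathBytes, &BytesRead)
  || BytesRead != PathBytes)
 {
  BufferData[0] = L'\0';   // do not hand back a partially filled buffer
  return FALSE;
 }
 BufferData[PathChars] = L'\0';
 return TRUE;
}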
