MSDN中ObQueryNameString的定义:
/**
 * ObQueryNameString - retrieve the object-manager name of an object.
 *
 * @param Object          Object whose name is queried.
 * @param ObjectNameInfo  Caller-supplied buffer. The name characters are written
 *                        into this same buffer, right after the
 *                        OBJECT_NAME_INFORMATION header; a separately allocated
 *                        Name.Buffer is ignored, so size the buffer for header + name.
 * @param Length          Size of ObjectNameInfo in bytes. If zero, ReturnLength
 *                        receives the number of bytes the buffer must hold.
 * @param ReturnLength    Receives the buffer size required (or used).
 * @return NTSTATUS; test it with NT_SUCCESS before reading ObjectNameInfo->Name.
 */
NTSTATUS
ObQueryNameString(IN PVOID Object ,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo ,
IN ULONG Length , // If zero, ReturnLength receives the size in bytes of the buffer needed to hold the object name information
OUT PULONG ReturnLength
);
/*
 * Header of the buffer that ObQueryNameString fills. The callee stores the
 * name characters immediately after this structure in the same allocation
 * (and presumably points Name.Buffer at them - the %wZ print below relies on
 * that), so a caller must never allocate Name.Buffer on its own.
 */
typedef struct _OBJECT_NAME_INFORMATION {
UNICODE_STRING Name; /* full object path; printable with the %wZ format */
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
ObQueryNameString源码解读
》http://blog.csdn.net/misterliwei/article/details/4467301中的第五步:
// Step 5: walk back up to the root directory once more and copy the object
// name into the user buffer. (Excerpt from the middle of ObQueryNameString;
// StringBuffer, ObjectNameInfo and NameInfoSize are declared earlier in it.)
StringBuffer = (PWCH)ObjectNameInfo;
StringBuffer = (PWCH)((PCH)StringBuffer + NameInfoSize);
// Look closely: ObQueryNameString does NOT use the ObjectNameInfo.Name.Buffer
// parameter to locate the destination; it simply assumes the name follows
// the OBJECT_NAME_INFORMATION structure directly in the same buffer.
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
所以最终代码要如下:(为了简单,我直接将缓冲区大小设为1024,实际使用时另作处理)
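POBJECT_NAME_INFORMATION pFullPath;
ULONG uRealSize = 0;
const ULONG uBufSize = 1024; /* author's deliberate simplification; real code sizes from uRealSize */
NTSTATUS status;

/*
 * One allocation holds both the OBJECT_NAME_INFORMATION header and the name
 * characters that ObQueryNameString writes right behind it. Do NOT allocate
 * pFullPath->Name.Buffer separately - the callee ignores it.
 * ExAllocatePoolWithTag replaces the untagged (obsolete) ExAllocatePool so the
 * allocation is attributable in pool diagnostics; the tag 'mNqO' is a
 * constructed sample value. The result must be NULL-checked: a failed pool
 * allocation would otherwise be dereferenced by the callee.
 */
pFullPath = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, uBufSize, 'mNqO');
if (pFullPath == NULL) {
    KdPrint(("ObQueryNameString: pool allocation of %lu bytes failed\n", uBufSize));
} else {
    /* ObQueryNameString requires PASSIVE_LEVEL. Check the status before using
     * pFullPath->Name: on failure its contents are not meaningful, and on
     * STATUS_INFO_LENGTH_MISMATCH uRealSize tells how many bytes are needed. */
    status = ObQueryNameString(Object, pFullPath, uBufSize, &uRealSize);
    if (NT_SUCCESS(status)) {
        /* Name is the first member, so &pFullPath->Name is what the old
         * (PUNICODE_STRING)pFullPath cast relied on - spelled out here. */
        KdPrint(("%wZ", &pFullPath->Name));
    } else {
        KdPrint(("ObQueryNameString failed: 0x%08lX (needs %lu bytes)\n",
                 (unsigned long)status, uRealSize));
    }
    ExFreePoolWithTag(pFullPath, 'mNqO');
}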