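/* Size in bytes of the caller-supplied FilePath buffer, including the NUL.
 * The original code also used 256 but wrote the terminator at index 256
 * (one byte past the buffer); this version never writes past index 255. */
enum { PS_PATH_BUF_SIZE = 256 };

/* Field offsets for the walk EPROCESS -> SectionObject -> Segment ->
 * ControlArea -> FilePointer.  These are hard-coded for one specific
 * 32-bit kernel build (note the ULONG pointer arithmetic); confirm them
 * against the target kernel's symbols before deploying. */
enum {
    OFF_EPROCESS_SECTIONOBJECT  = 0x138,
    OFF_SECTION_SEGMENT         = 0x014,
    OFF_SEGMENT_CONTROLAREA     = 0x000,
    OFF_CONTROLAREA_FILEPOINTER = 0x024
};

/*
 * Reads the 4-byte pointer field at base+offset into *out.
 *
 * Returns nonzero on success.  Returns zero (after a DbgPrint tagged with
 * `what`) if base is NULL or either end of the field fails MmIsAddressValid;
 * both ends are probed because a 4-byte field may straddle a page boundary.
 * MmIsAddressValid is only a best-effort probe of residency, not a guarantee
 * that the address stays valid, so this remains a diagnostic-grade read.
 */
static int ReadPointerField(PVOID base, ULONG offset, const char *what, PVOID *out)
{
    ULONG addr;

    if (base == NULL) {
        DbgPrint("%s Error", what);
        return 0;
    }
    addr = (ULONG)base + offset;
    if (!MmIsAddressValid((PVOID)addr) ||
        !MmIsAddressValid((PVOID)(addr + sizeof(ULONG) - 1))) {
        DbgPrint("%s Error", what);
        return 0;
    }
    *out = (PVOID)(*(PULONG)addr);
    return 1;
}

/*
 * Appends up to srclen bytes of src to dst, which has capacity cap bytes and
 * currently holds `used` bytes.  Truncates rather than overflowing and always
 * leaves dst NUL-terminated (when cap > 0).  Returns the new used length.
 */
static size_t AppendBounded(char *dst, size_t cap, size_t used, const char *src, size_t srclen)
{
    size_t room;
    size_t n;

    if (cap == 0) {
        return used;
    }
    if (used >= cap) {
        used = cap - 1;
    }
    room = cap - 1 - used;
    n = (srclen < room) ? srclen : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return used + n;
}

/*
 * Resolves the image path of the process with id Pid into FilePath as
 * "<DOS device name><NT path>", e.g. drive letter followed by the section
 * object's file name, truncated to PS_PATH_BUF_SIZE - 1 characters.
 *
 * FilePath must point to at least PS_PATH_BUF_SIZE bytes; it is overwritten
 * from offset 0 (the original appended with strcat, which relied on the
 * caller pre-clearing the buffer and could overrun it).
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the process cannot be
 * looked up, the field walk hits an invalid or NULL pointer, the file object
 * cannot be referenced, or a string conversion fails.
 *
 * Resource fixes relative to the original: the EPROCESS reference taken by
 * PsLookupProcessByProcessId is released on every path; the DOS name buffer
 * allocated by RtlVolumeDeviceToDosName is freed with ExFreePool; the file
 * name is converted while the file object is still referenced (the original
 * dereferenced it first and then read FileName.Buffer through uni_path).
 */
NTSTATUS PsGetProcessPathByPid( IN ULONG Pid ,char* FilePath)
{
    NTSTATUS status;
    PEPROCESS pEprocess = NULL;
    PFILE_OBJECT fileObject = NULL;
    PVOID object = NULL;
    UNICODE_STRING uniDisk = {0};
    STRING ansiPath = {0};
    STRING ansiDisk = {0};
    int havePath = 0;
    int haveDiskBuffer = 0;
    int haveDisk = 0;
    size_t used;

    if (FilePath == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    status = PsLookupProcessByProcessId(Pid, &pEprocess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("EPROCESS Error");
        return STATUS_UNSUCCESSFUL;
    }
    /* %p matches the pointer argument; the original used %X on a pointer. */
    DbgPrint("EPROCESS %p", pEprocess);

    status = STATUS_UNSUCCESSFUL;

    /* Walk EPROCESS -> SectionObject -> Segment -> ControlArea -> FilePointer,
     * probing each field before dereferencing it. */
    if (!ReadPointerField(pEprocess, OFF_EPROCESS_SECTIONOBJECT, "SectionObject", &object)) {
        goto deref_process;
    }
    if (!ReadPointerField(object, OFF_SECTION_SEGMENT, "Segment", &object)) {
        goto deref_process;
    }
    if (!ReadPointerField(object, OFF_SEGMENT_CONTROLAREA, "ControlAera", &object)) {
        goto deref_process;
    }
    if (!ReadPointerField(object, OFF_CONTROLAREA_FILEPOINTER, "FilePointer", &object)) {
        goto deref_process;
    }
    /* Processes without a backing image (e.g. one with no section) yield a
     * NULL file pointer; treat that as "no path" rather than dereferencing it. */
    if (object == NULL) {
        DbgPrint("FilePointer Error");
        goto deref_process;
    }

    fileObject = (PFILE_OBJECT)object;
    if (!NT_SUCCESS(ObReferenceObjectByPointer((PVOID)fileObject, 0, NULL, KernelMode))) {
        DbgPrint("FilePointer Error");
        goto deref_process;
    }

    /* Get the path name: convert the counted FileName directly (its Buffer is
     * not guaranteed to be NUL-terminated, which RtlInitUnicodeString assumed),
     * and do it while we still hold the reference that keeps the buffer alive. */
    if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiPath, &fileObject->FileName, TRUE))) {
        goto deref_file;
    }
    havePath = 1;

    /* Get the drive name; the DOS name buffer is allocated for us and must be
     * released with ExFreePool. */
    if (fileObject->DeviceObject == NULL) {
        goto deref_file;
    }
    if (!NT_SUCCESS(RtlVolumeDeviceToDosName(fileObject->DeviceObject, &uniDisk))) {
        goto deref_file;
    }
    haveDiskBuffer = 1;
    if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiDisk, &uniDisk, TRUE))) {
        goto deref_file;
    }
    haveDisk = 1;

    /* Compose "<disk><path>" with a single bounded writer; the original's
     * overflow branch overwrote the disk prefix and terminated out of bounds. */
    used = AppendBounded(FilePath, PS_PATH_BUF_SIZE, 0, ansiDisk.Buffer, ansiDisk.Length);
    used = AppendBounded(FilePath, PS_PATH_BUF_SIZE, used, ansiPath.Buffer, ansiPath.Length);
    (void)used;
    status = STATUS_SUCCESS;

deref_file:
    if (haveDisk) {
        RtlFreeAnsiString(&ansiDisk);
    }
    if (haveDiskBuffer) {
        ExFreePool(uniDisk.Buffer);
    }
    if (havePath) {
        RtlFreeAnsiString(&ansiPath);
    }
    ObDereferenceObject(fileObject);
deref_process:
    ObDereferenceObject(pEprocess);
    return status;
}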