在LoadImageNotifyRoutine中有一个参数:ProcessId,如果ImageInfo->SystemModeImage的话ProcessId为0,否则为加载这个程序的ProcessId,可以通过它来取进程名:
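/*
 * Copy the short image name of the process identified by ProcessId into
 * ProcessName.
 *
 * ProcessName  caller-supplied buffer of at least NT_PROCNAMELEN + 1 bytes;
 *              always receives a NUL-terminated string: the name on success,
 *              "???" on any failure path.
 * ProcessId    process id as handed to the load-image notify routine; 0
 *              (system-mode image, no owning process) is rejected up front.
 *
 * Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER when the name offset
 * has not been established, ProcessId is 0, or no process matches ProcessId.
 *
 * NOTE(review): gProcessNameOffset indexes an undocumented field of EPROCESS,
 * so it must be determined for the running OS build before this is called;
 * a wrong offset silently reads unrelated kernel memory. The copied value is
 * a truncated image name chosen by whoever created the process, not a
 * trustworthy identity — do not base access decisions on it alone.
 */
NTSTATUS GetProcessNameById(OUT PCHAR ProcessName, IN HANDLE ProcessId)
{
    PEPROCESS curproc = NULL;

    /* The original had this guard garbled ("/if"); without it an offset of 0
     * would read from the start of the EPROCESS and a ProcessId of 0 would
     * fall through to a lookup that cannot succeed. */
    if (!gProcessNameOffset || !ProcessId) {
        strcpy(ProcessName, "???");
        return STATUS_INVALID_PARAMETER;
    }

    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &curproc))) {
        strcpy(ProcessName, "???");
        return STATUS_INVALID_PARAMETER;
    }

    /* Copy at most NT_PROCNAMELEN bytes and terminate explicitly, so the
     * result is well-formed even if the in-object field is not NUL-terminated.
     * This is why the caller's buffer must hold NT_PROCNAMELEN + 1 bytes. */
    const char *nameptr = (PCHAR)curproc + gProcessNameOffset;
    strncpy(ProcessName, nameptr, NT_PROCNAMELEN);
    ProcessName[NT_PROCNAMELEN] = 0;

    /* PsLookupProcessByProcessId returns a referenced EPROCESS on success;
     * the original never released it, leaking one reference per call. */
    ObDereferenceObject(curproc);

    return STATUS_SUCCESS;
}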