|
阅读:2915回复:0
紧急请教:如何在Minifilter中获取当前进程的完整名称
以下函数可以获取当前进程名的偏移,但是在IRP_MJ_CREATE里从偏移地址拷贝时就死机,不知为什么? 还有其它更好的办法吗?
重谢..... PCWSTR TiFilterGetProcessFullName() { ULONG dwAddress = 0; ULONG gSfOsMajorVersion = 0; ULONG gSfOsMinorVersion = 0; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return NULL; /*dwAddress = (ULONG)PsGetCurrentProcess();*/ dwAddress = (ULONG)IoGetCurrentProcess(); if(dwAddress == 0 || dwAddress == 0xFFFFFFFF) return NULL; PsGetVersion(&gSfOsMajorVersion,&gSfOsMinorVersion,NULL,NULL); //目前只支持Win 2000/xp/2003 if( (gSfOsMajorVersion < 5) || (gSfOsMinorVersion > 2 ) ) return NULL; //取得PEB,不同平台的位置是不同的。 if( (gSfOsMajorVersion == 5) && (gSfOsMinorVersion < 2) ) dwAddress += BASE_PROCESS_PEB_OFFSET; else dwAddress += W2003_BASE_PROCESS_PEB_OFFSET; if((dwAddress = *(ULONG*)dwAddress) == 0) return NULL; // 通过peb取得RTL_USER_PROCESS_PARAMETERS dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET; if((dwAddress = *(ULONG*)dwAddress) == 0) return NULL; //在RTL_USER_PROCESS_PARAMETERS->ImagePathName保存了路径,偏移为38, dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME; if((dwAddress = *(ULONG*)dwAddress) == 0) return NULL; return (PCWSTR)dwAddress; } |
|
|
