利用PsGetCurrentProcess得进程路径
首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄,这个句柄是指向_EPROCESS结构的指针,_EPROCESS的结构如下:typedef struct _EPROCESS
{
KPROCESS Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
DWORD LockCount;
QWORD CreateTime;
QWORD ExitTime;
PVOID LockOwner;
DWORD UniqueProcessId;
QWORD ActiveProcessLinks;
DWORD QuotaPeakPoolUsage ; // NP, P
DWORD QuotaPoolUsage ; // NP, P
DWORD PagefileUsage;
DWORD CommitCharge;
DWORD PeakPagefileUsage;
DWORD PeakVirtualSize;
QWORD VirtualSize;
DWORD Vm ;
DWORD LastProtoPteFault;
DWORD DebugPort;
DWORD ExceptionPort;
DWORD ObjectTable;
DWORD Token;
DWORD WorkingSetLock ;
DWORD WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
DWORD AddressCreationLock ;
DWORD ForkInProgress;
DWORD VmOperation;
DWORD VmOperationEvent;
DWORD PageDirectoryPte;
QWORD LastFaultCount;
PVOID VadRoot;
DWORD VadHint;
DWORD CloneRoot;
DWORD NumberOfPrivatePages;
DWORD NumberOfLockedPages;
WORD w184;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
struct _PEB *Peb; // offset 0x1B0
PVOID SectionBaseAddress;
PVOID QuotaBlock;
NTSTATUS LastThreadExitStatus;
PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
DWORD InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
DWORD DefaultHardErrorProcessing;
DWORD LdtInformation;
DWORD VadFreeHint;
DWORD VdmObjects;
KMUTANT ProcessMutant;
BYTE ImageFileName ; // offset 0x1FC
DWORD VmTrimFaultValue ;
PVOID Win32Process;
DWORD d1F8;
DWORD d1FC;
}
EPROCESS,
* PEPROCESS,
**PPEPROCESS;
从上面这个结构可以看出,进程名称就是ImageFileName,只要用_EPROCESS的基地址加上偏移地址0x1FC就可以得到进程名称的地址,代码如下:
**** Hidden Message ***** v我想快點搞定IAT Hook ··································· 额·············很不稳定的方法!!!!不建议使用。轻松抹掉! PsGetCurrentProcess得进程路径 谢谢分享谢谢分享 回复 1# 功力神
这个也好玩 回复 1# 功力神
学习了~~~ 不晓得能用否,别是标题党就好了!辛苦了。 好像可以获取进程名称的?
页:
[1]
2