利用PsGetCurrentProcess得进程路径

功力神

首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄，这个句柄是指向_EPROCESS结构的指针，_EPROCESS的结构如下：

typedef struct _EPROCESS
{
KPROCESS Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
DWORD LockCount;
QWORD CreateTime;
QWORD ExitTime;
PVOID LockOwner;
DWORD UniqueProcessId;
QWORD ActiveProcessLinks;
DWORD QuotaPeakPoolUsage [2]; // NP, P
DWORD QuotaPoolUsage [2]; // NP, P
DWORD PagefileUsage;
DWORD CommitCharge;
DWORD PeakPagefileUsage;
DWORD PeakVirtualSize;
QWORD VirtualSize;
DWORD Vm [12];
DWORD LastProtoPteFault;
DWORD DebugPort;
DWORD ExceptionPort;
DWORD ObjectTable;
DWORD Token;
DWORD WorkingSetLock [8];
DWORD WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
DWORD AddressCreationLock [9];
DWORD ForkInProgress;
DWORD VmOperation;
DWORD VmOperationEvent;
DWORD PageDirectoryPte;
QWORD LastFaultCount;
PVOID VadRoot;
DWORD VadHint;
DWORD CloneRoot;
DWORD NumberOfPrivatePages;
DWORD NumberOfLockedPages;
WORD w184;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
struct _PEB *Peb; // offset 0x1B0
PVOID SectionBaseAddress;
PVOID QuotaBlock;
NTSTATUS LastThreadExitStatus;
PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
DWORD InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
DWORD DefaultHardErrorProcessing;
DWORD LdtInformation;
DWORD VadFreeHint;
DWORD VdmObjects;
KMUTANT ProcessMutant;
BYTE ImageFileName [16]; // offset 0x1FC
DWORD VmTrimFaultValue [2];
PVOID Win32Process;
DWORD d1F8;
DWORD d1FC;
}
EPROCESS,
* PEPROCESS,
**PPEPROCESS;

从上面这个结构可以看出，进程名称就是ImageFileName，只要用_EPROCESS的基地址加上偏移地址0x1FC就可以得到进程名称的地址，代码如下：

游客，如果您要查看本帖隐藏内容请回复

akenabc123

v我想快點搞定IAT Hook

yvqvan

···································

yvqvan

额·············很不稳定的方法！！！！不建议使用。轻松抹掉！

luoma521

PsGetCurrentProcess得进程路径

msn882

谢谢分享谢谢分享

zhangchenggu

回复 1# 功力神


    这个也好玩

linoffice

回复 1# 功力神


    学习了~~~

cooby

不晓得能用否，别是标题党就好了！辛苦了。

swyx

好像可以获取进程名称的？