[Discussion] In driver programming, how do you get the process name and full process path from a PID?
Could someone point me to a reference article on getting the full process path?

[Discussion] In driver programming, how do you get the process name and full process path from a PID?
Any solutions, gurus?

[Discussion] In driver programming, how do you get the process name and full process path from a PID?
Sigh......... I haven't found a practical, workable solution.

[Discussion] In driver programming, how do you get the process name and full process path from a PID?
KPEB is so complicated.

[Discussion] In driver programming, how do you get the process name and full process path from a PID?
The process name can be obtained with the following two functions:

    // Resolves a PID to a referenced EPROCESS pointer. The DDK declares the first
    // parameter as HANDLE (a PID cast to HANDLE), not ULONG; the caller must release
    // the reference with ObDereferenceObject(Process) when done.
    NTKERNELAPI NTSTATUS
    PsLookupProcessByProcessId(
        IN  HANDLE     ProcessId,
        OUT PEPROCESS *Process
    );

    // Returns a pointer to EPROCESS.ImageFileName: the image's base name only,
    // at most 15 characters plus a terminating NUL, never the full path.
    UCHAR *
    PsGetProcessImageFileName(
        __in PEPROCESS Process
    );

This involves an unexported structure, PEPROCESS (also called KPEB). The PEPROCESS structure definition reversed by experts is as follows:

    // Reversed layout; member offsets differ between Windows versions and builds,
    // so never hardcode them.
    typedef struct _EPROCESS {
        KPROCESS Pcb;
        NTSTATUS ExitStatus;
        KEVENT LockEvent;
        ULONG LockCount;
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER ExitTime;
        PKTHREAD LockOwner;
        HANDLE UniqueProcessId;
        LIST_ENTRY ActiveProcessLinks;
        SIZE_T QuotaPeakPoolUsage[2];
        SIZE_T QuotaPoolUsage[2];
        SIZE_T PagefileUsage;
        SIZE_T CommitCharge;
        SIZE_T PeakPagefileUsage;
        SIZE_T PeakVirtualSize;
        SIZE_T VirtualSize;
        MMSUPPORT Vm;
        LIST_ENTRY SessionProcessLinks;
        PVOID DebugPort;
        PVOID ExceptionPort;
        PHANDLE_TABLE ObjectTable;
        PACCESS_TOKEN Token;
        FAST_MUTEX WorkingSetLock;
        PFN_NUMBER WorkingSetPage;
        BOOLEAN ProcessOutswapEnabled;
        BOOLEAN ProcessOutswapped;
        UCHAR AddressSpaceInitialized;
        BOOLEAN AddressSpaceDeleted;
        FAST_MUTEX AddressCreationLock;
        KSPIN_LOCK HyperSpaceLock;
        struct _ETHREAD *ForkInProgress;
        USHORT VmOperation;
        UCHAR ForkWasSuccessful;
        UCHAR MmAgressiveWsTrimMask;
        PKEVENT VmOperationEvent;
        PVOID PaeTop;
        ULONG LastFaultCount;
        ULONG ModifiedPageCount;
        PVOID VadRoot;
        PVOID VadHint;
        PVOID CloneRoot;
        PFN_NUMBER NumberOfPrivatePages;
        PFN_NUMBER NumberOfLockedPages;
        USHORT NextPageColor;
        BOOLEAN ExitProcessCalled;
        BOOLEAN CreateProcessReported;
        HANDLE SectionHandle;
        PPEB Peb;
        PVOID SectionBaseAddress;
        PEPROCESS_QUOTA_BLOCK QuotaBlock;
        NTSTATUS LastThreadExitStatus;
        PPAGEFAULT_HISTORY WorkingSetWatch;
        HANDLE Win32WindowStation;
        HANDLE InheritedFromUniqueProcessId;
        ACCESS_MASK GrantedAccess;
        ULONG DefaultHardErrorProcessing;
        PVOID LdtInformation;
        PVOID VadFreeHint;
        PVOID VdmObjects;
        PVOID DeviceMap;
        ULONG SessionId;
        LIST_ENTRY PhysicalVadList;
        union {
            HARDWARE_PTE PageDirectoryPte;
            ULONGLONG Filler;
        };
        ULONG PaePageDirectoryPage;
        UCHAR ImageFileName[16];   // what PsGetProcessImageFileName returns: base name, max 15 chars + NUL
        ULONG VmTrimFaultValue;
        BOOLEAN SetTimerResolution;
        UCHAR PriorityClass;
        union {
            struct {
                UCHAR SubSystemMinorVersion;
                UCHAR SubSystemMajorVersion;
            };
            USHORT SubSystemVersion;
        };
        PVOID Win32Process;
        struct _EJOB *Job;
        ULONG JobStatus;
        LIST_ENTRY JobLinks;
        PVOID LockedPagesList;
        PVOID SecurityPort;
        PWOW64_PROCESS Wow64Process;
        LARGE_INTEGER ReadOperationCount;
        LARGE_INTEGER WriteOperationCount;
        LARGE_INTEGER OtherOperationCount;
        LARGE_INTEGER ReadTransferCount;
        LARGE_INTEGER WriteTransferCount;
        LARGE_INTEGER OtherTransferCount;
        SIZE_T CommitChargeLimit;
        SIZE_T CommitChargePeak;
        LIST_ENTRY ThreadListHead;
        PRTL_BITMAP VadPhysicalPagesBitMap;
        ULONG_PTR VadPhysicalPages;
        KSPIN_LOCK AweLock;
    } EPROCESS;

[Help] Enumerating the path of every process in Ring0
Drivers are born out of blue screens.

[Help] Armadillo 3.78 - 4.xx question??
Looking back, there is still no cracking write-up for this. Looks like I'll have to do it myself; in a while I'll write the write-up myself.

[Help] ASPack 2.001 -> Alexey Solodovnikov
Looking back, this was the first time I helped someone, haha.