void GetProcessPath(ULONG eprocess,CHAR ProcessPath[256])
{
	ULONG object;
	PFILE_OBJECT FilePointer;
	UNICODE_STRING path;  //路径
	UNICODE_STRING name;  //盘符
	ANSI_STRING  string;
	path.Length=0;
    path.MaximumLength=256;
	path.Buffer=(PWCHAR)ExAllocatePoolWithTag(NonPagedPool,256,MEM_TAG);     //必须释放
	if(MmIsAddressValid((PULONG)(eprocess+0x138)))//Eprocess->sectionobject(0x138)
	{
		object=(*(PULONG)(eprocess+0x138));
        KdPrint(("[GetProcessFileName] sectionobject :0x%x\n",object));
		if(MmIsAddressValid((PULONG)((ULONG)object+0x014)))
		{
			object=*(PULONG)((ULONG)object+0x014);
			KdPrint(("[GetProcessFileName] Segment :0x%x\n",object));
			if(MmIsAddressValid((PULONG)((ULONG)object+0x0)))
			{
				object=*(PULONG)((ULONG_PTR)object+0x0);
				KdPrint(("[GetProcessFileName] ControlAera :0x%x\n",object));
				if(MmIsAddressValid((PULONG)((ULONG)object+0x024)))
				{
					object=*(PULONG)((ULONG)object+0x024);
					KdPrint(("[GetProcessFileName] FilePointer :0x%x\n",object));
				}
				else
					return ;
			}
			else
				return ;
		}
		else
			return ;
	}
	else
		return ;
    FilePointer=(PFILE_OBJECT)object;
    //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
	ObReferenceObjectByPointer((PVOID)FilePointer,0,NULL,KernelMode);//引用计数+1，操作对象
	RtlVolumeDeviceToDosName(FilePointer->DeviceObject,&name); //获取盘符名
	//KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&name));
    RtlCopyUnicodeString(&path,&name);//盘符连接
	RtlAppendUnicodeStringToString(&path,&FilePointer->FileName);//路径连接
	//KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&path));
	ObDereferenceObject(FilePointer);         //关闭对象引用
	//需要转换成ANSI_STRING，然后在转换成char输出给ring3
	RtlUnicodeStringToAnsiString(&string,&path,TRUE);    //释放内存
	if(string.Length >= 256 ) //保证以\0结尾
	{ 
		memcpy(ProcessPath, string.Buffer, 256); 
		*(ProcessPath + 255) = 0; 
	} 
	else 
	{ 
		memcpy(ProcessPath, string.Buffer, string.Length); 
		ProcessPath[string.Length] = 0; 
	}
	ExFreePool(path.Buffer); //释放
	RtlFreeAnsiString(&string);//释放
}