[分享]64位驱动取当前进程的全路径
发表于:
2011-12-25 05:33
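// Debug tracing: forwards to DbgPrint on checked (DBG) builds.
#if DBG
#define dprintf DbgPrint
#else
// Free build: swallow the whole argument list so a call site compiles to
// nothing, instead of leaving a bare comma expression behind (the previous
// empty object-like macro turned dprintf("..", a, b); into ("..", a, b);).
#define dprintf(...) ((void)0)
#endif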
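// Select the three hard-coded offsets used to walk from the EPROCESS to the
// image path for the running OS version:
//   *peb_off   : EPROCESS -> Peb
//   *param_off : PEB -> ProcessParameters
//   *image_off : RTL_USER_PROCESS_PARAMETERS -> ImagePathName.Buffer
// *peb_off is left 0 when the version is not one of the layouts carried here.
//
// The 5.x entries (XP SP3, 2003 SP2) are 32-bit EPROCESS layouts; the only
// 64-bit layout in this table is 6.1 (Win7 / 2008 R2 x64). An AMD64 build
// therefore reports "unsupported" for 5.x instead of dereferencing an offset
// that was never verified on that architecture.
static void GetPebOffsetsForOs(const RTL_OSVERSIONINFOW *os,
                               ULONG *peb_off, ULONG *param_off, ULONG *image_off)
{
    *peb_off = 0;
    *param_off = 0x10;   // 32-bit PEB.ProcessParameters
    *image_off = 0x3c;   // 32-bit RTL_USER_PROCESS_PARAMETERS.ImagePathName.Buffer

    if (os->dwMajorVersion == 5) {
#ifndef _AMD64_
        switch (os->dwMinorVersion) {
        case 1: // XP SP3
            *peb_off = 0x1b0;
            break;
        case 2: // 2003 SP2
            *peb_off = 0x1a0;
            break;
        default:
            break;
        }
#endif
    } else if (os->dwMajorVersion == 6) {
        switch (os->dwMinorVersion) {
        case 0: // Vista / 2008: no verified offset, stays unsupported
            break;
        case 1:
#ifdef _AMD64_
            // Win7 x64 SP1, 2008 R2 x64 SP1
            *peb_off = 0x338;
            *param_off = 0x20;
            *image_off = 0x68;
#else
            // Win7 x86 SP1
            *peb_off = 0x1a8;
#endif
            break;
        default:
            break;
        }
    }
}

// Return the full image path of the current process, read out of the process's
// own PEB via hard-coded EPROCESS / PEB / RTL_USER_PROCESS_PARAMETERS offsets.
//
// Returns NULL when the caller is not at PASSIVE_LEVEL, when the OS version has
// no known layout, or when any link of the chain (Peb, ProcessParameters,
// ImagePathName.Buffer) is NULL — e.g. a process without a PEB such as System.
//
// Caveats a caller must respect:
//  - The result is a user-mode address inside the current process; it is only
//    meaningful while executing in that process context and is not copied out.
//  - The PEB is writable by the process itself, so this string is not a trusted
//    identity of the image. For access-control or logging decisions prefer a
//    kernel-maintained source (SeLocateProcessImageName, or
//    ZwQueryInformationProcess with ProcessImageFileName).
//  - The user-mode pointers are dereferenced without ProbeForRead or a
//    __try/__except guard; a corrupted PEB faults the caller.
//  - Offsets are per OS build and were only hand-verified on the versions
//    listed in GetPebOffsetsForOs.
PCWSTR GetCurrentProcessPathName(void)
{
    RTL_OSVERSIONINFOW os = {0};
    ULONG uPebOffset = 0;
    ULONG uParamOffset = 0;
    ULONG uImagNameOffset = 0;
    ULONG_PTR addr;

    // RtlGetVersion itself is PASSIVE_LEVEL only, so the IRQL check has to
    // come before it (the original called RtlGetVersion first).
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
        return NULL;
    }

    // RtlGetVersion's contract requires the size field to be filled in.
    os.dwOSVersionInfoSize = sizeof os;
    RtlGetVersion(&os);
    dprintf("MajorVer=%lu\tMinorVer=%lu\tBuildNumber=%lu\r\n",
            os.dwMajorVersion, os.dwMinorVersion, os.dwBuildNumber);

    GetPebOffsetsForOs(&os, &uPebOffset, &uParamOffset, &uImagNameOffset);
    if (uPebOffset == 0) {
        dprintf("this function do not supported current os.\r\n");
        return NULL;
    }

    // EPROCESS -> Peb
    addr = *(ULONG_PTR *)((ULONG_PTR)PsGetCurrentProcess() + uPebOffset);
    if (addr == 0) {
        return NULL;
    }

    // PEB -> ProcessParameters
    addr = *(ULONG_PTR *)(addr + uParamOffset);
    if (addr == 0) {
        return NULL;
    }

    // RTL_USER_PROCESS_PARAMETERS -> ImagePathName.Buffer
    addr = *(ULONG_PTR *)(addr + uImagNameOffset);
    if (addr == 0) {
        return NULL;
    }

    dprintf("Process full path name: %ws\r\n", (PCWSTR)addr);
    return (PCWSTR)addr;
}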
//64位只在win2008 R2 sp1 下测试