//win 10 1903
ULONG g_Offset_ControlArea = 0x28;
ULONG g_Offset_FileObjectInControlArea = 0x40;
//写在HOOK内
//----------------------
PEPROCESS process;
if (NT_SUCCESS(PsLookupProcessByProcessId(PsGetCurrentProcessId(), &process)))
{
PCHAR image_name = PsGetProcessImageFileName(process);
//测试程序
if (!_stricmp(image_name, "ntcsb.exe"))
{
PVOID Section = NULL;
NTSTATUS Status = ObReferenceObjectByHandle(SectionHandle, SECTION_MAP_READ, *MmSectionObjectType, UserMode, (PVOID*)&Section, NULL);
if (NT_SUCCESS(Status))
{
PVOID ControlArea = *(PVOID*)((ULONG_PTR)Section + g_Offset_ControlArea);
if (ControlArea)
{
PVOID FileObject = (PVOID)((ULONG_PTR)ControlArea + g_Offset_FileObjectInControlArea);
if (FileObject)
{
FileObject = *(PVOID*)FileObject;
if (FileObject)
{
//去掉低位的标志
FileObject = (PVOID)((ULONG_PTR)FileObject & 0xFFFFFFFFFFFFFFF0);
ULONG ReturnLength = 1024;
//获取完整路径
POBJECT_NAME_INFORMATION ObjectNameInfo = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag(PagedPool, ReturnLength, 'bsmi');
if (ObjectNameInfo && NT_SUCCESS(ObQueryNameString(FileObject, ObjectNameInfo, ReturnLength, &ReturnLength)))
{
mydbg("当前DLL的名称为 %d %wZ", (ULONG)(ULONG_PTR)PsGetCurrentProcessId(), &ObjectNameInfo->Name);
ExFreePool(ObjectNameInfo);
}
}
}
}
ObDereferenceObject(Section);
}
}
ObDereferenceObject(process);
process = NULL;
}
