获得进程名可以利用下面2个函数：
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN ULONG ProcessId,
OUT PEPROCESS *Process
);

UCHAR *
PsGetProcessImageFileName(
__in PEPROCESS Process
);
涉及一个未导出结构PEPROCESS（又称KPEB），高手逆向的PEPROCESS结构定义如下:
typedef struct _EPROCESS {
  KPROCESS Pcb;
  NTSTATUS ExitStatus;
  KEVENT LockEvent;
  ULONG LockCount;
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER ExitTime;
  PKTHREAD LockOwner;

  HANDLE UniqueProcessId;

  LIST_ENTRY ActiveProcessLinks;

  SIZE_T QuotaPeakPoolUsage[2];
  SIZE_T QuotaPoolUsage[2];

  SIZE_T PagefileUsage;
  SIZE_T CommitCharge;
  SIZE_T PeakPagefileUsage;

  SIZE_T PeakVirtualSize;
  SIZE_T VirtualSize;

  MMSUPPORT Vm;
  LIST_ENTRY SessionProcessLinks;

  PVOID DebugPort;
  PVOID ExceptionPort;
  PHANDLE_TABLE ObjectTable;

  PACCESS_TOKEN Token;     

  FAST_MUTEX WorkingSetLock;
  PFN_NUMBER WorkingSetPage;
  BOOLEAN ProcessOutswapEnabled;
  BOOLEAN ProcessOutswapped;
  UCHAR AddressSpaceInitialized;
  BOOLEAN AddressSpaceDeleted;
  FAST_MUTEX AddressCreationLock;
  KSPIN_LOCK HyperSpaceLock;
  struct _ETHREAD *ForkInProgress;
  USHORT VmOperation;
  UCHAR ForkWasSuccessful;
  UCHAR MmAgressiveWsTrimMask;
  PKEVENT VmOperationEvent;
  PVOID PaeTop;
  ULONG LastFaultCount;
  ULONG ModifiedPageCount;
  PVOID VadRoot;
  PVOID VadHint;
  PVOID CloneRoot;
  PFN_NUMBER NumberOfPrivatePages;
  PFN_NUMBER NumberOfLockedPages;
  USHORT NextPageColor;
  BOOLEAN ExitProcessCalled;

  BOOLEAN CreateProcessReported;
  HANDLE SectionHandle;

  PPEB Peb;
  PVOID SectionBaseAddress;

  PEPROCESS_QUOTA_BLOCK QuotaBlock;
  NTSTATUS LastThreadExitStatus;
  PPAGEFAULT_HISTORY WorkingSetWatch;
  HANDLE Win32WindowStation;
  HANDLE InheritedFromUniqueProcessId;
  ACCESS_MASK GrantedAccess;
  ULONG DefaultHardErrorProcessing;
  PVOID LdtInformation;
  PVOID VadFreeHint;
  PVOID VdmObjects;
  PVOID DeviceMap;

  ULONG SessionId;

  LIST_ENTRY PhysicalVadList;
  union {
    HARDWARE_PTE PageDirectoryPte;
    ULONGLONG Filler;
  };
  ULONG PaePageDirectoryPage;
  UCHAR ImageFileName[ 16 ];
  ULONG VmTrimFaultValue;
  BOOLEAN SetTimerResolution;
  UCHAR PriorityClass;
  union {
    struct {
        UCHAR SubSystemMinorVersion;
        UCHAR SubSystemMajorVersion;
    };
    USHORT SubSystemVersion;
  };
  PVOID Win32Process;
  struct _EJOB *Job;
  ULONG JobStatus;
  LIST_ENTRY JobLinks;
  PVOID LockedPagesList;
  PVOID SecurityPort ;         
  PWOW64_PROCESS Wow64Process;

  LARGE_INTEGER ReadOperationCount;
  LARGE_INTEGER WriteOperationCount;
  LARGE_INTEGER OtherOperationCount;
  LARGE_INTEGER ReadTransferCount;
  LARGE_INTEGER WriteTransferCount;
  LARGE_INTEGER OtherTransferCount;

  SIZE_T CommitChargeLimit;
  SIZE_T CommitChargePeak;

  LIST_ENTRY ThreadListHead;

  PRTL_BITMAP VadPhysicalPagesBitMap;
  ULONG_PTR VadPhysicalPages;
  KSPIN_LOCK AweLock;
} EPROCESS;

KPEB好复杂啊

Win2000和XP的EPROCESS结构不一样，文件名字段的偏移也不一样，需要根据系统版本判断，或者在System的EPROCESS里搜索"System"字符串来定位（KsBinSword的方法）。
PsGetProcessImageFileName则好像不是所有系统都有？

先获取盘符
获取相对路径
咋实现呢？

1.获得进程名:
win2000下直接用偏移0x1fc + PsGetCurrentProcess() 得到镜像名
win2000以后用PsGetProcessImageFileName

2.获得全路径
win2000下获得EProcess->SectionHandle
ObReferenceObjectByHandle得到SectionObject
SectionObject + 0x14得到SegmentObject
SegmentObject 的一个域是BaseAddress(ControlArea)
BaseAddress+0x24取到FileObject
ObQueryNameString，取到全路径

win2000后使用API ZwQueryInformationProcess->ProcessImageFileName取到全路径