能力值:
( LV9,RANK:610 )
|
-
-
2 楼
可以啊。SectionObject->Segment->ControlArea->FileObject,就可以拿到全路径了
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
谢谢楼上..
我google了一下,找到一个函数,看了下大概就是你这思路吧.
NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
PVOID SectionObject;
PFILE_OBJECT FileObject;
UNICODE_STRING FilePath;
NTSTATUS Status;
UNICODE_STRING DosName;
STRING AnsiString;
SectionObject = NULL;
FileObject = NULL;
FilePath.Buffer = 0;
FilePath.Length = 0;
*ProcessImageName = 0;
Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
if ( NT_SUCCESS(Status) )
{
FilePath.Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, 0x200u, ' kdD');
FilePath.MaximumLength = 512;
FileObject = (PFILE_OBJECT)*((DWORD *)SectionObject + 5);
FileObject = (PFILE_OBJECT)*(DWORD *)FileObject;
FileObject = (PFILE_OBJECT)*(DWORD *)(FileObject + 36);
ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
RtlCopyUnicodeString(&FilePath, &DosName);
RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
ObfDereferenceObject(FileObject);
ObfDereferenceObject(SectionObject);
RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
if ( AnsiString.Length >= 256 )
{
memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
*(ProcessImageName + 255) = 0;
}
else
{
memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
ProcessImageName[AnsiString.Length] = 0;
}
RtlFreeAnsiString(&AnsiString);
ExFreePoolWithTag(DosName.Buffer, 0);
ExFreePoolWithTag(FilePath.Buffer, 0);
Status = STATUS_SUCCESS;
}
return Status;
}
这个函数会蓝....
不过他的SectionObject定义成PVOID了,偏移不清楚,楼上的是否能给出SectionObject的定义,或者直接给出偏移吗,谢谢了
|
能力值:
( LV9,RANK:610 )
|
-
-
4 楼
定义直接参考WRK~~
|