/*
 * Process / registry path helpers (defined in the accompanying .c file).
 *
 * Every ProcessImageName / path output is a NUL-terminated ANSI string. The
 * implementation may write up to 0x100 bytes into that buffer and truncates
 * the text to 215 characters, so callers must pass at least 256 bytes.
 */

/* Full image path of the process whose EPROCESS address is eprocess. */
extern void GetFullPathByEprocess(ULONG eprocess, char *ProcessImageName);

/* PID, short image-file name and full path of the calling process.
 * name is filled with strcpy from the kernel's short image name
 * (NOTE(review): a 16-byte buffer should cover EPROCESS.ImageFileName -- confirm). */
extern void GetCurrentProcess(ULONG *pid, char *name, char *path);

/* Copy the component after the last backslash of ProcessPath into ProcessName. */
extern void GetSonName(char *ProcessPath, char *ProcessName);

/* Full image path of the file backing a section handle. */
extern void GetFullPathBySectionHandle(HANDLE SectionHandle, char *ProcessImageName);

/* Full image path and PID of the process referenced by ProcessHandle. */
extern void GetFullPathByProcessHandle(HANDLE ProcessHandle, char *ProcessImageName, ULONG *pid);

/* Full DOS-style path ("<drive>\<file name>") of a FILE_OBJECT. */
extern void GetFullPathByFileObject(PFILE_OBJECT FileObject, char *ProcessImageName);

/* HKEY_...-style path of the registry key behind handle; realpath must hold
 * at least 255 bytes (the size of the internal scratch buffer copied into it). */
extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);

/* UNICODE_STRING -> ANSI copy. The parameter names are reversed relative to
 * their roles: dst is the UNICODE_STRING input, src is the char buffer written
 * (caller-sized; must fit the converted string plus NUL). */
extern void UnicodeTochar(PUNICODE_STRING dst, char *src);

/* Wide C string -> ANSI copy into dst (caller-sized; must fit the string plus NUL). */
extern void WcharToChar(WCHAR *src, char *dst);
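extern POBJECT_TYPE *PsProcessType;
NTKERNELAPI UCHAR *PsGetProcessImageFileName(PEPROCESS Process);
NTKERNELAPI NTSTATUS ObQueryNameString(IN PVOID Object,
                                       OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
                                       IN ULONG Length,
                                       OUT PULONG ReturnLength);

/*
 * Sizes and raw structure offsets shared by the helpers below.
 *
 * PROCESS_PATH_MAX  - the GetFullPathBy* functions write at most this many
 *                     bytes (terminating NUL included) into ProcessImageName;
 *                     longer paths are truncated to 215 characters.
 * PATH_POOL_BYTES   - size of the paged-pool scratch UNICODE_STRING buffer.
 * IMAGE_NAME_BYTES  - bound for the short image name copied by GetCurrentProcess
 *                     (NOTE(review): matches the 16-byte EPROCESS.ImageFileName
 *                     field on the kernels this code targets -- confirm).
 *
 * The OFFSET_* values are the hard-coded offsets the original walk used:
 * EPROCESS->SectionObject(0x138)->Segment(0x014)->ControlArea(0x000)->
 * FilePointer(0x024), and the PID at EPROCESS+0x84. They describe one specific
 * 32-bit kernel layout; NOTE(review): confirm against the target build.
 */
enum {
    PROCESS_PATH_MAX = 216,
    PATH_POOL_BYTES = 0x200,
    IMAGE_NAME_BYTES = 16,
    OFFSET_EPROCESS_SECTIONOBJECT = 0x138,
    OFFSET_EPROCESS_PID = 0x84,
    OFFSET_SECTION_SEGMENT = 0x14,
    OFFSET_SEGMENT_CONTROLAREA = 0x0,
    OFFSET_CONTROLAREA_FILEPOINTER = 0x24
};

/* Copy src into dst, never writing more than cap bytes (NUL included) and
 * never reading past the first cap-1 bytes of src. No-op when cap is 0. */
static VOID CopyBounded(char *dst, size_t cap, const char *src)
{
    size_t i;

    if (cap == 0) {
        return;
    }
    for (i = 0; i + 1 < cap && src[i] != 0; i++) {
        dst[i] = src[i];
    }
    dst[i] = 0;
}

/* Append src to the NUL-terminated string in dst, bounded by dst's total
 * capacity cap. Replaces the unbounded strncat(..., sizeof(pointer)-n) calls. */
static VOID AppendBounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);

    if (used < cap) {
        CopyBounded(dst + used, cap - used, src);
    }
}

/* Return path advanced by n characters, clamped to the terminating NUL, so a
 * path shorter than an expected prefix cannot be indexed out of bounds. */
static const char *SkipChars(const char *path, size_t n)
{
    size_t len = strlen(path);

    return path + (n < len ? n : len);
}

/* Read the ULONG at addr if MmIsAddressValid reports the page readable.
 * Returns FALSE and leaves *out untouched otherwise. */
static BOOLEAN ReadUlongIfValid(ULONG_PTR addr, PULONG out)
{
    if (!MmIsAddressValid((PVOID)addr)) {
        return FALSE;
    }
    *out = *(PULONG)addr;
    return TRUE;
}

/* Walk SECTION -> SEGMENT -> CONTROL_AREA -> FILE_OBJECT starting from a section
 * object address. Returns NULL if any step is unreadable or any pointer on the
 * way is NULL; the returned pointer is not referenced. */
static PFILE_OBJECT FileObjectFromSection(ULONG_PTR section)
{
    ULONG segment = 0;
    ULONG controlArea = 0;
    ULONG fileObject = 0;

    if (section == 0 ||
        !ReadUlongIfValid(section + OFFSET_SECTION_SEGMENT, &segment) ||
        segment == 0 ||
        !ReadUlongIfValid((ULONG_PTR)segment + OFFSET_SEGMENT_CONTROLAREA, &controlArea) ||
        controlArea == 0 ||
        !ReadUlongIfValid((ULONG_PTR)controlArea + OFFSET_CONTROLAREA_FILEPOINTER, &fileObject)) {
        return NULL;
    }
    return (PFILE_OBJECT)fileObject;
}

/* Build "<DOS device name>\<file name>" for FileObject and store it in dst as
 * an ANSI string of at most PROCESS_PATH_MAX bytes including the NUL.
 * dst[0] is cleared first, so dst is the empty string on any failure.
 * Takes and releases its own reference on FileObject. This is the common tail
 * of the three GetFullPathBy* functions that ended up with a FILE_OBJECT. */
static VOID CopyFileObjectPath(PFILE_OBJECT FileObject, PCHAR dst)
{
    UNICODE_STRING FilePath;
    UNICODE_STRING DosName;
    STRING AnsiString;
    NTSTATUS status;
    ULONG len;

    *dst = 0;
    DosName.Buffer = NULL;
    DosName.Length = 0;
    DosName.MaximumLength = 0;

    FilePath.Buffer = ExAllocatePool(PagedPool, PATH_POOL_BYTES);
    if (FilePath.Buffer == NULL) {
        return;
    }
    FilePath.Length = 0;
    FilePath.MaximumLength = PATH_POOL_BYTES;

    /* Hold a reference while DeviceObject and FileName are read. */
    status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
    if (!NT_SUCCESS(status)) {
        ExFreePool(FilePath.Buffer);
        return;
    }

    /* DosName.Buffer is allocated by RtlVolumeDeviceToDosName on success and
     * released below; on failure the path is left device-relative instead of
     * copying and freeing an uninitialized buffer. */
    status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
    if (NT_SUCCESS(status)) {
        RtlCopyUnicodeString(&FilePath, &DosName);
    } else {
        DosName.Buffer = NULL;
    }
    /* Truncates silently if the combined name exceeds PATH_POOL_BYTES. */
    RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
    ObDereferenceObject(FileObject);

    status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
    if (NT_SUCCESS(status)) {
        /* Copy only what fits: the old code copied 0x100 bytes and then
         * terminated at index 215, reading past the ANSI buffer and leaving
         * unused bytes in the caller's buffer. */
        len = AnsiString.Length;
        if (len > PROCESS_PATH_MAX - 1) {
            len = PROCESS_PATH_MAX - 1;
        }
        memcpy(dst, AnsiString.Buffer, len);
        dst[len] = 0;
        RtlFreeAnsiString(&AnsiString);
    }
    if (DosName.Buffer != NULL) {
        ExFreePool(DosName.Buffer);
    }
    ExFreePool(FilePath.Buffer);
}

/* Copy the component after the last backslash of ProcessPath into ProcessName,
 * NUL-terminated. If ProcessPath has no backslash the whole string is copied;
 * an empty ProcessPath yields an empty ProcessName (the old loop walked off the
 * front of the buffer in both cases). ProcessName must be at least
 * strlen(ProcessPath)+1 bytes. */
VOID GetSonName(char *ProcessPath, char *ProcessName)
{
    size_t len = strlen(ProcessPath);
    size_t start = len;

    /* Walk back to the character after the last '\\'; stop at index 0 if none. */
    while (start > 0 && ProcessPath[start - 1] != '\\') {
        start--;
    }
    memcpy(ProcessName, ProcessPath + start, len - start);
    ProcessName[len - start] = 0;
}

/* Full image path of the process whose EPROCESS address is eprocess.
 * ProcessImageName receives at most PROCESS_PATH_MAX bytes (NUL included) and
 * is the empty string when any step of the structure walk is unreadable. */
VOID GetFullPathByEprocess(ULONG eprocess, PCHAR ProcessImageName)
{
    ULONG section = 0;
    PFILE_OBJECT fileObject;

    *ProcessImageName = 0;
    if (!ReadUlongIfValid((ULONG_PTR)eprocess + OFFSET_EPROCESS_SECTIONOBJECT, &section)) {
        return;
    }
    fileObject = FileObjectFromSection((ULONG_PTR)section);
    if (fileObject != NULL) {
        CopyFileObjectPath(fileObject, ProcessImageName);
    }
}

/* PID, short image name and full path of the calling process.
 * pid  - receives the value read at EPROCESS+OFFSET_EPROCESS_PID.
 * name - receives the kernel's short image name, bounded to IMAGE_NAME_BYTES.
 * path - filled by GetFullPathByEprocess (see its buffer contract). */
VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
{
    PEPROCESS Cprocess = PsGetCurrentProcess();

    *pid = *(PULONG)((ULONG_PTR)Cprocess + OFFSET_EPROCESS_PID);
    /* Bounded copy: never trusts the field to be NUL-terminated. */
    CopyBounded(name, IMAGE_NAME_BYTES, (const char *)PsGetProcessImageFileName(Cprocess));
    GetFullPathByEprocess((ULONG)(ULONG_PTR)Cprocess, path);
}

/* Full image path of the file backing SectionHandle.
 * ProcessImageName is the empty string if the handle cannot be referenced or
 * the SECTION -> SEGMENT -> CONTROL_AREA -> FILE_OBJECT walk fails. */
VOID GetFullPathBySectionHandle(HANDLE SectionHandle, PCHAR ProcessImageName)
{
    PVOID SectionObject = NULL;
    PFILE_OBJECT fileObject;
    NTSTATUS Status;

    *ProcessImageName = 0;
    Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
    if (!NT_SUCCESS(Status)) {
        return;
    }
    /* Same walk as the EPROCESS path, now with page-validity checks instead
     * of unchecked dereferences. */
    fileObject = FileObjectFromSection((ULONG_PTR)SectionObject);
    if (fileObject != NULL) {
        CopyFileObjectPath(fileObject, ProcessImageName);
    }
    ObDereferenceObject(SectionObject);
}

/* Full image path and PID of the process referenced by ProcessHandle.
 * On failure to reference the handle both outputs are zeroed and a message is
 * logged. The reference is dropped only after the path has been resolved. */
VOID GetFullPathByProcessHandle(HANDLE ProcessHandle, PCHAR ProcessImageName, PULONG pid)
{
    NTSTATUS status;
    PVOID ProcessObject = NULL;
    ULONG eprocess;

    *ProcessImageName = 0;
    *pid = 0;
    status = ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, KernelMode, &ProcessObject, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Object Error");
        KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n", status));
        return;
    }
    /* The original code cleared the low two bits "to turn the object into an
     * EPROCESS". ObReferenceObjectByHandle already yields the object body, so
     * for an aligned pointer this is expected to be a no-op; kept unchanged. */
    eprocess = ((ULONG)(ULONG_PTR)ProcessObject) & 0xFFFFFFFC;
    *pid = *(PULONG)((ULONG_PTR)eprocess + OFFSET_EPROCESS_PID);
    GetFullPathByEprocess(eprocess, ProcessImageName);
    ObDereferenceObject(ProcessObject);
}

/* Full DOS-style path of FileObject; empty string if FileObject is NULL or
 * the conversion fails. See CopyFileObjectPath for the buffer contract. */
VOID GetFullPathByFileObject(PFILE_OBJECT FileObject, PCHAR ProcessImageName)
{
    *ProcessImageName = 0;
    if (FileObject != NULL) {
        CopyFileObjectPath(FileObject, ProcessImageName);
    }
}

/* Rewrite a native registry path ("\REGISTRY\...") into HKEY_... form.
 * path     - native key path (NUL-terminated).
 * realpath - receives the result; must hold at least sizeof(realname) bytes.
 * Returns TRUE always (kept for compatibility with existing callers).
 * The -500 RID suffix selects HKEY_CURRENT_USER ("...-500") or
 * HKEY_CLASSES_ROOT ("...-500_Classes"); any other \REGISTRY\USER key is
 * reported under HKEY_USERS. All appends are bounded by realname's size. */
BOOLEAN StandardPrintHkey(char *path, char *realpath)
{
    char realname[255] = {0};
    int j = 0;  /* index just past "-500" when the HKCU form was seen */
    int k = 0;  /* index just past "-500_Classes" when the HKCR form was seen */
    int t = 0;  /* 1 once a "-500" suffix was found at all */

    if (strncmp("\\REGISTRY\\USER", path, 14) == 0) {
        int lencur = (int)strlen(path);
        int i;

        /* Each lookahead runs only if the previous character was non-NUL,
         * so the scan never reads past the terminator. */
        for (i = 0; i < lencur; i++) {
            if (path[i] == '-' && path[i + 1] == '5' && path[i + 2] == '0' && path[i + 3] == '0') {
                if (path[i + 4] == '_') {
                    k = i + 12;  /* skip "_Classes" */
                } else {
                    j = i + 4;
                }
                t = 1;
            }
        }
        DbgPrint("[j]%d\n", j);
        DbgPrint("[k]%d\n", k);
        if ((k == 0) && (t == 1)) {
            strcpy(realname, "HKEY_CURRENT_USER");
            AppendBounded(realname, sizeof realname, SkipChars(path, (size_t)j));
            DbgPrint("[HKEY_CURRENT_USER]%s", path);
        }
        if ((j == 0) && (t == 1)) {
            strcpy(realname, "HKEY_CLASSES_ROOT");
            AppendBounded(realname, sizeof realname, SkipChars(path, (size_t)k));
            DbgPrint("[HKEY_CLASSES_ROOT]%s", path);
        }
        if (t == 0) {
            strcpy(realname, "HKEY_USERS");
            AppendBounded(realname, sizeof realname, SkipChars(path, 14));
            DbgPrint("[HKEY_USER]%s", path);
        }
    } else if (strncmp("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001", path, 61) == 0) {
        strcpy(realname, "HKEY_CURRENT_CONFIG");
        AppendBounded(realname, sizeof realname, SkipChars(path, 61));
        DbgPrint("[HKEY_CURRENT_CONFIG]%s", path);
    } else {
        /* Anything else is reported under HKLM; SkipChars keeps a path
         * shorter than 17 characters from being indexed out of bounds. */
        strcpy(realname, "HKEY_LOCAL_MACHINE");
        AppendBounded(realname, sizeof realname, SkipChars(path, 17));
        DbgPrint("[HKEY_LOCAL_MACHINE]%s", path);
    }
    strcpy(realpath, realname);
    return TRUE;
}

/* HKEY_...-style path of the registry key behind handle.
 * realpath receives the converted name (at least 255 bytes required); it is
 * filled on a best-effort basis even when the name query fails.
 * Returns TRUE when the key name was obtained and converted, FALSE when the
 * handle could not be referenced, the scratch allocation failed, or the name
 * could not be queried/converted (realpath then holds only a hive prefix).
 * Every early exit releases the object reference and the scratch buffer. */
BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
{
    ULONG uactLength = 0;
    POBJECT_NAME_INFORMATION pustr;
    ANSI_STRING astr;
    PVOID pObj = NULL;
    NTSTATUS ns;
    char pch[256] = {0};
    BOOLEAN converted = FALSE;

    ns = ObReferenceObjectByHandle(handle, 0, NULL, KernelMode, &pObj, NULL);
    if (!NT_SUCCESS(ns)) {
        KdPrint(("111!\n"));
        KdPrint(("0x%x\n", ns));
        return FALSE;
    }
    if (pObj == NULL) {
        return FALSE;
    }
    pustr = ExAllocatePool(NonPagedPool, 1024 + 4);
    if (pustr == NULL) {
        ObDereferenceObject(pObj);
        return FALSE;
    }
    ns = ObQueryNameString(pObj, pustr, 512, &uactLength);
    if (NT_SUCCESS(ns)) {
        /* astr is only valid (and only freed) when the conversion succeeded;
         * the old code freed it uninitialized on the failure path. */
        ns = RtlUnicodeStringToAnsiString(&astr, (PUNICODE_STRING)pustr, TRUE);
        if (NT_SUCCESS(ns)) {
            CopyBounded(pch, sizeof pch, astr.Buffer);
            RtlFreeAnsiString(&astr);
            converted = TRUE;
        }
    }
    ExFreePool(pustr);
    ObDereferenceObject(pObj);
    StandardPrintHkey(pch, realpath);
    return converted;
}

/* UNICODE_STRING -> ANSI copy. Parameter names are historical and reversed:
 * dst is the UNICODE_STRING input, src the char buffer written. src must be
 * large enough for the converted string plus NUL (caller's responsibility);
 * it is set to the empty string if the conversion fails. */
VOID UnicodeTochar(PUNICODE_STRING dst, char *src)
{
    ANSI_STRING string;

    *src = 0;
    if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&string, dst, TRUE))) {
        strcpy(src, string.Buffer);
        RtlFreeAnsiString(&string);
    }
}

/* Wide C string -> ANSI copy into dst. dst must be large enough for the
 * converted string plus NUL; it is the empty string if the conversion fails. */
VOID WcharToChar(PWCHAR src, PCHAR dst)
{
    UNICODE_STRING uString;
    ANSI_STRING aString;

    *dst = 0;
    RtlInitUnicodeString(&uString, src);
    if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&aString, &uString, TRUE))) {
        strcpy(dst, aString.Buffer);
        RtlFreeAnsiString(&aString);
    }
}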