程序演示了在Ring0下通过FILE_OBJECT获取文件路径（至于怎么从EPROCESS获取FILE_OBJECT就不要再问我了）
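/* Pool tag, growth step and bounds used by GetProcessImageName. */
#define GPIN_POOL_TAG    'nIpG'
#define GPIN_CHUNK_BYTES 0x200
#define GPIN_MAX_CHUNKS  64          /* retry ceiling: 64 * 0x200 = 32 KiB */
#define GPIN_MAX_WCHARS  260         /* MAX_PATH; size of the on-stack path buffer */
#define GPIN_MAX_ANSI    260         /* bytes written to ProcessImageName, NUL included */

/*
 * Resolve the DOS-style path ("C:\dir\file.exe") of the file backing
 * FileObject and store it in ProcessImageName as a NUL-terminated ANSI string.
 *
 * Parameters:
 *   FileObject       - file object whose name and volume are queried.
 *   ProcessImageName - caller-supplied output buffer. The signature carries
 *                      no size, so this function never writes more than
 *                      GPIN_MAX_ANSI bytes (terminator included); callers
 *                      must provide at least that much.
 *
 * Returns TRUE when ProcessImageName holds the path, FALSE on a NULL
 * argument, IRQL above PASSIVE_LEVEL, allocation failure, a failed or
 * implausible FileNameInformation query, a failed volume lookup, or a path
 * that does not fit the fixed-size buffers.
 *
 * Depends on IrpQueryInformationFile(), defined elsewhere in this file, to
 * issue the IRP_MJ_QUERY_INFORMATION request.
 */
BOOLEAN GetProcessImageName(PFILE_OBJECT FileObject, LPSTR ProcessImageName)
{
    NTSTATUS ntStatus = STATUS_BUFFER_OVERFLOW;
    ULONG uSize;
    ULONG cbBuf = 0;
    UNICODE_STRING ustrDosName = {0};
    PFILE_NAME_INFORMATION NameInfo = NULL;
    BOOLEAN blnRet = FALSE;

    if (!ProcessImageName || !FileObject)
        return FALSE;

    /* MmIsAddressValid only reports whether the page is resident right now;
     * it is a best-effort sanity check inherited from the original, not a
     * guarantee that FileObject is a live FILE_OBJECT. */
    if (!MmIsAddressValid(FileObject) || !MmIsAddressValid(FileObject->DeviceObject))
        return FALSE;

    /* RtlVolumeDeviceToDosName and the paged-pool buffer need PASSIVE_LEVEL;
     * bail out before doing any work instead of after the file query. */
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return FALSE;

    /* Grow the buffer one chunk at a time until the name fits, with a ceiling
     * so a filter that keeps answering STATUS_BUFFER_OVERFLOW cannot make us
     * allocate forever. On loop exit NameInfo is NULL if the ceiling was hit. */
    for (uSize = 1; uSize <= GPIN_MAX_CHUNKS; uSize++) {
        cbBuf = uSize * GPIN_CHUNK_BYTES;
        NameInfo = (PFILE_NAME_INFORMATION)ExAllocatePoolWithTag(PagedPool, cbBuf, GPIN_POOL_TAG);
        if (!NameInfo)
            return FALSE;
        ntStatus = IrpQueryInformationFile(FileObject, NameInfo, cbBuf, FileNameInformation);
        if (ntStatus != STATUS_BUFFER_OVERFLOW)
            break;
        ExFreePool(NameInfo);
        NameInfo = NULL;
    }
    if (!NameInfo || !NT_SUCCESS(ntStatus))
        goto cleanup;

    /* Do not trust the length the lower driver filled in: it must lie inside
     * the buffer we handed down, or the copy below reads past the pool block. */
    if (NameInfo->FileNameLength > cbBuf - FIELD_OFFSET(FILE_NAME_INFORMATION, FileName))
        goto cleanup;

    ntStatus = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &ustrDosName);
    if (!NT_SUCCESS(ntStatus))
        goto cleanup;

    {
        WCHAR strFileName[GPIN_MAX_WCHARS];
        UNICODE_STRING ustrFileName;
        STRING astrFileName = {0};
        ULONG cbDos = ustrDosName.Length;         /* bytes; Buffer need not be NUL-terminated */
        ULONG cbName = NameInfo->FileNameLength;  /* bytes; FileName is never NUL-terminated */
        ULONG cbTotal = cbDos + cbName;

        /* Both inputs are counted strings, so wcscpy/wcscat would over-read
         * and could overflow the 260-WCHAR buffer; copy by length instead and
         * refuse anything that leaves no room for the terminator. */
        if (cbTotal > (GPIN_MAX_WCHARS - 1) * sizeof(WCHAR)) {
            RtlFreeUnicodeString(&ustrDosName);
            goto cleanup;
        }
        if (cbDos)
            memcpy(strFileName, ustrDosName.Buffer, cbDos);
        if (cbName)
            memcpy((PUCHAR)strFileName + cbDos, NameInfo->FileName, cbName);
        /* Round up in case a length is odd; index stays below GPIN_MAX_WCHARS
         * because of the check above. */
        strFileName[(cbTotal + sizeof(WCHAR) - 1) / sizeof(WCHAR)] = L'\0';
        RtlFreeUnicodeString(&ustrDosName);

        RtlInitUnicodeString(&ustrFileName, strFileName);
        if (RtlUnicodeStringToAnsiString(&astrFileName, &ustrFileName, TRUE) == STATUS_SUCCESS) {
            /* No output size is available from the signature, so cap the copy
             * at GPIN_MAX_ANSI bytes rather than strcpy blindly; a DBCS
             * conversion can be longer than the UTF-16 input. */
            if (astrFileName.Length < GPIN_MAX_ANSI) {
                memcpy(ProcessImageName, astrFileName.Buffer, astrFileName.Length);
                ProcessImageName[astrFileName.Length] = '\0';
                DbgPrint("路径:%s\n", ProcessImageName);
                blnRet = TRUE;
            }
            RtlFreeAnsiString(&astrFileName);
        }
    }

cleanup:
    if (NameInfo)
        ExFreePool(NameInfo);
    return blnRet;
}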