
获取进程路径

//获取进程路径,理论上至少支持XP;进程句柄需要PROCESS_QUERY_INFORMATION和PROCESS_VM_READ权限...实现方法和GetModuleFileNameEx类似....

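//DESP: get process image path
//  hProcess    - handle opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
//  szImagePath - receives the NUL-terminated image path (TCHARs)
//  dwSize      - capacity of szImagePath in TCHARs, as for GetModuleFileNameEx
//                (both the ANSI and the UNICODE build now use TCHAR units)
//  returns TRUE on success; when the buffer is too small the path is
//  truncated to dwSize-1 TCHARs and still NUL-terminated, like
//  GetModuleFileNameEx. FALSE on any NT failure or failed ANSI conversion.
//NOTE: everything read out of the target (PEB pointers, the UNICODE_STRING
//  Length/Buffer) is untrusted - the target may be corrupted or hostile -
//  so remote values are only used after being bounded by the caller's buffer.
BOOL process_get_path(HANDLE hProcess, LPTSTR szImagePath, DWORD dwSize)
{
	NTSTATUS ntStatus;
	ULONG uLength;
	SIZE_T cbRead;		//NtReadVirtualMemory reports bytes read as SIZE_T (PSIZE_T), not ULONG
	DWORD dwBufferSize;
	LPWSTR pBuffer;
	UNICODE_STRING usImagePath;
	PROCESS_BASIC_INFORMATION BasicInformation;
	PRTL_USER_PROCESS_PARAMETERS pProcessParameters;
	BOOL bResult = FALSE;

	//DO: reject a NULL/empty/oversized buffer up front - the "-= sizeof(WCHAR)"
	//  below would wrap on dwSize == 0 and the byte size would overflow DWORD
	if(!szImagePath || dwSize == 0 || dwSize > 0xFFFFFFFFu / sizeof(WCHAR))
		return FALSE;

	//DO: query PEB address
	ntStatus = NtQueryInformationProcess(
		hProcess,
		ProcessBasicInformation,
		&BasicInformation,
		sizeof(PROCESS_BASIC_INFORMATION),
		&uLength);

	if(!NT_SUCCESS(ntStatus) || !BasicInformation.PebBaseAddress)
		return FALSE;

	//DO: read ProcessParameters pointer (the address is formed in the remote
	//  address space and never dereferenced locally)
	ntStatus = NtReadVirtualMemory(
		hProcess,
		&BasicInformation.PebBaseAddress->ProcessParameters,
		&pProcessParameters,
		sizeof(PRTL_USER_PROCESS_PARAMETERS),
		&cbRead);

	if(!NT_SUCCESS(ntStatus) || !pProcessParameters)
		return FALSE;

	//DO: read ImagePathName UNICODE_STRING
	ntStatus = NtReadVirtualMemory(
		hProcess,
		&pProcessParameters->ImagePathName,
		&usImagePath,
		sizeof(UNICODE_STRING),
		&cbRead);

	if(!NT_SUCCESS(ntStatus))
		return FALSE;

	//DO: wide scratch storage is dwSize WCHARs in either build
	dwBufferSize = dwSize * sizeof(WCHAR);
#ifndef UNICODE
	pBuffer = (LPWSTR)RtlAllocateHeap(RtlProcessHeap(), 0, dwBufferSize);

	if(!pBuffer)
		return FALSE;
#else
	//UNICODE: read straight into the caller's buffer
	pBuffer = szImagePath;
#endif

	//DO: clamp the copy to the remote string length (bytes, untrusted),
	//  always keeping one WCHAR free for the terminator
	if(dwBufferSize > (DWORD)usImagePath.Length + sizeof(WCHAR))
		dwBufferSize = usImagePath.Length;
	else
		dwBufferSize -= sizeof(WCHAR);

	//DO: read image path
	ntStatus = NtReadVirtualMemory(
		hProcess,
		usImagePath.Buffer,
		pBuffer,
		dwBufferSize,
		&cbRead);

	if(NT_SUCCESS(ntStatus)) {
		pBuffer[dwBufferSize / sizeof(WCHAR)] = L'\0';

#ifndef UNICODE
		//DO: convert buffer to ansi; cchWideChar = -1 converts up to and
		//  including the terminator (the old byte count over-read the
		//  heap block), and a 0 return means it did not fit in dwSize bytes
		bResult = WideCharToMultiByte(
			CP_ACP,
			0,
			pBuffer,
			-1,
			szImagePath,
			dwSize,
			NULL,
			NULL) != 0;
#else
		bResult = TRUE;
#endif
	}

#ifndef UNICODE
	RtlFreeHeap(RtlProcessHeap(), 0, pBuffer);
#endif
	return bResult;
}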

