//获取进程路径,理论上至少支持XP;进程句柄需要PROCESS_QUERY_INFORMATION和PROCESS_VM_READ权限...实现方法和GetModuleFileNameEx类似.... //DESP: get process image path BOOL process_get_path(HANDLE hProcess, LPTSTR szImagePath, DWORD dwSize) { NTSTATUS ntStatus; ULONG uLength; DWORD dwBufferSize; LPWSTR pBuffer; UNICODE_STRING usImagePath; PROCESS_BASIC_INFORMATION BasicInformation; PRTL_USER_PROCESS_PARAMETERS pProcessParameters; //DO: query PEB address ntStatus = NtQueryInformationProcess( hProcess, ProcessBasicInformation, &BasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &uLength); if(!NT_SUCCESS(ntStatus)) return FALSE; //DO: read ProcessParameters pointer ntStatus = NtReadVirtualMemory( hProcess, &BasicInformation.PebBaseAddress->ProcessParameters, &pProcessParameters, sizeof(PRTL_USER_PROCESS_PARAMETERS), &uLength); if(NT_SUCCESS(ntStatus)) { //DO: read ImagePathName UNICODE_STRING ntStatus = NtReadVirtualMemory( hProcess, &pProcessParameters->ImagePathName, &usImagePath, sizeof(UNICODE_STRING), &uLength); if(NT_SUCCESS(ntStatus)) { //DO: read image path #ifndef UNICODE dwBufferSize = dwSize * sizeof(WCHAR); pBuffer = (LPWSTR)RtlAllocateHeap(RtlProcessHeap(), 0, dwBufferSize); if(!pBuffer) return FALSE; #else //UNICODE dwBufferSize = dwSize; pBuffer = szImagePath; #endif if(dwBufferSize > (DWORD)usImagePath.Length + sizeof(WCHAR)) dwBufferSize = usImagePath.Length; else dwBufferSize -= 2; ntStatus = NtReadVirtualMemory( hProcess, usImagePath.Buffer, pBuffer, dwBufferSize, &uLength); if(NT_SUCCESS(ntStatus)) pBuffer[dwBufferSize / sizeof(WCHAR)] = L'\0'; #ifndef UNICODE //DO: Convert buffer to ansi WideCharToMultiByte( CP_ACP, 0, pBuffer, dwBufferSize, szImagePath, dwSize, NULL, NULL); RtlFreeHeap(RtlProcessHeap(), 0, pBuffer); #endif return NT_SUCCESS(ntStatus); } } return FALSE; }