How do I get the full path and process name of the current process in the driver (SYS)?

zhaozj2021-02-08  199

First use

PsgetCurrentProcess

or

IOGETCURRENTPROCESS

The function gets the handle of the current process, this handle is pointing

_EPROCESS

Structure pointer,

_EPROCESS

The structure is as follows:

TypedEf struct _eprocess

{

KPROCESS PCB;

NTSTATUS EXITSTATUS;

Kevent Lockevent;

DWORD LOCKCOUNT;

Qword createtime;

Qword EXITTIME;

PVOID LOCKOWNER;

DWORD UNIQUEPROCESSID;

Qword ActiveProcessLinks;

DWORD quotapeakpoolusage [2]; // np, p

DWORD quotapoolusage [2]; // np, p

DWORD PageFileusage;

DWORD commitcharge;

DWORD peakpagefileusage;

DWORD peakvirtualsize;

Qword Virtualsize;

DWORD VM [12];

DWORD LastProtoptefault;

DWORD Debugport;

DWORD EXCETIONPORT;

DWORD ObjectTable;

DWORD TOKEN;

DWORD WORKINGSETLOCK [8];

DWORD WORKINGSETPAGE;

Boolean processoutswapenabled;

Boolean processoutswapped;

Boolean AddressSpaceInitialized;

Boolean AddressSpacedeeted;

DWORD AddressCreationLock [9];

DWORD forkInprogress;

DWORD VMOPERATION;

DWORD VMOPERATIONEVENT;

DWORD PAGEDIRECTORYPTE;

Qword lastfaultcount;

Pvoid ​​Vadroot; DWORD VADHINT;

DWord Cloneroot;

DWORD NUMBEROFPRIVATEPAGES;

DWORD NUMBEROFLOCKEDPAGES;

Word w184;

Boolean EXITPROCALLED;

Boolean createProcessReport;

Handle sectionhandle;

Struct _peb * peb; // offset 0x1b0

PVOID SectionBaseAddress;

Pvoid ​​quotablock;

NTSTATUS LastthReadexitstatus;

Process_ws_watch_information workingsetwatch;

DWORD inheritedfromuniqueprocessid;

Access_mask grantedAccess;

DWORD defaultharderrorprocessing;

DWORD LDTINFORMATION;

DWORD VADFREEHINT;

DWORD VDMOBJECTS;

Kmutant Processmutant;

Byte ImageFileName [16]; // offset 0x1fc

DWORD VMTRIMFAULTVALUE [2];

PVOID WIN32PROCESS;

DWORD D1F8;

DWORD D1FC;

}

EPROCESS,

* Peprocess,

** ppeprocess;

As can be seen from the above structure, the process name is ImageFileName, as long as the offset address 0x1fc with _eprocess, the code is available, the code is as follows:

Char * processname = (char *) psgetcurrentprocess () 0x1FC;

Kdprint (("Current Process Name:% S / N", ProcessName);

To get the full path, you need to use the _peb structure pointer in the _peps structure structure to get the address of ProcessParameters. ProcessParameters saves the full path to the process. You can open an executable program with a WindBG tool included with DDK, then use the! Peb command to display the structure information of _peb. As follows:

---------------------------------------

>! PEB

Debugger Extension Library [f: / Winnt / System32 / NTSDexts] loadedpeb at 7FFDF000

InheritedAddressSpace: no

ReadimageFileExecOptions: no

Beingdebugged: Yes

ImageBaseAddress: 00400000

LDR.INITIALIZED: YES

LDr.ininitializationOrdermoduleList: 131f88. 132998

LDR.INLOADORDERMODULANLIST: 131EE0. 132988

LDR.INMEMORYORDERMODULIST: 131EE8. 132990

00400000 D: /ntsysinfo.exe

77F80000 f: /winnt/system32/NTDLL.DLL

77E60000 f: /winnt/system32/kernel32.dll

77DF0000 f: /winnt/system32/User32.dll

77F40000 f: /winnt/system32/gdi32.dll

76AF0000 f: /winnt/system32/comdlg32.dll

70BD0000 f: /winnt/system32/shlwapi.dll

77D90000 f: /winnt/system32/advapi32.dll

77D20000 f: /winnt/system32/rpcrt4.dll

71700000 f: /winnt/system32/comctl32.dll

77560000 f: /winnt/system32/shell32.dll

78000000 f: /winnt/system32/msvcrt.dll

777C0000 f: /winnt/system32/winspool.drv

SubsystemData: 0

ProcessHeap: 130000

ProcessParameters: 2000

WINDOWTITLE: 'D: /NTSYSINFO.EXE'

ImageFile: 'D: /ntsysinfo.exe'

CommandLine: '"d: /ntsysinfo.exe"'

Dllpath: 'd: /;.; F: / winnt / system; f: / winnt; f: / winnt / system32; f: / winnt; f: / winnt / system32 / wbem; J : / Windows / Command; E: / Windows / System / WBEM; J: / Windows; J: / Windows / Command; E: / Windows / System / WBEM; J: / Windows; J: / Windows /

Command '

ENVIRONMENT: 0x10000

The PEB structure information output from Windbg can see the address of ProcessParameters is 0x20000, and the ImageFile field is the full path to the process. Then where the address of the PorcessParamters is saved in the _peb structure? The base address of the _peb structure is 0x7ffdf000, and the information of the 0x7ffdf000 address can be found in the 0x10 offset of the _peb structure by Windbg's "DB 0x7ffDF000" command.

Continue to display the contents of the ProcessParameters address with the "DB 0x20000" command, the offset is 0x3c, and the contents of the 0x3c will display the full path using "DB 0x20670" if: 0x20670. The full path is saved in Unicode format. We use the program to simulate the steps above, you can get the full path to the current process, the code is as follows:

Pcwstr getCurrentProcessFileName ()

{

DWORD DWADDRESS = (DWORD) psgetcurrentprocess ();

IF (dwaddress == 0 || dwaddress == 0xfffffffff)

Return NULL;

DWADDRESS = 0x1b0;

IF ((dwaddress = * (dword *) dwaddress) == 0) Return 0;

DWADDRESS = 0x10;

IF ((dwaddress = * (dword *) dwaddress) == 0) Return 0;

DWADDRESS = 0x3c;

IF ((dwaddress = * (dword *) dwaddress) == 0) Return 0;

Kdprint ("Current Process Full Path Name:% WS / N", (PCWSTR) DWADDRESS);

Return (PCWSTR) dwaddress;

}

Windows NT is slightly different from Windows 2000's _eprocess structure, so the offset address is not the same, so the program above does not work properly in Windows NT. To get a process name and a complete path under Windows NT, you can use a similar method to get the correct offset address, and then write the correct program.

If you want to get the process name and complete path or other more knowledge about how to get the current process in the Windows 9x driver (VXD), you can access the Fair Security Lab website: http://www.xfilt.com.

转载请注明原文地址:https://www.9cbs.com/read-2997.html

New Post(0)