First, call PsGetCurrentProcess() or IoGetCurrentProcess(). Both return a pointer to the current process's _EPROCESS structure (the PEPROCESS type is opaque in the DDK headers, which is why the field offsets below have to be known). On Windows 2000 the _EPROCESS structure is laid out as follows:
typedef struct _EPROCESS
{
    KPROCESS    Pcb;
    NTSTATUS    ExitStatus;
    KEVENT      LockEvent;
    DWORD       LockCount;
    QWORD       CreateTime;
    QWORD       ExitTime;
    PVOID       LockOwner;
    DWORD       UniqueProcessId;
    QWORD       ActiveProcessLinks;
    DWORD       QuotaPeakPoolUsage[2];   // np, p
    DWORD       QuotaPoolUsage[2];       // np, p
    DWORD       PagefileUsage;
    DWORD       CommitCharge;
    DWORD       PeakPagefileUsage;
    DWORD       PeakVirtualSize;
    QWORD       VirtualSize;
    DWORD       Vm[12];
    DWORD       LastProtoPteFault;
    DWORD       DebugPort;
    DWORD       ExceptionPort;
    DWORD       ObjectTable;
    DWORD       Token;
    DWORD       WorkingSetLock[8];
    DWORD       WorkingSetPage;
    BOOLEAN     ProcessOutswapEnabled;
    BOOLEAN     ProcessOutswapped;
    BOOLEAN     AddressSpaceInitialized;
    BOOLEAN     AddressSpaceDeleted;
    DWORD       AddressCreationLock[9];
    DWORD       ForkInProgress;
    DWORD       VmOperation;
    DWORD       VmOperationEvent;
    DWORD       PageDirectoryPte;
    QWORD       LastFaultCount;
    PVOID       VadRoot;
    DWORD       VadHint;
    DWORD       CloneRoot;
    DWORD       NumberOfPrivatePages;
    DWORD       NumberOfLockedPages;
    WORD        w184;
    BOOLEAN     ExitProcessCalled;
    BOOLEAN     CreateProcessReported;
    HANDLE      SectionHandle;
    struct _PEB *Peb;                    // offset 0x1b0
    PVOID       SectionBaseAddress;
    PVOID       QuotaBlock;
    NTSTATUS    LastThreadExitStatus;
    PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    DWORD       InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    DWORD       DefaultHardErrorProcessing;
    DWORD       LdtInformation;
    DWORD       VadFreeHint;
    DWORD       VdmObjects;
    KMUTANT     ProcessMutant;
    BYTE        ImageFileName[16];       // offset 0x1fc
    DWORD       VmTrimFaultValue[2];
    PVOID       Win32Process;
    DWORD       d1F8;
    DWORD       d1FC;
} EPROCESS, *PEPROCESS, **PPEPROCESS;
As the structure shows, the process name is kept in ImageFileName at offset 0x1fc of _EPROCESS, so it can be read directly from that offset:

    char *ProcessName = (char *)PsGetCurrentProcess() + 0x1FC;
    KdPrint(("Current process name: %s\n", ProcessName));

Note that ImageFileName is only 16 bytes, so it holds at most the first 15 characters of the executable's file name and no directory. It is enough to identify a process, but not to locate its image on disk.
To get the full path, you have to follow the _PEB pointer stored in _EPROCESS to the ProcessParameters block, which holds the full path of the process image. The layout can be verified by starting an executable under WinDbg (shipped with the DDK) and issuing the !peb command to display the _PEB structure, as follows:
---------------------------------------
> !peb
Debugger extension library [f:\winnt\system32\ntsdexts] loaded
PEB at 7FFDF000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 131f88 . 132998
    Ldr.InLoadOrderModuleList:           131ee0 . 132988
    Ldr.InMemoryOrderModuleList:         131ee8 . 132990
            00400000  D:\ntsysinfo.exe
            77F80000  f:\winnt\system32\NTDLL.DLL
            77E60000  f:\winnt\system32\kernel32.dll
            77DF0000  f:\winnt\system32\User32.dll
            77F40000  f:\winnt\system32\gdi32.dll
            76AF0000  f:\winnt\system32\comdlg32.dll
            70BD0000  f:\winnt\system32\shlwapi.dll
            77D90000  f:\winnt\system32\advapi32.dll
            77D20000  f:\winnt\system32\rpcrt4.dll
            71700000  f:\winnt\system32\comctl32.dll
            77560000  f:\winnt\system32\shell32.dll
            78000000  f:\winnt\system32\msvcrt.dll
            777C0000  f:\winnt\system32\winspool.drv
    SubSystemData:     0
    ProcessHeap:       130000
    ProcessParameters: 20000
        WindowTitle: 'D:\NTSYSINFO.EXE'
        ImageFile:   'D:\ntsysinfo.exe'
        CommandLine: '"d:\ntsysinfo.exe"'
        DllPath:     'd:\;.;f:\winnt\system;f:\winnt;f:\winnt\system32;f:\winnt;f:\winnt\system32\wbem;J:\Windows\Command;E:\Windows\System\WBEM;J:\Windows;J:\Windows\Command;E:\Windows\System\WBEM;J:\Windows;J:\Windows\Command'
        Environment: 0x10000
The !peb output shows that ProcessParameters is at 0x20000 and that its ImageFile field holds the full path of the process image. Where inside _PEB is the ProcessParameters pointer stored? The _PEB is at 0x7ffdf000; dumping it with the "db 0x7ffdf000" command shows the value 0x20000 at offset 0x10 of the structure, so _PEB.ProcessParameters lives at offset 0x10.

Continuing with "db 0x20000" to dump the ProcessParameters block (an RTL_USER_PROCESS_PARAMETERS structure), offset 0x3c holds 0x20670, and "db 0x20670" shows the full path stored at that address. The path is stored in Unicode (UTF-16). Offset 0x38 is the ImagePathName UNICODE_STRING: its Length and MaximumLength words come first and its Buffer pointer is the value at 0x3c. Reproducing these steps in a driver yields the full path of the current process:
    PCWSTR GetCurrentProcessFileName()
    {
        DWORD dwAddress = (DWORD)PsGetCurrentProcess();
        if (dwAddress == 0 || dwAddress == 0xFFFFFFFF)
            return NULL;

        dwAddress += 0x1B0;                                         // _EPROCESS.Peb
        if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;    // NULL for the System process

        dwAddress += 0x10;                                          // _PEB.ProcessParameters
        if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;

        dwAddress += 0x3C;                                          // ImagePathName.Buffer
        if ((dwAddress = *(DWORD *)dwAddress) == 0) return NULL;

        KdPrint(("Current process full path name: %ws\n", (PCWSTR)dwAddress));
        return (PCWSTR)dwAddress;
    }

Two caveats apply. The _PEB and the parameter block live in the process's user-mode address space and are pageable, so this walk is only valid while the driver runs in the context of that process (for example in a dispatch routine) at PASSIVE_LEVEL; from an arbitrary context such as a DPC it would read another process's memory or fault. And ImagePathName is a UNICODE_STRING, so a careful caller should honour its Length field at offset 0x38 instead of assuming the buffer is NUL-terminated.
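To show the same walk, the ImageFileName read and the _PEB chain, with the bounds and length checks a driver should have, here is an added example that is not part of the original article. It models a 32-bit address space as a byte array, lays out an _EPROCESS, _PEB and parameter block using the offsets above (the addresses 0x1000, 0x10000, 0x20000 and 0x20670 and the path D:\ntsysinfo.exe are constructed for the sample, scaled so they fit in the array), and then reads the name and path through accessors that refuse any pointer outside the image, respect the UNICODE_STRING Length, and treat a NULL Peb (the System process) as a failure rather than a fault. The addrspace_t type and the function names are this example's own, not Windows APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the Windows 2000 layout discussed on this page. They are
 * build-specific; re-derive them with WinDbg before using them elsewhere. */
#define EPROCESS_PEB            0x1B0u  /* _EPROCESS.Peb                            */
#define EPROCESS_IMAGEFILENAME  0x1FCu  /* _EPROCESS.ImageFileName[16]              */
#define PEB_PROCESSPARAMETERS   0x10u   /* _PEB.ProcessParameters                   */
#define RUPP_IMAGEPATHNAME      0x38u   /* RTL_USER_PROCESS_PARAMETERS.ImagePathName */
/* UNICODE_STRING on 32-bit: USHORT Length @0, USHORT MaximumLength @2, PWSTR Buffer @4,
 * so the pointer the page reads at 0x3C is ImagePathName + 4. */

/* A flat byte array stands in for the 32-bit address space (constructed here so the
 * walk runs outside a kernel; 32-bit "pointers" are offsets into the array, stored in
 * host byte order by both the builder and the readers). */
typedef struct { uint8_t *base; uint32_t size; } addrspace_t;

static int read_bytes(const addrspace_t *as, uint32_t va, void *out, uint32_t len)
{
    if (len > as->size || va > as->size - len) return 0;   /* overflow-safe bounds check */
    memcpy(out, as->base + va, len);
    return 1;
}
static int read32(const addrspace_t *as, uint32_t va, uint32_t *out) { return read_bytes(as, va, out, 4); }
static int read16(const addrspace_t *as, uint32_t va, uint16_t *out) { return read_bytes(as, va, out, 2); }

/* _EPROCESS.ImageFileName is 16 bytes: at most 15 characters, and a defensive
 * reader forces termination instead of trusting the field. */
int get_image_name(const addrspace_t *as, uint32_t eprocess, char out[16])
{
    if (!read_bytes(as, eprocess + EPROCESS_IMAGEFILENAME, out, 16)) return 0;
    out[15] = '\0';
    return 1;
}

/* _EPROCESS -> Peb -> ProcessParameters -> ImagePathName. Returns the path as ASCII
 * (UTF-16 units >= 0x80 become '?'). Fails for a NULL Peb (System process), for any
 * pointer outside the address space, and when the caller's buffer is too small. */
int get_image_path(const addrspace_t *as, uint32_t eprocess, char *out, size_t outlen)
{
    uint32_t peb, params, buf;
    uint16_t len;
    if (!read32(as, eprocess + EPROCESS_PEB, &peb) || peb == 0) return 0;
    if (!read32(as, peb + PEB_PROCESSPARAMETERS, &params) || params == 0) return 0;
    if (!read16(as, params + RUPP_IMAGEPATHNAME, &len)) return 0;          /* Length is in bytes */
    if (!read32(as, params + RUPP_IMAGEPATHNAME + 4, &buf) || buf == 0) return 0;
    if (buf > UINT32_MAX - len) return 0;                                   /* buffer wraps the address space */
    size_t nchars = len / 2;
    if (nchars + 1 > outlen) return 0;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t wc;
        if (!read16(as, buf + (uint32_t)(i * 2), &wc)) return 0;
        out[i] = (wc < 0x80) ? (char)wc : '?';
    }
    out[nchars] = '\0';
    return 1;
}

/* Constructed sample image mirroring the page's WinDbg session, with the PEB address
 * scaled down to fit the array. 0x2000 is a second _EPROCESS with a NULL Peb, like
 * the System process; 0x3000 has a 16-byte name with no terminator. */
static uint8_t g_mem[0x21000];
static void put32(uint32_t va, uint32_t v) { memcpy(g_mem + va, &v, 4); }
static void put16(uint32_t va, uint16_t v) { memcpy(g_mem + va, &v, 2); }

addrspace_t build_sample(void)
{
    const uint32_t eproc = 0x1000, peb = 0x10000, params = 0x20000, pathbuf = 0x20670;
    const char *path = "D:\\ntsysinfo.exe";           /* path from the page's !peb output */
    memset(g_mem, 0, sizeof g_mem);
    memcpy(g_mem + eproc + EPROCESS_IMAGEFILENAME, "ntsysinfo.exe", 14);
    put32(eproc + EPROCESS_PEB, peb);
    put32(peb + PEB_PROCESSPARAMETERS, params);
    put16(params + RUPP_IMAGEPATHNAME, (uint16_t)(strlen(path) * 2));        /* Length        */
    put16(params + RUPP_IMAGEPATHNAME + 2, (uint16_t)(strlen(path) * 2 + 2)); /* MaximumLength */
    put32(params + RUPP_IMAGEPATHNAME + 4, pathbuf);                          /* Buffer        */
    for (size_t i = 0; path[i]; i++) put16(pathbuf + (uint32_t)(i * 2), (uint16_t)(unsigned char)path[i]);
    memcpy(g_mem + 0x2000 + EPROCESS_IMAGEFILENAME, "System", 7);
    put32(0x2000 + EPROCESS_PEB, 0);
    memcpy(g_mem + 0x3000 + EPROCESS_IMAGEFILENAME, "averyverylongname.exe", 16);
    addrspace_t as = { g_mem, sizeof g_mem };
    return as;
}

int main(void)
{
    addrspace_t as = build_sample();
    char name[16], path[260];
    if (get_image_name(&as, 0x1000, name)) printf("name: %s\n", name);
    if (get_image_path(&as, 0x1000, path, sizeof path)) printf("path: %s\n", path);
    if (!get_image_path(&as, 0x2000, path, sizeof path)) puts("0x2000: no PEB (system process)");
    if (get_image_name(&as, 0x3000, name)) printf("truncated name: %s\n", name);
    return 0;
}
```

The point of the byte-array model is that every dereference goes through read_bytes, which is the structural difference between this walk and the page's driver code: the chain of user-mode pointers is treated as untrusted input, and the Length word of the UNICODE_STRING bounds the copy instead of a hoped-for NUL.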
The _EPROCESS layout of Windows NT differs slightly from that of Windows 2000, so the offsets are not the same and the program above does not work on Windows NT. To get the process name and full path under Windows NT, derive the correct offsets with the same WinDbg method and adjust the constants accordingly.
For more on obtaining the current process, its name and full path, in a Windows 9x driver (VxD), see the Fair Security Lab website: http://www.xfilt.com.