驱动层分别使用PEB和sectionObject获取进程执行文件全路径的方法

本文链接：https://blog.csdn.net/twtzw/article/details/3335244

在WIN2003 SP2环境下，通过PEB的ProcessParameters和SectionObject的Segment及ControlArea获取进程执行文件的完整路径。代码示例展示了如何从EPROCESS结构中遍历到必要的数据结构，最终转换为ANSI字符串。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

本人是在WIN2003 SP2下开发的,请注意不同操作系统的偏移量不同

PEB

EPROCESS->PEB(_PEB)->ProcessParameters((_RTL_USER_PROCESS_PARAMETERS)->ImagePathName(_UNICODE_STRING)

 
 void GetProcessName( IN OUT PCHAR pszName)
{
        int pebOffeset=0x1a0;
        int RTLUSERPROCESSPARAMETERSOffset= 0x010;
        int imagePathNameOffset=0x038;
    ANSI_STRING astr;
    UNICODE_STRING US;
    PEPROCESS peCurProc;
    ULONG* dwAddress;
    peCurProc=PsGetCurrentProcess();//EPROCESS 
    dwAddress=(ULONG*)peCurProc;
    
    if(dwAddress!=NULL)
    {
        dwAddress=*((ULONG**)dwAddress+pebOffeset/sizeof(ULONG));//EPROCESS->PEB 
        if(dwAddress!=NULL)
        {
            dwAddress=*((ULONG**)dwAddress+RTLUSERPROCESSPARAMETERSOffset /sizeof(ULONG));//PEB->ProcessParameters(_RTL_USER_PROCESS_PARAMETERS) 
            if(dwAddress!=NULL)
            {
                US=*((UNICODE_STRING*)dwAddress+imagePathNameOffset/sizeof(UNICODE_STRING));//PEB->ProcessParameters->ImagePathName(_UNICODE_STRING) 
                if(RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)&US,TRUE)==STATUS_SUCCESS)
                {
                    strcpy(pszName, astr.Buffer);
                    RtlFreeAnsiString( &astr );
                }
            }
        }
    
    }
}
 

SectionObject

EPROCESS->SectionObject(_SECTION_OBJECT)->Segment(_SEGMENT)->ControlArea (_CONTROL_AREA)->FilePointer( _FILE_OBJECT)

 
  PEPROCESS   peCurProc;
ULONG* dwAddress;
PFILE_OBJECT FileObject;
UNICODE_STRING usDosName;
STRING fileName; 
STRING dosName;
peCurProc = PsGetCurrentProcess();
dwAddress=(ULONG*)peCurProc;
if(MmIsAddressValid(dwAddress))
{
    dwAddress=*((ULONG**)dwAddress+0x124/sizeof(ULONG));//EPROCESS->SectionObject 
    if(MmIsAddressValid(dwAddress))
    {
        dwAddress=*((ULONG**)dwAddress+0x014/sizeof(ULONG));//EPROCESS->SectionObject->Segment 
        if(MmIsAddressValid(dwAddress))
        {
            dwAddress=*((ULONG**)dwAddress+0x000/sizeof(ULONG));//EPROCESS->SectionObject->Segment->ControlArea 
            if(MmIsAddressValid(dwAddress))
            {
                FileObject=(PFILE_OBJECT)(*((ULONG**)dwAddress+0x024 /sizeof(ULONG)));//EPROCESS->SectionObject->Segment->ControlArea->FilePointer 
                if(MmIsAddressValid(FileObject));
                {
                      
                    if(RtlVolumeDeviceToDosName(FileObject->DeviceObject,&usDosName)==STATUS_SUCCESS)//获取磁盘逻辑名称 
                    {
                        RtlUnicodeStringToAnsiString(&dosName,&usDosName, TRUE); 
                        RtlUnicodeStringToAnsiString(&fileName,&FileObject->FileName, TRUE);//文件名 
                        DbgPrint(dosName.Buffer);
                        DbgPrint(fileName.Buffer);
                        DbgPrint("/n/n");
                        RtlFreeAnsiString(&dosName);
                        RtlFreeAnsiString(&fileName);
                    }
                }
            }
        }
    }
}
        
 
 

PEB可以通过某种方式擦除