
进程防火墙驱动开发的再次挖掘(3)



{
DbgPrint( "TERMINATED == PROCESS ID: %d\n", PId);
}
if (handle) ZwClose(handle);
if (EProcess)
ObfDereferenceObject((PVOID)EProcess);
}
//获得进程的 NT 路径
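/*
 * GetProcPath — resolve the image path of the process identified by PID.
 *
 * PID        : process id, HANDLE-typed as CLIENT_ID.UniqueProcess expects.
 * pImageName : receives the image path as an ANSI string. On TRUE the
 *              buffer was allocated by RtlUnicodeStringToAnsiString and the
 *              caller must release it with RtlFreeAnsiString(). On FALSE the
 *              string is left empty (Length 0, Buffer NULL).
 *
 * Returns TRUE when pImageName holds a path — the DOS form when the image
 * file could be opened, otherwise the NT device form — and FALSE otherwise.
 *
 * Compared with the earlier version: the process handle is closed and the
 * pool buffer is freed on every exit path, the ZwOpenProcess result is
 * checked instead of passing a NULL handle on, the function always returns
 * a value, and the KdPrint calls (previously placed after `return`, so never
 * executed) are reachable again.
 */
BOOLEAN GetProcPath(IN HANDLE PID, OUT PANSI_STRING pImageName)
{
    NTSTATUS status;
    HANDLE hProcess = NULL;
    CLIENT_ID clientid;
    OBJECT_ATTRIBUTES ObjectAttributes;
    ULONG returnedLength = 0;
    PVOID buffer = NULL;
    PUNICODE_STRING uniNtProcename = NULL;
    UNICODE_STRING uniDosProcename;
    WCHAR DosProcessNameW[MAX_PATH * 2] = {0};
    BOOLEAN ok = FALSE;

    /* Reset the caller's output string under SEH: the pointer is only
     * probed here, not owned, so a bad address must not bring the system down. */
    __try
    {
        if (!MmIsAddressValid(pImageName))
        {
            return FALSE;
        }
        pImageName->Length = 0;
        pImageName->MaximumLength = 0;
        pImageName->Buffer = NULL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return FALSE;
    }

    InitializeObjectAttributes(&ObjectAttributes, NULL,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    clientid.UniqueProcess = PID;
    clientid.UniqueThread = 0;

    /* Open the process by PID with the minimum right the query below needs.
     * PROCESS_ALL_ACCESS was far more than this routine uses. The open may
     * fail (for instance when the process has already exited), so bail out
     * instead of handing a NULL handle to ZwQueryInformationProcess. */
    status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION,
                           &ObjectAttributes, &clientid);
    if (!NT_SUCCESS(status))
    {
        hProcess = NULL;
        goto cleanup;
    }

    /* First call with no buffer only to learn the required size. */
    status = ZwQueryInformationProcess(hProcess, ProcessImageFileName,
                                       NULL, 0, &returnedLength);
    if (status != STATUS_INFO_LENGTH_MISMATCH ||
        returnedLength < sizeof(UNICODE_STRING))
    {
        goto cleanup;
    }

    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');
    if (buffer == NULL)
    {
        goto cleanup;
    }

    status = ZwQueryInformationProcess(hProcess, ProcessImageFileName,
                                       buffer, returnedLength, &returnedLength);
    if (!NT_SUCCESS(status))
    {
        goto cleanup;
    }

    /* The returned block is a UNICODE_STRING whose Buffer points into the
     * same allocation, so it stays valid until ExFreePool below. */
    uniNtProcename = (PUNICODE_STRING)buffer;
    if (uniNtProcename->Buffer == NULL)
    {
        goto cleanup;
    }

    uniDosProcename.Buffer = DosProcessNameW;
    uniDosProcename.Length = 0;
    uniDosProcename.MaximumLength = sizeof(DosProcessNameW);
    /* NOTE(review): QueryProcessDosPathW copies Name.Length bytes into
     * Buffer with memcpy without consulting MaximumLength; a DOS path longer
     * than DosProcessNameW would overrun this stack array. The callee must
     * bound that copy before this can be relied on. */
    if (QueryProcessDosPathW(uniNtProcename->Buffer, &uniDosProcename))
    {
        /* Preferred form: the full DOS path. */
        status = RtlUnicodeStringToAnsiString(pImageName, &uniDosProcename, TRUE);
        if (NT_SUCCESS(status))
        {
            KdPrint(("Current ProcessImageFileName: \"%s\"\r\n", pImageName->Buffer));
        }
        else
        {
            KdPrint(("Current ProcessImageFileName: Unknow\r\n"));
        }
    }
    else
    {
        /* Fallback: the NT device form of the path. */
        status = RtlUnicodeStringToAnsiString(pImageName, uniNtProcename, TRUE);
    }
    ok = NT_SUCCESS(status) ? TRUE : FALSE;

cleanup:
    if (buffer != NULL)
    {
        ExFreePool(buffer);
    }
    if (hProcess != NULL)
    {
        ZwClose(hProcess);
    }
    return ok;
}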
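/*
 * MyOpenFile — open a file by NT path for read access and return its handle.
 *
 * ProcessPathw : NUL-terminated NT path (here the Buffer returned for
 *                ProcessImageFileName). NULL yields NULL.
 *
 * Returns a kernel handle (OBJ_KERNEL_HANDLE) on success, NULL on failure.
 * The caller owns the handle and must ZwClose() it.
 *
 * The earlier version kept the result in an `int`, which truncates a 64-bit
 * HANDLE on x64; the result is now HANDLE-typed throughout, and FileHandle
 * is initialised so a failed create never yields an indeterminate value.
 * IO_NO_PARAMETER_CHECKING skips probing of the arguments, which is only
 * acceptable because every argument passed here lives in kernel memory.
 */
HANDLE MyOpenFile(IN PCWSTR ProcessPathw)
{
    HANDLE FileHandle = NULL;
    HANDLE result = NULL;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb = {0};
    UNICODE_STRING uniProcessPath = {0};
    NTSTATUS status;

    if (ProcessPathw == NULL)
    {
        return NULL;
    }

    RtlInitUnicodeString(&uniProcessPath, ProcessPathw);
    InitializeObjectAttributes(&oa, &uniProcessPath,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    status = IoCreateFile(&FileHandle,
                          GENERIC_READ,
                          &oa,
                          &iosb,
                          NULL,                 /* AllocationSize */
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,                 /* EaBuffer */
                          0,                    /* EaLength */
                          CreateFileTypeNone,
                          NULL,                 /* InternalParameters */
                          IO_NO_PARAMETER_CHECKING);
    if (NT_SUCCESS(status))
    {
        result = FileHandle;
    }
    return result;
}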
//将 NT 路径转换为 Dos 路径
BOOL  QueryProcessDosPathW(IN  PWSTR  ProcessPathw,OUT  PUNICODE_STRING ProcessDosPathw)
{
HANDLE hFile; NTSTATUS status; PFILE_OBJECT fileobj;
POBJECT_NAME_INFORMATION ObjectNameInformation;
int result;
 

result = 0;
hFile = MyOpenFile(ProcessPathw);
if (hFile)
{
status = ObReferenceObjectByHandle(hFile,0,*IoFileObjectType,KernelMode,&fileobj,NUL
L);
if (NT_SUCCESS(status))
{
status = IoQueryFileDosDeviceName(fileobj,&ObjectNameInformation);
if (NT_SUCCESS(status))
{
ProcessDosPathw->Length = ObjectNameInformation->Name.Length;
ProcessDosPathw->MaximumLength =
ObjectNameInformation->Name.MaximumLength;
memcpy(ProcessDosPathw->Buffer,ObjectNameInformation->Name.Buffer,ProcessDo sPathw->Length);
result = 1;
}
}
}
if ( fileobj ) ObfDereferenceObject(fileobj);

本页地址 http://www.jybase.net/biancheng/20120325808.html
