通过进程ID得到进程名

在内核中，通过进程ID，得到进程名称，有多种方法。

我使用了两种方法，第一种是使用ZwOpeProcess得到句柄

然后ObReferenceObjectByHandle函数得到PEPROCESS结构，然后

char *ProcessName = (char*)EProcess + 0x174;

第二种方法是得到PEPROCESS结构之后，使用PsGetProcessImageFileName函数得到进程名。

 

具体代码如下：

#include<ntddk.h> #include<wdm.h> UCHAR* PsGetProcessImageFileName(PEPROCESS Process); NTSTATUS Unload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("驱动已经卸载/n"); } void GetProcessName(ULONG dwPid) { HANDLE ProcessHandle; NTSTATUS status; OBJECT_ATTRIBUTES ObjectAttributes; CLIENT_ID myCid; PEPROCESS EProcess; InitializeObjectAttributes(&ObjectAttributes,0,0,0,0); myCid.UniqueProcess = (HANDLE)dwPid; myCid.UniqueThread = 0; //打开进程，获取句柄 status = ZwOpenProcess (&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&myCid); if (!NT_SUCCESS(status)) { DbgPrint("打开进程出错/n"); return; } //得到EPROCESS，结构中取进程名 status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,0,KernelMode,&EProcess, 0); if (status == STATUS_SUCCESS) { char *ProcessName = (char*)EProcess + 0x174; char *PsName = PsGetProcessImageFileName(EProcess); DbgPrint("ProcessName is %s/n",ProcessName); DbgPrint("PsName is %s/n",PsName); ZwClose(ProcessHandle); } else { DbgPrint("Get ProcessName error"); } } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { DbgPrint("驱动已经加载了/n"); GetProcessName(2044); DriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }