EPROCESS取进程全路径(xp)

上一篇文章在xp下取路径太麻烦

既然已经限定在 XP(x86)系统下,为什么不直接硬编码结构偏移呢?(注意:下面的偏移只对 XP x86 有效,换一个系统版本或架构就会读到错误的内存;部署前请用 WinDbg 的 `dt` 逐个核对。)

好吧,走起~~~

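/* Windows XP x86 structure offsets (from the WRK headers, confirmed under
 * WinDbg per the article). They are NOT valid on any other OS version or
 * architecture -- re-verify with `dt` before reusing. */
#define XP_SECTION_SEGMENT_OFFSET          0x14  /* SECTION.Segment           */
#define XP_SEGMENT_CONTROLAREA_OFFSET      0x00  /* SEGMENT.ControlArea       */
#define XP_CONTROLAREA_FILEPOINTER_OFFSET  0x24  /* CONTROL_AREA.FilePointer  */

/*
 * _MmGetFileObjectForSection - XP x86 re-implementation of the unexported
 * kernel routine MmGetFileObjectForSection():
 *     FileObject = Section->Segment->ControlArea->FilePointer
 *
 * ABI:   x86 __stdcall, naked leaf function (no frame, no callee-saved use)
 * In:    [esp+4] = Section (PVOID; the EPROCESS SectionObject)
 * Out:   eax     = PFILE_OBJECT, or NULL if Section or any link of the
 *                  chain is NULL (instead of faulting on the dereference)
 * Clobb: eax, flags
 *
 * No reference is taken on the returned object; the caller must reference it
 * and must keep the owning process from being run down while this walks the
 * chain (the section/control area can otherwise be freed underneath it).
 */
PFILE_OBJECT __declspec(naked) __stdcall _MmGetFileObjectForSection(PVOID Section)
{
    __asm
    {
        mov  eax, dword ptr ss:[esp + 0x04]                              ; eax = Section
        test eax, eax
        jz   Done
        mov  eax, dword ptr ds:[eax + XP_SECTION_SEGMENT_OFFSET]         ; eax = Section->Segment
        test eax, eax
        jz   Done
        mov  eax, dword ptr ds:[eax + XP_SEGMENT_CONTROLAREA_OFFSET]     ; eax = Segment->ControlArea
        test eax, eax
        jz   Done
        mov  eax, dword ptr ds:[eax + XP_CONTROLAREA_FILEPOINTER_OFFSET] ; eax = ControlArea->FilePointer
    Done:
        ret  0x04                                                        ; __stdcall: callee pops Section
    }
}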

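/* Windows XP x86 only: offset of EPROCESS.SectionObject (from the WRK headers,
 * confirmed under WinDbg per the article). Wrong on any other OS version or
 * architecture -- re-verify with `dt nt!_EPROCESS` before reusing. */
#define XP_EPROCESS_SECTIONOBJECT_OFFSET 0x138

/*
 * PsReferenceProcessFilePointer - XP x86 clone of the unexported kernel
 * routine: returns a referenced FILE_OBJECT for the image file backing
 * Process (the file whose name is the process's full path).
 *
 * Process       - EPROCESS to inspect; the caller must already hold a
 *                 reference on it.
 * OutFileObject - receives the PFILE_OBJECT with one reference added by this
 *                 routine (caller must ObDereferenceObject it). Left untouched
 *                 on failure, as in the original.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the process has no
 * section object (e.g. an already-exited process) or the section chain yields
 * no file object.
 *
 * NOTE(review): the WRK version brackets the SectionObject read with
 * ExAcquireRundownProtection(&Process->RundownProtect); without it a process
 * that exits concurrently can free its section/control area while the chain
 * is being walked (use-after-free in kernel mode). Add that -- after
 * confirming the XP offset of RundownProtect with the debugger like the other
 * offsets -- before using this on arbitrary processes. Presumably PASSIVE_LEVEL
 * only, like the paged WRK original.
 */
NTSTATUS PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PVOID *OutFileObject)
{
	PVOID        SectionObject;
	PFILE_OBJECT FileObject;

	SectionObject = *(PVOID *)((PCHAR)Process + XP_EPROCESS_SECTIONOBJECT_OFFSET);
	if (SectionObject == NULL)
	{
		return STATUS_UNSUCCESSFUL;
	}

	FileObject = _MmGetFileObjectForSection(SectionObject);
	/* CONTROL_AREA.FilePointer can in principle be NULL; ObReferenceObject
	 * would fault on it, so report failure instead. */
	if (FileObject == NULL)
	{
		return STATUS_UNSUCCESSFUL;
	}

	ObReferenceObject(FileObject);
	*OutFileObject = FileObject;
	return STATUS_SUCCESS;
}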


WRK+DBG
