进程、注册表路径 内核函数封装源码

魔兽贱队

1. 
   
2. 
   
3. 
   
4. 
   
5. //依据EPROCESS得到进程全路径
   
6. extern VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName );
   
7. 
   
8. //得到当前调用函数的进程信息
   
9. extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);
   
10. 
    
11. //路径解析出子进程名
    
12. extern VOID GetSonName( PCHAR ProcessPath, PCHAR ProcessName );
    
13. 
    
14. //根据SectionHandle得到进程全路径
    
15. extern VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName);
    
16. 
    
17. //根据ProcessHandle得到进程全路径
    
18. extern VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid );
    
19. 
    
20. //FileObject得到进程全路径
    
21. extern VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName);
    
22. 
    
23. //KeyHandle得到注册表全路径
    
24. extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);
    
25. 
    
26. //
    
27. extern VOID UnicodeTochar(PUNICODE_STRING dst , char *src);
    
28. //
    
29. extern VOID WcharToChar(PWCHAR src,PCHAR dst);
    
30. 
    
31. 代码:
    
32. extern POBJECT_TYPE *PsProcessType;
    
33. 
    
34. NTKERNELAPI
    
35. UCHAR *
    
36. PsGetProcessImageFileName(
    
37. PEPROCESS Process);
    
38. 
    
39. NTKERNELAPI
    
40. NTSTATUS
    
41. ObQueryNameString(
    
42. INPVOID Object,
    
43. OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    
44. INULONG Length,
    
45. OUT PULONG ReturnLength);
    
46. 
    
47. //路径解析出子进程名
    
48. VOIDGetSonName( char *ProcessPath, char *ProcessName )
    
49. {
    
50. ULONG n = strlen( ProcessPath) - 1;
    
51. ULONG i = n;
    
52. //KdPrint(("%d",n));
    
53. while( ProcessPath[i] != '\\')
    
54. {
    
55. i = i-1;
    
56. }
    
57. strncpy( ProcessName,ProcessPath+i+1,n-i);
    
58. }
    
59. 
    
60. //依据EPROCESS得到进程全路径
    
61. VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName )
    
62. {
    
63. //原理Eprocess->sectionobject(0x138)->Segment(0x014)->ControlAera(0x000)->FilePointer(0x024)->(FileObject->FileName,FileObject->DeviceObject)
    
64. ULONG object;
    
65. PFILE_OBJECT FileObject;
    
66. UNICODE_STRING FilePath;
    
67. UNICODE_STRING DosName;
    
68. STRING AnsiString;
    
69. 
    
70. FileObject = NULL;
    
71. FilePath.Buffer = NULL;
    
72. FilePath.Length = 0;
    
73. *ProcessImageName = 0;
    
74. 
    
75. if(MmIsAddressValid((PULONG)(eprocess+0x138)))//Eprocess->sectionobject(0x138)
    
76. {
    
77. object=(*(PULONG)(eprocess+0x138));
    
78. //KdPrint(("[GetProcessFileName] sectionobject :0x%x\n",object));
    
79. if(MmIsAddressValid((PULONG)((ULONG)object+0x014)))
    
80. {
    
81. object=*(PULONG)((ULONG)object+0x014);
    
82. //KdPrint(("[GetProcessFileName] Segment :0x%x\n",object));
    
83. if(MmIsAddressValid((PULONG)((ULONG)object+0x0)))
    
84. {
    
85. object=*(PULONG)((ULONG_PTR)object+0x0);
    
86. //KdPrint(("[GetProcessFileName] ControlAera :0x%x\n",object));
    
87. if(MmIsAddressValid((PULONG)((ULONG)object+0x024)))
    
88. {
    
89. object=*(PULONG)((ULONG)object+0x024);
    
90. //KdPrint(("[GetProcessFileName] FilePointer :0x%x\n",object));
    
91. }
    
92. else
    
93. return ;
    
94. }
    
95. else
    
96. return ;
    
97. }
    
98. else
    
99. return ;
    
100. }
     
101. else
     
102. return ;
     
103. FileObject=(PFILE_OBJECT)object;
     
104. 
     
105. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
     
106. FilePath.MaximumLength = 0x200;
     
107. //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
     
108. ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1，操作对象
     
109. 
     
110. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
     
111. RtlCopyUnicodeString(&FilePath, &DosName);
     
112. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
     
113. ObDereferenceObject(FileObject);
     
114. 
     
115. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
     
116. if ( AnsiString.Length >= 216 )
     
117. {
     
118. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
     
119. *(ProcessImageName + 215) = 0;
     
120. }
     
121. else
     
122. {
     
123. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
     
124. ProcessImageName[AnsiString.Length] = 0;
     
125. }
     
126. RtlFreeAnsiString(&AnsiString);
     
127. ExFreePool(DosName.Buffer);
     
128. ExFreePool(FilePath.Buffer);
     
129. }
     
130. 
     
131. 
     
132. //
     
133. VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
     
134. {
     
135. PEPROCESS Cprocess;
     
136. Cprocess = PsGetCurrentProcess();
     
137. *pid = *(PULONG)((ULONG)Cprocess+0x84);
     
138. strcpy(name ,PsGetProcessImageFileName(Cprocess));
     
139. GetFullPathByEprocess((ULONG)Cprocess,path);
     
140. }
     
141. 
     
142. 
     
143. //根据SectionHandle得到进程全路径
     
144. VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName )
     
145. {
     
146. PVOID SectionObject;
     
147. PFILE_OBJECT FileObject;
     
148. UNICODE_STRING FilePath;
     
149. UNICODE_STRING DosName;
     
150. NTSTATUS Status;
     
151. STRING AnsiString;
     
152. 
     
153. SectionObject = NULL;
     
154. FileObject = NULL;
     
155. FilePath.Buffer = NULL;
     
156. FilePath.Length = 0;
     
157. *ProcessImageName = 0;
     
158. Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
     
159. 
     
160. if ( NT_SUCCESS(Status) )
     
161. {
     
162. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
     
163. FilePath.MaximumLength = 0x200;
     
164. FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
     
165. FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
     
166. FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
     
167. ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
     
168. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
     
169. RtlCopyUnicodeString(&FilePath, &DosName);
     
170. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
     
171. ObDereferenceObject(FileObject);
     
172. ObDereferenceObject(SectionObject);
     
173. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
     
174. if ( AnsiString.Length >= 216 )
     
175. {
     
176. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
     
177. *(ProcessImageName + 215) = 0;
     
178. }
     
179. else
     
180. {
     
181. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
     
182. ProcessImageName[AnsiString.Length] = 0;
     
183. }
     
184. RtlFreeAnsiString(&AnsiString);
     
185. ExFreePool(DosName.Buffer);
     
186. ExFreePool(FilePath.Buffer);
     
187. }
     
188. }
     
189. 
     
190. 
     
191. //根据ProcessHandle得到EPROCESS然后得到进程全路径
     
192. VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid )
     
193. {
     
194. NTSTATUS status;
     
195. PVOID ProcessObject;
     
196. ULONG eprocess;
     
197. 
     
198. status = ObReferenceObjectByHandle( ProcessHandle ,0,*PsProcessType,KernelMode, &ProcessObject, NULL);
     
199. if(!NT_SUCCESS(status)) //失败
     
200. {
     
201. DbgPrint("Object Error");
     
202. KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n",status));
     
203. return;
     
204. }
     
205. //KdPrint(("[GetTerminateProcessPath] Eprocess :0x%x\n",(ULONG)ProcessObject));
     
206. //Object转换成EPROCESS: object低二位清零
     
207. eprocess = ((ULONG)ProcessObject) & 0xFFFFFFFC;
     
208. *pid = *(PULONG)((ULONG)eprocess+0x84);
     
209. ObDereferenceObject(ProcessObject);
     
210. GetFullPathByEprocess( eprocess ,ProcessImageName);
     
211. }
     
212. 
     
213. 
     
214. //根据FileObject得到全路径
     
215. VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName)
     
216. {
     
217. 
     
218. UNICODE_STRING FilePath;
     
219. UNICODE_STRING DosName;
     
220. STRING AnsiString;
     
221. 
     
222. FilePath.Buffer = NULL;
     
223. FilePath.Length = 0;
     
224. *ProcessImageName = 0;
     
225. 
     
226. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
     
227. FilePath.MaximumLength = 0x200;
     
228. //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
     
229. ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1，操作对象
     
230. 
     
231. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
     
232. RtlCopyUnicodeString(&FilePath, &DosName);
     
233. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
     
234. ObDereferenceObject(FileObject);
     
235. 
     
236. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
     
237. if ( AnsiString.Length >= 216 )
     
238. {
     
239. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
     
240. *(ProcessImageName + 215) = 0;
     
241. }
     
242. else
     
243. {
     
244. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
     
245. ProcessImageName[AnsiString.Length] = 0;
     
246. }
     
247. RtlFreeAnsiString(&AnsiString);
     
248. ExFreePool(DosName.Buffer);
     
249. ExFreePool(FilePath.Buffer);
     
250. }
     
251. 
     
252. 
     
253. //解析注册表路径
     
254. BOOLEAN StandardPrintHkey(char * path,char *realpath)
     
255. {
     
256. 
     
257. int judgeTop;
     
258. int judgeSecond;
     
259. int judgeThird;
     
260. inti;
     
261. int j;
     
262. int t;
     
263. int k;
     
264. int lencur;
     
265. char realname[255]={0};
     
266. j=0;
     
267. k=0;
     
268. t=0;
     
269. judgeTop=strncmp("\\REGISTRY\\USER",path,14);
     
270. 
     
271. if(judgeTop==0)
     
272. {
     
273. 
     
274. lencur=strlen(path);
     
275. for(i=0;i<lencur;i++)
     
276. {
     
277. if(path[i]=='-')
     
278. {
     
279. if(path[i+1]=='5')
     
280. {
     
281. if(path[i+2]=='0')
     
282. {
     
283. if(path[i+3]=='0')
     
284. {if(path[i+4]=='_')
     
285. {
     
286. k=i+12;
     
287. t=1;
     
288. }
     
289. else
     
290. {
     
291. j=i+4;
     
292. t=1;
     
293. }
     
294. }
     
295. }
     
296. }
     
297. }
     
298. }
     
299. 
     
300. DbgPrint("[j]%d\n",j);
     
301. DbgPrint("[k]%d\n",k);
     
302. if((k==0)&&(t==1))
     
303. {
     
304. strcpy(realname,"HKEY_CURRENT_USER");
     
305. strncat(realname,&path[j],sizeof(path)-j);
     
306. DbgPrint("[HKEY_CURRENT_USER]%s",path);
     
307. }
     
308. if((j==0)&&(t==1))
     
309. {
     
310. strcpy(realname,"HKEY_CLASSES_ROOT");
     
311. strncat(realname,&path[k],sizeof(path)-k);
     
312. DbgPrint("[HKEY_CLASSES_ROOT]%s",path);
     
313. }
     
314. if(t==0)
     
315. {
     
316. strcpy(realname,"HKEY_USERS");
     
317. strncat(realname,&path[14],sizeof(path)-14);
     
318. DbgPrint("[HKEY_USER]%s",path);
     
319. }
     
320. }
     
321. else
     
322. {
     
323. judgeThird=strncmp("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001",path,61);
     
324. if(judgeThird==0)
     
325. {
     
326. strcpy(realname,"HKEY_CURRENT_CONFIG");
     
327. strncat(realname,&path[61],sizeof(path)-61);
     
328. DbgPrint("[HKEY_CURRENT_CONFIG]%s",path);
     
329. }
     
330. else
     
331. {
     
332. 
     
333. 
     
334. strcpy(realname,"HKEY_LOCAL_MACHINE");
     
335. strncat(realname,&path[17],sizeof(path)-17);
     
336. DbgPrint("[HKEY_LOCAL_MACHINE]%s",path);
     
337. 
     
338. 
     
339. }
     
340. }
     
341. strcpy(realpath,realname);
     
342. return TRUE;
     
343. }
     
344. 
     
345. 
     
346. //注册表根据KeyHandle得到键
     
347. BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
     
348. {
     
349. 
     
350. ULONG uactLength;
     
351. POBJECT_NAME_INFORMATIONpustr;
     
352. ANSI_STRING astr;
     
353. PVOID pObj;
     
354. NTSTATUS ns;
     
355. char pch[256]={0};
     
356. ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pObj, NULL );
     
357. if (!NT_SUCCESS(ns))
     
358. {
     
359. KdPrint(("111!\n"));
     
360. KdPrint(("0x%x\n",ns));
     
361. return FALSE;
     
362. }
     
363. pustr = ExAllocatePool(NonPagedPool,1024+4);
     
364. 
     
365. if (pObj==NULL||pch==NULL)
     
366. return FALSE;
     
367. 
     
368. ns = ObQueryNameString(pObj,pustr,512,&uactLength);
     
369. 
     
370. if (NT_SUCCESS(ns))
     
371. {
     
372. RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)pustr,TRUE);
     
373. strncpy(pch,astr.Buffer,256);
     
374. }
     
375. ExFreePool(pustr);
     
376. RtlFreeAnsiString( &astr );
     
377. if (pObj)
     
378. {
     
379. ObDereferenceObject(pObj);
     
380. }
     
381. StandardPrintHkey(pch,realpath);
     
382. return TRUE;
     
383. }
     
384. 
     
385. 
     
386. //UnicodeTochar
     
387. VOID UnicodeTochar(PUNICODE_STRING dst , char *src)
     
388. {
     
389. ANSI_STRING string;
     
390. RtlUnicodeStringToAnsiString(&string,dst, TRUE);
     
391. strcpy(src,string.Buffer);
     
392. RtlFreeAnsiString(&string);
     
393. }
     
394. 
     
395. 
     
396. //wcharTochar
     
397. VOID WcharToChar(PWCHAR src,PCHAR dst)
     
398. {
     
399. UNICODE_STRING uString;
     
400. ANSI_STRING aString;
     
401. RtlInitUnicodeString(&uString,src);
     
402. RtlUnicodeStringToAnsiString(&aString,&uString,TRUE);
     
403. strcpy(dst,aString.Buffer);
     
404. RtlFreeAnsiString(&aString);
     
405. }
     
406. 
     
407. 
     

复制代码