进程、注册表路径内核函数封装源码

123456790 · 123456790

//依据EPROCESS得到进程全路径
extern VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName );
//得到当前调用函数的进程信息
extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);
//路径解析出子进程名
extern VOID GetSonName( PCHAR ProcessPath, PCHAR ProcessName );
//根据SectionHandle得到进程全路径
extern VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName);
//根据ProcessHandle得到进程全路径
extern VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid );
//FileObject得到进程全路径
extern VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName);
//KeyHandle得到注册表全路径
extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);
//
extern VOID UnicodeTochar(PUNICODE_STRING dst , char *src);
//
extern VOID WcharToChar(PWCHAR src,PCHAR dst);
代码:
extern POBJECT_TYPE *PsProcessType;
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
PEPROCESS Process);
NTKERNELAPI
NTSTATUS
ObQueryNameString(
INPVOID Object,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
INULONG Length,
OUT PULONG ReturnLength);
//路径解析出子进程名
VOIDGetSonName( char *ProcessPath, char *ProcessName )
{
ULONG n = strlen( ProcessPath) - 1;
ULONG i = n;
//KdPrint(("%d",n));
while( ProcessPath[i] != '\\')
{
i = i-1;
}
strncpy( ProcessName,ProcessPath+i+1,n-i);
}
//依据EPROCESS得到进程全路径
VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName )
{
//原理Eprocess->sectionobject(0x138)->Segment(0x014)->ControlAera(0x000)->FilePointer(0x024)->(FileObject->FileName,FileObject->DeviceObject)
ULONG object;
PFILE_OBJECT FileObject;
UNICODE_STRING FilePath;
UNICODE_STRING DosName;
STRING AnsiString;
FileObject = NULL;
FilePath.Buffer = NULL;
FilePath.Length = 0;
*ProcessImageName = 0;
if(MmIsAddressValid((PULONG)(eprocess+0x138)))//Eprocess->sectionobject(0x138)
{
object=(*(PULONG)(eprocess+0x138));
//KdPrint(("[GetProcessFileName] sectionobject :0x%x\n",object));
if(MmIsAddressValid((PULONG)((ULONG)object+0x014)))
{
object=*(PULONG)((ULONG)object+0x014);
//KdPrint(("[GetProcessFileName] Segment :0x%x\n",object));
if(MmIsAddressValid((PULONG)((ULONG)object+0x0)))
{
object=*(PULONG)((ULONG_PTR)object+0x0);
//KdPrint(("[GetProcessFileName] ControlAera :0x%x\n",object));
if(MmIsAddressValid((PULONG)((ULONG)object+0x024)))
{
object=*(PULONG)((ULONG)object+0x024);
//KdPrint(("[GetProcessFileName] FilePointer :0x%x\n",object));
}
else
return ;
}
else
return ;
}
else
return ;
}
else
return ;
FileObject=(PFILE_OBJECT)object;
FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
FilePath.MaximumLength = 0x200;
//KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1，操作对象
RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
RtlCopyUnicodeString(&FilePath, &DosName);
RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
ObDereferenceObject(FileObject);
RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
if ( AnsiString.Length >= 216 )
{
memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
*(ProcessImageName + 215) = 0;
}
else
{
memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
ProcessImageName[AnsiString.Length] = 0;
}
RtlFreeAnsiString(&AnsiString);
ExFreePool(DosName.Buffer);
ExFreePool(FilePath.Buffer);
}
//
VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
{
PEPROCESS Cprocess;
Cprocess = PsGetCurrentProcess();
*pid = *(PULONG)((ULONG)Cprocess+0x84);
strcpy(name ,PsGetProcessImageFileName(Cprocess));
GetFullPathByEprocess((ULONG)Cprocess,path);
}
//根据SectionHandle得到进程全路径
VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName )
{
PVOID SectionObject;
PFILE_OBJECT FileObject;
UNICODE_STRING FilePath;
UNICODE_STRING DosName;
NTSTATUS Status;
STRING AnsiString;
SectionObject = NULL;
FileObject = NULL;
FilePath.Buffer = NULL;
FilePath.Length = 0;
*ProcessImageName = 0;
Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
if ( NT_SUCCESS(Status) )
{
FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
FilePath.MaximumLength = 0x200;
FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
RtlCopyUnicodeString(&FilePath, &DosName);
RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
ObDereferenceObject(FileObject);
ObDereferenceObject(SectionObject);
RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
if ( AnsiString.Length >= 216 )
{
memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
*(ProcessImageName + 215) = 0;
}
else
{
memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
ProcessImageName[AnsiString.Length] = 0;
}
RtlFreeAnsiString(&AnsiString);
ExFreePool(DosName.Buffer);
ExFreePool(FilePath.Buffer);
}
}
//根据ProcessHandle得到EPROCESS然后得到进程全路径
VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid )
{
NTSTATUS status;
PVOID ProcessObject;
ULONG eprocess;
status = ObReferenceObjectByHandle( ProcessHandle ,0,*PsProcessType,KernelMode, &ProcessObject, NULL);
if(!NT_SUCCESS(status)) //失败
{
DbgPrint("Object Error");
KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n",status));
return;
}
//KdPrint(("[GetTerminateProcessPath] Eprocess :0x%x\n",(ULONG)ProcessObject));
//Object转换成EPROCESS: object低二位清零
eprocess = ((ULONG)ProcessObject) & 0xFFFFFFFC;
*pid = *(PULONG)((ULONG)eprocess+0x84);
ObDereferenceObject(ProcessObject);
GetFullPathByEprocess( eprocess ,ProcessImageName);
}
//根据FileObject得到全路径
VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName)
{
UNICODE_STRING FilePath;
UNICODE_STRING DosName;
STRING AnsiString;
FilePath.Buffer = NULL;
FilePath.Length = 0;
*ProcessImageName = 0;
FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
FilePath.MaximumLength = 0x200;
//KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1，操作对象
RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
RtlCopyUnicodeString(&FilePath, &DosName);
RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
ObDereferenceObject(FileObject);
RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
if ( AnsiString.Length >= 216 )
{
memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
*(ProcessImageName + 215) = 0;
}
else
{
memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
ProcessImageName[AnsiString.Length] = 0;
}
RtlFreeAnsiString(&AnsiString);
ExFreePool(DosName.Buffer);
ExFreePool(FilePath.Buffer);
}
//解析注册表路径
BOOLEAN StandardPrintHkey(char * path,char *realpath)
{
int judgeTop;
int judgeSecond;
int judgeThird;
inti;
int j;
int t;
int k;
int lencur;
char realname[255]={0};
j=0;
k=0;
t=0;
judgeTop=strncmp("\\REGISTRY\\USER",path,14);
if(judgeTop==0)
{
lencur=strlen(path);
for(i=0;i<lencur;i++)
{
if(path[i]=='-')
{
if(path[i+1]=='5')
{
if(path[i+2]=='0')
{
if(path[i+3]=='0')
{if(path[i+4]=='_')
{
k=i+12;
t=1;
}
else
{
j=i+4;
t=1;
}
}
}
}
}
}
DbgPrint("[j]%d\n",j);
DbgPrint("[k]%d\n",k);
if((k==0)&&(t==1))
{
strcpy(realname,"HKEY_CURRENT_USER");
strncat(realname,&path[j],sizeof(path)-j);
DbgPrint("[HKEY_CURRENT_USER]%s",path);
}
if((j==0)&&(t==1))
{
strcpy(realname,"HKEY_CLASSES_ROOT");
strncat(realname,&path[k],sizeof(path)-k);
DbgPrint("[HKEY_CLASSES_ROOT]%s",path);
}
if(t==0)
{
strcpy(realname,"HKEY_USERS");
strncat(realname,&path[14],sizeof(path)-14);
DbgPrint("[HKEY_USER]%s",path);
}
}
else
{
judgeThird=strncmp("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001",path,61);
if(judgeThird==0)
{
strcpy(realname,"HKEY_CURRENT_CONFIG");
strncat(realname,&path[61],sizeof(path)-61);
DbgPrint("[HKEY_CURRENT_CONFIG]%s",path);
}
else
{
strcpy(realname,"HKEY_LOCAL_MACHINE");
strncat(realname,&path[17],sizeof(path)-17);
DbgPrint("[HKEY_LOCAL_MACHINE]%s",path);
}
}
strcpy(realpath,realname);
return TRUE;
}
//注册表根据KeyHandle得到键
BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
{
ULONG uactLength;
POBJECT_NAME_INFORMATIONpustr;
ANSI_STRING astr;
PVOID pObj;
NTSTATUS ns;
char pch[256]={0};
ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pObj, NULL );
if (!NT_SUCCESS(ns))
{
KdPrint(("111!\n"));
KdPrint(("0x%x\n",ns));
return FALSE;
}
pustr = ExAllocatePool(NonPagedPool,1024+4);
if (pObj==NULL||pch==NULL)
return FALSE;
ns = ObQueryNameString(pObj,pustr,512,&uactLength);
if (NT_SUCCESS(ns))
{
RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)pustr,TRUE);
strncpy(pch,astr.Buffer,256);
}
ExFreePool(pustr);
RtlFreeAnsiString( &astr );
if (pObj)
{
ObDereferenceObject(pObj);
}
StandardPrintHkey(pch,realpath);
return TRUE;
}
//UnicodeTochar
VOID UnicodeTochar(PUNICODE_STRING dst , char *src)
{
ANSI_STRING string;
RtlUnicodeStringToAnsiString(&string,dst, TRUE);
strcpy(src,string.Buffer);
RtlFreeAnsiString(&string);
}
//wcharTochar
VOID WcharToChar(PWCHAR src,PCHAR dst)
{
UNICODE_STRING uString;
ANSI_STRING aString;
RtlInitUnicodeString(&uString,src);
RtlUnicodeStringToAnsiString(&aString,&uString,TRUE);
strcpy(dst,aString.Buffer);
RtlFreeAnsiString(&aString);
}

复制代码

		自动登录	找回密码
密码			立即注册

龙马谷VIP会员办理客服QQ：82926983（如果临时会话没有收到回复，请先加QQ好友再发。）
1 [已完结] GG修改器新手入门与实战教程 31课	2 [已完结] GG修改器美化修改教程 6课	3 [已完结] GG修改器Lua脚本新手入门教程 12课
4 [已完结] 触动精灵脚本新手入门必学教程 22课	5 [已完结] 手游自动化脚本入门实战教程 9课	6 [已完结] C++射击游戏方框骨骼透视与自瞄教程 27课
7 [已完结] C++零基础UE4逆向开发FPS透视自瞄教程 29课	8 [已完结] C++零基础大漠模拟器手游自动化辅助教程 22课	9 [已完结] C++零基础开发DXF内存脚本辅助教程 32课

以下是天马阁VIP教程，本站与天马阁合作，赞助VIP可以获得天马阁对应VIP会员，名额有限！点击进入天马阁论坛
1 [已完结] x64CE与x64dbg入门基础教程 7课	2 [已完结] x64汇编语言基础教程 16课	3 [已完结] x64辅助入门基础教程 9课
4 [已完结] C++x64内存辅助实战技术教程 149课	5 [已完结] C++x64内存检测与过检测技术教程 10课	6 [已完结] C+x64二叉树分析遍历与LUA自动登陆教程 19课
7 [已完结] C++BT功能原理与x64实战教程 29课	8 [已完结] C+FPS框透视与自瞄x64实现原理及防护思路

进程、注册表路径 内核函数封装源码

浏览过的版块

进程、注册表路径内核函数封装源码