注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

从C开始

 
 
 

日志

 
 

几个有用的函数  

2011-05-12 09:22:29|  分类: 驱动编程 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |
看雪竹君兄原创

//依据EPROCESS得到进程全路径
extern VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName );

//得到当前调用函数的进程信息
extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);

//路径解析出子进程名
extern VOID GetSonName( PCHAR ProcessPath, PCHAR ProcessName );

//根据SectionHandle得到进程全路径
extern VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName);

//根据ProcessHandle得到进程全路径
extern VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid );

//FileObject得到进程全路径
extern VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName);

//KeyHandle得到注册表全路径
extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);

//
extern VOID UnicodeTochar(PUNICODE_STRING dst , char *src);
//
extern VOID WcharToChar(PWCHAR src,PCHAR dst);

代码:


extern POBJECT_TYPE *PsProcessType;

NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
              PEPROCESS Process);

NTKERNELAPI 
NTSTATUS
ObQueryNameString(
          IN  PVOID Object,
          OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
          IN  ULONG Length,
          OUT PULONG ReturnLength);

//路径解析出子进程名
VOID  GetSonName( char *ProcessPath, char *ProcessName )
{
  ULONG n = strlen( ProcessPath) - 1;
  ULONG i = n;
  //KdPrint(("%d",n));
  while( ProcessPath[i] != '\\')
  {
    i = i-1;
  }
  strncpy( ProcessName,ProcessPath+i+1,n-i);
}

//依据EPROCESS得到进程全路径
VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName )
{
  //原理Eprocess->sectionobject(0x138)->Segment(0x014)->ControlAera(0x000)->FilePointer(0x024)->(FileObject->FileName,FileObject->DeviceObject)
  ULONG object;
  PFILE_OBJECT FileObject;
  UNICODE_STRING FilePath; 
  UNICODE_STRING DosName; 
  STRING AnsiString; 

  FileObject = NULL; 
  FilePath.Buffer = NULL; 
  FilePath.Length = 0; 
  *ProcessImageName = 0;  
  
  if(MmIsAddressValid((PULONG)(eprocess+0x138)))//Eprocess->sectionobject(0x138)
  {
    object=(*(PULONG)(eprocess+0x138));
        //KdPrint(("[GetProcessFileName] sectionobject :0x%x\n",object));
    if(MmIsAddressValid((PULONG)((ULONG)object+0x014)))
    {
      object=*(PULONG)((ULONG)object+0x014);
      //KdPrint(("[GetProcessFileName] Segment :0x%x\n",object));
      if(MmIsAddressValid((PULONG)((ULONG)object+0x0)))
      {
        object=*(PULONG)((ULONG_PTR)object+0x0);
        //KdPrint(("[GetProcessFileName] ControlAera :0x%x\n",object));
        if(MmIsAddressValid((PULONG)((ULONG)object+0x024)))
        {
          object=*(PULONG)((ULONG)object+0x024);
          //KdPrint(("[GetProcessFileName] FilePointer :0x%x\n",object));
        }
        else
          return ;
      }
      else
        return ;
    }
    else
      return ;
  }
  else
    return ;
    FileObject=(PFILE_OBJECT)object;

  FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
  FilePath.MaximumLength = 0x200; 
    //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
  ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1,操作对象
  
  RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  ObDereferenceObject(FileObject); 
   
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); 
  if ( AnsiString.Length >= 216 ) 
  { 
    memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
    *(ProcessImageName + 215) = 0; 
  } 
  else 
  { 
    memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
    ProcessImageName[AnsiString.Length] = 0; 
  } 
  RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); 
}


//
VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
{
  PEPROCESS Cprocess;
  Cprocess = PsGetCurrentProcess();
  *pid = *(PULONG)((ULONG)Cprocess+0x84);
  strcpy(name ,PsGetProcessImageFileName(Cprocess));
  GetFullPathByEprocess((ULONG)Cprocess,path);
}


//根据SectionHandle得到进程全路径
VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName )
  PVOID SectionObject;
  PFILE_OBJECT FileObject;
  UNICODE_STRING FilePath; 
  UNICODE_STRING DosName; 
  NTSTATUS Status;
  STRING AnsiString; 
  
  SectionObject = NULL; 
  FileObject = NULL; 
  FilePath.Buffer = NULL; 
  FilePath.Length = 0; 
  *ProcessImageName = 0; 
  Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL); 
  
  if ( NT_SUCCESS(Status) ) 
  { 
    FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
    FilePath.MaximumLength = 0x200; 
    FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
    FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
    FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
    ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); 
    RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
    RtlCopyUnicodeString(&FilePath, &DosName); 
    RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
    ObDereferenceObject(FileObject); 
    ObDereferenceObject(SectionObject); 
    RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); 
    if ( AnsiString.Length >= 216 ) 
    { 
      memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
      *(ProcessImageName + 215) = 0; 
    } 
    else 
    { 
      memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
      ProcessImageName[AnsiString.Length] = 0; 
    } 
    RtlFreeAnsiString(&AnsiString); 
    ExFreePool(DosName.Buffer); 
    ExFreePool(FilePath.Buffer); 
  } 


//根据ProcessHandle得到EPROCESS  然后得到进程全路径
VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid )
{
  NTSTATUS status;
  PVOID ProcessObject;
  ULONG eprocess;

  status = ObReferenceObjectByHandle( ProcessHandle ,0,*PsProcessType,KernelMode, &ProcessObject, NULL);
  if(!NT_SUCCESS(status))   //失败
  {
    DbgPrint("Object Error");
    KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n",status));
    return;
  }
  //KdPrint(("[GetTerminateProcessPath] Eprocess :0x%x\n",(ULONG)ProcessObject));
  //Object转换成EPROCESS: object低二位清零
  eprocess = ((ULONG)ProcessObject) & 0xFFFFFFFC;
  *pid = *(PULONG)((ULONG)eprocess+0x84); 
  ObDereferenceObject(ProcessObject);
  GetFullPathByEprocess( eprocess ,ProcessImageName);
}


//根据FileObject得到全路径
VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName)
{

  UNICODE_STRING FilePath; 
  UNICODE_STRING DosName; 
  STRING AnsiString; 

  FilePath.Buffer = NULL; 
  FilePath.Length = 0; 
  *ProcessImageName = 0;  

  FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
  FilePath.MaximumLength = 0x200; 
    //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
  ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1,操作对象
  
  RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); 
  RtlCopyUnicodeString(&FilePath, &DosName); 
  RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); 
  ObDereferenceObject(FileObject); 
   
  RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); 
  if ( AnsiString.Length >= 216 ) 
  { 
    memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); 
    *(ProcessImageName + 215) = 0; 
  } 
  else 
  { 
    memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); 
    ProcessImageName[AnsiString.Length] = 0; 
  } 
  RtlFreeAnsiString(&AnsiString); 
  ExFreePool(DosName.Buffer); 
  ExFreePool(FilePath.Buffer); 
}


//解析注册表路径
BOOLEAN StandardPrintHkey(char * path,char *realpath)
{

  int judgeTop;
  int judgeSecond;
  int judgeThird;
  int  i;
  int j;
  int t;
  int k;
  int lencur;
  char realname[255]={0};
  j=0;
  k=0;
  t=0;
  judgeTop=strncmp("\\REGISTRY\\USER",path,14);

  if(judgeTop==0)
  {
  
        lencur=strlen(path);
        for(i=0;i<lencur;i++)
        { 
          if(path[i]=='-')
          {  
          if(path[i+1]=='5')
          {  
            if(path[i+2]=='0')
            {  
              if(path[i+3]=='0')
              {  if(path[i+4]=='_')
                {
                k=i+12;
                t=1;
                }  
                else
                {  
                j=i+4;
                t=1;
                }  
              }
            }
          }
          }
        }

        DbgPrint("[j]%d\n",j);
        DbgPrint("[k]%d\n",k);
        if((k==0)&&(t==1))
        {
        strcpy(realname,"HKEY_CURRENT_USER");
        strncat(realname,&path[j],sizeof(path)-j);
        DbgPrint("[HKEY_CURRENT_USER]%s",path);
        }
        if((j==0)&&(t==1))
        {
        strcpy(realname,"HKEY_CLASSES_ROOT");
        strncat(realname,&path[k],sizeof(path)-k);
        DbgPrint("[HKEY_CLASSES_ROOT]%s",path);
        }
        if(t==0)
        {
        strcpy(realname,"HKEY_USERS");
        strncat(realname,&path[14],sizeof(path)-14);
        DbgPrint("[HKEY_USER]%s",path);
        }
  }
  else
  {
    judgeThird=strncmp("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001",path,61);
    if(judgeThird==0)
    {
      strcpy(realname,"HKEY_CURRENT_CONFIG");
      strncat(realname,&path[61],sizeof(path)-61);
      DbgPrint("[HKEY_CURRENT_CONFIG]%s",path);
    }
    else
    {
  
    
      strcpy(realname,"HKEY_LOCAL_MACHINE");
      strncat(realname,&path[17],sizeof(path)-17);
      DbgPrint("[HKEY_LOCAL_MACHINE]%s",path);

  
    }
  }
 strcpy(realpath,realname);
 return TRUE;


//注册表根据KeyHandle得到键
BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)  
{

  ULONG uactLength;
  POBJECT_NAME_INFORMATION  pustr;
  ANSI_STRING astr;
  PVOID pObj;
  NTSTATUS ns;
  char pch[256]={0};
  ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pObj, NULL );
  if (!NT_SUCCESS(ns))
  {
    KdPrint(("111!\n"));
    KdPrint(("0x%x\n",ns));
    return FALSE;
  }
  pustr = ExAllocatePool(NonPagedPool,1024+4);

  if (pObj==NULL||pch==NULL)
    return FALSE;

  ns = ObQueryNameString(pObj,pustr,512,&uactLength);

  if (NT_SUCCESS(ns))
  {
    RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)pustr,TRUE);
    strncpy(pch,astr.Buffer,256);
  }
  ExFreePool(pustr);
  RtlFreeAnsiString( &astr );
  if (pObj)
  {
    ObDereferenceObject(pObj);
  }
  StandardPrintHkey(pch,realpath);
  return TRUE;
}


//UnicodeTochar
VOID UnicodeTochar(PUNICODE_STRING dst , char *src)
{
  ANSI_STRING string;
  RtlUnicodeStringToAnsiString(&string,dst, TRUE); 
  strcpy(src,string.Buffer);
  RtlFreeAnsiString(&string); 
}


//wcharTochar
VOID WcharToChar(PWCHAR src,PCHAR dst)
{
  UNICODE_STRING uString;
  ANSI_STRING aString;
  RtlInitUnicodeString(&uString,src);
  RtlUnicodeStringToAnsiString(&aString,&uString,TRUE); 
  strcpy(dst,aString.Buffer);
  RtlFreeAnsiString(&aString); 
}
  评论这张
 
阅读(1491)| 评论(0)
推荐 转载

历史上的今天

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2018