通过进程ID得到进程名

在内核中，通过进程ID，得到进程名称，有多种方法。

我使用了两种方法，第一种是使用ZwOpeProcess得到句柄

然后ObReferenceObjectByHandle函数得到PEPROCESS结构，然后

char *ProcessName = (char*)EProcess + 0x174;

第二种方法是得到PEPROCESS结构之后，使用PsGetProcessImageFileName函数得到进程名。

具体代码如下：

#include<ntddk.h>
#include<wdm.h>

UCHAR* PsGetProcessImageFileName(PEPROCESS Process);

NTSTATUS Unload(IN PDRIVER_OBJECT  DriverObject)
{
DbgPrint("驱动已经卸载/n");
}

void GetProcessName(ULONG dwPid)
{
HANDLE ProcessHandle;
NTSTATUS status;
OBJECT_ATTRIBUTES  ObjectAttributes;
CLIENT_ID myCid;
PEPROCESS EProcess;

InitializeObjectAttributes(&ObjectAttributes,0,0,0,0);

myCid.UniqueProcess = (HANDLE)dwPid;
myCid.UniqueThread = 0;

//打开进程，获取句柄
status = ZwOpenProcess (&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&myCid);
if (!NT_SUCCESS(status))
{
DbgPrint("打开进程出错/n");
return;
}

//得到EPROCESS，结构中取进程名
status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,0,KernelMode,&EProcess, 0);
if (status == STATUS_SUCCESS)
{
char *ProcessName = (char*)EProcess + 0x174;
char *PsName = PsGetProcessImageFileName(EProcess);

DbgPrint("ProcessName is %s/n",ProcessName);
DbgPrint("PsName is %s/n",PsName);

ZwClose(ProcessHandle);
}
else
{
DbgPrint("Get ProcessName error");
}
}

NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT  DriverObject,
IN PUNICODE_STRING  RegistryPath
)
{
DbgPrint("驱动已经加载了/n");
GetProcessName(2044);
DriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}