How are long process names stored in _EPROCESS
The windows _EPROCESS (http://terminus.rewolf.pl/terminus/structures/ntdll/_EPROCESS_x64.html) structure has a field ImageFileName, declared as follows:
Using WinDbg:
ImageFileName : [15] UChar
So there is space for 15 characters.
How are process names longer than 15 characters stored?
Look at the exported but undocumented API:
NTSTATUS
SeLocateProcessImageName(
__in PEPROCESS Process,
__deref_out PUNICODE_STRING *pImageFileName
)
/*++
Routine Description
This routine returns the ImageFileName information from the process, if available. This is a "lazy evaluation" wrapper
around SeInitializeProcessAuditName. If the image file name information has already been computed, then this call simply
allocates and returns a UNICODE_STRING with this information. Otherwise, the function determines the name, stores the name in the
EPROCESS structure, and then allocates and returns a UNICODE_STRING. Caller must free the memory returned in pImageFileName.
Arguments
Process - process for which to acquire the name
pImageFileName - output parameter to return name to caller
Return Value
NTSTATUS.
--*/
In the EPROCESS structure there is the member SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
(of course this structure is not public and is very volatile - it differs in every OS version)
struct SE_AUDIT_PROCESS_CREATION_INFO {
OBJECT_NAME_INFORMATION * ImageFileName;
};
OBJECT_NAME_INFORMATION is declared in wdm.h. But of course we cannot directly access SeAuditProcessCreationInfo because the layout of EPROCESS is unknown. You can call SeLocateProcessImageName or NtQueryInformationProcess.
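As an added example (not part of the original question or answer), this takes the user-mode route the answer names: NtQueryInformationProcess with the ProcessImageFileName class (27), called from PowerShell via P/Invoke, and lists the processes whose image name exceeds the 15-byte EPROCESS.ImageFileName array. The class value and the UNICODE_STRING layout come from the public NtQueryInformationProcess documentation; the NtProc class name and the fixed 64 KiB buffer are choices made here.

```powershell
# Added example, not from the original Q&A: full NT image path via NtQueryInformationProcess(27).
$src = @'
using System;
using System.Runtime.InteropServices;
public static class NtProc
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // in bytes, no terminator included
        public ushort MaximumLength;
        public IntPtr Buffer;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        IntPtr ProcessInformation, int ProcessInformationLength,
        out int ReturnLength);
    // Class 27 (ProcessImageFileName) returns a UNICODE_STRING header followed by its
    // buffer, holding the image path in NT device form, e.g. \Device\HarddiskVolume3\...
    public static string GetImageFileName(IntPtr hProcess)
    {
        int size = 16 + 65536;                // header + room for the longest NT path
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            int status = NtQueryInformationProcess(hProcess, 27, buf, size, out size);
            if (status != 0)                  // NTSTATUS other than STATUS_SUCCESS
                throw new InvalidOperationException("NtQueryInformationProcess: 0x" + status.ToString("X8"));
            var us = (UNICODE_STRING)Marshal.PtrToStructure(buf, typeof(UNICODE_STRING));
            return Marshal.PtrToStringUni(us.Buffer, us.Length / 2);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $src

foreach ($p in Get-Process) {
    try   { $full = [NtProc]::GetImageFileName($p.Handle) }
    catch { continue }                        # no handle rights (protected or other-user process)
    $leaf = Split-Path -Leaf $full
    if ($leaf.Length -gt 15) {
        # Only the first 15 characters fit the [15] UChar ImageFileName array; the rest is not stored there
        "{0,6}  {1,-15}  {2}" -f $p.Id, $leaf.Substring(0, 15), $full
    }
}
```

Compare the middle column with the ImageFileName shown by `!process 0 0` in WinDbg for the same PIDs; the full path is only obtainable through the query (or SeLocateProcessImageName in kernel mode), never from the 15-byte field.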