How to get current process image path from mini-filter kernel driver?

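I want to get the current process path in my mini-filter kernel driver. I can get the current process with PEPROCESS peProcess = IoGetCurrentProcess(), and I can get the full process file name (including the path) with ZwQueryInformationProcess. But I only want the path (without the file name). I am using Visual Studio 2019 and the latest SDK/WDK.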

Maybe something like this:

ZwCreateFile(DesiredAccess=FILE_READ_ATTRIBUTES) → file handle

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatefile

ZwQueryInformationFile(FileInformationClass=FileNameInformation) → FILE_NAME_INFORMATION structure

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile

"If the full path and file name are returned, the string will begin with a single backslash, regardless of its location. Thus the file C:\dir1\dir2\filename.ext will appear as \dir1\dir2\filename.ext"

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile#remarks

(Then strip the leaf file name by finding the last backslash.)

ZwClose(handle)

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwclose