[求助]Hook ZwSetInformationFile 获得文件名-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
TGOS 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 69 粉丝 0 关注私信	TGOS 2 楼 // 返回类似于C:\WINDOWS\Explorer.exe (ANSI) PVOID SectionObject; PFILE_OBJECT FileObject; UNICODE_STRING FilePath; UNICODE_STRING DosName; NTSTATUS Status; STRING AnsiString; SectionObject = NULL; FileObject = NULL; FilePath.Buffer = NULL; FilePath.Length = 0; ProcessImageName = 0; Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL); if ( NT_SUCCESS(Status) ) { FilePath.Buffer = ExAllocatePool(PagedPool,0x200); FilePath.MaximumLength = 0x200; FileObject = (PFILE_OBJECT)(((ULONG )SectionObject + 5)); // PSEGMENT FileObject = (PFILE_OBJECT )FileObject; // CONTROL_AREA FileObject = (PFILE_OBJECT )((ULONG)FileObject + 36); // FILE_OBJECT ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); RtlCopyUnicodeString(&FilePath, &DosName); RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); ObDereferenceObject(FileObject); ObDereferenceObject(SectionObject); RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); if ( AnsiString.Length >= 256 ) { memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); (ProcessImageName + 255) = 0; } else { memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); ProcessImageName[AnsiString.Length] = 0; } .............(ProcessImageName 就是了) 2008-8-13 22:05 0
combojiang 雪币： 321 活跃值： (275) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 60 关注私信	combojiang 26 3 楼 RtlVolumeDeviceToDosName 2008-8-13 22:23 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 4 楼 2楼那不是炉子写的吗？ 2008-8-14 10:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
TGOS 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 69 粉丝 0 关注私信	TGOS 2 楼 // 返回类似于C:\WINDOWS\Explorer.exe (ANSI) PVOID SectionObject; PFILE_OBJECT FileObject; UNICODE_STRING FilePath; UNICODE_STRING DosName; NTSTATUS Status; STRING AnsiString; SectionObject = NULL; FileObject = NULL; FilePath.Buffer = NULL; FilePath.Length = 0; ProcessImageName = 0; Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL); if ( NT_SUCCESS(Status) ) { FilePath.Buffer = ExAllocatePool(PagedPool,0x200); FilePath.MaximumLength = 0x200; FileObject = (PFILE_OBJECT)(((ULONG )SectionObject + 5)); // PSEGMENT FileObject = (PFILE_OBJECT )FileObject; // CONTROL_AREA FileObject = (PFILE_OBJECT )((ULONG)FileObject + 36); // FILE_OBJECT ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode); RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName); RtlCopyUnicodeString(&FilePath, &DosName); RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName); ObDereferenceObject(FileObject); ObDereferenceObject(SectionObject); RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE); if ( AnsiString.Length >= 256 ) { memcpy(ProcessImageName, AnsiString.Buffer, 0x100u); (ProcessImageName + 255) = 0; } else { memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length); ProcessImageName[AnsiString.Length] = 0; } .............(ProcessImageName 就是了) 2008-8-13 22:05 0
combojiang 雪币： 321 活跃值： (275) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 60 关注私信	combojiang 26 3 楼 RtlVolumeDeviceToDosName 2008-8-13 22:23 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 4 楼 2楼那不是炉子写的吗？ 2008-8-14 10:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复