
Get Process Full path Code

by WeZZ 2008. 10. 2.



DKOM 방식

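   char* ProcessNameByPid(IN ULONG Pid)
{
    /*
     * Look up the process for Pid, read its image-name object out of the
     * EPROCESS at a hard-coded XP offset, rewrite the leading
     * "\Device\HarddiskVolumeN" (presumed; not verified here) into a drive
     * letter and print the result with DbgPrint.
     *
     * Returns NULL on every path. The original returned the address of the
     * local FilePath buffer (commented out), which would dangle once the
     * function returned, so the path is only printed. Giving callers the
     * string needs an output buffer or a pool copy; the interface is left
     * as-is here.
     *
     * Fixes relative to the original: the EPROCESS reference taken by
     * PsLookupProcessByProcessId is released, the ANSI_STRING allocated by
     * RtlUnicodeStringToAnsiString is freed, the drive-letter index and the
     * FilePath length are bounds-checked, the counted Name string is
     * converted directly instead of assuming a NUL terminator, and the
     * "J"/"K" table entries get their missing colons.
     */
    enum {
        /* "XP 0x1f4": slot holding the POBJECT_NAME_INFORMATION on XP x86.
         * NOTE(review): EPROCESS layout changes per OS build; confirm against
         * the target build's symbols before relying on this. */
        XP_IMAGE_NAME_OFFSET = 0x1f4,
        /* Index of the volume digit, assuming a 22-char "\Device\HarddiskVolume" prefix. */
        VOLUME_DIGIT_INDEX = 22,
        /* First character after the volume digit. */
        PATH_TAIL_INDEX = 23
    };
    /* Volume ordinal (1-based digit) -> drive letter; a fixed mapping that
     * only holds when volumes were mounted in letter order. */
    static const char *const Dos[12] = {"C:","D:","E:","F:","G:","H:","I:","J:","K:","L:","M:","N:"};
    NTSTATUS status;
    ANSI_STRING ansi_filepath = {0};
    PEPROCESS pCurProcess = NULL;
    POBJECT_NAME_INFORMATION pObjNameInfo = NULL;
    PVOID *slot;
    char FilePath[256];
    int Index;
    size_t prefixLen;
    size_t tailLen;

    status = PsLookupProcessByProcessId((HANDLE)Pid, &pCurProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ProcessNameByPid: PsLookupProcessByProcessId(%lu) failed, status 0x%08X\n",
                 Pid, (unsigned)status);
        return NULL;
    }

    /* MmIsAddressValid only says the slot is mapped right now; it does not
     * prove the field at this offset is the image-name pointer on this build. */
    slot = (PVOID *)((PUCHAR)pCurProcess + XP_IMAGE_NAME_OFFSET);
    if (MmIsAddressValid(slot))
    {
        pObjNameInfo = (POBJECT_NAME_INFORMATION)*slot;
        if (pObjNameInfo != NULL && MmIsAddressValid(pObjNameInfo) && pObjNameInfo->Name.Buffer != NULL)
        {
            /* Convert the counted UNICODE_STRING directly: RtlInitUnicodeString
             * on Name.Buffer required a NUL terminator the object does not promise. */
            status = RtlUnicodeStringToAnsiString(&ansi_filepath, &pObjNameInfo->Name, TRUE);
            if (NT_SUCCESS(status))
            {
                /* Need at least one byte past the volume digit to have a tail. */
                if (ansi_filepath.Length > PATH_TAIL_INDEX)
                {
                    Index = ansi_filepath.Buffer[VOLUME_DIGIT_INDEX] - '1';
                    if (Index >= 0 && Index < (int)(sizeof Dos / sizeof Dos[0]))
                    {
                        prefixLen = strlen(Dos[Index]);
                        tailLen = (size_t)ansi_filepath.Length - PATH_TAIL_INDEX;
                        /* Copy by Length, not by strcat, so neither a missing NUL
                         * nor a long path can run past FilePath. */
                        if (prefixLen + tailLen < sizeof FilePath)
                        {
                            RtlCopyMemory(FilePath, Dos[Index], prefixLen);
                            RtlCopyMemory(FilePath + prefixLen, &ansi_filepath.Buffer[PATH_TAIL_INDEX], tailLen);
                            FilePath[prefixLen + tailLen] = '\0';
                            DbgPrint("%s \n", FilePath);
                        }
                        else
                        {
                            DbgPrint("ProcessNameByPid: image path does not fit in %u bytes, skipped\n",
                                     (unsigned)sizeof FilePath);
                        }
                    }
                }
                RtlFreeAnsiString(&ansi_filepath);
            }
        }
    }

    /* PsLookupProcessByProcessId returned a referenced object. */
    ObDereferenceObject(pCurProcess);
    return NULL;
}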


NativeApi 사용

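char *GProcessName(
       char *pProcessName, ///< output buffer of at least MAXPROCNAMELEN bytes; receives the image file name without its path
       BOOLEAN * Check  ///< set to TRUE when pProcessName was filled, FALSE on any failure
       )
{
    /*
     * Query the current process's image path with ZwQueryInformationProcess
     * (ProcessImageFileName), take the component after the last '\\', convert
     * it to ANSI and copy it into pProcessName (NUL-terminated, at most
     * MAXPROCNAMELEN-1 bytes). Always returns pProcessName; *Check reports
     * success.
     *
     * Fixes relative to the original: *Check is initialised to FALSE so a
     * caller never reads an unset flag; the last '\\' is searched in the
     * returned UNICODE_STRING's Buffer by its Length rather than by running
     * wcsrchr over the UNICODE_STRING header and relying on a NUL; the
     * unbounded swprintf into a 50-element stack array is replaced by a
     * counted view of the basename, so a long image name cannot overrun the
     * stack; the query is given the real 400-byte buffer size; cbRet is the
     * ULONG the API expects; the unused ntCpro and the redundant nested
     * Length test are dropped.
     */
    enum { IMAGE_BUF_CHARS = 200 };
    NTSTATUS ntStatus;
    ANSI_STRING Temp = {0, };
    UNICODE_STRING uBaseName;        /* counted view onto the last path component */
    UNICODE_STRING *pImage;          /* header that ProcessImageFileName writes at the start of buf */
    unsigned short *buf = NULL;
    unsigned short *base = NULL;
    ULONG cbRet = 0;
    ULONG nChars;
    ULONG i;
    ULONG copyLen;

    /* Default to failure so every early return leaves a defined flag. */
    *Check = FALSE;
    RtlZeroMemory(pProcessName, MAXPROCNAMELEN);

    /* NOTE(review): _POOL_TAG is a reserved identifier (leading underscore +
     * uppercase); it is defined elsewhere in this file, so it is kept here. */
    buf = (unsigned short *)ExAllocatePoolWithTag(NonPagedPool, sizeof(unsigned short) * IMAGE_BUF_CHARS, _POOL_TAG);
    if (!buf)
    {
        return pProcessName;
    }
    RtlZeroMemory(buf, sizeof(unsigned short) * IMAGE_BUF_CHARS);

    /* ProcessImageFileName returns a UNICODE_STRING followed by its characters.
     * Pass the full allocation size; the original passed 200 for a 400-byte buffer. */
    ntStatus = ZwQueryInformationProcess(NtCurrentProcess(),
                                         ProcessImageFileName,
                                         buf, sizeof(unsigned short) * IMAGE_BUF_CHARS,
                                         &cbRet);
    if (ntStatus != STATUS_SUCCESS)
    {
        goto out;
    }

    pImage = (UNICODE_STRING *)buf;
    if (pImage->Length == 0 || pImage->Buffer == NULL)
    {
        goto out;
    }

    /* Walk back to the last '\\' within Length; the buffer is not assumed NUL-terminated. */
    nChars = pImage->Length / sizeof(unsigned short);
    for (i = nChars; i > 0; i--)
    {
        if (pImage->Buffer[i - 1] == L'\\')
        {
            base = &pImage->Buffer[i];
            break;
        }
    }
    if (base == NULL)
    {
        /* As in the original: no separator means no name is produced. */
        goto out;
    }

    uBaseName.Buffer = base;
    uBaseName.Length = (USHORT)((nChars - (ULONG)(base - pImage->Buffer)) * sizeof(unsigned short));
    uBaseName.MaximumLength = uBaseName.Length;

    ntStatus = RtlUnicodeStringToAnsiString(&Temp, &uBaseName, TRUE);
    if (ntStatus == STATUS_SUCCESS && Temp.Buffer)
    {
        /* pProcessName was zeroed above, so copying at most MAXPROCNAMELEN-1 bytes keeps it terminated. */
        copyLen = (Temp.Length > MAXPROCNAMELEN - 1) ? MAXPROCNAMELEN - 1 : Temp.Length;
        RtlCopyMemory(pProcessName, Temp.Buffer, copyLen);
        RtlFreeAnsiString(&Temp);
        *Check = TRUE;
    }

out:
    ExFreePoolWithTag(buf, _POOL_TAG);
    return pProcessName;
}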