Subj. I'm hooking ZwResumeThread; PsGetCurrentProcess gives me the ID. Now, how do I determine the process name from the ID in the kernel?
Based on info from FOUR-F, what would we do without him... ))) Code (Text):

UNICODE_STRING GetFullProcessName(HANDLE PID)
{
    PEPROCESS proc;
    PSECTION Section;
    PSEGMENT Segment;
    PCONTROL_AREA ControlArea;
    PFILE_OBJECT FileObject = NULL;
    UNICODE_STRING empty = { 0, 0, NULL };

    // Takes a reference on the EPROCESS; it must be released with ObDereferenceObject
    if (!NT_SUCCESS(PsLookupProcessByProcessId(PID, &proc)))
        return empty;

    if (proc->SectionObject)
    {
        // Walk from the image section down to the file object backing it
        Section = proc->SectionObject;
        Segment = Section->Segment;
        ControlArea = Segment->ControlArea;
        FileObject = ControlArea->FilePointer;
        // FileName.Buffer is not guaranteed to be NUL-terminated, so use %wZ
        if (FileObject)
            DbgPrint("Section FileName: %wZ\n", &FileObject->FileName);
    }
    ObDereferenceObject((PVOID)proc);

    // The string buffer belongs to the FILE_OBJECT, not to the caller:
    // copy it before the process (and its section) can go away
    return FileObject ? FileObject->FileName : empty;
}
As an alternative. Code (Text):

NTSTATUS GetProcessList(ULONG Id)
{
    ULONG Buffer = 0x8000;
    LPVOID pBuffer = NULL;
    NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
    char ProcName[256];
    PSYSTEM_PROCESS_INFORMATION ProcInfo;

    // Grow the buffer until the whole process snapshot fits
    do
    {
        pBuffer = ExAllocatePool(NonPagedPool, Buffer);
        if (pBuffer == NULL)
        {
            DbgPrint("Error! ExAllocate!");
            return status;
        }
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, Buffer, NULL);
        if (status == STATUS_INFO_LENGTH_MISMATCH)
        {
            ExFreePool(pBuffer);
            Buffer *= 2;
        }
        else if (!NT_SUCCESS(status))
        {
            ExFreePool(pBuffer);
            return status;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    // Walk the variable-length entries via NextEntryDelta; 0 marks the last one
    ProcInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    for (;;)
    {
        LPWSTR szProcessName = ProcInfo->ProcessName.Buffer;
        if (ProcInfo->ProcessId == Id)
        {
            // The idle process has a NULL name, and the buffer is not assumed
            // to be NUL-terminated, so bound the copy by Length (in bytes)
            ULONG n = 0;
            if (szProcessName != NULL)
            {
                ULONG i;
                n = ProcInfo->ProcessName.Length / sizeof(WCHAR);
                if (n > sizeof(ProcName) - 1)
                    n = sizeof(ProcName) - 1;
                for (i = 0; i < n; i++)
                    ProcName[i] = (char)szProcessName[i];
            }
            ProcName[n] = '\0';
            DbgPrint("Process found!");
            DbgPrint("Process: %s", ProcName);
            break;
        }
        if (ProcInfo->NextEntryDelta == 0)
        {
            break;
        }
        ProcInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)ProcInfo) + ProcInfo->NextEntryDelta);
    }
    ExFreePool(pBuffer);
    return status;
}