The Windows _EPROCESS (http://terminus.rewolf.pl/terminus/structures/ntdll/_EPROCESS_x64.html) structure has a field ImageFileName, declared as follows:
Using WinDbg:
ImageFileName : [15] UChar
So there is room for 15 characters.
How are process names longer than 15 characters stored?
Answer 0 (score: 4)
Look at the exported but undocumented API:
NTSTATUS
SeLocateProcessImageName(
__in PEPROCESS Process,
__deref_out PUNICODE_STRING *pImageFileName
)
/*++
Routine Description
This routine returns the ImageFileName information from the process, if available. This is a "lazy evaluation" wrapper
around SeInitializeProcessAuditName. If the image file name information has already been computed, then this call simply
allocates and returns a UNICODE_STRING with this information. Otherwise, the function determines the name, stores the name in the
EPROCESS structure, and then allocates and returns a UNICODE_STRING. Caller must free the memory returned in pImageFileName.
Arguments
Process - process for which to acquire the name
pImageFileName - output parameter to return name to caller
Return Value
NTSTATUS.
--*/
There is a member SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; in the EPROCESS structure (of course this structure is not public and is very volatile: it differs in every OS version):
struct SE_AUDIT_PROCESS_CREATION_INFO {
OBJECT_NAME_INFORMATION * ImageFileName;
};
OBJECT_NAME_INFORMATION is declared in wdm.h. But of course we cannot access SeAuditProcessCreationInfo directly, because the layout of EPROCESS is unknown. You can call SeLocateProcessImageName or NtQueryInformationProcess
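The practical consequence of the 15-byte field, as an added example that is not part of the question or the answer above: code that reads ImageFileName out of an _EPROCESS (a driver, or a forensic tool parsing a memory dump) must treat it as a bounded, possibly unterminated byte array, and must fall back to the full name (SeLocateProcessImageName / NtQueryInformationProcess) whenever the field is full. The truncation model below is an assumption based on the truncated names tools commonly display ("SearchIndexer.e" for SearchIndexer.exe): the final path component is copied into the 15 bytes, NUL-padded when shorter and simply cut when longer. The raw byte layout used here (PriorityClass immediately after ImageFileName) is likewise an assumption; check it for your build with dt nt!_EPROCESS. This is portable C so it runs anywhere; it does not touch a real _EPROCESS.

```c
#include <stdio.h>
#include <string.h>

/* sizeof(_EPROCESS.ImageFileName) as shown by WinDbg: [15] UChar */
#define EPROCESS_IMAGE_NAME_LEN 15

/* Hypothetical model of what ends up in ImageFileName: the final path
 * component of the image, copied into 15 bytes, NUL-padded when shorter and
 * cut without a terminator when it is 15 bytes or longer (assumption). */
void model_image_file_name(const char *image_path,
                           unsigned char out[EPROCESS_IMAGE_NAME_LEN])
{
    const char *base = strrchr(image_path, '\\');
    base = base ? base + 1 : image_path;
    size_t n = strlen(base);
    if (n > EPROCESS_IMAGE_NAME_LEN)
        n = EPROCESS_IMAGE_NAME_LEN;
    memset(out, 0, EPROCESS_IMAGE_NAME_LEN);
    memcpy(out, base, n);
}

/* Safe reader for the raw 15-byte field: never relies on a NUL terminator,
 * because a 15-byte name fills the field and the next byte belongs to a
 * different member. Returns the number of name bytes found (0..15). */
size_t read_image_file_name(const unsigned char field[EPROCESS_IMAGE_NAME_LEN],
                            char *dst, size_t dst_size)
{
    size_t n = 0;
    while (n < EPROCESS_IMAGE_NAME_LEN && field[n] != '\0')
        n++;
    if (dst_size == 0)
        return n;
    size_t copy = n < dst_size - 1 ? n : dst_size - 1;
    memcpy(dst, field, copy);
    dst[copy] = '\0';
    return n;
}

/* A full field cannot tell a 15-char name from a longer one: the caller must
 * go to SeLocateProcessImageName / ProcessImageFileName for the real name. */
int image_file_name_may_be_truncated(const unsigned char field[EPROCESS_IMAGE_NAME_LEN])
{
    return field[EPROCESS_IMAGE_NAME_LEN - 1] != '\0';
}

/* The anti-pattern: strlen()/strcmp() straight on the field. Constructed raw
 * bytes stand in for the region of _EPROCESS starting at ImageFileName:
 * 15 name bytes, then PriorityClass (assumed adjacent), then zero padding so
 * the overrun stays within this buffer. With a full name and a non-zero
 * PriorityClass, strlen() walks into the neighbouring member. */
size_t naive_strlen_on_field(const char *image_path, unsigned char priority_class)
{
    unsigned char raw[32] = {0};
    model_image_file_name(image_path, raw);          /* bytes 0..14 */
    raw[EPROCESS_IMAGE_NAME_LEN] = priority_class;   /* byte 15 */
    return strlen((const char *)raw);
}

int main(void)
{
    const char *paths[] = {
        "C:\\Windows\\notepad.exe",                    /* constructed */
        "C:\\Windows\\System32\\SearchIndexer.exe",    /* constructed */
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        unsigned char field[EPROCESS_IMAGE_NAME_LEN];
        char name[EPROCESS_IMAGE_NAME_LEN + 1];
        model_image_file_name(paths[i], field);
        size_t n = read_image_file_name(field, name, sizeof name);
        printf("%-45s field=\"%s\" (%zu bytes) full=%d naive_strlen=%zu\n",
               paths[i], name, n, image_file_name_may_be_truncated(field),
               naive_strlen_on_field(paths[i], 2 /* PriorityClass != 0 */));
    }
    return 0;
}
```

The rule this encodes: match on the 15-byte field only with a length-bounded comparison (and only when it is not full), and resolve the full image name through the documented process information path before making any security decision on a process name.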