Look for exported but undocumented APIs:
    NTSTATUS
    SeLocateProcessImageName(
        __in PEPROCESS Process,
        __deref_out PUNICODE_STRING *pImageFileName
        )
    /*++
    Routine Description
        This routine returns the ImageFileName information from the process, if available. This is a "lazy evaluation" wrapper
        around SeInitializeProcessAuditName. If the image file name information has already been computed, then this call simply
        allocates and returns a UNICODE_STRING with this information. Otherwise, the function determines the name, stores the name in the
        EPROCESS structure, and then allocates and returns a UNICODE_STRING. Caller must free the memory returned in pImageFileName.
    Arguments
        Process - process for which to acquire the name
        pImageFileName - output parameter to return name to caller
    Return Value
        NTSTATUS.
    --*/
Inside the EPROCESS structure there is a member

    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

(of course, this structure is not public and is highly unstable: it differs in every OS version)
    struct SE_AUDIT_PROCESS_CREATION_INFO {
        OBJECT_NAME_INFORMATION *ImageFileName;
    };
OBJECT_NAME_INFORMATION is declared in wdm.h. But of course we cannot access SeAuditProcessCreationInfo directly, because the layout of EPROCESS is unknown. You can call SeLocateProcessImageName or NtQueryInformationProcess