读进程错误

#pragma once
#include <windows.h>
#include <iostream>
using namespace std;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
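/// Counted UTF-16 string as used by the native (ntdll) APIs.
/// Per the Windows SDK, Length and MaximumLength count BYTES, not WCHARs,
/// and Buffer is not guaranteed to be NUL-terminated -- any copy into a
/// WCHAR array has to convert the unit and terminate the result itself.
/// When read out of another process (see GetProcessFullPathByProcessID),
/// Buffer is an address in that process and is not dereferenceable locally.
typedef struct _UNICODE_STRING
{
    UINT16 Length;        // bytes in use at Buffer
    UINT16 MaximumLength; // bytes allocated at Buffer
    PWCHAR Buffer;        // may be NULL
} UNICODE_STRING, *PUNICODE_STRING; // was "PUNICODE_STRING" (a second struct alias); the P-name is the pointer type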
/// 32-bit (x86) layout of the leading members of the native
/// RTL_USER_PROCESS_PARAMETERS block that PEB_X86::ProcessParameters points to.
/// Only the members up to CommandLine are declared, so sizeof() of this type is
/// the size of that prefix, not of the whole native block.
/// NOTE(review): the member offsets must match the target's ntdll layout for a
/// ReadProcessMemory copy to be meaningful -- not verified here.
struct _RTL_USER_PROCESS_PARAMETERS_X86
{
    UINT32 MaximumLength;
    UINT32 Length;
    UINT32 Flags;
    UINT32 DebugFlags;
    PVOID ConsoleHandle;
    UINT32 ConsoleFlags;
    PVOID StandardInput;
    PVOID StandardOutput;
    PVOID StandardError;
    ULONG32 CurrentDirectory[3];  // kept opaque: three 32-bit words
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName; // full image path; the member GetProcessFullPathByProcessID copies out
    UNICODE_STRING CommandLine;
};
using RTL_USER_PROCESS_PARAMETERS_X86 = _RTL_USER_PROCESS_PARAMETERS_X86;
using PRTL_USER_PROCESS_PARAMETERS_X86 = _RTL_USER_PROCESS_PARAMETERS_X86*;
/// 32-bit (x86) layout of the leading members of the Process Environment Block.
/// Only the members up to ProcessParameters are declared; reading sizeof(PEB_X86)
/// bytes from the target copies just this prefix. With 4-byte pointers the
/// ProcessParameters member sits at offset 0x10 (4 x UINT8 + 3 x PVOID).
/// NOTE(review): a 64-bit target has a different PEB layout that this header
/// does not describe.
struct _PEB_X86
{
    UINT8 InheritedAddressSpace;
    UINT8 ReadImageFileExecOptions;
    UINT8 BeingDebugged;
    UINT8 BitField;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PVOID Ldr;
    PRTL_USER_PROCESS_PARAMETERS_X86 ProcessParameters; // address in the target process, not dereferenceable locally
};
using PEB_X86 = _PEB_X86;
using PPEB_X86 = _PEB_X86*;
 
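// Select the PEB layout matching the build architecture.
// _WIN32 is defined for ALL Windows targets, 64-bit ones included, so the
// original "#ifdef _WIN32 ... #else (X64)" could never choose the 64-bit
// branch: a 64-bit build silently used the 32-bit layouts (and PEB_X64 /
// PPEB_X64 are not defined in this header at all). Fail at compile time
// instead of misreading the target's memory.
#if defined(_WIN64)
#error "PEB_X64 / RTL_USER_PROCESS_PARAMETERS_X64 are not defined in this header; only 32-bit targets are supported"
#elif defined(_WIN32)
#define RTL_USER_PROCESS_PARAMETERS RTL_USER_PROCESS_PARAMETERS_X86
#define PPEB PPEB_X86
#define PEB PEB_X86
#else
// Non-Windows branch kept as written: it names types this header does not define.
#define PPEB PPEB_X64
#define PEB PEB_X64
#endif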
 
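/// Output buffer of NtQueryInformationProcess(ProcessBasicInformation).
/// AffinityMask and the two process ids are pointer-sized in the SDK's
/// winternl.h declaration; declaring them ULONG_PTR instead of ULONG is
/// identical on x86 and keeps the later members at the right offsets on a
/// 64-bit build, where a 4-byte ULONG would shift them.
typedef struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;                    // address of the PEB *in the target process*; copy it out with ReadProcessMemory
    ULONG_PTR AffinityMask;
    LONG BasePriority;                      // KPRIORITY
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId; // parent process id
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;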
 
// Information classes accepted by NtQueryInformationProcess.
// The enumerator ORDER defines the numeric class values the kernel expects, so
// entries must not be inserted, removed or reordered. This file only queries
// ProcessBasicInformation (value 0).
typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation, // 0 -- fills a PROCESS_BASIC_INFORMATION
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers, // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessResourceManagement,
    ProcessCookie,
    ProcessImageInformation,
    MaxProcessInfoClass // sentinel, not a valid class
} PROCESSINFOCLASS;
/// Signature of ntdll!NtQueryInformationProcess. The function is resolved at
/// run time with GetProcAddress (this project links only Kernel32 and Psapi).
/// The result is an NTSTATUS: check it with NT_SUCCESS, not against 0.
using pfnNtQueryInformationProcess = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle,                     // in
    PROCESSINFOCLASS ProcessInformationClass, // in
    PVOID ProcessInformation,                 // out: caller-supplied buffer
    UINT32 ProcessInformationLength,          // in: size of that buffer in bytes
    PUINT32 ReturnLength);                    // out: bytes needed/written (optional in the native API)
/// Reads the image path of the process with id ProcessID into BufferData.
/// Returns FALSE if the process cannot be opened with
/// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, if NtQueryInformationProcess
/// cannot be resolved or fails, or if a ReadProcessMemory of the PEB or of the
/// path fails; TRUE otherwise.
/// NOTE(review): the definition compares BufferLegnth against
/// UNICODE_STRING::Length (a byte count) and passes it to ReadProcessMemory as
/// bytes, while main() passes MAX_PATH for a WCHAR[MAX_PATH] buffer (an
/// element count) -- the unit of BufferLegnth needs to be pinned down.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth);

  

// testprocessid.cpp : Defines the entry point for the console application.
//
 
#include "stdafx.h"
#include "processstruct.h"
#include <iostream>
#include <windows.h>
#include <string>
using namespace std;
#include <direct.h>
#include <process.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <psapi.h>
#pragma comment(lib,"Kernel32.lib")
#pragma comment(lib,"Psapi.lib")
 
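/// Reads the full image path of the process with id ProcessID into BufferData.
///
/// @param ProcessID    Process id to query.
/// @param BufferData   Caller-owned WCHAR array. On success it holds a
///                     NUL-terminated path (truncated if the buffer is too small).
/// @param BufferLegnth Capacity of BufferData in WCHARs (main() passes MAX_PATH
///                     for a WCHAR[MAX_PATH] array), NOT in bytes.
///                     UNICODE_STRING::Length is a byte count, so the two units
///                     are converted explicitly below.
/// @return TRUE when the PEB and the process parameters were read; BufferData
///         is the empty string when the target reports no ImagePathName.
///         FALSE when the process cannot be opened, NtQueryInformationProcess
///         is unavailable or fails, or any ReadProcessMemory fails.
///
/// Fixes relative to the original: the process handle is closed on every exit
/// path by a local RAII guard; the read of the process-parameter block is
/// checked instead of ignored; the bytes-read out-parameter is a real SIZE_T
/// (writing a SIZE_T through a ULONG32* overruns the variable on 64-bit
/// builds); and the copied path is clamped to the buffer in WCHAR units and
/// always NUL-terminated, instead of "BufferLegnth - 10" bytes with no
/// terminator.
BOOL GetProcessFullPathByProcessID(ULONG32 ProcessID, WCHAR* BufferData, ULONG BufferLegnth)
{
    if (BufferData == NULL || BufferLegnth == 0)
    {
        return FALSE;
    }
    BufferData[0] = L'\0';

    // Closes the process handle on every return path (the original leaked it
    // only on the paths that forgot CloseHandle, but there were several).
    struct HandleGuard
    {
        HANDLE Handle;
        explicit HandleGuard(HANDLE h) : Handle(h) {}
        ~HandleGuard() { if (Handle != NULL) CloseHandle(Handle); }
        HandleGuard(const HandleGuard&) = delete;
        HandleGuard& operator=(const HandleGuard&) = delete;
    };
    // Least privilege: query + VM read is all the PEB walk below needs.
    HandleGuard Process(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessID));
    if (Process.Handle == NULL)
    {
        return FALSE;
    }

    // NtQueryInformationProcess is not in an import library here; resolve it
    // from ntdll.dll, which is mapped into every process.
    pfnNtQueryInformationProcess NtQueryInformationProcess =
        (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        return FALSE;
    }

    PROCESS_BASIC_INFORMATION pbi = { 0 };
    UINT32 ReturnLength = 0;
    NTSTATUS Status = NtQueryInformationProcess(Process.Handle,
        ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION),
        &ReturnLength);
    if (!NT_SUCCESS(Status) || pbi.PebBaseAddress == NULL)
    {
        return FALSE;
    }

    // Everything below lives in the target's address space and has to be
    // copied out with ReadProcessMemory; its out-count is a SIZE_T.
    SIZE_T BytesRead = 0;
    PEB Peb = { 0 };
    if (!ReadProcessMemory(Process.Handle, pbi.PebBaseAddress, &Peb, sizeof(PEB), &BytesRead)
        || BytesRead != sizeof(PEB))
    {
        return FALSE;
    }
    if (Peb.ProcessParameters == NULL)
    {
        return FALSE;
    }

    RTL_USER_PROCESS_PARAMETERS RtlUserProcessParameters = { 0 };
    if (!ReadProcessMemory(Process.Handle, Peb.ProcessParameters, &RtlUserProcessParameters,
            sizeof(RTL_USER_PROCESS_PARAMETERS), &BytesRead)
        || BytesRead != sizeof(RTL_USER_PROCESS_PARAMETERS))
    {
        return FALSE;
    }

    const UNICODE_STRING& ImagePath = RtlUserProcessParameters.ImagePathName;
    if (ImagePath.Buffer == NULL || ImagePath.Length == 0)
    {
        return TRUE; // no path reported; BufferData stays the empty string
    }

    // Clamp to the buffer (leaving room for the terminator) and keep whole WCHARs.
    const SIZE_T MaxBytes = (SIZE_T)(BufferLegnth - 1) * sizeof(WCHAR);
    SIZE_T BytesToCopy = ImagePath.Length;
    if (BytesToCopy > MaxBytes)
    {
        BytesToCopy = MaxBytes; // longer than the buffer: truncated, still TRUE as before
    }
    BytesToCopy -= BytesToCopy % sizeof(WCHAR);
    if (BytesToCopy > 0
        && (!ReadProcessMemory(Process.Handle, ImagePath.Buffer, BufferData, BytesToCopy, &BytesRead)
            || BytesRead != BytesToCopy))
    {
        BufferData[0] = L'\0';
        return FALSE;
    }
    BufferData[BytesToCopy / sizeof(WCHAR)] = L'\0';
    return TRUE;
}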
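/// Entry point: reads a process id from stdin and prints that process's image path.
/// Exit code 0 on success, 1 when no id was read or the lookup failed.
int main()
{
    ULONG32 ProcessID = 0;
    WCHAR BufferData[MAX_PATH] = { 0 };
    printf("Input Process ID\r\n");
    // %u, not %d: ProcessID is unsigned. scanf_s returns the number of fields
    // assigned; anything other than 1 means no usable id was read, and the
    // original went on to query process 0 in that case.
    if (scanf_s("%u", &ProcessID) != 1)
    {
        printf("Invalid process ID\r\n");
        return 1;
    }
    // MAX_PATH is the element count of BufferData (WCHARs).
    BOOL bOk = GetProcessFullPathByProcessID(ProcessID, BufferData, MAX_PATH);
    if (bOk != TRUE)
    {
        printf("Failed to read the image path of process %u\r\n", ProcessID);
        return 1;
    }
    printf("%S\r\n", BufferData);
    return 0;
}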

  【转】 https://blog.csdn.net/FURY_QQ/article/details/79767228
