While recently writing Ark, I found that the Windows kernel does not directly provide such a kernel API, so there was no way around doing it by hand. I searched through a number of examples on the Internet and wrote a function.
Defined in the header file:
/*
 * Function-pointer type matching the kernel's ZwQueryInformationProcess.
 * The driver does not link against the routine directly; GetProcessPath
 * resolves its address at run time through MmGetSystemRoutineAddress and
 * stores it in the variable declared below.
 */
typedef NTSTATUS (*ZWQUERYINFORMATIONPROCESS)(
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength);

/* Defined in the .cpp file; NULL until GetProcessPath resolves it. */
extern ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
In the .cpp file:
// the core API definitions to use Zwqueryinformationprocess zwqueryinformationprocess;
// //function: Gets the current process path, but only implements the Get DOS path name, need to manually convert the path to NT path//Code by LthisVOID Getprocesspath (in HANDLE hprocess, out PCHAR pszprocesspath) {NTSTATUS status; Ansi_string astring; PVOID pbuffer=NULL; ULONG Ullen=0; //Get zwqueryinformationprocess if(NULL = =zwqueryinformationprocess) {unicode_string routinename; Rtlinitunicodestring (&routinename, L"zwqueryinformationprocess"); Zwqueryinformationprocess=(zwqueryinformationprocess) mmgetsystemroutineaddress (&routinename); if(NULL = =zwqueryinformationprocess) {Dbgprint ("cannot resolve zwqueryinformationprocess\n"); return; } //Kdprint (("Zwqueryinformationprocess Address---0x%08x\n", zwqueryinformationprocess)); } //Start QueryStatus =zwqueryinformationprocess (hprocess, Processimagefilename, NULL,0, &Ullen); if(Status! =Status_info_length_mismatch) {Dbgprint ("query Process name length failed Ullen:%d,status = 0x%08x\n", Ullen, status); return; } pbuffer=ExAllocatePool (PagedPool, Ullen); if(pbuffer = =NULL) {Dbgprint ("ExAllocatePool failed\n"); return; } Status=zwqueryinformationprocess (hprocess, Processimagefilename, pbuffer, Ullen,&Ullen); if(nt_success (status)) {rtlunicodestringtoansistring (&astring, (punicode_string) pbuffer, TRUE); strncpy (Pszprocesspath, astring. Buffer, astring. Length); if(astring. Length >=MAX_PATH) Pszprocesspath[max_path-1] =' /'; Else* (Pszprocesspath + astring. Length) =' /'; Rtlfreeansistring (&astring); } if(pbuffer) {exfreepool (pbuffer); }}
For converting a DOS path to an NT path, refer to this article: http://www.cnblogs.com/Lthis/p/4693118.html
(RING0) Windows kernel gets process full path based on PID