根据文件名查找进程打开的文件全路径
2013-12-25 14:32
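#pragma once
//
// Locate a file opened by a process, given (part of) its file name, and
// translate the kernel device path of that file object to a DOS path.
//
// Privilege and robustness notes for callers:
//  * Reading another process's handle table requires PROCESS_DUP_HANDLE on
//    that process (OpenProcess below); for processes of other users this
//    normally means administrative rights. Lack of access is reported by
//    returning NULL, never by partial results.
//  * SystemHandleInformation (class 16) and NtQueryObject are undocumented
//    ntdll interfaces; every count and length read from the snapshot is
//    bounds-checked against the buffer that holds it.
//  * NtQueryObject(ObjectNameInformation) is known to block indefinitely on
//    some handle types (e.g. synchronous named pipes). Production code
//    usually filters on ObjectTypeNumber or runs the query on a worker
//    thread with a timeout; this header does neither.
//
// The functions are `inline` so the header can be included from several
// translation units without duplicate-definition link errors.
#include <windows.h>
#include <wtypes.h>
#include <NTSecAPI.h>
#include <winbase.h>

#include <algorithm>
#include <cstddef>
#include <cstring>
#include <cwchar>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Kept for source compatibility with existing includers (the original header
// exported it); the code below spells std:: out explicitly.
using namespace std;

/*****************************************************************/
// The two trailing letters on each enumerator are carried over from the
// original listing (presumably "query supported" / "set supported"); they are
// not verified here.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,                 // 0  Y N
    SystemProcessorInformation,             // 1  Y N
    SystemPerformanceInformation,           // 2  Y N
    SystemTimeOfDayInformation,             // 3  Y N
    SystemNotImplemented1,                  // 4  Y N
    SystemProcessesAndThreadsInformation,   // 5  Y N
    SystemCallCounts,                       // 6  Y N
    SystemConfigurationInformation,         // 7  Y N
    SystemProcessorTimes,                   // 8  Y N
    SystemGlobalFlag,                       // 9  Y Y
    SystemNotImplemented2,                  // 10 Y N
    SystemModuleInformation,                // 11 Y N
    SystemLockInformation,                  // 12 Y N
    SystemNotImplemented3,                  // 13 Y N
    SystemNotImplemented4,                  // 14 Y N
    SystemNotImplemented5,                  // 15 Y N
    SystemHandleInformation,                // 16 Y N
    SystemObjectInformation,                // 17 Y N
    SystemPagefileInformation,              // 18 Y N
    SystemInstructionEmulationCounts,       // 19 Y N
    SystemInvalidInfoClass1,                // 20
    SystemCacheInformation,                 // 21 Y Y
    SystemPoolTagInformation,               // 22 Y N
    SystemProcessorStatistics,              // 23 Y N
    SystemDpcInformation,                   // 24 Y Y
    SystemNotImplemented6,                  // 25 Y N
    SystemLoadImage,                        // 26 N Y
    SystemUnloadImage,                      // 27 N Y
    SystemTimeAdjustment,                   // 28 Y Y
    SystemNotImplemented7,                  // 29 Y N
    SystemNotImplemented8,                  // 30 Y N
    SystemNotImplemented9,                  // 31 Y N
    SystemCrashDumpInformation,             // 32 Y N
    SystemExceptionInformation,             // 33 Y N
    SystemCrashDumpStateInformation,        // 34 Y Y/N
    SystemKernelDebuggerInformation,        // 35 Y N
    SystemContextSwitchInformation,         // 36 Y N
    SystemRegistryQuotaInformation,         // 37 Y Y
    SystemLoadAndCallImage,                 // 38 N Y
    SystemPrioritySeparation,               // 39 N Y
    SystemNotImplemented10,                 // 40 Y N
    SystemNotImplemented11,                 // 41 Y N
    SystemInvalidInfoClass2,                // 42
    SystemInvalidInfoClass3,                // 43
    SystemTimeZoneInformation,              // 44 Y N
    SystemLookasideInformation,             // 45 Y N
    SystemSetTimeSlipEvent,                 // 46 N Y
    SystemCreateSession,                    // 47 N Y
    SystemDeleteSession,                    // 48 N Y
    SystemInvalidInfoClass4,                // 49
    SystemRangeStartInformation,            // 50 Y N
    SystemVerifierInformation,              // 51 Y Y
    SystemAddVerifier,                      // 52 N Y
    SystemSessionProcessesInformation       // 53 Y N
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

// One entry of the SystemHandleInformation snapshot.
// NOTE(review): third-party descriptions of class 16 split the first ULONG
// into USHORT UniqueProcessId + USHORT CreatorBackTraceIndex, so PIDs above
// 0xFFFF cannot be matched reliably through this class (the extended handle
// information class would be needed) — confirm before relying on it.
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;        // handle value in the *owning* process's table
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Layout of the whole SystemHandleInformation buffer: a count followed by the
// entries. Declaring it as a struct lets the compiler place `Handles` at the
// correct (pointer-aligned) offset on both 32- and 64-bit builds instead of
// hard-coding "+4". Local name, not a documented Windows type.
typedef struct _SYSTEM_HANDLE_LIST {
    ULONG                     NumberOfHandles;
    SYSTEM_HANDLE_INFORMATION Handles[1];
} SYSTEM_HANDLE_LIST, *PSYSTEM_HANDLE_LIST;

typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectAllInformation,
    ObjectDataInformation
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;

typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS
} POOL_TYPE;

typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING  TypeName;
    ULONG           TotalNumberOfHandles;
    ULONG           TotalNumberOfObjects;
    WCHAR           Unused1[8];
    ULONG           HighWaterNumberOfHandles;
    ULONG           HighWaterNumberOfObjects;
    WCHAR           Unused2[8];
    ACCESS_MASK     InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     ValidAttributes;
    BOOLEAN         SecurityRequired;
    BOOLEAN         MaintainHandleCount;
    USHORT          MaintainTypeList;
    POOL_TYPE       PoolType;
    ULONG           DefaultPagedPoolCharge;
    ULONG           DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_INFORMATION {
    ULONG                   NumberOfObjectsTypes;
    OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;

// Name.Buffer points into NameBuffer; the string is NOT guaranteed to be
// NUL-terminated, so always use Name.Length (bytes) rather than wcslen.
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
    WCHAR          NameBuffer[0];
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(
    IN  SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID                    SystemInformation,
    IN  ULONG                    SystemInformationLength,
    OUT PULONG                   ReturnLength OPTIONAL);

typedef NTSTATUS (NTAPI *NTQUERYOBJECT)(
    IN  HANDLE                   ObjectHandle,
    IN  OBJECT_INFORMATION_CLASS ObjectInformationClass,
    OUT PVOID                    ObjectInformation,
    IN  ULONG                    Length,
    OUT PULONG                   ResultLength);

#ifndef NT_SUCCESS
#define NT_SUCCESS(x) ((x) >= 0)
#endif
// Returned by ZwQuerySystemInformation when the caller's buffer is too small.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
// Defined after the includes in the original header, so it does not affect
// them; kept so includers that test it keep compiling.
#define _UNICODE

/// @brief Returns true when @p filename names an existing directory.
/// @param filename Path to test (wide string).
/// @return false when the path does not exist or is not a directory.
inline bool IsDirectory(const std::wstring& filename)
{
    const DWORD dwAttr = ::GetFileAttributesW(filename.c_str());
    if (dwAttr == INVALID_FILE_ATTRIBUTES)          // file or directory does not exist
        return false;
    return (dwAttr & FILE_ATTRIBUTE_DIRECTORY) != 0;
}

/// RAII owner for a HANDLE obtained from OpenProcess/DuplicateHandle.
struct HandleCloser {
    using pointer = HANDLE;
    void operator()(HANDLE h) const noexcept
    {
        if (h != NULL && h != INVALID_HANDLE_VALUE)
            ::CloseHandle(h);
    }
};
using UniqueHandle = std::unique_ptr<void, HandleCloser>;

/// @brief Translate an NT device path (\Device\HarddiskVolumeN\dir\file) to a
///        DOS path (X:\dir\file) using the drive-letter mappings of this session.
/// @param devicePath Device path as reported by NtQueryObject.
/// @return The DOS path, or an empty string when no drive letter is mapped to
///         that device (e.g. a volume mounted only as a folder).
inline std::wstring DevicePathToDosPath(const std::wstring& devicePath)
{
    wchar_t drive[3] = L"A:";
    wchar_t target[MAX_PATH] = {};
    for (wchar_t letter = L'A'; letter <= L'Z'; ++letter) {
        drive[0] = letter;
        if (::QueryDosDeviceW(drive, target, MAX_PATH) == 0)
            continue;                                   // letter not mapped
        const size_t targetLen = std::wcslen(target);   // first entry of the multi-sz
        if (devicePath.size() < targetLen ||
            _wcsnicmp(devicePath.c_str(), target, targetLen) != 0)
            continue;
        // "...Volume1" must not be taken as a prefix of "...Volume10".
        if (devicePath.size() > targetLen && devicePath[targetLen] != L'\\')
            continue;
        return std::wstring(drive) + devicePath.substr(targetLen);
    }
    return std::wstring();
}

/// @brief Legacy mapping kept from the original implementation: assumes
///        HarddiskVolume1 == C:, HarddiskVolume2 == D:, and so on.
/// This is not guaranteed by Windows and is wrong for two-digit volume numbers;
/// it is only used as a fallback when no drive letter is mapped to the device.
/// @param devicePath Must start with the 22-character "\Device\HarddiskVolume"
///        prefix and be at least 24 characters long (checked by the caller).
inline std::wstring LegacyVolumeToDrive(const std::wstring& devicePath)
{
    std::wstring dosPath = L"A:";
    dosPath[0] = static_cast<wchar_t>(devicePath[22] - L'1' + L'C'); // volume digit -> letter
    dosPath += devicePath.substr(23);                                 // keeps the leading '\'
    return dosPath;
}

/// @brief Find a file object opened by a process whose device path contains
///        @p fileName, and return its DOS path.
/// @param ProcessId    Target process id (may be the current process).
/// @param fileName     Substring searched for in the device path (case-sensitive).
///                     An empty string matches the first harddisk-volume file
///                     handle of the process.
/// @param fullFilePath Receives the DOS path of the first match; untouched when
///                     nothing matches.
/// @return The handle value *as seen in the target process's handle table*
///         (meaningful only inside that process), or NULL when no match was
///         found, the process could not be opened, or ntdll entry points were
///         unavailable. The function never leaves handles or buffers behind.
inline HANDLE GetProcessKernelObject(DWORD ProcessId, const std::wstring& fileName, std::wstring& fullFilePath)
{
    static const wchar_t kPrefix[] = L"\\Device\\HardDiskVolume";   // compared case-insensitively
    const size_t kPrefixChars = sizeof(kPrefix) / sizeof(kPrefix[0]) - 1;  // 22
    const size_t kMaxTableBytes = 64u * 1024u * 1024u;  // upper bound for the snapshot buffer

    HMODULE hNtDll = ::GetModuleHandle(TEXT("ntdll.dll"));
    if (hNtDll == NULL)
        return NULL;
    ZWQUERYSYSTEMINFORMATION pfnZwQuerySystemInformation =
        reinterpret_cast<ZWQUERYSYSTEMINFORMATION>(::GetProcAddress(hNtDll, "ZwQuerySystemInformation"));
    NTQUERYOBJECT pfnNtQueryObject =
        reinterpret_cast<NTQUERYOBJECT>(::GetProcAddress(hNtDll, "NtQueryObject"));
    if (pfnZwQuerySystemInformation == NULL || pfnNtQueryObject == NULL)
        return NULL;   // never call through a null function pointer

    // Handle values in the snapshot belong to the target's table; to query
    // them we need a copy in our own table, which requires PROCESS_DUP_HANDLE.
    UniqueHandle hOwnedProcess;
    HANDLE hSourceProcess = ::GetCurrentProcess();
    if (ProcessId != ::GetCurrentProcessId()) {
        hOwnedProcess.reset(::OpenProcess(PROCESS_DUP_HANDLE, FALSE, ProcessId));
        if (!hOwnedProcess)
            return NULL;
        hSourceProcess = hOwnedProcess.get();
    }

    // Snapshot the system handle table. The required size is not known up
    // front (and ReturnLength is not dependable for this class), so grow the
    // buffer while the call reports STATUS_INFO_LENGTH_MISMATCH.
    std::vector<char> table(0x100000);
    ULONG ulSize = 0;
    NTSTATUS ntStatus = 0;
    for (;;) {
        ntStatus = pfnZwQuerySystemInformation(SystemHandleInformation, table.data(),
                                               static_cast<ULONG>(table.size()), &ulSize);
        if (ntStatus != STATUS_INFO_LENGTH_MISMATCH)
            break;
        if (table.size() >= kMaxTableBytes)
            return NULL;
        table.resize(table.size() * 2);
    }
    if (!NT_SUCCESS(ntStatus))
        return NULL;

    // Never trust the count more than the buffer that holds the entries.
    const SYSTEM_HANDLE_LIST* list = reinterpret_cast<const SYSTEM_HANDLE_LIST*>(table.data());
    const size_t headerBytes = offsetof(SYSTEM_HANDLE_LIST, Handles);
    const size_t maxEntries = (table.size() - headerBytes) / sizeof(SYSTEM_HANDLE_INFORMATION);
    const size_t nNumberHandle = std::min<size_t>(list->NumberOfHandles, maxEntries);

    std::vector<char> nameBuffer(0x10000);   // hoisted: reused for every query
    for (size_t i = 0; i < nNumberHandle; ++i) {
        const SYSTEM_HANDLE_INFORMATION& entry = list->Handles[i];
        if (entry.ProcessId != ProcessId)
            continue;

        const HANDLE remoteValue = reinterpret_cast<HANDLE>(static_cast<ULONG_PTR>(entry.Handle));
        HANDLE hLocalRaw = NULL;
        if (!::DuplicateHandle(hSourceProcess, remoteValue, ::GetCurrentProcess(), &hLocalRaw,
                               0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;   // handle vanished or is not duplicable; skip it
        UniqueHandle hLocal(hLocalRaw);

        // May block on some handle types — see the header comment.
        ULONG nameBytes = 0;
        ntStatus = pfnNtQueryObject(hLocal.get(), ObjectNameInformation, nameBuffer.data(),
                                    static_cast<ULONG>(nameBuffer.size()), &nameBytes);
        if (!NT_SUCCESS(ntStatus))
            continue;

        const OBJECT_NAME_INFORMATION* pNameInfo =
            reinterpret_cast<const OBJECT_NAME_INFORMATION*>(nameBuffer.data());
        if (pNameInfo->Name.Buffer == NULL)
            continue;   // unnamed object
        // Name.Length is in bytes; we need the prefix, a volume digit and at
        // least one more character (the original compared the byte count to 23).
        const size_t nameChars = pNameInfo->Name.Length / sizeof(WCHAR);
        if (nameChars <= 23)
            continue;
        if (_wcsnicmp(pNameInfo->Name.Buffer, kPrefix, kPrefixChars) != 0)
            continue;

        // Copy by explicit length: UNICODE_STRING need not be NUL-terminated.
        const std::wstring devicePath(pNameInfo->Name.Buffer, nameChars);
#ifdef _DEBUG
        MessageBoxW(NULL, devicePath.c_str(), L"GetProcessKernelObject", 0);
#endif
        if (devicePath.find(fileName) == std::wstring::npos)
            continue;

        // Building the result as a std::wstring removes the fixed 1000-char
        // stack buffer the original copied into (NT paths can be much longer).
        std::wstring dosPath = DevicePathToDosPath(devicePath);
        if (dosPath.empty())
            dosPath = LegacyVolumeToDrive(devicePath);
        fullFilePath = dosPath;
        return remoteValue;
    }
    return NULL;
}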