透过EPROCESS获取进程名
通过EPROCESS获取进程名
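/*
 * Print the image file name of the current process by reading the
 * EPROCESS.ImageFileName field at a fixed offset.
 *
 * The offset (0x174 here) is build-specific: it was obtained from
 * `dt _eprocess` on the target system and must be re-verified for any
 * other Windows version or architecture, otherwise the read lands on an
 * unrelated field. Where relying on an undocumented export is acceptable,
 * the ntoskrnl routine PsGetProcessImageFileName() returns the same field
 * without a hard-coded offset.
 *
 * No parameters, no return value; the name is written to the kernel
 * debugger via KdPrint.
 */
VOID DisplayItsProcessName()
{
    // Offset of EPROCESS.ImageFileName on the build this was examined on
    // (`dt _eprocess` shows `+0x174 ImageFileName : [16]`).
    const ULONG_PTR imageFileNameOffset = 0x174;

    // Current process object.
    PEPROCESS pEprocess = PsGetCurrentProcess();

    // Pointer arithmetic is done on ULONG_PTR so the EPROCESS address is not
    // truncated on 64-bit kernels (a ULONG cast only works on 32-bit).
    // The field is a narrow (ANSI) character array, hence PCHAR rather than
    // PTSTR, which may resolve to a wide string under UNICODE.
    PCHAR ProcessName = (PCHAR)((ULONG_PTR)pEprocess + imageFileNameOffset);

    // ImageFileName is a 16-byte field; copy it into a local buffer and
    // terminate explicitly so the print never reads past the field.
    CHAR name[17];
    RtlCopyMemory(name, ProcessName, sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';

    KdPrint(("%s \r\n", name));
}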
lkd> !process 0 0
……
PROCESS 887ae768 SessionId: 0 Cid: 0d84 Peb: 7ffdd000 ParentCid: 0780
DirBase: 0ebc0580 ObjectTable: e1697608 HandleCount: 60.
Image: windbg.exe
lkd> dt _eprocess 887ae768
……
+0x174 ImageFileName : [16] "windbg.exe"
……