在LoadImageNotifyRoutine中取加载进程名

在LoadImageNotifyRoutine中有一个参数:ProcessId,如果ImageInfo->SystemModeImage的话ProcessId为0,否则为加载这个程序的ProcessId,可以通过它来取进程名:

NTSTATUS GetProcessNameById(OUT PCHAR ProcessName, IN HANDLE ProcessId)
{
PEPROCESS       curproc;
char            *nameptr;
/if (!gProcessNameOffset || !ProcessId) return STATUS_INVALID_PARAMETER;
if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId,&curproc)))
{
   strcpy(ProcessName,"???");
   return STATUS_INVALID_PARAMETER;
}
else
{
nameptr   = (PCHAR) curproc + gProcessNameOffset;
strncpy( ProcessName, nameptr, NT_PROCNAMELEN );
ProcessName[NT_PROCNAMELEN] = 0;
return STATUS_SUCCESS;
}
}