Public Function GetProcessPath(ByVal dwProcessId As Long) As String
Dim ntStatus As Long
Dim objBasic As PROCESS_BASIC_INFORMATION
Dim objFlink As Long
Dim objPEB As Long, objLdr As Long
Dim objBaseAddress As Long
Dim bytName(260 * 2 - 1) As Byte
Dim strModuleName As String, objName As Long
Dim objCid As CLIENT_ID
Dim objOa As OBJECT_ATTRIBUTES
Dim i As Integer
Dim hProcess As Long
objOa.Length = Len(objOa)
objCid.UniqueProcess = dwProcessId
ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, objOa, objCid)
If hProcess = 0 Then
hProcess = GetHandleByProcessId(dwProcessId)
If hProcess = 0 Then
GetProcessPath = ""
Exit Function
End If
End If
Dim lngRet As Long, lngReturn As Long
ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, VarPtr(objBasic), Len(objBasic), ByVal 0&)
If (NT_SUCCESS(ntStatus)) Then
objPEB = objBasic.PebBaseAddress
lngRet = ReadProcessMemory(hProcess, ByVal objPEB + &HC, objLdr, 4, ByVal 0&)
lngRet = ReadProcessMemory(hProcess, ByVal objLdr + &HC, objFlink, 4, ByVal 0&)
lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H18, objBaseAddress, 4, ByVal 0&)
If objBaseAddress > 0 Then
lngRet = ReadProcessMemory(hProcess, ByVal objFlink + &H28, objName, 4, ByVal 0&)
lngRet = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2, ByVal 0&)
If ERROR_PARTIAL_COPY = lngRet Then
Start:
i = i + 1
If ERROR_PARTIAL_COPY = ReadProcessMemory(hProcess, ByVal objName, bytName(0), 260 * 2 - i, ByVal 0&) Then
GoTo Start
End If
End If
strModuleName = bytName
strModuleName = Left(strModuleName & Chr(0), InStr(strModuleName & Chr(0), Chr(0)) - 1)
GetProcessPath = strModuleName
End If
End If
NtClose hProcess
End Function
看这里objBaseAddress 这个就是你要的东西