#include <ntifs.h>
#include <ntddk.h>
/* Local prototypes for two ntoskrnl exports that the public WDK headers do
 * not declare. Both take a referenced PEPROCESS; neither is documented, so
 * their contract may change between builds -- treat them as "best effort". */
/* Returns a pointer to the process's ImageFileName field (a short, fixed-size
 * name, not a full path). The pointer lives inside the _EPROCESS itself. */
UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);
/* Returns the parent's PID as recorded at creation time (the parent may have
 * exited since, so the value is not guaranteed to name a live process). */
HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);
/* Unload callback registered from DriverEntry. The driver owns no devices,
 * allocations or references at unload time, so there is nothing to release. */
VOID HelloDDKUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
}
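/*
 * DriverEntry: on load, walks the _EPROCESS.SessionProcessLinks list of one
 * session and prints (pid, parent pid, image name) for every entry it reaches.
 *
 * This is a diagnostic/teaching routine, not production code: it depends on a
 * hard-coded, build-specific _EPROCESS field offset, walks a kernel list
 * without taking any lock, and reads process objects it holds no reference to.
 *
 * Returns STATUS_SUCCESS after the walk, or STATUS_NOT_FOUND when none of the
 * probed PIDs resolved to a process with a linked SessionProcessLinks entry
 * (the original code dereferenced a NULL list head in that case).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    /* Offset of SessionProcessLinks within _EPROCESS. 0x0b4 is the value the
     * author used for testing on 32-bit Windows XP; it differs between OS
     * builds and bitness. A wrong offset turns the walk into arbitrary kernel
     * reads and will typically bugcheck -- verify it against the target
     * build's symbols before loading the driver. */
    static const ULONG_PTR SessionProcessLinks = 0x0b4;

    PEPROCESS pEprocess = NULL;     /* anchor process; reference held during the walk */
    PLIST_ENTRY pListHead = NULL;   /* the anchor's SessionProcessLinks entry */
    PLIST_ENTRY ListEntry;
    NTSTATUS ntstatus;

    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = HelloDDKUnload;

    /* Only break when a kernel debugger is attached; an unconditional
     * DbgBreakPoint() bugchecks the machine when none is present. */
    if (KD_DEBUGGER_ENABLED)
    {
        DbgBreakPoint();
    }

    /* Find an anchor: probe PIDs 4..PAGE_SIZE (PIDs are multiples of 4) until
     * one resolves to a process whose SessionProcessLinks entry is linked.
     * The reference from PsLookupProcessByProcessId is kept until the walk is
     * finished, instead of being dropped before the object is first read. */
    for (ULONG_PTR i = 4; i <= PAGE_SIZE; i += 4)
    {
        PEPROCESS Candidate = NULL;
        PLIST_ENTRY Links;

        ntstatus = PsLookupProcessByProcessId((HANDLE)i, &Candidate);
        if (!NT_SUCCESS(ntstatus))
        {
            continue;
        }

        Links = (PLIST_ENTRY)((ULONG_PTR)Candidate + SessionProcessLinks);
        if (Links->Flink != NULL && Links->Blink != NULL)
        {
            pEprocess = Candidate;
            pListHead = Links;
            break;
        }

        /* Not linked into a session list: release it and keep probing. */
        ObfDereferenceObject(Candidate);
    }

    if (pListHead == NULL)
    {
        return STATUS_NOT_FOUND;
    }

    /* Walk the circular list from the anchor. No lock is taken, so entries
     * can be unlinked while they are read; MmIsAddressValid() only reports
     * that the page is currently mapped and is not a substitute for a lock or
     * an object reference. Each entry is validated before its Flink is read,
     * which the original loop did not do before advancing past a bad entry. */
    for (ListEntry = pListHead->Flink;
         ListEntry != NULL && ListEntry != pListHead;
         ListEntry = ListEntry->Flink)
    {
        PEPROCESS CurrentProcess;
        PUCHAR pCurrentProcessName;

        if (!MmIsAddressValid(ListEntry))
        {
            break;  /* ->Flink cannot be read safely from an unmapped entry */
        }

        /* Recover the owning _EPROCESS from its embedded LIST_ENTRY. */
        CurrentProcess = (PEPROCESS)((ULONG_PTR)ListEntry - SessionProcessLinks);
        if (!MmIsAddressValid(CurrentProcess))
        {
            continue;
        }

        pCurrentProcessName = PsGetProcessImageFileName(CurrentProcess);

        /* HANDLE is pointer-sized, so "%d" is wrong on 64-bit builds;
         * HandleToULong() keeps the format string correct on both. The image
         * name is a short fixed-size field; %.16s bounds the read regardless. */
        KdPrint(("%lu %lu %.16s\n",
                 HandleToULong(PsGetProcessId(CurrentProcess)),
                 HandleToULong(PsGetProcessInheritedFromUniqueProcessId(CurrentProcess)),
                 pCurrentProcessName != NULL ? (const char *)pCurrentProcessName : "(null)"));
    }

    ObfDereferenceObject(pEprocess);
    return STATUS_SUCCESS;
}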
遍历_EPROCESS->SessionProcessLinks链表枚举进程
转载自blog.csdn.net/qq1841370452/article/details/81231100