驱动环境下的任务进程获取枚举



驱动环境下枚举系统任务，属于新手驱动学习，还望各位大佬发现失误能够指点一二，幸得指点，感恩各位！

  1. #include "ntddk.h"
/*
 * Information classes accepted by ZwQuerySystemInformation.
 *
 * This is a hand-written copy of the (largely undocumented) enumeration; the
 * only value this driver uses is SystemProcessesAndThreadsInformation (5).
 * NOTE(review): the names follow older reverse-engineering references and
 * differ from the names used in current WDK / winternl headers (there class 5
 * is called SystemProcessInformation). If the WDK in use already defines
 * SYSTEM_INFORMATION_CLASS this typedef will collide with it - confirm
 * against the target WDK before building.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation, // 0
SystemProcessorInformation, // 1
SystemPerformanceInformation, // 2
SystemTimeOfDayInformation, // 3
SystemNotImplemented1, // 4
SystemProcessesAndThreadsInformation, // 5  - used by Ring0EnumProcess
SystemCallCounts, // 6
SystemConfigurationInformation, // 7
SystemProcessorTimes, // 8
SystemGlobalFlag, // 9
SystemNotImplemented2, // 10
SystemModuleInformation, // 11
SystemLockInformation, // 12
SystemNotImplemented3, // 13
SystemNotImplemented4, // 14
SystemNotImplemented5, // 15
SystemHandleInformation, // 16
SystemObjectInformation, // 17
SystemPagefileInformation, // 18
SystemInstructionEmulationCounts, // 19
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21
SystemPoolTagInformation, // 22
SystemProcessorStatistics, // 23
SystemDpcInformation, // 24
SystemNotImplemented6, // 25
SystemLoadImage, // 26
SystemUnloadImage, // 27
SystemTimeAdjustment, // 28
SystemNotImplemented7, // 29
SystemNotImplemented8, // 30
SystemNotImplemented9, // 31
SystemCrashDumpInformation, // 32
SystemExceptionInformation, // 33
SystemCrashDumpStateInformation, // 34
SystemKernelDebuggerInformation, // 35
SystemContextSwitchInformation, // 36
SystemRegistryQuotaInformation, // 37
SystemLoadAndCallImage, // 38
SystemPrioritySeparation, // 39
SystemNotImplemented10, // 40
SystemNotImplemented11, // 41
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44
SystemLookasideInformation, // 45
SystemSetTimeSlipEvent, // 46
SystemCreateSession, // 47
SystemDeleteSession, // 48
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50
SystemVerifierInformation, // 51
SystemAddVerifier, // 52
SystemSessionProcessesInformation // 53
} SYSTEM_INFORMATION_CLASS;
/*
 * Per-thread record of the SystemProcessesAndThreadsInformation snapshot.
 * Per the commented-out Threads[] member of SYSTEM_PROCESS_INFORMATION below,
 * an array of these is expected to follow each process entry. Declared for
 * completeness only: this driver never dereferences it.
 * NOTE(review): field meanings are the author's reading of an undocumented
 * layout and are not checked against any OS build here.
 */
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;   /* kernel-mode time */
LARGE_INTEGER UserTime;     /* user-mode time */
LARGE_INTEGER CreateTime;   /* thread creation time */
ULONG WaitTime;
PVOID StartAddress;         /* thread start address */
CLIENT_ID ClientId;         /* process / thread ids (CLIENT_ID from ntddk.h) */
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;                 /* thread state */
LONG WaitReason;            /* wait reason when State is a waiting state */
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
/*
 * One process entry in the buffer returned for
 * SystemProcessesAndThreadsInformation. Entries are chained by
 * NextEntryDelta (byte offset to the next entry, 0 for the last one); that is
 * how Ring0EnumProcess walks the list. The field comments are the original
 * author's understanding of the undocumented layout.
 *
 * NOTE(review): ProcessId / InheritedFromProcessId are ULONG here and the
 * Reserved arrays have fixed widths. The real structure is version- and
 * architecture-dependent (the documented form carries pointer-sized HANDLE
 * ids), so this layout is presumably only correct for 32-bit targets -
 * confirm against the target OS before relying on any field after ThreadCount.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;          /* byte offset from this entry to the next; 0 terminates the list */
ULONG ThreadCount;             /* number of threads in the process */
ULONG Reserved1[6];            /* unknown (per the original author) */
LARGE_INTEGER CreateTime;      /* process creation time */
LARGE_INTEGER UserTime;        /* CPU time in user mode */
LARGE_INTEGER KernelTime;      /* CPU time in kernel mode */
UNICODE_STRING ProcessName;    /* image name; Buffer may be NULL (Ring0EnumProcess checks for it) and, as a UNICODE_STRING, is length-counted rather than NUL-terminated */
KPRIORITY BasePriority;        /* process base priority */
ULONG ProcessId;               /* process id */
ULONG InheritedFromProcessId;  /* parent process id */
ULONG HandleCount;             /* number of open handles */
ULONG Reserved2[2];            /* unknown */
VM_COUNTERS VmCounters;        /* virtual-memory counters */
IO_COUNTERS IoCounters;        /* I/O counters */
/* SYSTEM_THREAD_INFORMATION Threads[1]; - per-thread records are expected to follow here; not used by this driver */
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
/*
 * Hand-written declaration of ZwQuerySystemInformation with C linkage,
 * presumably because the header included here does not declare it.
 * NOTE(review): newer WDKs may declare this function (and
 * SYSTEM_INFORMATION_CLASS) themselves, in which case this declaration and
 * the typedefs above are redundant or conflicting - confirm against the WDK
 * in use.
 */
extern "C"NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass, /* which class to query */
OUT PVOID SystemInformation,                        /* caller-supplied output buffer */
IN ULONG SystemInformationLength,                   /* size of that buffer in bytes */
OUT PULONG ReturnLength OPTIONAL                    /* bytes written; on STATUS_INFO_LENGTH_MISMATCH presumably the size required - TODO confirm */
);
  97. //--------------------------------------------------------------
  98. //-----------------------------------------------------------------
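/*
 * Enumerate all processes through ZwQuerySystemInformation and emit one
 * DbgPrint line per process (PID, image name, parent PID).
 *
 * Must run at PASSIVE_LEVEL (ZwQuerySystemInformation requirement); PAGED_CODE()
 * asserts this on checked builds.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the snapshot
 * buffer cannot be allocated or grown, or the NTSTATUS from
 * ZwQuerySystemInformation on any other failure. (The previous version
 * returned 1 on failure, which NT_SUCCESS() treats as success.)
 */
NTSTATUS Ring0EnumProcess()
{
    static const ULONG kPoolTag = 'mnEP';
    ULONG cbuffer = 0x8000;
    ULONG needed = 0;
    PVOID pBuffer = NULL;
    NTSTATUS Status;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    PUCHAR pEnd;

    PAGED_CODE();

    /*
     * The snapshot size is not known up front and can grow between calls
     * (processes may be created meanwhile), so retry on
     * STATUS_INFO_LENGTH_MISMATCH with a larger buffer. ReturnLength is used
     * as a lower bound for the next attempt, but the size is at least doubled
     * so the loop converges even if the hint is stale.
     */
    for (;;)
    {
        ULONG grown;

        pBuffer = ExAllocatePoolWithTag(NonPagedPool, cbuffer, kPoolTag);
        if (pBuffer == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, cbuffer, &needed);
        if (NT_SUCCESS(Status))
        {
            break;
        }

        ExFreePoolWithTag(pBuffer, kPoolTag);
        pBuffer = NULL;

        if (Status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return Status;
        }

        grown = cbuffer * 2;
        if (grown < cbuffer)
        {
            /* ULONG overflow: give up rather than allocate a wrapped size. */
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        cbuffer = (needed > grown) ? needed : grown;
    }

    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    pEnd = (PUCHAR)pBuffer + cbuffer;

    for (;;)
    {
        UNICODE_STRING name;

        /*
         * The kernel's own output should always fit, but the check is cheap
         * and protects against a SYSTEM_PROCESS_INFORMATION layout that does
         * not match the running OS build.
         */
        if ((PUCHAR)pInfo + sizeof(*pInfo) > pEnd)
        {
            break;
        }

        /*
         * Some entries carry no image name (Buffer == NULL). Print through a
         * UNICODE_STRING with %wZ so the name's Length is honoured: the
         * buffer is not guaranteed to be NUL-terminated, which %S assumed.
         */
        if (pInfo->ProcessName.Buffer == NULL)
        {
            RtlInitUnicodeString(&name, L"null");
        }
        else
        {
            name = pInfo->ProcessName;
        }

        DbgPrint("ProcessID%lu 进程名::%wZ 父进程ID%lu\n",
                 pInfo->ProcessId, &name, pInfo->InheritedFromProcessId);

        if (pInfo->NextEntryDelta == 0)
        {
            break;
        }
        /* Never step past the end of the snapshot, whatever the delta says. */
        if (pInfo->NextEntryDelta > (ULONG)(pEnd - (PUCHAR)pInfo))
        {
            break;
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);
    }

    ExFreePoolWithTag(pBuffer, kPoolTag);
    return STATUS_SUCCESS;
}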
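/*
 * Driver unload routine. DriverEntry registers nothing but this callback and
 * Ring0EnumProcess frees its own buffer, so there is nothing to release here.
 * The parameter is marked unreferenced so /W4 (and /WX) builds stay clean.
 */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}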
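/*
 * Driver entry point: registers the unload routine and runs the process
 * enumeration once at load time.
 *
 * If Ring0EnumProcess reports an error status it is logged, but the load is
 * not failed: the driver has no other function, and failing DriverEntry would
 * only unload it and hide the DbgPrint output. STATUS_SUCCESS is therefore
 * always returned. RegistryPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = Unload;

    status = Ring0EnumProcess();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Ring0EnumProcess failed: 0x%08X\n", status);
    }
    return STATUS_SUCCESS;
}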