#include <ntddk.h>
typedef enum _SYSTEM_INFORMATION_CLASS {
    /*
     * Information classes accepted by ZwQuerySystemInformation, declared by
     * hand (presumably because the DDK headers used here do not expose them).
     * Values are implicit and count up from 0, so the order must not be
     * changed. The only class this file actually queries is
     * SystemProcessInformation (value 5) in Ring0EnumProcess.
     */
    SystemBasicInformation,                  /* 0 */
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,                /* 5 - used by Ring0EnumProcess */
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,               /* 10 */
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,                 /* 20 */
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemNextEventIdInformation,            /* 30 */
    SystemEventIdsInformation,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,                /* spelling kept as in the original headers */
    SystemPlugPlayBusInformation,            /* 40 */
    SystemDockInformation,
    SystemPowerInformation2,
    SystemProcessorSpeedInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation               /* 45 */
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_THREAD_INFORMATION {
    /*
     * Per-thread record; an array of these (Threads[]) trails every
     * SYSTEM_PROCESS_INFORMATION entry. Hand-rolled mirror of the kernel's
     * layout - field meanings are inferred from the names and are not
     * validated anywhere in this file, which never reads thread records.
     * TODO confirm against the headers of the target OS version/bitness.
     */
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;          /* UniqueProcess / UniqueThread pair */
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    ULONG State;
    KWAIT_REASON WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
    /*
     * One entry of the SystemProcessInformation buffer. Entries are chained
     * by NextEntryOffset (byte offset from the start of this entry; 0 marks
     * the last one), which is how Ring0EnumProcess walks the list.
     *
     * This is a hand-rolled layout: only NextEntryOffset, ImageName and
     * ProcessId are consumed by this file. The Reserved* fields stand in for
     * members whose names/sizes depend on the OS version and bitness -
     * TODO confirm offsets past HandleCount against the target kernel
     * headers before reading anything beyond the three fields above.
     */
    ULONG NextEntryOffset;              /* 0 => last entry in the buffer */
    ULONG NumberOfThreads;              /* element count of Threads[] */
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;           /* counted string: Buffer may be NULL
                                           (seen for the System process) and
                                           is not guaranteed NUL-terminated */
    KPRIORITY BasePriority;
    HANDLE ProcessId;                   /* pointer-sized; cast before printing */
    HANDLE InheritedFromProcessId;      /* parent PID */
    ULONG HandleCount;
    ULONG Reserved2[2];
    ULONG PrivatePageCount;
    VM_COUNTERS VirtualMemoryCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD_INFORMATION Threads[0];  /* zero-length trailing array (MSVC
                                              extension); NumberOfThreads items */
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
/*
 * Hand-declared prototype for the kernel export ZwQuerySystemInformation.
 * This translation unit is compiled as C++, so the declaration needs
 * extern "C" to get C linkage; without it the import name is mangled and
 * the link step keeps failing (the original author's note said exactly that).
 *
 * SystemInformationClass is declared as ULONG rather than
 * SYSTEM_INFORMATION_CLASS; on MSVC the enum is int-sized so the two are
 * ABI-compatible. SystemInformation/SystemInformationLength describe the
 * caller's output buffer; ReturnLength is optional (Ring0EnumProcess passes
 * NULL) and presumably receives the number of bytes written - verify on the
 * target OS before relying on it. A too-small buffer is reported as
 * STATUS_INFO_LENGTH_MISMATCH.
 */
extern "C" NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);
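VOID Unload(
    __in struct _DRIVER_OBJECT *DriverObject
    )
{
    /*
     * DriverUnload callback. DriverEntry creates no device objects or
     * symbolic links, so there is nothing to tear down here; the routine
     * only leaves a trace in the debugger output.
     */
    UNREFERENCED_PARAMETER(DriverObject);   /* silences C4100 under /W4 /WX */

    /* trailing newline so the next DbgPrint starts on its own line */
    KdPrint(("unload .....\n"));
}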
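NTSTATUS Ring0EnumProcess()
{
    /*
     * Enumerate every process known to the kernel and print "PID, image
     * name" for each through KdPrint.
     *
     * SystemProcessInformation has no fixed size, so the buffer starts at
     * 32 KiB and is doubled for as long as the query answers
     * STATUS_INFO_LENGTH_MISMATCH. The walk over the result is bounded by
     * the byte count the kernel reports, so a malformed NextEntryOffset can
     * never step outside the allocation.
     *
     * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when no buffer
     * can be allocated (the original returned 1, which NT_SUCCESS() treats
     * as success), or the NTSTATUS from ZwQuerySystemInformation.
     * Must run at PASSIVE_LEVEL, as ZwQuerySystemInformation requires.
     * The buffer is always released before returning.
     */
    const ULONG poolTag = 'mnEP';          /* constructed tag; shows as "PEnm" in pool tracking */
    ULONG cbBuffer = 0x8000;               /* 32 KiB first guess */
    ULONG cbReturned = 0;                  /* bytes the kernel actually filled in */
    PVOID pSystemInfo = NULL;
    NTSTATUS status;

    for (;;)
    {
        pSystemInfo = ExAllocatePoolWithTag(NonPagedPool, cbBuffer, poolTag);
        if (pSystemInfo == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        status = ZwQuerySystemInformation(SystemProcessInformation,
                                          pSystemInfo, cbBuffer, &cbReturned);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;                         /* success or a real failure */
        }

        /* Too small: release, double and retry; give up before the ULONG wraps. */
        ExFreePoolWithTag(pSystemInfo, poolTag);
        pSystemInfo = NULL;
        if (cbBuffer > MAXULONG / 2)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        cbBuffer *= 2;
    }

    if (!NT_SUCCESS(status))
    {
        ExFreePoolWithTag(pSystemInfo, poolTag);
        return status;
    }

    /*
     * Bound the walk by what the kernel says it wrote. If ReturnLength is
     * not filled in on this OS (0) or claims more than the buffer, fall
     * back to the buffer size so the loop is still memory-safe.
     */
    if (cbReturned == 0 || cbReturned > cbBuffer)
    {
        cbReturned = cbBuffer;
    }

    {
        PUCHAR pEnd = (PUCHAR)pSystemInfo + cbReturned;
        PSYSTEM_PROCESS_INFORMATION pInfo = (PSYSTEM_PROCESS_INFORMATION)pSystemInfo;

        /* Only touch an entry whose fixed header lies entirely inside the buffer. */
        while ((SIZE_T)(pEnd - (PUCHAR)pInfo) >= sizeof(*pInfo))
        {
            /*
             * ProcessId is a HANDLE (pointer-sized) - cast so the format
             * specifier matches on x64 as well. ImageName is a counted
             * UNICODE_STRING whose Buffer need not be NUL-terminated, so it
             * is printed with %wZ instead of %S.
             */
            ULONG pid = (ULONG)(ULONG_PTR)pInfo->ProcessId;
            if (pInfo->ImageName.Buffer == NULL)
            {
                KdPrint(("PID:%u, process name:NULL\n", pid));
            }
            else
            {
                KdPrint(("PID:%u, process name:%wZ\n", pid, &pInfo->ImageName));
            }

            if (pInfo->NextEntryOffset == 0)
            {
                break;                     /* last entry in the chain */
            }
            if (pInfo->NextEntryOffset > (SIZE_T)(pEnd - (PUCHAR)pInfo))
            {
                break;                     /* offset would leave the buffer */
            }
            pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryOffset);
        }
    }

    ExFreePoolWithTag(pSystemInfo, poolTag);   /* the original leaked this */
    return STATUS_SUCCESS;
}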
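NTSTATUS DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    /*
     * Driver entry point: registers the unload routine and runs the
     * one-shot process enumeration. RegistryPath is not used.
     *
     * A failed enumeration is logged but does not fail the load, keeping
     * the original "always STATUS_SUCCESS" behaviour; if the load were
     * failed instead, DriverUnload would never be invoked for this driver.
     */
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);   /* silences C4100 under /W4 /WX */

    DriverObject->DriverUnload = Unload;

    status = Ring0EnumProcess();
    if (!NT_SUCCESS(status))
    {
        KdPrint(("Ring0EnumProcess failed: 0x%08X\n", status));
    }

    return STATUS_SUCCESS;
}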