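/*
 * Kernel-mode process enumeration via ZwQuerySystemInformation.
 *
 * The SYSTEM_INFORMATION_CLASS enum and the two SYSTEM_*_INFORMATION
 * structs below are hand-declared copies of undocumented native API
 * layouts. NOTE(review): these are the legacy 32-bit layouts (ProcessId
 * is a ULONG here); confirm them against the target kernel before relying
 * on the field offsets, since a wrong layout silently misparses the buffer.
 */

/* Information classes accepted by ZwQuerySystemInformation. Only
 * SystemProcessesAndThreadsInformation (5) is used in this file. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,                 // 0
    SystemProcessorInformation,             // 1
    SystemPerformanceInformation,           // 2
    SystemTimeOfDayInformation,             // 3
    SystemNotImplemented1,                  // 4
    SystemProcessesAndThreadsInformation,   // 5
    SystemCallCounts,                       // 6
    SystemConfigurationInformation,         // 7
    SystemProcessorTimes,                   // 8
    SystemGlobalFlag,                       // 9
    SystemNotImplemented2,                  // 10
    SystemModuleInformation,                // 11
    SystemLockInformation,                  // 12
    SystemNotImplemented3,                  // 13
    SystemNotImplemented4,                  // 14
    SystemNotImplemented5,                  // 15
    SystemHandleInformation,                // 16
    SystemObjectInformation,                // 17
    SystemPagefileInformation,              // 18
    SystemInstructionEmulationCounts,       // 19
    SystemInvalidInfoClass1,                // 20
    SystemCacheInformation,                 // 21
    SystemPoolTagInformation,               // 22
    SystemProcessorStatistics,              // 23
    SystemDpcInformation,                   // 24
    SystemNotImplemented6,                  // 25
    SystemLoadImage,                        // 26
    SystemUnloadImage,                      // 27
    SystemTimeAdjustment,                   // 28
    SystemNotImplemented7,                  // 29
    SystemNotImplemented8,                  // 30
    SystemNotImplemented9,                  // 31
    SystemCrashDumpInformation,             // 32
    SystemExceptionInformation,             // 33
    SystemCrashDumpStateInformation,        // 34
    SystemKernelDebuggerInformation,        // 35
    SystemContextSwitchInformation,         // 36
    SystemRegistryQuotaInformation,         // 37
    SystemLoadAndCallImage,                 // 38
    SystemPrioritySeparation,               // 39
    SystemNotImplemented10,                 // 40
    SystemNotImplemented11,                 // 41
    SystemInvalidInfoClass2,                // 42
    SystemInvalidInfoClass3,                // 43
    SystemTimeZoneInformation,              // 44
    SystemLookasideInformation,             // 45
    SystemSetTimeSlipEvent,                 // 46
    SystemCreateSession,                    // 47
    SystemDeleteSession,                    // 48
    SystemInvalidInfoClass4,                // 49
    SystemRangeStartInformation,            // 50
    SystemVerifierInformation,              // 51
    SystemAddVerifier,                      // 52
    SystemSessionProcessesInformation       // 53
} SYSTEM_INFORMATION_CLASS;

/* Per-thread record that follows each process record in the query
 * buffer. Declared for completeness; the enumeration below never
 * dereferences it. */
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;
    LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

/* One process record in the buffer returned for
 * SystemProcessesAndThreadsInformation. Records are chained by
 * NextEntryDelta (byte offset to the next record; 0 marks the last one). */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryDelta;               // byte offset to the next process record, 0 on the last
    ULONG ThreadCount;                  // number of threads
    ULONG Reserved1[6];                 // unknown for now
    LARGE_INTEGER CreateTime;           // creation time
    LARGE_INTEGER UserTime;             // CPU time in user mode
    LARGE_INTEGER KernelTime;           // CPU time in kernel mode
    UNICODE_STRING ProcessName;         // process name (counted string; Buffer is NOT guaranteed NUL-terminated)
    KPRIORITY BasePriority;             // process base priority
    ULONG ProcessId;                    // process identifier
    ULONG InheritedFromProcessId;       // parent process identifier
    ULONG HandleCount;                  // number of handles
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;             // virtual memory counters
    IO_COUNTERS IoCounters;             // I/O counters
    // SYSTEM_THREAD_INFORMATION Threads[1]; // per-process thread array; not used here
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

extern "C" NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

/* Pool tag for the query buffer (tag value chosen here; align it with the
 * project's tag convention if one exists). Tagged allocations let pool
 * leaks be attributed to this driver with poolmon / !poolused. */
#define PROC_ENUM_POOL_TAG 'mnEP'

//--------------------------------------------------------------
//-----------------------------------------------------------------

/*
 * Ring0EnumProcess - query the process list and DbgPrint one line per process.
 *
 * Grows a NonPagedPool buffer until ZwQuerySystemInformation stops
 * reporting STATUS_INFO_LENGTH_MISMATCH, then walks the NextEntryDelta
 * chain, never stepping outside the buffer it allocated.
 *
 * Returns STATUS_SUCCESS (0, as before) on success. Failures now return a
 * real NTSTATUS error instead of the old literal 1, which NT_SUCCESS()
 * would have treated as success: STATUS_INSUFFICIENT_RESOURCES when pool
 * allocation fails, otherwise the status returned by the query.
 */
NTSTATUS Ring0EnumProcess()
{
    ULONG cbuffer = 0x8000;
    PVOID pBuffer = NULL;
    NTSTATUS Status;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    UNICODE_STRING nullName;
    WCHAR nullNameBuf[] = L"null";

    // Fallback display name for records whose ProcessName.Buffer is NULL
    // (the Idle/System entries). Avoids handing a NULL buffer to DbgPrint.
    RtlInitUnicodeString(&nullName, nullNameBuf);

    do {
        ULONG needed = 0;

        pBuffer = ExAllocatePoolWithTag(NonPagedPool, cbuffer, PROC_ENUM_POOL_TAG);
        if (pBuffer == NULL) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, cbuffer, &needed);
        if (Status == STATUS_INFO_LENGTH_MISMATCH) {
            ExFreePoolWithTag(pBuffer, PROC_ENUM_POOL_TAG);
            pBuffer = NULL;
            // Doubling the request size unboundedly would eventually wrap
            // a ULONG; give up instead of allocating a tiny buffer.
            if (cbuffer > MAXULONG / 2) {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            cbuffer *= 2;
            // When the kernel reports the size it wanted, jump straight to
            // it rather than retrying with a still-too-small doubling.
            if (needed > cbuffer) {
                cbuffer = needed;
            }
        } else if (!NT_SUCCESS(Status)) {
            ExFreePoolWithTag(pBuffer, PROC_ENUM_POOL_TAG);
            return Status;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    {
        PUCHAR bufEnd = (PUCHAR)pBuffer + cbuffer;

        pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
        for (;;) {
            PUNICODE_STRING name;

            // A record header that does not fit inside the buffer means the
            // chain is corrupt or truncated; stop rather than read past it.
            if ((PUCHAR)pInfo + sizeof(*pInfo) > bufEnd) {
                break;
            }

            name = (pInfo->ProcessName.Buffer != NULL) ? &pInfo->ProcessName : &nullName;

            // %wZ prints a counted UNICODE_STRING; the old %S on
            // ProcessName.Buffer read past the name (no terminator) and
            // dereferenced NULL for the Idle/System entries because the
            // "null" fallback was computed but never used. "\n" keeps each
            // process on its own debugger line.
            DbgPrint("ProcessID%lu 进程名::%wZ 父进程ID%lu\n",
                     pInfo->ProcessId, name, pInfo->InheritedFromProcessId);

            if (pInfo->NextEntryDelta == 0) {
                break;
            }
            // Refuse an offset that would carry the cursor outside the buffer.
            if (pInfo->NextEntryDelta > (ULONG)(bufEnd - (PUCHAR)pInfo)) {
                break;
            }
            pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);
        }
    }

    ExFreePoolWithTag(pBuffer, PROC_ENUM_POOL_TAG);
    return STATUS_SUCCESS;
}

/* DriverUnload callback; nothing to tear down because Ring0EnumProcess
 * frees its buffer before returning. */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

/*
 * DriverEntry - register the unload routine and run the enumeration once.
 *
 * The enumeration result is deliberately not propagated: the driver still
 * loads (and can be unloaded) even if the process query fails.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = Unload;
    Ring0EnumProcess();
    return STATUS_SUCCESS;
}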
