在驱动里面枚举进程列表源码
/*
 * SYSTEM_INFORMATION_CLASS - selector passed to ZwQuerySystemInformation.
 *
 * Each enumerator's value is the ordinal the kernel dispatches on, so the
 * numbers are spelled out explicitly instead of being implied by declaration
 * order; reordering a line cannot silently change which class is queried.
 *
 * NOTE(review): these are the unofficial names from older reverse-engineering
 * references; the WDK / winternl.h headers spell several of them differently
 * (e.g. class 5 appears there as SystemProcessInformation). Treat the numeric
 * value, not the name, as the source of truth, and confirm any class beyond
 * the documented ones against the target OS version before relying on it.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation               = 0,
    SystemProcessorInformation           = 1,
    SystemPerformanceInformation         = 2,
    SystemTimeOfDayInformation           = 3,
    SystemNotImplemented1                = 4,
    SystemProcessesAndThreadsInformation = 5,   /* process + thread snapshot */
    SystemCallCounts                     = 6,
    SystemConfigurationInformation       = 7,
    SystemProcessorTimes                 = 8,
    SystemGlobalFlag                     = 9,
    SystemNotImplemented2                = 10,
    SystemModuleInformation              = 11,  /* loaded kernel modules */
    SystemLockInformation                = 12,
    SystemNotImplemented3                = 13,
    SystemNotImplemented4                = 14,
    SystemNotImplemented5                = 15,
    SystemHandleInformation              = 16,  /* system-wide handle table */
    SystemObjectInformation              = 17,
    SystemPagefileInformation            = 18,
    SystemInstructionEmulationCounts     = 19,
    SystemInvalidInfoClass1              = 20,
    SystemCacheInformation               = 21,
    SystemPoolTagInformation             = 22,
    SystemProcessorStatistics            = 23,
    SystemDpcInformation                 = 24,
    SystemNotImplemented6                = 25,
    SystemLoadImage                      = 26,
    SystemUnloadImage                    = 27,
    SystemTimeAdjustment                 = 28,
    SystemNotImplemented7                = 29,
    SystemNotImplemented8                = 30,
    SystemNotImplemented9                = 31,
    SystemCrashDumpInformation           = 32,
    SystemExceptionInformation           = 33,
    SystemCrashDumpStateInformation      = 34,
    SystemKernelDebuggerInformation      = 35,
    SystemContextSwitchInformation       = 36,
    SystemRegistryQuotaInformation       = 37,
    SystemLoadAndCallImage               = 38,
    SystemPrioritySeparation             = 39,
    SystemNotImplemented10               = 40,
    SystemNotImplemented11               = 41,
    SystemInvalidInfoClass2              = 42,
    SystemInvalidInfoClass3              = 43,
    SystemTimeZoneInformation            = 44,
    SystemLookasideInformation           = 45,
    SystemSetTimeSlipEvent               = 46,
    SystemCreateSession                  = 47,
    SystemDeleteSession                  = 48,
    SystemInvalidInfoClass4              = 49,
    SystemRangeStartInformation          = 50,
    SystemVerifierInformation            = 51,
    SystemAddVerifier                    = 52,
    SystemSessionProcessesInformation    = 53
} SYSTEM_INFORMATION_CLASS;
//查询系统信息的nt服务函数
/*
 * ZwQuerySystemInformation - kernel-mode entry to the NtQuerySystemInformation
 * service. Fills SystemInformation with the record(s) selected by
 * SystemInformationClass; returns STATUS_INFO_LENGTH_MISMATCH when
 * SystemInformationLength is too small for the result (the caller below grows
 * its buffer on that status). ReturnLength may be NULL.
 *
 * NOTE(review): the WDK declares this routine as
 *   NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(...)
 * Redeclaring it here without NTAPI (__stdcall) mismatches the export's calling
 * convention on 32-bit builds; prefer the header's prototype, or add NTAPI, before
 * building for x86. It is documented as callable at PASSIVE_LEVEL only - confirm
 * the IRQL at every call site.
 */
NTSTATUS
ZwQuerySystemInformation(IN  SYSTEM_INFORMATION_CLASS SystemInformationClass,
                         OUT PVOID                    SystemInformation,
                         IN  ULONG                    SystemInformationLength,
                         OUT PULONG                   ReturnLength OPTIONAL);
//在驱动里面枚举进程列表
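/* Pool tag for the snapshot buffer; shows up as "PEnm" in !pool / Driver Verifier. */
#define ENUMPROC_POOL_TAG 'mnEP'

/*
 * EnumProcess - print every process in the system from a kernel driver.
 *
 * Takes a SystemProcessesAndThreadsInformation snapshot via
 * ZwQuerySystemInformation, growing the buffer until it fits, then walks the
 * variable-length records and DbgPrints each pid and image name.
 *
 * No parameters, no return value. Must run at PASSIVE_LEVEL (Zw* query).
 *
 * Fixes relative to the original:
 *  - the pool allocation is checked (a NULL buffer was passed straight to the
 *    query and then dereferenced);
 *  - any status other than STATUS_INFO_LENGTH_MISMATCH / success now aborts
 *    instead of walking an unfilled buffer;
 *  - the doubling loop is capped so ulSize * 2 cannot wrap to 0 or grow without bound;
 *  - the walk is bounded by the buffer size so a bad NextEntryDelta cannot read past it;
 *  - the image name is printed with %wZ: ProcessName.Buffer is not NUL-terminated
 *    (UNICODE_STRING) and is NULL for the Idle process, so %S could over-read or fault.
 *
 * NOTE(review): if this is used for rootkit detection, it reports the same list a
 * DKOM rootkit unlinks itself from; cross-check against an independent view.
 */
VOID EnumProcess()
{
    /* Initial buffer size; doubled while the kernel reports it is too small. */
    ULONG ulSize = 0x1000;
    /* Hard ceiling for the doubling. 64 MiB is far above any real snapshot and
     * keeps ulSize * 2 from wrapping a ULONG on a persistent mismatch status. */
    const ULONG ulMaxSize = 64 * 1024 * 1024;
    PVOID pBuffer = NULL;
    NTSTATUS status;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    ULONG ulOffset;

    for (;;)
    {
        /* Paged pool is sufficient: the query runs at PASSIVE_LEVEL and the
         * buffer is only touched from this routine. */
        pBuffer = ExAllocatePoolWithTag(PagedPool, ulSize, ENUMPROC_POOL_TAG);
        if (pBuffer == NULL)
        {
            DbgPrint("EnumProcess: pool allocation of %lu bytes failed\n", ulSize);
            return;
        }

        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, ulSize, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;

        /* Too small: release and retry with twice the size, unless at the cap. */
        ExFreePoolWithTag(pBuffer, ENUMPROC_POOL_TAG);
        pBuffer = NULL;
        if (ulSize >= ulMaxSize / 2)
        {
            DbgPrint("EnumProcess: snapshot would exceed %lu bytes, giving up\n", ulMaxSize);
            return;
        }
        ulSize *= 2;
    }

    /* Any other failure (access denied, invalid class, ...) leaves the buffer
     * contents undefined; do not walk it. */
    if (!NT_SUCCESS(status))
    {
        DbgPrint("EnumProcess: ZwQuerySystemInformation failed 0x%08lX\n", (ULONG)status);
        ExFreePoolWithTag(pBuffer, ENUMPROC_POOL_TAG);
        return;
    }

    /* Walk the records. NextEntryDelta is the byte distance from one record to
     * the next and 0 marks the last one. Each step is range-checked against the
     * buffer so a truncated or malformed snapshot cannot be read past its end. */
    ulOffset = 0;
    for (;;)
    {
        ULONG ulDelta;

        /* The fixed part of the record must lie entirely inside the buffer. */
        if (ulOffset > ulSize || ulSize - ulOffset < sizeof(*pInfo))
        {
            DbgPrint("EnumProcess: record at offset %lu overruns the buffer\n", ulOffset);
            break;
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pBuffer + ulOffset);

        /* %wZ formats the UNICODE_STRING by Length and tolerates a NULL Buffer.
         * ProcessId is a HANDLE (pointer-sized) in the official layout and a
         * ULONG in older unofficial ones; the double cast prints correctly under
         * either - confirm against the local typedef. */
        DbgPrint("pid %lu ps %wZ\n", (ULONG)(ULONG_PTR)pInfo->ProcessId, &pInfo->ProcessName);

        ulDelta = pInfo->NextEntryDelta;
        if (ulDelta == 0)
            break;
        if (ulDelta > ulSize - ulOffset)
        {
            DbgPrint("EnumProcess: NextEntryDelta %lu at offset %lu leaves the buffer\n", ulDelta, ulOffset);
            break;
        }
        ulOffset += ulDelta;
    }

    ExFreePoolWithTag(pBuffer, ENUMPROC_POOL_TAG);
}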