最简单的一种,通过PsGetCurrentProcess获取当前进程,然后通过进程结构体的进程双向链表去遍历进程,但是这里不一定可以得到被隐藏的进程
代码
#include<ntifs.h>
VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
DbgPrint("Unload Driver Success! ");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
DbgPrint("Load Driver Success!");
pDriverObject->DriverUnload = DriverUnload;
DWORD_PTR pEprocess = NULL;
//存放进程ID的地址
ULONG ulProcessID = 0;
//存放名字地址
ULONG ulProcessName = 0;
//获取当前进程
pEprocess=(DWORD_PTR)PsGetCurrentProcess();
//通过进程结构体,在进程地址+0xb8的地址为进程链表
PLIST_ENTRY pActiveProcessLinks = (PLIST_ENTRY*)(pEprocess + 0xb8);
PLIST_ENTRY pNextLinks = pActiveProcessLinks->Flink;
while (pNextLinks->Flink != pActiveProcessLinks->Flink)//遍历链表
{
//回到进程结构体头部
pEprocess = ((DWORD_PTR)pNextLinks - 0xb8);
//进程结构体+0xb4的地方为进程ID
ulProcessID = *((ULONG*)(pEprocess + 0xb4));
//进程结构体+0x16c的地方为进程名
ulProcessName = (ULONG)(pEprocess + 0x16c);
DbgPrint("进程ID:%d 进程名称:%s\n", ulProcessID, ulProcessName);
pNextLinks = pNextLinks->Flink;
}
return STATUS_SUCCESS;
}

|