方法1: ZwQuerySystemInformation
这个方法网上一搜一大堆,不举例了
方法2:暴力枚举PID枚举进程,代码:
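// Forward declaration: DriverEntry calls SearchProcessPID before its definition.
NTSTATUS SearchProcessPID(ULONG pid);

/*
 * DriverEntry - driver load routine.
 * Registers MyUnload as the unload callback, then walks the PID space once
 * (stepping by 4, since process IDs are multiples of 4) and prints every
 * process that exists. pRegStr is not used.
 * Returns STATUS_SUCCESS; a failed lookup for an individual PID is ignored.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{
    UNREFERENCED_PARAMETER(pRegStr);
    pDriverObj->DriverUnload = MyUnload;
    DbgPrint("DriverEntry...\n");
    // Method 2: brute-force the PID space. The upper bound of 65535 is the
    // original author's choice; larger PIDs are not visited.
    for (ULONG i = 0; i < 65535; i += 4) {
        SearchProcessPID(i);
    }
    return STATUS_SUCCESS;
}

/*
 * SearchProcessPID - print the image file name of the process with the given PID.
 * Returns the status of PsLookupProcessByProcessId (a failure status when no
 * process has that PID). The EPROCESS reference taken by a successful lookup
 * is released before returning.
 */
NTSTATUS SearchProcessPID(ULONG pid)
{
    PEPROCESS process = NULL;
    // Widen through ULONG_PTR so the ULONG -> HANDLE conversion is clean on 64-bit.
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);
    if (NT_SUCCESS(status)) {
        // PsGetProcessImageFileName hands back a pointer owned by the EPROCESS;
        // nothing needs to be allocated here. The original ExAllocatePool call was
        // overwritten immediately and leaked one pool block per call.
        PUCHAR processName = PsGetProcessImageFileName(process);
        DbgPrint("PID:%u,processName:%s\n", pid, processName);
        // PsLookupProcessByProcessId returns a referenced object; without this the
        // process object could never be freed.
        ObDereferenceObject(process);
    }
    return status;
}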
//通过EPROCESS枚举进程 NTSTATUS SearchProcessEPROCESS() { PEPROCESS process=NULL,firstProcess=NULL; NTSTATUS status = STATUS_SUCCESS; PLIST_ENTRY plist; process = firstProcess = PsGetCurrentProcess(); do { PUCHAR ProcessNmae = NULL; ProcessNmae = PsGetProcessImageFileName(process); DbgPrint("PID:%d,ProcessName:%s\n", (HANDLE)PsGetProcessId(process), ProcessNmae); plist = (PLIST_ENTRY)((ULONG)process + ACTIVE_PROCESS_LINK); process = (PEPROCESS)((ULONG)plist->Flink - ACTIVE_PROCESS_LINK); if (process == firstProcess) { break; } } while (process != NULL); return status; }
原文地址:http://www.cnblogs.com/kuangke/p/5761484.html