Process-operation functions in a Windows driver
阿新 • Published: 2018-06-21
1. First, declare the functions to be used (they are already exported by the kernel, but not declared in the public headers).
```c
#include <ntddk.h>

// 1. Declare the routines to be used (exported by ntoskrnl, undocumented)
NTKERNELAPI NTSTATUS PsSuspendProcess(PEPROCESS pEProcess);
NTKERNELAPI NTSTATUS PsResumeProcess(PEPROCESS pEProcess);
NTKERNELAPI UCHAR*   PsGetProcessImageFileName(IN PEPROCESS pEProcess);
NTKERNELAPI HANDLE   PsGetProcessInheritedFromUniqueProcessId(IN PEPROCESS pEProcess);

// Return the EPROCESS for a PID, or NULL on failure.
// On success the caller owns a reference and must ObDereferenceObject() it.
PEPROCESS LookupProcess(HANDLE hPid)
{
    PEPROCESS pEProcess = NULL;
    if (NT_SUCCESS(PsLookupProcessByProcessId(hPid, &pEProcess)))
        return pEProcess;
    return NULL;
}

// Suspend a process; returns TRUE on success, FALSE otherwise
BOOLEAN KernelSuspendProcess(ULONG Id)
{
    BOOLEAN ok = FALSE;
    // 1. Get the EPROCESS from the PID
    PEPROCESS pEProcess = LookupProcess((HANDLE)(ULONG_PTR)Id);
    if (pEProcess != NULL) {
        // 2. Suspend the process
        ok = NT_SUCCESS(PsSuspendProcess(pEProcess)) ? TRUE : FALSE;
        // 3. Drop the reference taken by PsLookupProcessByProcessId
        ObDereferenceObject(pEProcess);
    }
    return ok;
}

// Resume a process; returns TRUE on success, FALSE otherwise
BOOLEAN KernelResumeProcess(ULONG Id)
{
    BOOLEAN ok = FALSE;
    // 1. Get the EPROCESS from the PID
    PEPROCESS pEProcess = LookupProcess((HANDLE)(ULONG_PTR)Id);
    if (pEProcess != NULL) {
        // 2. Resume the process
        ok = NT_SUCCESS(PsResumeProcess(pEProcess)) ? TRUE : FALSE;
        // 3. Drop the reference taken by PsLookupProcessByProcessId
        ObDereferenceObject(pEProcess);
    }
    return ok;
}

// Terminate a process by PID
VOID KernelKillProcess(ULONG Id)
{
    HANDLE hProcess = NULL;
    CLIENT_ID ClientId = { 0 };
    OBJECT_ATTRIBUTES objAttribut;
    NTSTATUS status;

    ClientId.UniqueProcess = (HANDLE)(ULONG_PTR)Id; // PID
    ClientId.UniqueThread  = NULL;
    InitializeObjectAttributes(&objAttribut, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    // Open the process; if the handle is valid, terminate it
    status = ZwOpenProcess(&hProcess,         // receives the opened handle
                           PROCESS_TERMINATE, // access rights (0x0001)
                           &objAttribut,      // object attributes
                           &ClientId);        // process id structure
    if (NT_SUCCESS(status) && hProcess != NULL) {
        ZwTerminateProcess(hProcess, 0);
        ZwClose(hProcess);
    }
}

// Enumerate processes
VOID EnumProcess(VOID)
{
    PEPROCESS pEProc = NULL;
    ULONG i;

    // Walk the PID space by brute force (assumes no PID exceeds 0x25600)
    for (i = 4; i < 0x25600; i += 4) {
        // a. PID -> PEPROCESS
        pEProc = LookupProcess((HANDLE)(ULONG_PTR)i);
        if (!pEProc)
            continue;
        // b. Print process information
        DbgPrint("EPROCESS=%p PID=%u PPID=%u Name=%s\n",
                 pEProc,
                 (UINT32)(ULONG_PTR)PsGetProcessId(pEProc),
                 (UINT32)(ULONG_PTR)PsGetProcessInheritedFromUniqueProcessId(pEProc),
                 PsGetProcessImageFileName(pEProc));
        // c. Drop the object reference taken by the lookup
        ObDereferenceObject(pEProc);
    }
}
```
Note that this is not the ordinary approach of walking the process linked list, because the links may have been deliberately broken. Here the processes are enumerated by brute force instead (and process IDs are all even).
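The cross-view idea behind that brute-force enumeration, as an added user-mode model that is not the article's driver code: FAKE_EPROCESS, g_table, g_head, lookup_by_pid and simulate_unlinked_entry are simulated stand-ins for the kernel structures and routines, and find_hidden walks PIDs in steps of 4 like EnumProcess and reports the ones a list walk never reaches.

```c
/* Added user-mode model, not the article's kernel code: a process taken out
 * of the ActiveProcessLinks list is still found by PID lookup, so comparing
 * the two views exposes it. All structures here are simulated stand-ins. */
#include <stddef.h>
#include <string.h>
#define MAX_PROC 8
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _FAKE_EPROCESS { unsigned long UniqueProcessId; LIST_ENTRY ActiveProcessLinks; } FAKE_EPROCESS;
static FAKE_EPROCESS g_table[MAX_PROC]; /* stands in for the PID table */
static LIST_ENTRY g_head;               /* stands in for PsActiveProcessHead */
/* Simulated PsLookupProcessByProcessId: NULL when no process has that PID. */
FAKE_EPROCESS *lookup_by_pid(unsigned long pid) {
    for (int i = 0; i < MAX_PROC; i++)
        if (g_table[i].UniqueProcessId == pid) return &g_table[i];
    return NULL;
}
/* Constructed sample: n processes with PIDs 4, 8, 12, ... linked in order. */
void build_table(int n) {
    memset(g_table, 0, sizeof g_table);
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < n && i < MAX_PROC; i++) {
        LIST_ENTRY *e = &g_table[i].ActiveProcessLinks;
        g_table[i].UniqueProcessId = 4UL * (i + 1);
        e->Flink = &g_head; e->Blink = g_head.Blink; /* append at tail */
        g_head.Blink->Flink = e; g_head.Blink = e;
    }
}
/* Reproduce the broken-link condition the article mentions: the entry leaves the list but stays in the table. */
void simulate_unlinked_entry(unsigned long pid) {
    FAKE_EPROCESS *p = lookup_by_pid(pid);
    if (!p) return;
    p->ActiveProcessLinks.Blink->Flink = p->ActiveProcessLinks.Flink;
    p->ActiveProcessLinks.Flink->Blink = p->ActiveProcessLinks.Blink;
}
/* Cross-view detection: brute-force PIDs 4..max_pid in steps of 4 (as EnumProcess does) and collect those the list walk misses. */
int find_hidden(unsigned long max_pid, unsigned long *hidden, int cap) {
    int n = 0;
    for (unsigned long pid = 4; pid < max_pid; pid += 4) {
        FAKE_EPROCESS *p = lookup_by_pid(pid);
        if (!p) continue;
        int seen = 0;
        for (LIST_ENTRY *e = g_head.Flink; e != &g_head; e = e->Flink)
            if (CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks) == p) seen = 1;
        if (!seen && n < cap) hidden[n++] = pid;
    }
    return n;
}
```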