驅動遍歷程序的方法
阿新 • • 發佈:2018-12-17
/*#include <ntddk.h> #define DEVICE_OBJECT_NAME L"\\Device\\BufferedIODeviceObjectName" #define DEVICE_LINK_NAME L"\\DosDevices\\BufferedIODevcieLinkName" void dirver(IN PDRIVER_OBJECT pDriveObject) { KdPrint(("驅動已經解除安裝!\n")); DbgPrint("解除安裝成功!\\n"); } NTSTATUS pass(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp) { pIrp->IoStatus.Status = STATUS_SUCCESS; pIrp->IoStatus.Information = 0; IoCompleteRequest(pIrp, IO_NO_INCREMENT); return STATUS_SUCCESS; } NTSTATUS Read(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp) { KdPrint(("程式已經開始執行!\n")); NTSTATUS flag = STATUS_SUCCESS; PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp); ULONG u_len = stack->Parameters.Read.Length; pIrp->IoStatus.Status = flag; pIrp->IoStatus.Information = u_len; memset(pIrp->AssociatedIrp.SystemBuffer, 0xAA, u_len);; IoCompleteRequest(pIrp, IO_NO_INCREMENT); KdPrint(("程式已經結束\n")); return flag; } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriveObject, IN PUNICODE_STRING RegisterPath) { PDEVICE_OBJECT DeviceObject = NULL; UNICODE_STRING DeviceObjectName; UNICODE_STRING DeviceObjectLink; NTSTATUS flag = STATUS_SUCCESS; RtlInitUnicodeString(&DeviceObjectName, DEVICE_OBJECT_NAME); flag = IoCreateDevice(DriveObject, 0, &DeviceObjectName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject); if (!NT_SUCCESS(flag)) { return flag; } DeviceObject->Flags |= DO_DIRECT_IO; RtlInitUnicodeString(&DeviceObjectLink, DEVICE_LINK_NAME); flag = IoCreateSymbolicLink(&DeviceObjectLink, &DeviceObjectName); if (!NT_SUCCESS(flag)) { IoDeleteDevice(DeviceObject); } for (ULONG i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) { DriveObject->MajorFunction[i] = pass; } DriveObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Read; DriveObject->DriverUnload = dirver; return STATUS_SUCCESS; }*/ #include <ntifs.h> NTSTATUS ZwQuerySystemInformation( ULONG SystemClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG RetLength ); typedef struct _SYSTEM_THREADS { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientID; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; ULONG ThreadState; KWAIT_REASON WaitReason; ULONG Reserved; //Add }SYSTEM_THREADS, *PSYSTEM_THREADS; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER Reserved[3]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE ProcessId; HANDLE InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; ULONG PrivatePageCount; VM_COUNTERS VirtualMemoryCounters; IO_COUNTERS IoCounters; SYSTEM_THREADS Threads[0]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; CHAR* PsGetProcessImageFileName(PEPROCESS Process); void driveunload(PDRIVER_OBJECT pDriveObject) { KdPrint(("解除安裝結束!\n")); } void EumProcessByQueyInformation() { NTSTATUS status; ULONG Retlength; PVOID Buffer = NULL; PSYSTEM_PROCESS_INFORMATION SystemProcess = NULL; status = ZwQuerySystemInformation(5, NULL,0,&Retlength); if (status == STATUS_INFO_LENGTH_MISMATCH) { KdPrint(("開始執行!\n")); Buffer = ExAllocatePool(PagedPool, Retlength); if (Buffer) { RtlZeroMemory(Buffer, Retlength); status = ZwQuerySystemInformation(5, Buffer, Retlength, &Retlength); if (NT_SUCCESS(status)) { SystemProcess = Buffer; do{ KdPrint(("%wZ\n", SystemProcess->ImageName)); SystemProcess = ((ULONG64)SystemProcess) + SystemProcess->NextEntryOffset; } while (SystemProcess->NextEntryOffset); } ExFreePool(Buffer); } } } void EumProcessByLookUpProcessId() { ULONG Pid; NTSTATUS status; PEPROCESS Process; for (Pid = 0; Pid <= 240000; Pid += 4) { status = PsLookupProcessByProcessId(Pid, &Process); if (NT_SUCCESS(status)) { KdPrint(("%s\n", PsGetProcessImageFileName(Process))); ObDereferenceObject(Process); } } } NTSTATUS DriverEntry(PDRIVER_OBJECT DriveObject,PUNICODE_STRING RegisterPath) { //EumProcessByQueyInformation(); EumProcessByLookUpProcessId(); DriveObject->DriverUnload = driveunload; return STATUS_SUCCESS; }