驅動程式設計獲取系統正在執行的程序
阿新 • • 發佈:2018-12-03
直接貼程式碼了,在VS2010上面執行通過,記得用Dbgview檢視輸出
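#include "ntddk.h"

// SystemInformationClass value that selects the process/thread snapshot.
#define SYSTEMPROCESSINFORMATION 5

// Pool tag for the snapshot buffer, so leaks are attributable in !poolused.
#define PROCLIST_POOL_TAG 'LPsP'

// Extra bytes requested beyond the size the kernel reported, to absorb
// processes created between the size query and the real query.
#define PROCLIST_HEADROOM 4096

// How many times to re-query when the kernel still reports
// STATUS_INFO_LENGTH_MISMATCH because the list grew in between.
#define PROCLIST_MAX_RETRIES 4

// Per-thread record; an array of these trails every SYSTEM_PROCESSES entry.
// NOTE(review): this is the undocumented 32-bit layout the original sample
// was built against (VS2010). A 64-bit build uses pointer-sized ids and
// handles in these structures -- confirm against the target WDK before reuse.
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

// One process entry of the snapshot. Entries are variable-length and chained
// by byte offset; the last entry has NextEntryDelta == 0.
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;           // byte offset from this entry to the next; 0 on the last one
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;     // image name; Buffer may be NULL (idle process) and
                                    // is not guaranteed to be NUL-terminated -- use Length
    KPRIORITY BasePriority;
    ULONG ProcessId;                // pid
    ULONG InheritedFromProcessId;   // parent pid
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;         // windows 2000 only
    struct _SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

// ZwQuerySystemInformation is exported by ntoskrnl but was not declared in the
// ntddk.h this sample was written against, so it is declared here.
// NOTE(review): newer WDKs do declare it (with a SYSTEM_INFORMATION_CLASS
// parameter); if the header already provides it, drop this declaration.
extern "C" {
NTSTATUS ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,    // only class 5 (process information) is used here
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
);
}

/*
 * Walk the chained process entries in a snapshot buffer and DbgPrint each
 * image name and pid.
 *
 * pBase   - start of the buffer filled by ZwQuerySystemInformation
 * cbValid - number of bytes the kernel reported as written into pBase
 *
 * Every entry header is range-checked against cbValid before it is read, and
 * NextEntryDelta is checked before it is followed, so a short or malformed
 * buffer ends the walk instead of reading past the allocation.
 */
static VOID PrintProcessEntries(PVOID pBase, ULONG cbValid)
{
    SIZE_T offset = 0;      // invariant: offset <= cbValid

    for (;;) {
        // The fixed part of the entry (everything before the thread array)
        // must fit in the remaining valid bytes before we dereference it.
        if (cbValid - offset < FIELD_OFFSET(SYSTEM_PROCESSES, Threads)) {
            DbgPrint("process list truncated at offset %Iu\n", offset);
            break;
        }

        PSYSTEM_PROCESSES pEntry = (PSYSTEM_PROCESSES)((char *)pBase + offset);

        // %wZ prints exactly ProcessName.Length bytes, so a name that is not
        // NUL-terminated is never over-read; the idle process has no name.
        if (pEntry->ProcessName.Buffer == NULL) {
            DbgPrint("ProcName: %s pid: %u\n", "NULL", pEntry->ProcessId);
        } else {
            DbgPrint("ProcName: %wZ pid: %u\n", &pEntry->ProcessName, pEntry->ProcessId);
        }

        if (pEntry->NextEntryDelta == 0) {
            break;              // last entry
        }
        if (pEntry->NextEntryDelta > cbValid - offset) {
            DbgPrint("process list: NextEntryDelta points outside the buffer\n");
            break;
        }
        offset += pEntry->NextEntryDelta;
    }
}

/*
 * Snapshot all processes with ZwQuerySystemInformation and print each image
 * name and pid via DbgPrint.
 *
 * Must be called at PASSIVE_LEVEL (ZwQuerySystemInformation requires it).
 * Returns the NTSTATUS of the last query, STATUS_INSUFFICIENT_RESOURCES if
 * the snapshot buffer could not be allocated, or STATUS_UNSUCCESSFUL if the
 * kernel reported no buffer size at all.
 */
NTSTATUS PsProcessList()
{
    NTSTATUS nStatus = STATUS_UNSUCCESSFUL;
    ULONG retLength = 0;    // initialised: the size query may fail before writing it
    ULONG bufLength = 0;
    PVOID pProcInfo = NULL;

    // Size query: expected to fail with STATUS_INFO_LENGTH_MISMATCH and report
    // the required length in retLength.
    nStatus = ZwQuerySystemInformation(SYSTEMPROCESSINFORMATION, NULL, 0, &retLength);
    if (retLength == 0) {
        DbgPrint("ZwQuerySystemInformation error!\n");
        // Never report success to the caller when nothing was enumerated.
        return NT_SUCCESS(nStatus) ? STATUS_UNSUCCESSFUL : nStatus;
    }
    DbgPrint("retLength = %u\n", retLength);

    // The process list can grow between the size query and the real query,
    // so allocate with headroom and retry while the kernel asks for more.
    for (ULONG attempt = 0; ; attempt++) {
        if (retLength > MAXULONG - PROCLIST_HEADROOM) {
            DbgPrint("ZwQuerySystemInformation: reported length too large\n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        bufLength = retLength + PROCLIST_HEADROOM;

        // PagedPool is sufficient: this runs at PASSIVE_LEVEL only.
        pProcInfo = ExAllocatePoolWithTag(PagedPool, bufLength, PROCLIST_POOL_TAG);
        if (pProcInfo == NULL) {
            DbgPrint("ExAllocatePool error!\n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        nStatus = ZwQuerySystemInformation(SYSTEMPROCESSINFORMATION,
                                           pProcInfo, bufLength, &retLength);
        if (nStatus != STATUS_INFO_LENGTH_MISMATCH || attempt + 1 >= PROCLIST_MAX_RETRIES) {
            break;
        }
        // Too small again: drop this buffer and retry with the new length.
        ExFreePoolWithTag(pProcInfo, PROCLIST_POOL_TAG);
        pProcInfo = NULL;
    }

    if (NT_SUCCESS(nStatus)) {
        // retLength now holds the number of bytes actually written.
        PrintProcessEntries(pProcInfo, retLength);
    } else {
        DbgPrint("error code : 0x%08X!!!\n", nStatus);
    }

    ExFreePoolWithTag(pProcInfo, PROCLIST_POOL_TAG);
    return nStatus;
}

// Unload callback. Nothing to release: the snapshot buffer is freed inside
// PsProcessList before it returns.
VOID OnUnload(IN PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("Driver has been unloaded!!!\n");
}

// Driver entry point: registers the unload routine, then dumps the process
// list once. The listing is informational, so its status does not affect
// whether the driver loads.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);

    // Register unload first so the driver can always be unloaded, even if
    // the enumeration below fails.
    driver->DriverUnload = OnUnload;

    (void)PsProcessList();
    return STATUS_SUCCESS;
}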