Enumerating processes

1. A screenshot of the result first:

(screenshot: enumerating processes)

2. Driver code

#include <ntddk.h>

/*
 * Hard-coded EPROCESS field offsets. These match 32-bit Windows XP:
 *   +0x084  UniqueProcessId
 *   +0x088  ActiveProcessLinks (LIST_ENTRY)
 *   +0x174  ImageFileName (char[16])
 * They differ on every other Windows build, so confirm them with
 * "dt nt!_EPROCESS" in WinDbg before running this anywhere else.
 */
#define OFFSET_UNIQUE_PROCESS_ID    0x084
#define OFFSET_ACTIVE_PROCESS_LINKS 0x088
#define OFFSET_IMAGE_FILE_NAME      0x174

void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("Stop Driver! \r\n"));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    PEPROCESS pEprocess = NULL;
    PEPROCESS pFirstEprocess = NULL;
    PCHAR pProcessName = NULL;
    ULONG ulProcessId = 0;

    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = DriverUnload;

    /* DriverEntry runs in the context of the System process, so the walk starts there. */
    pEprocess = PsGetCurrentProcess();
    if (pEprocess == NULL)
    {
        KdPrint(("PsGetCurrentProcess Error ! \r\n"));
        return STATUS_SUCCESS;
    }

    pFirstEprocess = pEprocess;

    while (pEprocess != NULL)
    {
        /* ImageFileName is an inline char[16] inside EPROCESS; UniqueProcessId is a HANDLE. */
        pProcessName = (PCHAR)pEprocess + OFFSET_IMAGE_FILE_NAME;
        ulProcessId = *(ULONG*)((PCHAR)pEprocess + OFFSET_UNIQUE_PROCESS_ID);
        KdPrint(("ProcessName = %s, ProcessId = %d \r\n", pProcessName, ulProcessId));

        /* Follow ActiveProcessLinks.Flink, then subtract the field offset to get
         * back to the start of the next EPROCESS (what CONTAINING_RECORD does). */
        pEprocess = (PEPROCESS)(*(PCHAR*)((PCHAR)pEprocess + OFFSET_ACTIVE_PROCESS_LINKS) - OFFSET_ACTIVE_PROCESS_LINKS);

        /* Stop when the walk returns to its starting point, or when it reaches the
         * list head PsActiveProcessHead. The head is a bare LIST_ENTRY in kernel data,
         * not an EPROCESS, so the "PID" read through it is not a PID at all; the
         * negative-value test below is the heuristic this tutorial uses to detect it. */
        if (pEprocess == pFirstEprocess || (*(LONG*)((PCHAR)pEprocess + OFFSET_UNIQUE_PROCESS_ID)) < 0)
        {
            break;
        }
    }

    return STATUS_SUCCESS;
}
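The walk above can be exercised in user mode without loading a driver. The following is an added example, not code from the original post: it models EPROCESS as a hypothetical MOCK_EPROCESS struct that places the three fields the driver reads at the page's 32-bit XP offsets (0x84, 0x88, 0x174), builds a constructed sample list of four processes (names and PIDs made up for the example) around a sentinel head standing in for the unexported PsActiveProcessHead, and walks ActiveProcessLinks from an arbitrary "current" process the way DriverEntry does from PsGetCurrentProcess(). It stops when the walk returns to its starting entry and skips the list head explicitly rather than relying on the negative-PID heuristic; the CONTAINING_RECORD macro is the general form of the page's "Flink - 0x88" arithmetic, and pid_by_offset/name_by_offset read the fields with raw offsets exactly as the driver does so the two can be compared.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of the kernel LIST_ENTRY used by EPROCESS.ActiveProcessLinks. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Hypothetical stand-in for EPROCESS: only the three fields the driver touches,
 * padded so they sit at the page's 32-bit Windows XP offsets on any host. */
typedef struct _MOCK_EPROCESS {
    uint8_t    Pad0[0x84];
    uint32_t   UniqueProcessId;                          /* +0x84 */
    LIST_ENTRY ActiveProcessLinks;                       /* +0x88 */
    uint8_t    Pad1[0x174 - 0x88 - sizeof(LIST_ENTRY)];
    char       ImageFileName[16];                        /* +0x174 */
} MOCK_EPROCESS;

_Static_assert(offsetof(MOCK_EPROCESS, UniqueProcessId) == 0x84, "pid offset");
_Static_assert(offsetof(MOCK_EPROCESS, ActiveProcessLinks) == 0x88, "links offset");
_Static_assert(offsetof(MOCK_EPROCESS, ImageFileName) == 0x174, "name offset");

/* The driver's "Flink - 0x88" written generically (ntddk.h provides the real one). */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Sentinel head playing the role of PsActiveProcessHead: a bare LIST_ENTRY in
 * data, not an EPROCESS, so a walk must never dereference it as one. */
static LIST_ENTRY g_ActiveProcessHead = { &g_ActiveProcessHead, &g_ActiveProcessHead };

static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Constructed sample: four processes with names/PIDs chosen for this example. */
static MOCK_EPROCESS g_procs[4];

MOCK_EPROCESS *build_sample_list(void)
{
    static const struct { uint32_t pid; const char *name; } sample[4] = {
        { 4,    "System"       },
        { 624,  "smss.exe"     },
        { 688,  "csrss.exe"    },
        { 1720, "explorer.exe" },
    };
    g_ActiveProcessHead.Flink = g_ActiveProcessHead.Blink = &g_ActiveProcessHead;
    for (size_t i = 0; i < 4; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = sample[i].pid;
        strncpy(g_procs[i].ImageFileName, sample[i].name, sizeof g_procs[i].ImageFileName - 1);
        insert_tail(&g_ActiveProcessHead, &g_procs[i].ActiveProcessLinks);
    }
    return &g_procs[2];   /* pretend csrss.exe was current when the walk began */
}

/* Raw-offset reads, exactly as the page's driver does them. */
uint32_t pid_by_offset(const void *eprocess)
{
    return *(const uint32_t *)((const char *)eprocess + 0x84);
}
const char *name_by_offset(const void *eprocess)
{
    return (const char *)eprocess + 0x174;
}

/* Walk ActiveProcessLinks from an arbitrary current process until the walk
 * returns to it. The head is skipped by address instead of by the
 * "PID is negative" heuristic. Returns the count; fills pids[] up to max_pids. */
size_t enumerate_processes(MOCK_EPROCESS *current, LIST_ENTRY *head,
                           uint32_t *pids, size_t max_pids)
{
    size_t n = 0;
    LIST_ENTRY *e = &current->ActiveProcessLinks;
    do {
        if (e != head) {
            MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
            if (n < max_pids)
                pids[n] = p->UniqueProcessId;
            n++;
            printf("ProcessName = %s, ProcessId = %u\n", name_by_offset(p), pid_by_offset(p));
        }
        e = e->Flink;
    } while (e != &current->ActiveProcessLinks);
    return n;
}

uint32_t g_pids[8];

/* Builds the sample list and walks it; results land in g_pids in walk order. */
size_t run_sample(void)
{
    MOCK_EPROCESS *cur = build_sample_list();
    return enumerate_processes(cur, &g_ActiveProcessHead, g_pids, 8);
}

int main(void)
{
    printf("%zu processes\n", run_sample());
    return 0;
}
```

Build with `cc -std=c11 walk.c`. Starting from csrss.exe the walk prints csrss.exe, explorer.exe, System, smss.exe: the head between explorer.exe and System is stepped over, and the loop ends when Flink leads back to the csrss entry, which is the same two stopping conditions the driver needs, minus the guess about what the bytes before PsActiveProcessHead look like.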

3. Running it

Build the driver in the checked (Debug) configuration, because KdPrint compiles to nothing in a free build. Open DbgView and enable kernel capture, then load the compiled driver with KmdManager and start it; DbgView prints one ProcessName/ProcessId line per process. Stop and unload the driver afterwards.
