通过函数 ExEnumHandleTable 得到进程的 EPROCESS
/* Driver.h */
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
/* Driver entry point, defined in Driver.cpp. Kept inside the extern "C"
   guard so the loader finds it by its unmangled name. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
/* Section-placement helpers, used as `#pragma PAGEDCODE` etc. before a
   function: PAGE is the pageable section, INIT is discarded after
   DriverEntry returns, and the empty code_seg() is the default (non-paged)
   section. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
/* Element count of a real array; yields garbage on a pointer. */
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
/* Sizing constants for the handle trace database (HANDLE_TRACE_DEBUG_INFO).
   Only needed so the private HANDLE_TABLE layout below can be spelled out;
   nothing in this driver reads them. */
#define HANDLE_TRACE_DB_MAX_STACKS 65536
#define HANDLE_TRACE_DB_MIN_STACKS 128
#define HANDLE_TRACE_DB_DEFAULT_STACKS 4096
#define HANDLE_TRACE_DB_STACK_SIZE 16
/* One record of the kernel's handle tracing database: which thread did what
   (open/close/bad reference) to which handle, plus a captured stack.
   NOTE(review): private kernel layout reproduced by hand — it must match the
   target kernel build exactly; verify against that build's symbols. */
typedef struct _HANDLE_TRACE_DB_ENTRY {
    CLIENT_ID ClientId;
    HANDLE Handle;
#define HANDLE_TRACE_DB_OPEN 1
#define HANDLE_TRACE_DB_CLOSE 2
#define HANDLE_TRACE_DB_BADREF 3
    ULONG Type;     /* one of the HANDLE_TRACE_DB_* values above */
    PVOID StackTrace[HANDLE_TRACE_DB_STACK_SIZE];
} HANDLE_TRACE_DB_ENTRY, *PHANDLE_TRACE_DB_ENTRY;
/* Header of the handle tracing database referenced from HANDLE_TABLE.DebugInfo.
   TraceDb[1] is a variable-length trailing array in the kernel's own
   declaration style; it is kept as-is because the layout must stay
   byte-identical to the kernel's.
   NOTE(review): private kernel layout — confirm against the target build. */
typedef struct _HANDLE_TRACE_DEBUG_INFO {
    LONG RefCount;
    ULONG TableSize;
#define HANDLE_TRACE_DEBUG_INFO_CLEAN_DEBUG_INFO 0x1
#define HANDLE_TRACE_DEBUG_INFO_COMPACT_CLOSE_HANDLE 0x2
#define HANDLE_TRACE_DEBUG_INFO_BREAK_ON_WRAP_AROUND 0x4
#define HANDLE_TRACE_DEBUG_INFO_WAS_WRAPPED_AROUND 0x40000000
#define HANDLE_TRACE_DEBUG_INFO_WAS_SOMETIME_CLEANED 0x80000000
    ULONG BitMaskFlags;     /* HANDLE_TRACE_DEBUG_INFO_* bits */
    FAST_MUTEX CloseCompactionLock;
    ULONG CurrentStackIndex;
    HANDLE_TRACE_DB_ENTRY TraceDb[1];
} HANDLE_TRACE_DEBUG_INFO, *PHANDLE_TRACE_DEBUG_INFO;
/* Kernel handle table. This driver never reads its fields directly: it only
   needs the type so that the PspCidTable pointer recovered by
   SearchPspCidTable can be handed to ExEnumHandleTable, which interprets
   the layout. The definition still has to be the real one, because
   ExEnumHandleTable walks whatever is behind the pointer.
   NOTE(review): private, version-specific layout (32-bit field widths) —
   confirm against the target kernel's symbols before use elsewhere. */
typedef struct _HANDLE_TABLE {
    ULONG_PTR TableCode;
    struct _EPROCESS *QuotaProcess;
    HANDLE UniqueProcessId;
#define HANDLE_TABLE_LOCKS 4
    ULONG HandleTableLock[HANDLE_TABLE_LOCKS];
    LIST_ENTRY HandleTableList;
    ULONG HandleContentionEvent;
    PHANDLE_TRACE_DEBUG_INFO DebugInfo;
    LONG ExtraInfoPages;
    ULONG FirstFree;
    ULONG LastFree;
    ULONG NextHandleNeedingPool;
    LONG HandleCount;
    union {
        ULONG Flags;
        BOOLEAN StrictFIFO : 1;
    };
} HANDLE_TABLE, *PHANDLE_TABLE;
/* Optional per-entry audit data; one of the views of HANDLE_TABLE_ENTRY's
   first word points at it. Unused by this driver. */
typedef struct _HANDLE_TABLE_ENTRY_INFO {
    ACCESS_MASK AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
/* One slot of a handle table, as handed to the ExEnumHandleTable callback.
   The first word is overloaded: it is the object-body pointer (Object) but
   the same storage is also read as flag bits (ObAttributes) and as a raw
   integer (Value).
   NOTE(review): because of that overloading the low bits of Object may carry
   attribute/lock flags on some builds; consumers should verify this for the
   target kernel before treating Object as a clean pointer.
   NOTE(review): private, version-specific layout — confirm against the
   target kernel's symbols. */
typedef struct _HANDLE_TABLE_ENTRY {
    union {
        PVOID Object;
        ULONG ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO InfoTable;
        ULONG_PTR Value;
    };
    union {
        union {
            ACCESS_MASK GrantedAccess;
            struct {
                USHORT GrantedAccessIndex;
                USHORT CreatorBackTraceIndex;
            };
        };
        LONG NextFreeTableEntry;    /* free-list link when the slot is unused */
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
/* Callback signature for ExEnumHandleTable. It is called once per in-use
   entry with the entry itself, the handle value that maps to it, and the
   caller's EnumParameter. Returning TRUE ends the walk and makes
   ExEnumHandleTable report that entry through its Handle out-parameter;
   returning FALSE moves on to the next entry. EnumHandleCallBack in
   Driver.cpp relies on exactly this: TRUE only for the matching entry. */
typedef BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
    );
/* Exported by ntoskrnl but not declared in ntddk.h, hence declared by hand.
   Walks every entry of HandleTable and calls EnumHandleProcedure for each;
   returns TRUE if the callback stopped the walk (Handle, if given, then
   receives the matching handle), FALSE if the whole table was visited.
   It dereferences HandleTable unconditionally, so the caller must never
   pass NULL (SearchPspCidTable returns 0 on failure). */
EXTERN_C NTKERNELAPI BOOLEAN ExEnumHandleTable (
    __in PHANDLE_TABLE HandleTable,
    __in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
    __in PVOID EnumParameter,
    __out_opt PHANDLE Handle
    );
/* Declared here only so SearchPspCidTable can take the routine's address as
   the start of its byte-signature scan; the driver never calls it. */
EXTERN_C NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(
    __in HANDLE ProcessId,
    __deref_out PEPROCESS *Process
    );
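/* Creation-time attributes referenced from OBJECT_HEADER.ObjectCreateInfo.
   Declared only so OBJECT_HEADER can name the pointer type; nothing in this
   driver reads these fields.
   Fix: the pointer typedef ended in `;;` — an empty file-scope declaration
   that ISO C rejects under -pedantic.
   NOTE(review): private kernel layout — confirm against the target build. */
typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION;
typedef struct _OBJECT_CREATE_INFORMATION *POBJECT_CREATE_INFORMATION;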
/* Object-manager header that precedes every object body. Body is the last
   member, so OBJECT_TO_OBJECT_HEADER can step back from a body pointer to
   the header; IsProcess reads Type from it. With the 32-bit field widths
   used here the header is 0x18 bytes, i.e. the header lives 0x18 bytes
   below the body and can fall on a different page than the body.
   NOTE(review): private, version-specific layout — confirm against the
   target kernel's symbols. */
typedef struct _OBJECT_HEADER {
    LONG_PTR PointerCount;
    union {
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;      /* compared against *PsProcessType in IsProcess */
    UCHAR NameInfoOffset;
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;              /* first bytes of the object body itself */
} OBJECT_HEADER, *POBJECT_HEADER;
/* Object body pointer -> its OBJECT_HEADER (steps back by the offset of Body). */
#define OBJECT_TO_OBJECT_HEADER( o ) \
    CONTAINING_RECORD( (o), OBJECT_HEADER, Body )
/* Context passed through ExEnumHandleTable to EnumHandleCallBack.
   pszName is the input (substring of the image name to look for);
   pEprocess is the output, set by the callback on the first match and left
   NULL otherwise. The pointer is stored without taking an object reference. */
typedef struct _tagRETENUMHANDLE
{
    PUCHAR pszName;
    PEPROCESS pEprocess;
}RETENUMHANDLE, *PRETENUMHANDLE;
/* Driver.cpp */
#include "Driver.h"
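/* Number of code bytes of PsLookupProcessByProcessId that are scanned. */
#define PSPCIDTABLE_SCAN_BYTES 0x100

/* Recovers the address of the kernel's PspCidTable by scanning the start of
 * PsLookupProcessByProcessId for the x86 byte sequence
 *
 *     53                 push ebx                    (i-1)
 *     FF 35 xx xx xx xx  push dword ptr [PspCidTable] (i .. i+5)
 *     E8 xx xx xx xx     call ...                    (i+6)
 *
 * and reading the absolute imm32 after FF 35, which is the address of the
 * global cell holding the table pointer.
 *
 * Returns the table pointer as a ULONG, or 0 on failure. Callers MUST check
 * for 0: handing the result to ExEnumHandleTable unchecked bugchecks.
 *
 * Fixes over the original: the scan starts at offset 1, because the pattern
 * looks one byte back (`push ebx`) and offset 0 read the byte before the
 * function; and both dereferences are validated so a kernel build with a
 * different code sequence fails cleanly instead of faulting.
 *
 * NOTE(review): this only works on 32-bit x86 kernels whose
 * PsLookupProcessByProcessId begins this way (the 0x174 ImageFileName offset
 * used elsewhere in this driver suggests Windows XP). On x64 the push is
 * RIP-relative and ULONG cannot hold the pointer; re-derive the signature per
 * target build rather than reusing this one.
 */
ULONG SearchPspCidTable()
{
    PUCHAR pCode = (PUCHAR)PsLookupProcessByProcessId;
    PUCHAR pHit = NULL;
    ULONG i;

    for (i = 1; i < PSPCIDTABLE_SCAN_BYTES; i++)
    {
        PUCHAR p = pCode + i;
        if (p[-1] == 0x53 && p[0] == 0xff && p[1] == 0x35 && p[6] == 0xe8)
        {
            pHit = p;
            break;
        }
    }
    if (pHit == NULL)
    {
        KdPrint(("Find faile!\n"));
        return 0;
    }

    /* imm32 after FF 35 = address of the global that stores the pointer. */
    PULONG pTableCell = *(PULONG *)(pHit + 2);
    if (!MmIsAddressValid(pTableCell))
    {
        KdPrint(("SearchPspCidTable: PspCidTable cell %p not valid\n", pTableCell));
        return 0;
    }
    ULONG uTable = *pTableCell;
    if (uTable == 0 || !MmIsAddressValid((PVOID)uTable))
    {
        KdPrint(("SearchPspCidTable: PspCidTable %x not valid\n", uTable));
        return 0;
    }
    return uTable;
}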
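/* Returns TRUE when Object is the body of a process object, i.e. its
 * OBJECT_HEADER.Type equals *PsProcessType. PspCidTable holds thread objects
 * as well, so the enumeration callback uses this to keep only processes.
 *
 * Fix: the header is found by stepping back from the body
 * (OBJECT_TO_OBJECT_HEADER) and can sit on a different page, but the
 * original probed the body address twice and never the header, then read
 * Type before the second probe. The header address is now probed before
 * Type is read.
 *
 * MmIsAddressValid is only a point-in-time check: it says the page is
 * mapped now, not that the object stays alive or mapped afterwards, so this
 * is a filter against garbage pointers, not a lifetime guarantee.
 * NOTE(review): OBJECT_HEADER is the 32-bit layout declared in Driver.h
 * (0x18-byte header); other builds place Type elsewhere.
 */
BOOLEAN IsProcess(PVOID Object)
{
    if (Object == NULL)
    {
        return FALSE;
    }

    POBJECT_HEADER Header = OBJECT_TO_OBJECT_HEADER(Object);
    if (!MmIsAddressValid(Header) || !MmIsAddressValid(Object))
    {
        return FALSE;
    }

    POBJECT_TYPE ObjectType = Header->Type;
    if (ObjectType == NULL)
    {
        return FALSE;
    }

    return (ObjectType == *PsProcessType) ? TRUE : FALSE;
}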
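/* EPROCESS.ImageFileName: 16 bytes at this offset from the object body.
 * Version-specific (0x174 matches the Windows XP x86 EPROCESS); it has to be
 * re-derived for any other kernel build. */
#define EPROCESS_IMAGEFILENAME_OFFSET 0x174
#define EPROCESS_IMAGEFILENAME_SIZE   16

/* ExEnumHandleTable callback (EX_ENUMERATE_HANDLE_ROUTINE). EnumParameter is
 * a PRETENUMHANDLE; the first process object whose ImageFileName contains
 * pszName (strstr: substring, case-sensitive) is stored in pEprocess.
 *
 * Return value contract: TRUE stops the enumeration and reports this entry,
 * FALSE continues. The original returned TRUE for an empty slot, which
 * would end the walk at the first such entry instead of skipping it; empty
 * and non-matching entries now return FALSE. An unusable context (NULL
 * pointer or NULL name) still returns TRUE, since nothing can ever match
 * and stopping is the cheapest outcome; pEprocess stays NULL in that case.
 *
 * Other hardening: the ImageFileName range is probed before it is copied
 * (the body probe in IsProcess covers only the object's first page), the
 * local copy is one byte longer than the field and zero-filled so strstr
 * always sees a terminator, and pointer arithmetic is done on PUCHAR rather
 * than through a 32-bit ULONG cast.
 *
 * NOTE(review): the low bits of HandleTableEntry->Object are masked because
 * the same word is also viewed as ObAttributes (see HANDLE_TABLE_ENTRY). A
 * real object pointer is at least 8-byte aligned, so the mask is a no-op on
 * a clean pointer; confirm the flag layout for the target kernel.
 * NOTE(review): no object reference is taken on the match; the pointer is
 * only guaranteed while the kernel holds this entry locked, i.e. during
 * this call.
 */
BOOLEAN EnumHandleCallBack(IN PHANDLE_TABLE_ENTRY HandleTableEntry,
                           IN HANDLE Handle,
                           IN PVOID EnumParameter
                           )
{
    PRETENUMHANDLE pRetEnumHandle = (PRETENUMHANDLE)EnumParameter;
    UNREFERENCED_PARAMETER(Handle);

    if (pRetEnumHandle == NULL || pRetEnumHandle->pszName == NULL)
    {
        return TRUE;
    }

    PVOID Object = (PVOID)((ULONG_PTR)HandleTableEntry->Object & ~(ULONG_PTR)7);
    if (Object == NULL)
    {
        return FALSE;   /* empty slot: keep walking */
    }
    if (!IsProcess(Object))
    {
        return FALSE;   /* thread or other object: keep walking */
    }

    PUCHAR pImageName = (PUCHAR)Object + EPROCESS_IMAGEFILENAME_OFFSET;
    if (!MmIsAddressValid(pImageName) ||
        !MmIsAddressValid(pImageName + EPROCESS_IMAGEFILENAME_SIZE - 1))
    {
        return FALSE;
    }

    /* +1 and zero-filled: the last byte stays 0 even if the field holds
       16 non-NUL characters, so strstr cannot run past the copy. */
    UCHAR szProcessName[EPROCESS_IMAGEFILENAME_SIZE + 1] = {0};
    memcpy(szProcessName, pImageName, EPROCESS_IMAGEFILENAME_SIZE);

    if (strstr((char *)szProcessName, (char *)pRetEnumHandle->pszName) == NULL)
    {
        return FALSE;
    }

    KdPrint(("%s\n", szProcessName));
    pRetEnumHandle->pEprocess = (PEPROCESS)Object;
    return TRUE;
}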
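/* Finds a process whose EPROCESS.ImageFileName contains pszProcessName
 * (substring, case-sensitive) by walking PspCidTable with ExEnumHandleTable.
 *
 * Returns the first matching EPROCESS, or NULL when pszProcessName is NULL,
 * when PspCidTable could not be located, or when nothing matched.
 *
 * Fix: SearchPspCidTable returns 0 when its byte signature is not found; the
 * original passed that straight to ExEnumHandleTable, which dereferences the
 * table and bugchecks on NULL. The lookup now fails with NULL instead.
 *
 * NOTE(review): no reference is taken on the returned object. The entry is
 * only locked while the callback runs; once ExEnumHandleTable returns, the
 * process may exit and its EPROCESS be freed. A caller that does more than
 * print the address should obtain a referenced pointer first — e.g. via
 * PsLookupProcessByProcessId with the handle ExEnumHandleTable reports in
 * rhandle, which for PspCidTable is the process's ID — and dereference it
 * when done.
 */
PEPROCESS GetEprocessByName(PUCHAR pszProcessName)
{
    if (pszProcessName == NULL)
    {
        return NULL;
    }

    PHANDLE_TABLE PspCidTable = (PHANDLE_TABLE)SearchPspCidTable();
    if (PspCidTable == NULL)
    {
        KdPrint(("GetEprocessByName: PspCidTable not found\n"));
        return NULL;
    }

    HANDLE rhandle = 0;
    RETENUMHANDLE RetEnumHandle = {0};
    RetEnumHandle.pszName = pszProcessName;

    /* TRUE only if the callback stopped the walk; pEprocess is NULL unless
       the callback recorded a match. */
    if (!ExEnumHandleTable(PspCidTable, EnumHandleCallBack, &RetEnumHandle, &rhandle))
    {
        return NULL;
    }
    return RetEnumHandle.pEprocess;
}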
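#pragma INITCODE
/* Driver entry point (placed in the discardable INIT section). Registers
 * DriverUnload, then demonstrates the lookup by printing the EPROCESS
 * address of csrss.exe. The pointer is only printed, never dereferenced,
 * so the missing object reference (see GetEprocessByName) is harmless here.
 *
 * Fixes: the unload routine is registered before any work is done, so the
 * driver stays unloadable whatever the lookup does; the pointer is printed
 * with %p rather than %x, which truncates on 64-bit builds. Always returns
 * STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    PEPROCESS pEprocess = GetEprocessByName((PUCHAR)"csrss.exe");
    KdPrint(("%p\n", pEprocess));

    return STATUS_SUCCESS;
}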
#pragma PAGEDCODE
/* Unload routine registered in DriverEntry; the driver owns no resources,
 * so it only logs. Placed in the pageable section. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    KdPrint(("DriverEntry unLoading...\n"));
}