#include<ntddk.h>
//---------------------------------------
//GetProcAddress(LoadLibrary("kernel32.lib"),"ZwQuerySystemInformation")
/*
 * Information classes accepted by ZwQuerySystemInformation, listed in ordinal
 * order (0..53).  Only SystemProcessesAndThreadsInformation (5) is used by
 * RingEnumProcess below.
 *
 * NOTE(review): the "Y N" columns in the trailing comments look like
 * query / set support flags carried over from an older reference — unverified.
 * NOTE(review): recent WDK headers ship their own SYSTEM_INFORMATION_CLASS;
 * if the installed ntddk.h already defines it, this typedef collides with it
 * — confirm against the WDK version in use.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,// 0 Y N
    SystemProcessorInformation,// 1 Y N
    SystemPerformanceInformation,// 2 Y N
    SystemTimeOfDayInformation,// 3 Y N
    SystemNotImplemented1,// 4 Y N // SystemPathInformation
    SystemProcessesAndThreadsInformation,// 5 Y N  (the class queried by RingEnumProcess)
    SystemCallCounts,// 6 Y N
    SystemConfigurationInformation,// 7 Y N
    SystemProcessorTimes,// 8 Y N
    SystemGlobalFlag,// 9 Y Y
    SystemNotImplemented2,// 10 YN // SystemCallTimeInformation
    SystemModuleInformation,// 11 YN
    SystemLockInformation,// 12 YN
    SystemNotImplemented3,// 13 YN // SystemStackTraceInformation
    SystemNotImplemented4,// 14 YN // SystemPagedPoolInformation
    SystemNotImplemented5,// 15 YN // SystemNonPagedPoolInformation
    SystemHandleInformation,// 16 YN
    SystemObjectInformation,// 17 YN
    SystemPagefileInformation,// 18 YN
    SystemInstructionEmulationCounts,// 19 YN
    SystemInvalidInfoClass1,// 20
    SystemCacheInformation,// 21 YY
    SystemPoolTagInformation,// 22 YN
    SystemProcessorStatistics,// 23 YN
    SystemDpcInformation,// 24 YY
    SystemNotImplemented6,// 25 YN // SystemFullMemoryInformation
    SystemLoadImage,// 26 NY // SystemLoadGdiDriverInformation
    SystemUnloadImage,// 27 NY
    SystemTimeAdjustment,// 28 YY
    SystemNotImplemented7,// 29 YN // SystemSummaryMemoryInformation
    SystemNotImplemented8,// 30 YN // SystemNextEventIdInformation
    SystemNotImplemented9,// 31 YN // SystemEventIdsInformation
    SystemCrashDumpInformation,// 32 YN
    SystemExceptionInformation,// 33 YN
    SystemCrashDumpStateInformation,// 34 YY/N
    SystemKernelDebuggerInformation,// 35 YN
    SystemContextSwitchInformation,// 36 YN
    SystemRegistryQuotaInformation,// 37 YY
    SystemLoadAndCallImage,// 38 NY // SystemExtendServiceTableInformation
    SystemPrioritySeparation,// 39 NY
    SystemNotImplemented10,// 40 YN // SystemPlugPlayBusInformation
    SystemNotImplemented11,// 41 YN // SystemDockInformation
    SystemInvalidInfoClass2,// 42 // SystemPowerInformation
    SystemInvalidInfoClass3,// 43 // SystemProcessorSpeedInformation
    SystemTimeZoneInformation,// 44 YN
    SystemLookasideInformation,// 45 YN
    SystemSetTimeSlipEvent,// 46 NY
    SystemCreateSession,// 47 NY
    SystemDeleteSession,// 48 NY
    SystemInvalidInfoClass4,// 49
    SystemRangeStartInformation,// 50 YN
    SystemVerifierInformation,// 51 YY
    SystemAddVerifier,// 52 NY
    SystemSessionProcessesInformation// 53 YN
} SYSTEM_INFORMATION_CLASS;
/*
 * Per-thread record.  SYSTEM_PROCESS_INFORMATION below ends with an array of
 * these (Tahread[1]); presumably ThreadCount of them follow each process header.
 *
 * `class` / `public:` are C++ only, so this file builds only as C++ — which
 * matters for the linkage of every function declared in it (see
 * ZwQuerySystemInformation and DriverEntry).  A plain `struct` would build as
 * either language.
 *
 * Field names are misspelt relative to the documented record (KernelTime,
 * StartAddress, ContextSwitchCount); other code in this file keys on these
 * spellings, so they are left as-is.
 */
typedef class SYSTEM_THREAD_INFORMATION{
public:
    LARGE_INTEGER KerneTime;        /* kernel-mode CPU time ("KernelTime") */
    LARGE_INTEGER UserTime;         /* user-mode CPU time */
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StarAddress;              /* thread start address ("StartAddress") */
    CLIENT_ID ClientId;             /* owning process id + thread id */
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchcount;
    LONG State;                     /* scheduler state; enum semantics not shown here */
    LONG WaitReason;
}SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREAD_INFORMATION;
/*
 * One entry of the SystemProcessesAndThreadsInformation buffer.  Entries are
 * chained by NexEntryDeleta (the byte offset from this entry to the next;
 * 0 marks the last one), which is how RingEnumProcess walks the buffer.
 *
 * NOTE(review): ProcessId / InheritedFromProcessId are HANDLE- and
 * PVOID-sized in the documented winternl.h layout, so ULONG here only
 * matches 32-bit builds; on x64 every field from ProcessId onward would be
 * misread — confirm the target architecture before relying on this struct.
 *
 * Names are misspelt relative to the documented record (NextEntryOffset,
 * KernelTime, ImageName, Threads) and the pointer typedef has a doubled S
 * (PSSYSTEM_...); the rest of the file uses these spellings, so they stay.
 */
typedef class SYSTEM_PROCESS_INFORMATION{
public:
    ULONG NexEntryDeleta;           /* byte offset to the next entry, 0 = last */
    ULONG ThreadCount;              /* presumably the number of Tahread[] records */
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KerneTime;
    UNICODE_STRING ProcessName;     /* image name; Buffer may be NULL */
    KPRIORITY BasePriority;
    ULONG ProcessId;                /* see x64 note above */
    ULONG InheritedFromProcessId;   /* parent pid; see x64 note above */
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD_INFORMATION Tahread[1];   /* first of the per-thread records */
}SYSTEM_PROCESS_INFORMATION,*PSSYSTEM_PROCESS_INFORMATION;
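/*
 * Prototype for the ntoskrnl export.  The file is compiled as C++ (it uses
 * `typedef class ... public:`), so without C linkage this name is mangled and
 * the linker cannot resolve it against ntoskrnl.lib — an unresolved-external
 * "link error" exactly like the one reported under this listing.  The guard
 * keeps the declaration valid for a C build as well.
 *
 * SystemInformationClass   which class to query (only
 *                          SystemProcessesAndThreadsInformation is used here)
 * SystemInformation        caller-owned output buffer
 * SystemInformationLength  size of that buffer in bytes
 * ReturnLength             optional; bytes written, or bytes required when the
 *                          call fails with STATUS_INFO_LENGTH_MISMATCH
 */
#ifdef __cplusplus
extern "C"
#endif
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);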
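/* Pool tag for the snapshot buffer so pool tracking can attribute it. */
#define RING_ENUM_POOL_TAG 'PmnE'

/*
 * Enumerate every process reported by
 * ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) and
 * DbgPrint "pid <n> 进程 <image name>" for each.
 *
 * Must run at PASSIVE_LEVEL (ZwQuerySystemInformation, paged pool, %wZ).
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, or the NTSTATUS from ZwQuerySystemInformation.  The
 * original returned the bare value 1 on failure, which NT_SUCCESS() treats
 * as success; callers testing NT_SUCCESS() now see real failures.
 *
 * Fixes against the original: a missing `}` put the query and the
 * retry/free logic inside `if (pbuffer == NULL)`, so the query never ran and
 * `Status` was read uninitialised in the loop condition; the print loop
 * only advanced when the name was NULL (otherwise it spun forever) and
 * printed the raw Buffer instead of the "null" fallback it had just set.
 */
NTSTATUS RingEnumProcess(void)
{
    ULONG cbBuffer = 0x8000;
    ULONG cbReturned = 0;
    ULONG offset = 0;
    PVOID pBuffer = NULL;
    NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH;
    PSSYSTEM_PROCESS_INFORMATION pInfo = NULL;

    /*
     * Grow the buffer until the whole snapshot fits.  Doubling (rather than
     * trusting the size reported on the mismatch) copes with the process list
     * growing between two calls.  PagedPool is enough: nothing here runs
     * above PASSIVE_LEVEL, and a doubling buffer should not eat nonpaged pool.
     */
    do
    {
        pBuffer = ExAllocatePoolWithTag(PagedPool, cbBuffer, RING_ENUM_POOL_TAG);
        if (pBuffer == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        cbReturned = 0;
        Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, cbBuffer, &cbReturned);
        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            ExFreePoolWithTag(pBuffer, RING_ENUM_POOL_TAG);
            pBuffer = NULL;
            if (cbBuffer > MAXULONG / 2)
            {
                /* Cannot grow further without wrapping the ULONG size. */
                return Status;
            }
            cbBuffer *= 2;
        }
        else if (!NT_SUCCESS(Status))
        {
            ExFreePoolWithTag(pBuffer, RING_ENUM_POOL_TAG);
            return Status;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    /*
     * Walk the entry chain.  Every step is bounded by cbReturned (the bytes
     * the kernel actually wrote) so a malformed next-entry offset can never
     * carry the walk outside the buffer; the original trusted the offset.
     */
    for (;;)
    {
        if (offset > cbReturned ||
            cbReturned - offset < FIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, Tahread))
        {
            break; /* truncated or out-of-range entry: stop, do not read it */
        }
        pInfo = (PSSYSTEM_PROCESS_INFORMATION)((PUCHAR)pBuffer + offset);

        if (pInfo->ProcessName.Buffer != NULL)
        {
            /* %wZ honours UNICODE_STRING.Length; no NUL terminator is assumed. */
            DbgPrint("pid %lu 进程 %wZ\n", pInfo->ProcessId, &pInfo->ProcessName);
        }
        else
        {
            /* Some entries carry no image name; keep the original fallback. */
            DbgPrint("pid %lu 进程 %S\n", pInfo->ProcessId, L"null");
        }

        if (pInfo->NexEntryDeleta == 0 || pInfo->NexEntryDeleta > cbReturned - offset)
        {
            break; /* last entry, or an offset that would leave the buffer */
        }
        offset += pInfo->NexEntryDeleta;
    }

    ExFreePoolWithTag(pBuffer, RING_ENUM_POOL_TAG);
    return STATUS_SUCCESS;
}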
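/*
 * DriverUnload callback.  Nothing to tear down: RingEnumProcess frees its own
 * buffer before returning and DriverEntry creates no device objects.
 *
 * driver_object  the driver being unloaded (unused)
 */
void Unload(PDRIVER_OBJECT driver_object)
{
    UNREFERENCED_PARAMETER(driver_object);
    KdPrint(("卸载成功"));
}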
/*
在进入 DriverEntry 函数之前，系统会用 IopInvalidDeviceRequest 的地址填满整个 MajorFunction 数组。该数组是 DRIVER_OBJECT 中的函数指针数组，其中每一个地址对应一种 IRP；我们只需简单地设置这个数组，
就能将 IRP 与相应的派遣函数关联起来。
*/
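/*
 * Driver entry point: enumerates the process list once, then registers the
 * unload routine.
 *
 * The file is compiled as C++ (it uses `typedef class ... public:`), so the
 * definition is given C linkage: a C++-mangled DriverEntry is not found by the
 * linker's entry-point lookup and fails the build with an unresolved symbol.
 * The guard keeps the definition valid for a C build too.
 *
 * pdriver_object   driver object to register the unload callback on
 * punicode_string  registry path (unused)
 * Returns STATUS_SUCCESS; an enumeration failure is reported but does not
 * stop the driver from loading.
 */
#ifdef __cplusplus
extern "C"
#endif
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pdriver_object, IN PUNICODE_STRING punicode_string)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(punicode_string);

    status = RingEnumProcess();
    if (!NT_SUCCESS(status))
    {
        /* Diagnostics only, so surface the failure rather than swallowing it. */
        DbgPrint("RingEnumProcess failed: 0x%08lX\n", (ULONG)status);
    }

    /* Unload callback; it may be left NULL, but then the driver cannot be unloaded. */
    pdriver_object->DriverUnload = Unload;
    return STATUS_SUCCESS;
}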
一直提示链接错误
尝试过加载头文件了