[windows 驱动开发] r0 枚举进程

#include "ntddk.h"
//
// Information classes accepted by ZwQuerySystemInformation. This table is
// the kind of listing found in third-party native-API references rather
// than an SDK header; the native API is largely undocumented and the names
// of the "NotImplemented"/"Invalid" placeholders exist only so that the
// numeric values line up. The only member this listing actually uses is
// SystemProcessesAndThreadsInformation (value 5), the process/thread
// snapshot. Verify the numbering against winternl.h / the WDK for the target
// Windows version before relying on any other member.
//
typedef enum _SYSTEM_INFORMATION_CLASS { 
    SystemBasicInformation,                 // 0 
    SystemProcessorInformation,             // 1 
    SystemPerformanceInformation,             // 2
    SystemTimeOfDayInformation,             // 3
    SystemNotImplemented1,                 // 4
    SystemProcessesAndThreadsInformation,         // 5 -- used by Ring0EnumProcess below
    SystemCallCounts,                     // 6
    SystemConfigurationInformation,             // 7
    SystemProcessorTimes,                 // 8
    SystemGlobalFlag,                     // 9
    SystemNotImplemented2,                 // 10
    SystemModuleInformation,                 // 11
    SystemLockInformation,                 // 12
    SystemNotImplemented3,                 // 13
    SystemNotImplemented4,                 // 14
    SystemNotImplemented5,                 // 15
    SystemHandleInformation,                 // 16
    SystemObjectInformation,                 // 17
    SystemPagefileInformation,                 // 18
    SystemInstructionEmulationCounts,             // 19
    SystemInvalidInfoClass1,                 // 20
    SystemCacheInformation,                 // 21
    SystemPoolTagInformation,                 // 22
    SystemProcessorStatistics,                 // 23
    SystemDpcInformation,                 // 24
    SystemNotImplemented6,                 // 25
    SystemLoadImage,                     // 26
    SystemUnloadImage,                 // 27
    SystemTimeAdjustment,                 // 28
    SystemNotImplemented7,                 // 29
    SystemNotImplemented8,                 // 30
    SystemNotImplemented9,                 // 31
    SystemCrashDumpInformation,             // 32
    SystemExceptionInformation,             // 33
    SystemCrashDumpStateInformation,             // 34
    SystemKernelDebuggerInformation,             // 35
    SystemContextSwitchInformation,             // 36
    SystemRegistryQuotaInformation,             // 37
    SystemLoadAndCallImage,                 // 38
    SystemPrioritySeparation,                 // 39
    SystemNotImplemented10,                 // 40
    SystemNotImplemented11,                 // 41
    SystemInvalidInfoClass2,                 // 42
    SystemInvalidInfoClass3,                 // 43
    SystemTimeZoneInformation,                 // 44
    SystemLookasideInformation,             // 45
    SystemSetTimeSlipEvent,                 // 46
    SystemCreateSession,                 // 47
    SystemDeleteSession,                 // 48
    SystemInvalidInfoClass4,                 // 49
    SystemRangeStartInformation,             // 50
    SystemVerifierInformation,                 // 51
    SystemAddVerifier,                 // 52
    SystemSessionProcessesInformation             // 53
} SYSTEM_INFORMATION_CLASS;
//
// Per-thread record that follows each SYSTEM_PROCESS_INFORMATION entry in
// the buffer returned for SystemProcessesAndThreadsInformation. Kept for
// reference only: the Threads[] member that would use it is commented out
// in SYSTEM_PROCESS_INFORMATION below, and nothing in this listing reads
// per-thread data.
//
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;
    LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
//
// Process record returned for SystemProcessesAndThreadsInformation. Records
// are chained inside the output buffer: NextEntryDelta is the byte offset
// from this entry to the next one, and 0 marks the last entry. ThreadCount
// SYSTEM_THREAD_INFORMATION records follow each entry (see the commented-out
// Threads member); the walk in Ring0EnumProcess skips them by using
// NextEntryDelta.
//
// NOTE(review): this is the classic 32-bit layout (ULONG process ids,
// two ULONGs of Reserved2). In the WDK / winternl.h definition the id
// fields are HANDLE (pointer-sized) and the fields after Reserved2 are
// ULONG_PTR / SIZE_T, so on an x64 build the members from ProcessId onward
// presumably will not line up with what the kernel writes. Verify against
// the target build's header before trusting the printed PIDs.
//
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryDelta;           // byte offset to the next entry; 0 on the last one
    ULONG ThreadCount;              // number of thread records following this entry
    ULONG Reserved1[6];             // not interpreted here
    LARGE_INTEGER CreateTime;       // process creation time
    LARGE_INTEGER UserTime;         // CPU time spent in user mode
    LARGE_INTEGER KernelTime;       // CPU time spent in kernel mode
    UNICODE_STRING ProcessName;     // image name; a counted string, Buffer may be NULL (checked by the caller)
    KPRIORITY BasePriority;         // process base priority
    ULONG ProcessId;                // process id (see layout note above)
    ULONG InheritedFromProcessId;   // parent process id (see layout note above)
    ULONG HandleCount;              // number of open handles
    ULONG Reserved2[2];             // not interpreted here
    VM_COUNTERS VmCounters;         // virtual-memory counters
    IO_COUNTERS IoCounters;         // I/O counters
    //SYSTEM_THREAD_INFORMATION Threads[1];// per-process thread array; not used in this listing
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
//
// Hand-written prototype for ZwQuerySystemInformation (exported by the
// kernel; declared here rather than taken from a header). extern "C" keeps
// the C linkage name because this unit is compiled as C++.
//
//   SystemInformationClass  - which table to query (see the enum above)
//   SystemInformation       - caller-supplied output buffer
//   SystemInformationLength - size of that buffer in bytes
//   ReturnLength            - optional; receives the number of bytes written
//                             (and, for some classes, the size required when
//                             STATUS_INFO_LENGTH_MISMATCH is returned)
//
// Returns an NTSTATUS; STATUS_INFO_LENGTH_MISMATCH means the buffer was too
// small and the caller should retry with a larger one. Call at PASSIVE_LEVEL.
//
extern "C"NTSYSAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
//--------------------------------------------------------------
//-----------------------------------------------------------------
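//
// Enumerate the running processes from kernel mode and print
// "ProcessID <pid> <image name> <parent pid>" for each one via DbgPrint.
//
// How it works:
//  - ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) fills a
//    caller-supplied buffer with SYSTEM_PROCESS_INFORMATION records chained
//    by NextEntryDelta (0 ends the chain). The required size is not known up
//    front, so the buffer is doubled while the call reports
//    STATUS_INFO_LENGTH_MISMATCH, up to MAX_QUERY_BYTES.
//  - The chain walk is bounded by the byte count the kernel reports it wrote
//    (ReturnLength, falling back to the buffer size): a NextEntryDelta that
//    would step outside that range ends the walk instead of reading past the
//    allocation.
//  - ProcessName is a counted UNICODE_STRING, not a NUL-terminated string,
//    so it is printed with %wZ. A NULL Buffer is printed as "null".
//
// Fixes relative to the earlier version: failures returned the bare value 1,
// which NT_SUCCESS() treats as success; the "null" fallback was computed but
// the raw Buffer (possibly NULL) was still passed to DbgPrint with %S; the
// buffer growth and the record walk were unbounded.
//
// Call at PASSIVE_LEVEL (required by ZwQuerySystemInformation).
//
// NOTE(review): newer WDKs deprecate ExAllocatePool in favour of a tagged
// allocator (ExAllocatePoolWithTag / ExAllocatePool2); it is kept here to
// match the rest of the listing.
//
// Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES if the buffer cannot
// be allocated or would exceed MAX_QUERY_BYTES, or the NTSTATUS reported by
// ZwQuerySystemInformation.
//
NTSTATUS Ring0EnumProcess()
{
    const ULONG MAX_QUERY_BYTES = 64 * 1024 * 1024; // growth cap for the snapshot buffer
    ULONG cbBuffer = 0x8000;                        // initial size, doubled on mismatch
    ULONG cbReturned = 0;                           // bytes the kernel reports it wrote
    ULONG offset = 0;                               // byte offset of the current record
    PVOID pBuffer = NULL;
    NTSTATUS Status = STATUS_INSUFFICIENT_RESOURCES;
    PSYSTEM_PROCESS_INFORMATION pInfo = NULL;

    // Acquire the snapshot, growing the buffer until the kernel accepts it.
    for (;;)
    {
        pBuffer = ExAllocatePool(NonPagedPool, cbBuffer);
        if (pBuffer == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        cbReturned = 0;
        Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pBuffer, cbBuffer, &cbReturned);
        if (NT_SUCCESS(Status))
        {
            break;
        }

        ExFreePool(pBuffer);
        pBuffer = NULL;

        if (Status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return Status;
        }
        if (cbBuffer >= MAX_QUERY_BYTES)
        {
            // Persistent mismatch: do not keep eating non-paged pool.
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        cbBuffer *= 2;
    }

    // Bound the walk by what was actually written; never trust a ReturnLength
    // larger than the allocation, and fall back to the buffer size if it is 0.
    if (cbReturned == 0 || cbReturned > cbBuffer)
    {
        cbReturned = cbBuffer;
    }

    // Walk the chain of process records.
    for (;;)
    {
        if (cbReturned - offset < sizeof(SYSTEM_PROCESS_INFORMATION))
        {
            break; // no room for a complete record at this offset
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pBuffer + offset);

        if (pInfo->ProcessName.Buffer != NULL)
        {
            // %wZ prints a counted UNICODE_STRING without needing a NUL terminator.
            DbgPrint("ProcessID %lu 进程名::%wZ  父进程ID %lu\n",
                     pInfo->ProcessId, &pInfo->ProcessName, pInfo->InheritedFromProcessId);
        }
        else
        {
            DbgPrint("ProcessID %lu 进程名::%S  父进程ID %lu\n",
                     pInfo->ProcessId, L"null", pInfo->InheritedFromProcessId);
        }

        if (pInfo->NextEntryDelta == 0)
        {
            break; // last entry
        }
        if (pInfo->NextEntryDelta > cbReturned - offset)
        {
            break; // next entry would lie outside the buffer
        }
        offset += pInfo->NextEntryDelta;
    }

    ExFreePool(pBuffer);
    return STATUS_SUCCESS;
}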
//
// Unload routine registered by DriverEntry. The driver keeps no state for
// its lifetime (the snapshot buffer is freed inside Ring0EnumProcess), so
// there is nothing to release here.
//
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject; // nothing to tear down
}
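//
// Driver entry point. Registers the unload routine, then runs the process
// enumeration once. The enumeration result used to be discarded, so a
// failed query was indistinguishable from an empty listing; it is now
// logged. The failure still does not abort the load: there is nothing else
// to tear down and the listing is diagnostic output only.
//
//   DriverObject - driver object supplied by the I/O manager
//   RegistryPath - service registry key; not used here
//
// Returns STATUS_SUCCESS.
//
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) 
{ 
    NTSTATUS status;

    (void)RegistryPath; // not needed by this driver

    DriverObject->DriverUnload = Unload;

    status = Ring0EnumProcess();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Ring0EnumProcess failed: 0x%08lX\n", (ULONG)status);
    }
    return STATUS_SUCCESS; 
}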
原文地址:https://www.cnblogs.com/csnd/p/15613340.html