一、上图来看看效果:
二、程序代码
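#include <ntddk.h>

/*
 * Raw EPROCESS offsets used by the walk below. They come from one specific
 * 32-bit kernel build and are not part of any documented interface: on any
 * other build they address different fields, so the driver prints garbage or
 * dereferences an invalid pointer and bugchecks. Confirm them against the
 * target kernel's symbols before loading. PsGetProcessId() is the documented
 * way to obtain the PID; the name field has no public accessor.
 */
#define EPROCESS_OFFSET_UNIQUE_PROCESS_ID    0x84   /* UniqueProcessId slot */
#define EPROCESS_OFFSET_ACTIVE_PROCESS_LINKS 0x88   /* ActiveProcessLinks (LIST_ENTRY) */
#define EPROCESS_OFFSET_IMAGE_FILE_NAME      0x174  /* image file name (NUL-terminated string) */

/* Upper bound on entries visited: keeps a corrupted or unexpectedly shaped
 * list from turning the walk into an endless loop at DriverEntry time. */
#define MAX_PROCESS_WALK 4096

/* Unload callback: nothing was allocated, so only trace the event. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("Stop Driver! "));
}

/* Read a pointer-sized field of an EPROCESS at a raw byte offset. The caller
 * is responsible for the offset being valid on the running kernel build. */
static ULONG_PTR ReadEprocessField(PEPROCESS pEprocess, ULONG_PTR offset)
{
    return *(ULONG_PTR *)((ULONG_PTR)pEprocess + offset);
}

/*
 * Driver entry point: registers the unload routine, then walks the
 * ActiveProcessLinks ring starting at the current process and traces each
 * entry's image name and PID with KdPrint.
 *
 * The list is read without the kernel's process-list lock, so a process that
 * exits while the walk runs can leave a dangling link; this is a tracing demo,
 * not a production-safe enumeration. Always returns STATUS_SUCCESS so the
 * driver stays loaded and can be unloaded cleanly.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    PEPROCESS pFirstEprocess = NULL;
    PEPROCESS pEprocess = NULL;
    ULONG walked = 0;

    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = DriverUnload;

    pEprocess = PsGetCurrentProcess();
    if (pEprocess == NULL) {
        KdPrint(("PsGetCurrentProcess Error ! "));
        return STATUS_SUCCESS;
    }
    pFirstEprocess = pEprocess;

    while (pEprocess != NULL && walked < MAX_PROCESS_WALK) {
        PCSTR processName = (PCSTR)((ULONG_PTR)pEprocess + EPROCESS_OFFSET_IMAGE_FILE_NAME);
        ULONG processId = (ULONG)ReadEprocessField(pEprocess, EPROCESS_OFFSET_UNIQUE_PROCESS_ID);
        ULONG_PTR flink;

        KdPrint(("ProcessName = %s, ProcessId = %d ", processName, processId));
        walked++;

        /* Flink points at the next entry's ActiveProcessLinks; step back to
         * the start of that entry's EPROCESS. A zero link means the list is
         * broken, so stop rather than compute a bogus pointer. */
        flink = ReadEprocessField(pEprocess, EPROCESS_OFFSET_ACTIVE_PROCESS_LINKS);
        if (flink == 0) {
            break;
        }
        pEprocess = (PEPROCESS)(flink - EPROCESS_OFFSET_ACTIVE_PROCESS_LINKS);

        /* Stop once the walk wraps to its starting point. The list head is
         * also a member of this ring but is not an EPROCESS; the original
         * heuristic treats a negative value in the PID slot (a kernel
         * address with the high bit set) as that head and stops there too. */
        if (pEprocess == pFirstEprocess ||
            (LONG_PTR)ReadEprocessField(pEprocess, EPROCESS_OFFSET_UNIQUE_PROCESS_ID) < 0) {
            break;
        }
    }

    return STATUS_SUCCESS;
}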
三、显示
先打开DbgView,开启内核监控。用KmdManager加载编译出来的驱动文件并运行,即可在DbgView中看到输出的进程信息。最后停止并卸载驱动。