
// Head of the kernel's active-process list. The kernel does not export it, so
// it stays NULL until the DriverEntry snippet at the bottom of this file
// resolves it from the current process; GetEprocessProcessList refuses to
// walk the list while it is still NULL.
PLIST_ENTRY PsActiveProcessHead = NULL;
// One record per process as produced by GetEprocessProcessList. The
// collector zeroes the whole array before filling it, so every field it does
// not write is 0/FALSE; the array ends with one spare, all-zero record
// (Present == FALSE) that callers can use as a terminator.
typedef struct _ProcessInfo
{
PVOID NextItem;            // not written by GetEprocessProcessList (stays NULL)
BOOLEAN Present;           // TRUE for records filled from the list, FALSE for the spare tail record
ULONG ProcessId;           // 32-bit read at EPROCESS + pIdOffset
ULONG ParentId;            // 32-bit read at EPROCESS + ppIdOffset
PLIST_ENTRY pEPROCESS;     // actually the EPROCESS base address, stored under a PLIST_ENTRY type (cast by the collector)
CHAR ProcessName[256];     // only the first 16 bytes are copied (EPROCESS + NameOffset); rest stays zero, so it is NUL-terminated
BOOLEAN Hidden;            // not set by any code visible in this file
BOOLEAN Protect;           // not set by any code visible in this file
ULONG SignalState;         // 32-bit read at EPROCESS + 4 (the original's hard-coded offset; presumably DISPATCHER_HEADER.SignalState — verify per build)
} TProcessInfo, *PProcessInfo;
//==========================================================================
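// Number of image-name bytes copied out of each EPROCESS. The original code
// hard-coded 16; the field at NameOffset is assumed to be 16 bytes and is not
// guaranteed to be NUL-terminated, so the copy is bounded and terminated here.
enum { EPROCESS_IMAGE_NAME_BYTES = 16 };

// Snapshot the active-process list into a caller-owned array of TProcessInfo.
//
// Walks PsActiveProcessHead (resolved in DriverEntry, see bottom of file) and
// fills one record per process: ProcessId, ParentId, the 32-bit word at
// EPROCESS+4 (SignalState), the EPROCESS base address and the first 16 bytes
// of the image name. NextItem/Hidden/Protect are left zero. The array carries
// one extra all-zero record at the end (Present == FALSE) as a terminator.
//
// MemSize  [out] byte size of the returned array; set to 0 on every failure
//                path so a caller that ignores the NULL return cannot reuse a
//                stale size.
// Returns  a PagedPool allocation the caller must free with ExFreePool, or
//          NULL when the list head is unknown, the size would overflow a
//          ULONG, or the allocation fails. PagedPool requires IRQL < DISPATCH_LEVEL.
//
// Concurrency: the list is walked without PspActiveProcessLock (not
// exported), so processes may be created or destroyed between the counting
// pass and the copy pass. The original copied until it reached the list head
// again, so a process created in between overran the allocation. The copy
// pass is now bounded by the slot count from the first pass; a newly created
// process is simply dropped from the snapshot. The snapshot is best-effort,
// and a process that exits mid-walk still leaves a window in which Flink is
// followed into freed memory — this code does not and cannot close that
// window without the lock.
PVOID GetEprocessProcessList(ULONG *MemSize)
{
    PLIST_ENTRY Entry;
    PProcessInfo Data;
    PProcessInfo Info;
    ULONG Count = 0;
    ULONG Slots;
    ULONG Bytes;
    ULONG Filled;

    if (!MemSize) return NULL;
    *MemSize = 0;
    if (!PsActiveProcessHead) return NULL;

    // Pass 1: count the processes currently linked into the list.
    for (Entry = PsActiveProcessHead->Flink; Entry != PsActiveProcessHead; Entry = Entry->Flink)
    {
        Count++;
    }

    // Count + 1 records (one spare terminator) must fit in a ULONG byte count.
    if (Count >= 0xFFFFFFFFUL / sizeof(TProcessInfo)) return NULL;
    Slots = Count + 1;
    Bytes = (ULONG)(Slots * sizeof(TProcessInfo));

    // Allocate, THEN zero: the original zeroed before the NULL check and
    // would have dereferenced NULL on pool exhaustion.
    Data = ExAllocatePool(PagedPool, Bytes);
    if (!Data) return NULL;
    memset(Data, 0, Bytes);
    *MemSize = Bytes;

    // Pass 2: copy, never writing more records than were counted so that a
    // list that grew in between cannot push writes past the allocation. The
    // spare terminator slot is deliberately left untouched.
    Info = Data;
    Filled = 0;
    for (Entry = PsActiveProcessHead->Flink;
         Entry != PsActiveProcessHead && Filled < Count;
         Entry = Entry->Flink, Filled++, Info++)
    {
        // Byte-pointer arithmetic instead of casting through ULONG, which
        // truncated the pointer on 64-bit builds. The field offsets themselves
        // (ActivePsListOffset, pIdOffset, ppIdOffset, NameOffset) are defined
        // elsewhere and must match the target kernel build.
        PUCHAR Eproc = (PUCHAR)Entry - ActivePsListOffset;

        Info->Present = TRUE;
        Info->ProcessId = *(PULONG)(Eproc + pIdOffset);    // low 32 bits of the PID field
        Info->ParentId = *(PULONG)(Eproc + ppIdOffset);
        Info->SignalState = *(PULONG)(Eproc + 4);          // hard-coded in the original; verify per build
        Info->pEPROCESS = (PLIST_ENTRY)Eproc;               // field is typed PLIST_ENTRY but holds the EPROCESS base
        strncpy(Info->ProcessName, (const char *)(Eproc + NameOffset), EPROCESS_IMAGE_NAME_BYTES);
        Info->ProcessName[EPROCESS_IMAGE_NAME_BYTES] = '\0'; // strncpy does not terminate when the source fills all 16 bytes
    }

    return Data;
}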
//==========================================================================
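//====================Put this into DriverEntry============================
// Resolve PsActiveProcessHead, which the kernel does not export. The original
// relies on the current process at driver load being System, the first entry
// of the active-process list, so that its ActiveProcessLinks.Blink points
// back at the list head. NOTE(review): this holds only when DriverEntry runs
// in the System process context and ActivePsListOffset matches the running
// kernel build — verify both before trusting the resulting pointer.
PEPROCESS SysProc;
SysProc = PsGetCurrentProcess();
// Read Blink through the LIST_ENTRY layout rather than the original's
// hard-coded "+ 4": Blink is the second pointer of a LIST_ENTRY, so this is
// correct for both 32-bit and 64-bit pointer widths.
PsActiveProcessHead = ((PLIST_ENTRY)((PUCHAR)SysProc + ActivePsListOffset))->Blink;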
//=========================================================