尝试在内核模式下打印出进程及其PID的所有名称



我正在尝试打印进程的所有名称及其PID。但当我打印PID时,它不会打印它。

它确实打印了所有其他的东西,其他的都在工作。

我认为问题是我正在尝试将fileName转换为wchar_t*

有人能帮我吗?

int getPIDByName(wchar_t* name) {
PEPROCESS ep;
if (::PsLookupProcessByProcessId(::PsGetCurrentProcessId(), &ep) == STATUS_INVALID_PARAMETER) {
ObDereferenceObject(ep);
DbgPrint("Can't get EPROCESS");
return STATUS_INVALID_PARAMETER;
}
PUNICODE_STRING Path = NULL;
::SeLocateProcessImageName(ep, &Path);
PLIST_ENTRY Process_List_Entry = ((LIST_ENTRY*)((LPBYTE)ep + 0x448));
PLIST_ENTRY List_Entry = Process_List_Entry->Flink;
LPBYTE pUpi;
DbgPrint("Starting with buffer path: %wZ", Path);
while (Path->Buffer == NULL) {
DbgPrint("The buffer is null so going forward to next process: %wZ", Path);
pUpi = ((LPBYTE)List_Entry) - 0x448;
ep = ((PEPROCESS)pUpi);
::SeLocateProcessImageName(ep, &Path);
List_Entry = List_Entry->Flink;
}
DbgPrint("1.The path is: %wZ", Path);
while (wcsstr(Path->Buffer, name) == NULL && Process_List_Entry != List_Entry->Flink) {
pUpi = ((LPBYTE)List_Entry) - 0x448;
ep = ((PEPROCESS)pUpi);
::SeLocateProcessImageName(ep, &Path);
DbgPrint("2. The path is: %wZ", (const wchar_t*)Path);
List_Entry = List_Entry->Flink;
}
if (Process_List_Entry == List_Entry->Flink) {
DbgPrint("%wZ isn't running quiting!", name);
return STATUS_SUCCESS;
}
pUpi = ((LPBYTE)List_Entry->Blink) - 0x448 + 0x440;
int UniqueProcessId = *((int*)pUpi); //Notepad PID
DbgPrint("The PID of %ls is %dn", name, UniqueProcessId);
return UniqueProcessId;
}

NTSTATUS PrintPID() {
PEPROCESS EP;
if (::PsLookupProcessByProcessId(::PsGetCurrentProcessId(), &EP) == STATUS_INVALID_PARAMETER) {
ObDereferenceObject(EP);
DbgPrint("Can't get EPROCESS");
return STATUS_INVALID_PARAMETER;
}
UCHAR* fileName = { 0 };
UCHAR* processFileName;
LIST_ENTRY list_entry = *((LIST_ENTRY*)((LPBYTE)EP + 0x448));
processFileName = ((UCHAR*)(LPBYTE)list_entry.Flink - 0x448 + 0x5a8);
DbgPrint("%s", processFileName);
list_entry = *list_entry.Flink;
while (fileName != processFileName) {
fileName = ((UCHAR*)(LPBYTE)list_entry.Flink - 0x448 + 0x5a8);
if (fileName[0] == 'N' || fileName[0] == 'n') {
DbgPrint("Test");
DbgPrint("The PID is %dn" , getPIDByName((wchar_t*)fileName));
}
list_entry = *list_entry.Flink;
}
return STATUS_SUCCESS;
}

您可以使用ZwQuerySystemInformation来获取所有进程的列表。从该列表中,您可以获得所有的名称和进程ID。

相关内容

  • 没有找到相关文章

最新更新