内核从 PID 获得进程信息
/*
 * Result record filled in by GetProcInfoByPid().  On success the caller owns
 * both resources it carries: hProcess (release with ZwClose) and cidThreads
 * (release with kfree; it is NULL when ulNumberOfThreads is 0).
 */
struct PROCESSINFO {
    HANDLE        hProcess;           /* handle opened on the target process */
    PCLIENT_ID    cidThreads;         /* kmalloc'ed array of ulNumberOfThreads CLIENT_IDs */
    unsigned long ulNumberOfThreads;  /* number of entries in cidThreads */
};
typedef struct PROCESSINFO PROCESSINFO, *PPROCESSINFO;
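/*
 * Open the process described by one SYSTEM_PROCESSES entry and copy the
 * CLIENT_ID of each of its threads into a fresh kmalloc'ed array.
 *
 * @entry: snapshot entry for the target process; must have ThreadCount > 0
 *         because the process is opened through its first thread's ClientId.
 * @out:   written only on STATUS_SUCCESS, so a caller never sees a
 *         half-filled record (the handle is closed again if the thread-array
 *         allocation fails).
 *
 * Return: STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES if kmalloc fails,
 *         or the NTSTATUS returned by ZwOpenProcess.
 */
static NTSTATUS OpenProcessFromEntry(SYSTEM_PROCESSES *entry, PPROCESSINFO out)
{
    OBJECT_ATTRIBUTES objAttrib;
    HANDLE hProcess = NULL;
    PCLIENT_ID cids = NULL;
    ULONG count = entry->ThreadCount;
    ULONG bytes = count * sizeof(CLIENT_ID);
    ULONG i;
    NTSTATUS status;

    InitializeObjectAttributes(&objAttrib, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    /* PROCESS_ALL_ACCESS is what existing callers rely on; a caller that
     * only needs to query the process should narrow this mask. */
    status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttrib,
                           &entry->Threads[0].ClientId);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    if (bytes != 0) {
        cids = (PCLIENT_ID)kmalloc(bytes);
        if (!cids) {
            /* The original dereferenced the NULL result and leaked hProcess. */
            ZwClose(hProcess);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        for (i = 0; i < count; i++) {
            cids[i] = entry->Threads[i].ClientId;
        }
    }

    out->hProcess = hProcess;
    out->cidThreads = cids;
    out->ulNumberOfThreads = count;
    return STATUS_SUCCESS;
}

/*
 * GetProcInfoByPid - find a process by PID, open it and list its threads.
 *
 * Takes a snapshot of the system process list with ZwQuerySystemInformation,
 * walks it to the entry whose ProcessId equals @pid, opens that process and
 * copies every thread's CLIENT_ID into @procInfoOut.
 *
 * @pid:         process id to look up.
 * @procInfoOut: receives hProcess, cidThreads and ulNumberOfThreads on
 *               success; not modified on failure.
 *
 * Ownership: on STATUS_SUCCESS the caller must ZwClose(procInfoOut->hProcess)
 * and kfree(procInfoOut->cidThreads).
 *
 * Return: STATUS_SUCCESS; STATUS_INVALID_PARAMETER if @procInfoOut is NULL;
 *         STATUS_INSUFFICIENT_RESOURCES if an allocation fails;
 *         STATUS_UNSUCCESSFUL if no entry with @pid exists or the entry has
 *         no threads; otherwise the error from ZwQuerySystemInformation or
 *         ZwOpenProcess.
 */
NTSTATUS GetProcInfoByPid(unsigned long pid, PPROCESSINFO procInfoOut)
{
#define SYS_INFO_PROCESSES_SIZE 256
#define SystemProcessesAndThreadsInformation 5
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    void *allocationBase = NULL;
    unsigned long bufSize = SYS_INFO_PROCESSES_SIZE;
    ULONG returnedLen = 0;
    SYSTEM_PROCESSES *entry;

    if (!procInfoOut) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Grow the snapshot buffer until the whole list fits.  The ReturnLength
     * hint is used when it exceeds the current size; otherwise the fixed step
     * keeps the loop making progress.  A failed kmalloc now reports
     * STATUS_INSUFFICIENT_RESOURCES instead of whatever status the previous
     * iteration left behind. */
    for (;;) {
        allocationBase = kmalloc(bufSize);
        if (!allocationBase) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          allocationBase, bufSize, &returnedLen);
        if (NT_SUCCESS(status)) {
            break;
        }
        kfree(allocationBase);
        allocationBase = NULL;
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            return status;
        }
        bufSize = (returnedLen > bufSize) ? returnedLen + SYS_INFO_PROCESSES_SIZE
                                          : bufSize + SYS_INFO_PROCESSES_SIZE;
    }

    /* Default outcome when the pid is absent or the entry has no threads. */
    status = STATUS_UNSUCCESSFUL;
    entry = (SYSTEM_PROCESSES *)allocationBase;
    for (;;) {
        if (pid == entry->ProcessId) {
            if (entry->ThreadCount != 0) {
                status = OpenProcessFromEntry(entry, procInfoOut);
            }
            break;
        }
        if (entry->NextEntryDelta == 0) {
            break;   /* a zero delta terminates the list */
        }
        /* Advance bytewise.  The original cast the pointer itself to
         * unsigned long, which truncates it on 64-bit Windows. */
        entry = (SYSTEM_PROCESSES *)((PCHAR)entry + entry->NextEntryDelta);
    }

    kfree(allocationBase);
    return status;
}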