Как получить список процессов в режиме ядра Windows?

Че-то туплю, как в ядре получить список всех процессов?


One thought on “Как получить список процессов в режиме ядра Windows?”

  1. anonim

    вот, например, документированный способ получения списка всех процессов через ZwQuerySystemInformation:
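    /* Pool tag for the snapshot buffer (arbitrary value chosen for this sample). */
    #define GETPROCS_POOL_TAG 'lPsG'

    /*
     * GetAllProcesses - take a snapshot of every process on the system and hand
     * each SYSTEM_PROCESS_INFORMATION record to PrintProcessInfo().
     *
     * The snapshot is obtained with ZwQuerySystemInformation(SystemProcessInformation).
     * The required buffer size is not known in advance and can change between
     * calls (processes may be created meanwhile), so the query is retried with
     * the size the kernel reports until the whole list fits.
     *
     * Must be called at PASSIVE_LEVEL (a requirement of ZwQuerySystemInformation;
     * the pool buffer is therefore taken from PagedPool rather than NonPagedPool,
     * which is a scarce resource and not needed for a transient query buffer).
     *
     * Returns:
     *   STATUS_SUCCESS                 - the list was walked to its last entry.
     *   STATUS_INSUFFICIENT_RESOURCES  - the pool allocation failed.
     *   STATUS_UNSUCCESSFUL            - the list ended without a terminating
     *                                    entry inside the buffer (defensive).
     *   any other NTSTATUS             - as reported by ZwQuerySystemInformation.
     */
    NTSTATUS
    GetAllProcesses(VOID)
    {
        /* Seed with "mismatch" so the allocate/query loop runs at least once. */
        NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH;
        PVOID Buffer = NULL;
        ULONG BufferSize = sizeof(SYSTEM_PROCESS_INFORMATION);
        ULONG ReturnLength = 0;
        PSYSTEM_PROCESS_INFORMATION ProcInfo;
        ULONG_PTR BufferEnd;
        ULONG i = 0;

        /*
         * Allocate, query, grow. The first iteration deliberately uses a buffer
         * that is too small: the kernel answers STATUS_INFO_LENGTH_MISMATCH and
         * stores the size it needs in ReturnLength.
         */
        while (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            /* ExFreePool*(NULL) is not allowed in kernel mode, so keep the guard. */
            if (Buffer != NULL)
            {
                ExFreePoolWithTag(Buffer, GETPROCS_POOL_TAG);
                Buffer = NULL;
            }

            /* Tagged allocation: ExAllocatePool is deprecated; on current WDKs
               ExAllocatePool2 is the preferred replacement. */
            Buffer = ExAllocatePoolWithTag(PagedPool, BufferSize, GETPROCS_POOL_TAG);
            if (Buffer == NULL)
            {
                /* The original returned a stale/uninitialised Status here. */
                return STATUS_INSUFFICIENT_RESOURCES;
            }

            Status = ZwQuerySystemInformation(SystemProcessInformation,
                                              Buffer,
                                              BufferSize,
                                              &ReturnLength);

            if (Status == STATUS_INFO_LENGTH_MISMATCH)
            {
                if (ReturnLength <= BufferSize)
                {
                    /* A retry was requested without a larger size; stop instead
                       of spinning forever with the same buffer. */
                    break;
                }
                BufferSize = ReturnLength;
            }
        }

        if (!NT_SUCCESS(Status))
        {
            goto Cleanup;
        }

        /*
         * Walk the variable-length records. NextEntryOffset is the byte
         * distance to the next record; 0 marks the last one. The bound check
         * is defensive: the offsets come from the kernel, but a record that
         * does not fit inside the allocation must never be dereferenced.
         */
        BufferEnd = (ULONG_PTR)Buffer + BufferSize;
        ProcInfo = (PSYSTEM_PROCESS_INFORMATION)Buffer;

        while ((ULONG_PTR)ProcInfo + sizeof(*ProcInfo) <= BufferEnd)
        {
            i++;
            PrintProcessInfo(ProcInfo, i);

            if (ProcInfo->NextEntryOffset == 0)
            {
                /* Terminating entry reached; Status is STATUS_SUCCESS here. */
                goto Cleanup;
            }

            ProcInfo = (PSYSTEM_PROCESS_INFORMATION)
                ((ULONG_PTR)ProcInfo + ProcInfo->NextEntryOffset);
        }

        /* Ran past the buffer without seeing a terminating entry. */
        Status = STATUS_UNSUCCESSFUL;

    Cleanup:
        if (Buffer != NULL)
        {
            ExFreePoolWithTag(Buffer, GETPROCS_POOL_TAG);
        }

        return Status;
    }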

    // необходимые объявления:

    /*
     * ZwQuerySystemInformation is exported by the kernel but is not declared in
     * the public WDK headers, which is why a local prototype is needed.
     *
     * SystemInformationClass  - which table to return (SystemProcessInformation
     *                           in GetAllProcesses above).
     * SystemInformation       - caller-supplied buffer receiving the records.
     * SystemInformationLength - size of that buffer in bytes.
     * ReturnLength            - on STATUS_INFO_LENGTH_MISMATCH, the size the
     *                           kernel needs; callers re-query with it.
     *
     * NOTE(review): the information classes and record layouts are not a stable
     * contract across Windows versions; treat Reserved fields as opaque.
     */
    NTKERNELAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
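    /*
     * One record of the SystemProcessInformation snapshot. Records are
     * variable-length and chained by NextEntryOffset (byte distance to the
     * next record, 0 for the last one). Fields named Reserved* are opaque
     * here; do not hard-code a meaning for them.
     */
    typedef struct _SYSTEM_PROCESS_INFORMATION {
        ULONG NextEntryOffset;
        ULONG NumberOfThreads;
        BYTE Reserved1[48];
        PVOID Reserved2[3];
        HANDLE UniqueProcessId;
        PVOID Reserved3;
        ULONG HandleCount;
        BYTE Reserved4[4];
        PVOID Reserved5[11];
        SIZE_T PeakPagefileUsage;
        SIZE_T PrivatePageCount;
        LARGE_INTEGER Reserved6[6];
    } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

    /*
     * Information classes accepted by ZwQuerySystemInformation. The order IS
     * the ABI: each enumerator's numeric value is what the kernel interprets,
     * so entries must never be reordered or inserted. In the collapsed form of
     * this listing the two `//` comments swallowed the code that followed them
     * on the same line; they are restored to their own lines here.
     */
    typedef enum _SYSTEM_INFORMATION_CLASS {
        SystemBasicInformation,
        SystemProcessorInformation,          // obsolete…delete
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemPathInformation,
        SystemProcessInformation,
        SystemCallCountInformation,
        SystemDeviceInformation,
        SystemProcessorPerformanceInformation,
        SystemFlagsInformation,
        SystemCallTimeInformation,
        SystemModuleInformation,
        SystemLocksInformation,
        SystemStackTraceInformation,
        SystemPagedPoolInformation,
        SystemNonPagedPoolInformation,
        SystemHandleInformation,
        SystemObjectInformation,
        SystemPageFileInformation,
        SystemVdmInstemulInformation,
        SystemVdmBopInformation,
        SystemFileCacheInformation,
        SystemPoolTagInformation,
        SystemInterruptInformation,
        SystemDpcBehaviorInformation,
        SystemFullMemoryInformation,
        SystemLoadGdiDriverInformation,
        SystemUnloadGdiDriverInformation,
        SystemTimeAdjustmentInformation,
        SystemSummaryMemoryInformation,
        SystemMirrorMemoryInformation,
        SystemPerformanceTraceInformation,
        SystemObsolete0,
        SystemExceptionInformation,
        SystemCrashDumpStateInformation,
        SystemKernelDebuggerInformation,
        SystemContextSwitchInformation,
        SystemRegistryQuotaInformation,
        SystemExtendServiceTableInformation,
        SystemPrioritySeperation,
        SystemVerifierAddDriverInformation,
        SystemVerifierRemoveDriverInformation,
        SystemProcessorIdleInformation,
        SystemLegacyDriverInformation,
        SystemCurrentTimeZoneInformation,
        SystemLookasideInformation,
        SystemTimeSlipNotification,
        SystemSessionCreate,
        SystemSessionDetach,
        SystemSessionInformation,
        SystemRangeStartInformation,
        SystemVerifierInformation,
        SystemVerifierThunkExtend,
        SystemSessionProcessInformation,
        SystemLoadGdiDriverInSystemSpace,
        SystemNumaProcessorMap,
        SystemPrefetcherInformation,
        SystemExtendedProcessInformation,
        SystemRecommendedSharedDataAlignment,
        SystemComPlusPackage,
        SystemNumaAvailableMemory,
        SystemProcessorPowerInformation,
        SystemEmulationBasicInformation,
        SystemEmulationProcessorInformation,
        SystemExtendedHandleInformation,
        SystemLostDelayedWriteInformation,
        SystemBigPoolInformation,
        SystemSessionPoolTagInformation,
        SystemSessionMappedViewInformation,
        SystemHotpatchInformation,
        SystemObjectSecurityMode,
        SystemWatchdogTimerHandler,
        SystemWatchdogTimerInformation,
        SystemLogicalProcessorInformation,
        SystemWow64SharedInformation,
        SystemRegisterFirmwareTableInformationHandler,
        SystemFirmwareTableInformation,
        SystemModuleInformationEx,
        SystemVerifierTriageInformation,
        SystemSuperfetchInformation,
        SystemMemoryListInformation,
        SystemFileCacheInformationEx,
        MaxSystemInfoClass                   // MaxSystemInfoClass should always be the last enum
    } SYSTEM_INFORMATION_CLASS;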
     
     
     
