在"遍历进程"的基础上做结束进程的操作:
参考:http://blog.csdn.net/u013761036/article/details/67768262
实现结束notepad.exe进程代码:
#pragma once
#include <ntifs.h>
#include <ntstrsafe.h>
// Hard-coded EPROCESS field offsets, valid for Windows 7 x86 only.
// They describe the undocumented EPROCESS layout of that single build; on any
// other OS version or architecture they point into unrelated memory and the
// list walk below will read garbage or bugcheck. Nothing in the visible code
// checks the running OS version before using them.
#define FLINKOFFSET 0x00b8 // offset of the LIST_ENTRY that links process objects (used as PLIST_ENTRY below)
#define PEBOFFSET 0x01a8   // offset of the PEB pointer; not referenced anywhere in the visible code
#define NAMEOFFSET 0x016c  // offset of the NUL-terminated image file name compared against "notepad.exe"
#define PIDOFFSET 0x00b4   // offset of the process id that is handed to ZwKillProcess
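/*
 * Terminate one process: open it with PROCESS_TERMINATE access, call
 * ZwTerminateProcess with exit status 0, then close the handle.
 *
 * hdPid: process id in HANDLE form, as CLIENT_ID.UniqueProcess expects.
 * Returns nothing. Failures of ZwOpenProcess / ZwTerminateProcess are only
 * reported through KdPrint, so the caller cannot tell whether the process was
 * actually terminated. Any exception raised inside the body is swallowed by the
 * SEH handler; that is deliberate best-effort behaviour kept from the original.
 *
 * Despite the Zw prefix this is a driver-local routine, not a system service.
 */
void ZwKillProcess(HANDLE hdPid)
{
    __try {
        HANDLE hProcess = NULL;
        CLIENT_ID ClientId = { 0 };
        OBJECT_ATTRIBUTES oa;
        NTSTATUS status;

        ClientId.UniqueProcess = hdPid;
        ClientId.UniqueThread = NULL;

        /* OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table, so it
         * cannot be reached from user mode should this ever run while attached
         * to a user-mode process context. No name, no root, no security QoS. */
        InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

        /* PROCESS_TERMINATE (0x0001) is the only right needed; the original
         * passed the literal 1. The status was previously ignored. */
        status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &oa, &ClientId);
        if (!NT_SUCCESS(status)) {
            KdPrint(("ZwOpenProcess failed: 0x%08lX\n", (ULONG)status));
        } else {
            status = ZwTerminateProcess(hProcess, 0);
            if (!NT_SUCCESS(status)) {
                KdPrint(("ZwTerminateProcess failed: 0x%08lX\n", (ULONG)status));
            }
            /* close on every path once the open succeeded */
            ZwClose(hProcess);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* best-effort: a bad pid or a process that vanished mid-call is
         * ignored, as in the original */
    }
}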
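/*
 * Walk the kernel process list starting from the current process, log every
 * entry, and terminate each process whose image name starts with "notepad.exe".
 *
 * The walk depends entirely on the Win7-x86-only offsets defined above:
 * FLINKOFFSET is treated as the LIST_ENTRY that links process objects,
 * NAMEOFFSET as the image name, PIDOFFSET as the process id. It takes no lock,
 * does not reference the process objects it touches, and calls ZwKillProcess
 * while still iterating, so the list can change underneath it; the original
 * has the same limitations and they are not fixed here.
 *
 * No parameters, no return value.
 */
VOID EnumProcessInformations(void)
{
    PEPROCESS eprocess_first = PsGetCurrentProcess();
    PLIST_ENTRY pTempList = (PLIST_ENTRY)((PUCHAR)eprocess_first + FLINKOFFSET);
    /* The original started from NULL and resolved the first entry on the first
     * pass; starting directly at the current process is the same traversal. */
    PEPROCESS eprocess = eprocess_first;

    do {
        /* _strnicmp takes const char *; the original passed PUCHAR unconverted */
        const char *lpname = (const char *)((PUCHAR)eprocess + NAMEOFFSET);
        /* Read the id in the HANDLE form CLIENT_ID and ZwKillProcess expect,
         * instead of narrowing to ULONG and converting back implicitly. */
        HANDLE hPid = *(HANDLE *)((PUCHAR)eprocess + PIDOFFSET);

        /* %lu matches ULONG; the original used %d for an unsigned long */
        KdPrint(("process %s--%lu\n", lpname, (ULONG)(ULONG_PTR)hPid));

        /* 11-byte prefix compare: any name beginning with "notepad.exe"
         * matches, as in the original. NOTE(review): the name field is a short
         * fixed buffer on this build; confirm it is NUL-terminated before
         * relying on %s above. */
        if (_strnicmp(lpname, "notepad.exe", 11) == 0) {
            ZwKillProcess(hPid);
        }

        /* a NULL link means the list is not what the offsets assume; stop
         * rather than compute an address from it */
        if (pTempList->Flink == NULL) {
            break;
        }
        pTempList = pTempList->Flink;
        eprocess = (PEPROCESS)((PUCHAR)pTempList - FLINKOFFSET);
    } while (eprocess != eprocess_first);
}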
/*
 * DriverUnload callback registered in DriverEntry. It only logs; nothing in
 * the visible code allocates state that would need releasing here.
 *
 * p: the driver object being unloaded (not used).
 */
VOID unload(PDRIVER_OBJECT p)
{
    (void)p; /* intentionally unused */
    DbgPrint("UnloadDriver...");
}
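/*
 * TRUE only on Windows 7 (version 6.1) x86, the sole build the hard-coded
 * EPROCESS offsets at the top of this file describe. Any other build or
 * architecture returns FALSE so the raw list walk is never attempted there.
 */
static BOOLEAN RunningOnSupportedBuild(void)
{
#if defined(_M_IX86)
    RTL_OSVERSIONINFOW osvi = { 0 };
    osvi.dwOSVersionInfoSize = sizeof(osvi);
    if (!NT_SUCCESS(RtlGetVersion(&osvi))) {
        return FALSE;
    }
    return (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ? TRUE : FALSE;
#else
    return FALSE;
#endif
}

/*
 * Driver entry point. Registers the unload routine, logs the driver name and
 * registry path, then runs the process walk once, synchronously, before
 * returning.
 *
 * pDriver_Obj:   driver object supplied by the I/O manager.
 * pRegisterPath: registry path of the driver's service key.
 * Returns STATUS_SUCCESS after the walk, or STATUS_NOT_SUPPORTED (driver does
 * not load) when the running OS is not Windows 7 x86 — on any other build the
 * offsets would dereference unrelated memory. The original performed no such
 * check.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver_Obj, PUNICODE_STRING pRegisterPath)
{
    DbgPrint("DriverEntry...");
    pDriver_Obj->DriverUnload = unload;
    DbgPrint("DriverName:%wZ RegisterPath:%wZ \n ",
             &pDriver_Obj->DriverName,
             pRegisterPath);

    if (!RunningOnSupportedBuild()) {
        DbgPrint("unsupported OS build: EPROCESS offsets are for Windows 7 x86 only\n");
        return STATUS_NOT_SUPPORTED;
    }

    /* the whole walk-and-terminate runs here, in the load context */
    EnumProcessInformations();
    return STATUS_SUCCESS;
}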