#include <ntifs.h>
#include <ntimage.h>
#define SystemModuleInformation 11
#define SystemProcessesAndThreadsInformation 5
//要以编程的角度去理解代码,而不是以内核层或者应用层调度
//就当成是应用层的 SYSTEMTIME
/*
 * Per-process record returned by ZwQuerySystemInformation(SystemProcessesAndThreadsInformation).
 * Records are chained: NextEntryDelta is the byte offset from this record to the next one,
 * 0 on the last record (see the walk in EnumProcessList).
 *
 * NOTE(review): field widths here are the 32-bit layout. The documented
 * SYSTEM_PROCESS_INFORMATION stores the process id as a HANDLE (pointer-sized)
 * and several pointer-sized counters; confirm the layout before an x64 build.
 */
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;           /* byte offset to the next record, 0 = last */
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;     /* counted string: Buffer is not guaranteed NUL-terminated, honour Length */
KPRIORITY BasePriority;
ULONG ProcessId;                /* NOTE(review): HANDLE in the documented struct - 32-bit only here */
ULONG InheritedFromProcessId;   /* parent pid; same caveat as ProcessId */
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
} _SYSTEM_PROCESSES,*PSYSTEM_PROCESSES;   /* typedef name reuses the tag; only PSYSTEM_PROCESSES is used in this file */
/*
 * One loaded kernel module, as returned by
 * ZwQuerySystemInformation(SystemModuleInformation) inside a MODULES array.
 *
 * NOTE(review): Reserved[2], Base are ULONG here. The documented
 * RTL_PROCESS_MODULE_INFORMATION holds pointers in those slots, so this
 * layout is only valid for a 32-bit kernel - confirm before an x64 build.
 */
typedef struct _SYSTEM_MODULE_INFORMATION // system module information
{
ULONG Reserved[2];
ULONG Base;                 /* image base address (truncated to 32 bits on x64, see note above) */
ULONG Size;                 /* image size in bytes */
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;    /* offset into ImageName of the file-name part */
CHAR ImageName[256];        /* full path, filled by the kernel */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Header of the SystemModuleInformation buffer: ulCount entries follow
 * immediately after the count. smi[1] is the classic open-ended trailing
 * array idiom, so sizeof(MODULES) over-counts by one entry and the real
 * extent is FIELD_OFFSET(MODULES, smi) + ulCount * sizeof(SYSTEM_MODULE_INFORMATION).
 */
typedef struct _tagSysModuleList { // module list
ULONG ulCount;                     /* number of valid entries in smi */
SYSTEM_MODULE_INFORMATION smi[1];  /* ulCount entries, see comment above */
} MODULES, *PMODULES;
//函数导出了,但是未文档化,所以要手动声明
/*
 * Exported but undocumented in this header set, hence the manual prototype.
 * Querying with SystemInformation == NULL / Length == 0 returns
 * STATUS_INFO_LENGTH_MISMATCH and stores the required size in *ReturnLength
 * (this is how the callers below size their buffers).
 *
 * NOTE(review): the kernel's own declaration takes SYSTEM_INFORMATION_CLASS,
 * an int-sized enum. ULONG_PTR only matches it on 32-bit; the __stdcall
 * here likewise corresponds to NTAPI on x86 only - confirm before an x64 build.
 */
NTSTATUS __stdcall ZwQuerySystemInformation(
ULONG_PTR SystemInformationClass,   /* SystemModuleInformation (11) or SystemProcessesAndThreadsInformation (5) here */
PVOID SystemInformation,            /* caller-supplied output buffer, may be NULL to probe the size */
ULONG SystemInformationLength,      /* size of SystemInformation in bytes */
PULONG ReturnLength                 /* optional: receives the required / written size */
);
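/*
 * Unload routine registered in DriverEntry. Nothing is allocated for the
 * lifetime of the driver, so there is nothing to tear down; only log.
 *
 * DriverObject: the driver object being unloaded (unused).
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* Unused parameter: silence C4100, which WDK builds treat as an error. */
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("卸载完成!\n");
}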
//创建或者设置注册表键值的函数
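/*
 * Create (or open) the registry key SafeKey and set the value ValueName.
 *
 * SafeKey   : full native path of the key, e.g. L"\\Registry\\Machine\\...".
 * Reg_Type  : REG_SZ, REG_EXPAND_SZ or REG_DWORD. Any other type is rejected.
 * ValueName : name of the value to set.
 * Value     : for REG_SZ / REG_EXPAND_SZ a NUL-terminated wide string;
 *             for REG_DWORD the 32-bit number itself smuggled through the
 *             pointer, e.g. (PWCHAR)0x3 (this is how DriverEntry calls it).
 *
 * Returns TRUE only if the key was created/opened AND the value was written.
 *
 * Fixes relative to the previous version:
 *  - the REG_DWORD case wrote the address of the Value parameter with
 *    sizeof(ULONG_PTR) bytes (8 on x64, and never the intended number);
 *    it now stores a real 4-byte DWORD;
 *  - string data now includes the terminating NUL, as the registry expects;
 *  - the ZwSetValueKey status is no longer ignored, and an unknown type
 *    no longer reports success;
 *  - the handle is created as a kernel handle so it cannot be reached from
 *    user mode, and only KEY_SET_VALUE is requested (least privilege).
 */
BOOLEAN Safe_CreateValueKey(PWCHAR SafeKey, ULONG_PTR Reg_Type, PWCHAR ValueName, PWCHAR Value)
{
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING RegUnicodeString, Unicode_ValueName;
    NTSTATUS ntStatus;
    HANDLE hRegister = NULL;
    ULONG ulDisposition = 0;    /* ZwCreateKey's Disposition is PULONG, not PULONG_PTR */
    ULONG ulValue_DWORD;
    ULONG cbData;
    BOOLEAN bRetOK = FALSE;

    if (SafeKey == NULL || ValueName == NULL) {
        return FALSE;
    }
    /* String types need a real wide string: wcslen(NULL) would fault. */
    if ((Reg_Type == REG_SZ || Reg_Type == REG_EXPAND_SZ) && Value == NULL) {
        return FALSE;
    }

    /* PWCHAR -> UNICODE_STRING */
    RtlInitUnicodeString(&Unicode_ValueName, ValueName);
    RtlInitUnicodeString(&RegUnicodeString, SafeKey);

    /* OBJ_CASE_INSENSITIVE: registry names are matched case-insensitively.
     * OBJ_KERNEL_HANDLE: the handle lives in the kernel handle table, so a
     * user-mode process in whose context we might run cannot touch it. */
    InitializeObjectAttributes(
        &objectAttributes,
        &RegUnicodeString,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL);

    /* Only ZwSetValueKey is called on the handle, so KEY_SET_VALUE suffices. */
    ntStatus = ZwCreateKey(
        &hRegister,
        KEY_SET_VALUE,
        &objectAttributes,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        &ulDisposition);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ZwCreateKey failed: 0x%08X\r\n", ntStatus);
        return FALSE;
    }

    switch (Reg_Type) {
    case REG_SZ:
    case REG_EXPAND_SZ:
        /* Registry string data includes the terminating NUL. */
        cbData = (ULONG)((wcslen(Value) + 1) * sizeof(WCHAR));
        ntStatus = ZwSetValueKey(
            hRegister,
            &Unicode_ValueName,
            0,
            (ULONG)Reg_Type,
            Value,
            cbData);
        break;
    case REG_DWORD:
        /* The number travels in the pointer value itself (see header comment). */
        ulValue_DWORD = (ULONG)(ULONG_PTR)Value;
        ntStatus = ZwSetValueKey(
            hRegister,
            &Unicode_ValueName,
            0,
            (ULONG)Reg_Type,
            &ulValue_DWORD,
            sizeof(ulValue_DWORD));
        break;
    default:
        /* Unsupported type: do not silently report success. */
        ntStatus = STATUS_INVALID_PARAMETER;
        break;
    }

    if (NT_SUCCESS(ntStatus)) {
        bRetOK = TRUE;
    } else {
        DbgPrint("ZwSetValueKey failed: 0x%08X\r\n", ntStatus);
    }

    ZwClose(hRegister);
    return bRetOK;
}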
//这个就是我们实现在驱动层下列举进程的函数
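/*
 * Print every process (pid and image name) using
 * ZwQuerySystemInformation(SystemProcessesAndThreadsInformation).
 *
 * The list can grow between the size probe and the data query, in which
 * case the kernel reports STATUS_INFO_LENGTH_MISMATCH again; the query is
 * therefore retried with the newly reported size plus some slack instead
 * of giving up after one attempt. Records are walked by NextEntryDelta
 * and every step is checked against the buffer size so a malformed delta
 * cannot read past the allocation.
 *
 * Must be called at PASSIVE_LEVEL (ZwQuerySystemInformation requirement).
 */
void EnumProcessList()
{
    enum { MAX_ATTEMPTS = 5, SIZE_SLACK = 4096, POOL_TAG = 'PmnE' };
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    ULONG NeededSize = 0;
    ULONG bufferSize = 0;       /* size actually allocated for pBuffer */
    ULONG offset;
    int attempts;
    PVOID pBuffer = NULL;       /* output buffer from the pool */
    PSYSTEM_PROCESSES pInfo;    /* cursor over the records in pBuffer */

    __try
    {
        /* First pass probes with NULL/0 and gets the size; later passes
         * reallocate when the list grew in between. */
        for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) {
            status = ZwQuerySystemInformation(
                SystemProcessesAndThreadsInformation,
                pBuffer,
                bufferSize,
                &NeededSize);
            if (status != STATUS_INFO_LENGTH_MISMATCH) {
                break;
            }
            if (pBuffer != NULL) {
                ExFreePoolWithTag(pBuffer, POOL_TAG);
                pBuffer = NULL;
            }
            bufferSize = NeededSize + SIZE_SLACK;
            DbgPrint("NeededSize:%lu\r\n", NeededSize);
            /* NonPagedPool kept from the original; PagedPool would also do at PASSIVE_LEVEL. */
            pBuffer = ExAllocatePoolWithTag(NonPagedPool, bufferSize, POOL_TAG);
            if (pBuffer == NULL) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
        }

        if (!NT_SUCCESS(status) || pBuffer == NULL) {
            DbgPrint("ZwQuerySystemInformation() failed: 0x%08X\r\n", status);
        } else {
            DbgPrint("ZwQuerySystemInformation() success\r\n");
            offset = 0;
            for (;;) {
                /* Never read a record that does not fit in what we allocated. */
                if (offset > bufferSize || bufferSize - offset < sizeof(*pInfo)) {
                    DbgPrint("process record at offset %lu exceeds buffer, stopping\r\n", offset);
                    break;
                }
                pInfo = (PSYSTEM_PROCESSES)((PUCHAR)pBuffer + offset);
                if (pInfo->ProcessId == 0) {
                    /* pid 0: the idle process, whose name buffer is empty */
                    DbgPrint("PID %5lu System Idle Process\r\n", pInfo->ProcessId);
                } else {
                    /* %wZ honours UNICODE_STRING.Length and tolerates a NULL Buffer */
                    DbgPrint("PID %lu %wZ\r\n", pInfo->ProcessId, &pInfo->ProcessName);
                }
                if (pInfo->NextEntryDelta == 0) {
                    break;  /* last record */
                }
                /* Guard the offset arithmetic against wrap-around. */
                if (pInfo->NextEntryDelta > bufferSize - offset) {
                    DbgPrint("bad NextEntryDelta %lu, stopping\r\n", pInfo->NextEntryDelta);
                    break;
                }
                offset += pInfo->NextEntryDelta;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("%08x\r\n", GetExceptionCode());
    }

    /* Single release point, also reached on the exception path. */
    if (pBuffer != NULL) {
        ExFreePoolWithTag(pBuffer, POOL_TAG);
    }
}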
//根据上面我的注释,试着理解注释这个函数
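/*
 * Print base, size and image path of every loaded kernel module using
 * ZwQuerySystemInformation(SystemModuleInformation).
 *
 * Same size-probe / retry scheme as EnumProcessList: a module may load
 * between the probe and the data query, so STATUS_INFO_LENGTH_MISMATCH on
 * the data query triggers a reallocation instead of a silent failure.
 * ulCount is clamped to the number of entries that actually fit in the
 * buffer before the array is walked.
 *
 * Must be called at PASSIVE_LEVEL.
 */
void GetKernelModuleInfo()
{
    enum { MAX_ATTEMPTS = 5, SIZE_SLACK = 4096, POOL_TAG = 'LdmK' };
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    ULONG NeededSize = 0;
    ULONG bufferSize = 0;       /* size actually allocated for pModuleList */
    ULONG maxEntries;
    ULONG count;
    ULONG i;
    int attempts;
    PMODULES pModuleList = NULL;

    __try
    {
        for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) {
            status = ZwQuerySystemInformation(
                SystemModuleInformation,
                pModuleList,
                bufferSize,
                &NeededSize);
            if (status != STATUS_INFO_LENGTH_MISMATCH) {
                break;
            }
            if (pModuleList != NULL) {
                ExFreePoolWithTag(pModuleList, POOL_TAG);
                pModuleList = NULL;
            }
            bufferSize = NeededSize + SIZE_SLACK;
            pModuleList = (PMODULES)ExAllocatePoolWithTag(NonPagedPool, bufferSize, POOL_TAG);
            if (pModuleList == NULL) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
        }

        if (!NT_SUCCESS(status) || pModuleList == NULL) {
            DbgPrint("ZwQuerySystemInformation(SystemModuleInformation) failed: 0x%08X\r\n", status);
        } else {
            /* How many entries the allocation can physically hold. */
            maxEntries = (bufferSize - FIELD_OFFSET(MODULES, smi)) / sizeof(SYSTEM_MODULE_INFORMATION);
            count = pModuleList->ulCount;
            if (count > maxEntries) {
                DbgPrint("ulCount %lu exceeds buffer capacity %lu, clamping\r\n", count, maxEntries);
                count = maxEntries;
            }
            for (i = 0; i < count; i++) {
                /* The buffer is ours: force termination so %s cannot run past ImageName. */
                pModuleList->smi[i].ImageName[sizeof(pModuleList->smi[i].ImageName) - 1] = '\0';
                /* Base is a ULONG in this struct (32-bit layout), hence %08X rather than %p. */
                DbgPrint("0x%08X:%lu:%s\r\n",
                    pModuleList->smi[i].Base,
                    pModuleList->smi[i].Size,
                    pModuleList->smi[i].ImageName);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("%08x\r\n", GetExceptionCode());
    }

    /* Single release point; also covers the exception path. */
    if (pModuleList != NULL) {
        ExFreePoolWithTag(pModuleList, POOL_TAG);
    }
}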
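/*
 * Driver entry point: registers the unload routine, dumps the process and
 * kernel-module lists to the debugger, then writes two demo values under
 * the Services key.
 *
 * DriverObject : our driver object; DriverUnload is hooked on it.
 * RegistryPath : this driver's own Services\<name> key. It is not used:
 *                the hard-coded path below ends in a backslash and therefore
 *                targets the Services key itself, not this driver's key.
 *                NOTE(review): if the intent was to set this driver's own
 *                "Start" value, RegistryPath->Buffer is the key to pass.
 *
 * Returns STATUS_SUCCESS; registry failures are logged but do not fail
 * the load, matching the original behaviour.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    /* list processes */
    EnumProcessList();
    /* list loaded kernel modules */
    GetKernelModuleInfo();

    /* For REG_DWORD the number itself is passed through the PWCHAR parameter. */
    if (!Safe_CreateValueKey(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\", REG_DWORD, L"Start", (PWCHAR)0x3)) {
        DbgPrint("failed to set Start\r\n");
    }
    if (!Safe_CreateValueKey(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\", REG_SZ, L"Start_String", L"hi~i am wrk")) {
        DbgPrint("failed to set Start_String\r\n");
    }

    return STATUS_SUCCESS;
}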
1.driverbase-枚举进程,枚举模块,操作注册表随手代码