#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
#ifdef __cplusplus
}
#endif


#define PROCESSNAME_OFFSET 0x174
#define NTOPENPROCESS_SIGN 0x7a
#define NTOPENPROCESS_OFFSET 0xa014
#define PROCESSLINK_OFFSET 0x88
#define THREADHEAD_OFFSET 0x50
#define THREADLINK_OFFSET 0x1b0
#define STARTADDRESS_OFFSET 0x224
#define PROCESSEXIT_OFFSET 0x78
#define PROCESSID_OFFSET 0x84
#define THREADDEBUGGER_OFFSET 0x248


//=========================================================================
//函数名:EnumThread
//功能 :在驱动内Enum指定进程的所有线程.
//参数:
//  IN pProcess   指定进程块
//返回值:
//  NULL
//
//=========================================================================
VOID EnumThread(IN PEPROCESS pProcess)
{
 PETHREAD pThread = NULL;
 PLIST_ENTRY pFirstEntry = NULL,pLastEntry = NULL;
 PULONG pStartAddress = NULL;
 PCLIENT_ID pClientId = NULL;

 pFirstEntry = (PLIST_ENTRY)((ULONG)pProcess + THREADHEAD_OFFSET);
 pLastEntry = pFirstEntry;

 do{
  pThread = (PETHREAD)((ULONG)pFirstEntry - THREADLINK_OFFSET);

  if (pThread != NULL)
  {
   *(PULONG)((ULONG)pThread + THREADDEBUGGER_OFFSET) &= 0xfffffffb;
  
  }
  pFirstEntry = pFirstEntry->Blink;

 }while(pLastEntry != pFirstEntry);


}


//=========================================================================
//函数名:EnumProcess
//功能 :在驱动内Enum指定进程的指定进程名的进程(可能有多个).
//参数:
//  IN pszProcessName   指定进程名
//返回值:
//  NULL
//
//=========================================================================
VOID EnumProcess(IN PCHAR pszProcessName)
{
 PEPROCESS pProcess = NULL;
 PLIST_ENTRY pFirstEntry = NULL,pLastEntry = NULL;
 PLARGE_INTEGER pExitTime = NULL;

 pProcess = PsGetCurrentProcess();


 pFirstEntry = (PLIST_ENTRY)((ULONG)pProcess + PROCESSLINK_OFFSET);
 pLastEntry = pFirstEntry;

 do{
  pProcess = (PEPROCESS)((ULONG)pFirstEntry - PROCESSLINK_OFFSET);
  pExitTime = (PLARGE_INTEGER)((ULONG)pProcess + PROCESSEXIT_OFFSET);

  if (0 == _stricmp(PsGetProcessImageFileName(pszProcessName), ProcessName))
   {
     EnumThread(pProcess);  
   }
 
  pFirstEntry = pFirstEntry->Blink;
 }while(pFirstEntry != pLastEntry);


}