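#include <ntddk.h>
#include "ntifs.h"

/*
 * RetrivePID - return the PID of the first process whose kernel-side image
 * name matches ProcessName (case-insensitive, exact), or (HANDLE)-1 if no
 * such process is found or ProcessName is NULL.
 *
 * Mechanism: starting from the current process, follow the
 * EPROCESS.ActiveProcessLinks ring, print every process that still has
 * threads, and return PsGetProcessId() of the first match. The start node
 * itself (the caller's process) is not inspected; the ring is walked from its
 * Flink back around to the head, so every other process is visited once.
 *
 * SECURITY / STABILITY CAVEATS (read before reusing this code):
 *  - EPROCESS is opaque in the WDK headers; this file only compiles against a
 *    hand-written, build-specific definition of the structure. Field offsets
 *    differ between Windows builds, so a wrong definition does not fail to
 *    compile - it reads arbitrary kernel memory.
 *  - The active-process list is protected by an internal kernel lock that
 *    drivers cannot acquire. Walking the ring unsynchronized races with
 *    process exit: an EPROCESS can be unlinked and freed between reading
 *    Flink and dereferencing it, i.e. a kernel-mode use-after-free (bugcheck
 *    at best). The supported alternatives are
 *    ZwQuerySystemInformation(SystemProcessInformation) or, for a known PID,
 *    PsLookupProcessByProcessId(), which takes a reference on the object.
 *  - ImageFileName is a truncated copy of the image name that is not
 *    guaranteed to be NUL-terminated; names longer than the buffer cannot be
 *    matched, and unrelated executables may share a name. A PID obtained this
 *    way must not be used as a trust or access-control decision on its own.
 *  - Must run at PASSIVE_LEVEL; DriverEntry satisfies this.
 *
 * ProcessName: NUL-terminated ANSI image name, e.g. "notepad.exe".
 */
HANDLE RetrivePID(char *ProcessName)
{
    PEPROCESS start;
    PEPROCESS proc;
    PLIST_ENTRY head;
    PLIST_ENTRY entry;
    size_t nameLen;
    /* Width of the kernel's image-name field; bounds every read and compare. */
    const size_t nameCap = sizeof(((PEPROCESS)NULL)->ImageFileName);

    if (ProcessName == NULL) {
        DbgPrint("[ALARM] -> RetrivePID called with NULL name\n");
        return (HANDLE)-1;
    }
    nameLen = strlen(ProcessName);

    start = PsGetCurrentProcess();
    if (start == NULL) {
        /* PsGetCurrentProcess does not return NULL in practice; kept as a guard. */
        DbgPrint("[ALARM] -> Cannot find 'System' process!\n");
        return (HANDLE)-1;
    }

    head = &start->ActiveProcessLinks;
    if (IsListEmpty(head)) {
        DbgPrint("[ALARM] -> No processes found!\n");
        return (HANDLE)-1;
    }

    /* NOTE(review): unsynchronized traversal - see the race caveat above. */
    for (entry = head->Flink; entry != head; entry = entry->Flink) {
        proc = CONTAINING_RECORD(entry, EPROCESS, ActiveProcessLinks);

        /* Skip processes that are exiting or have no threads left. */
        if (proc->ActiveThreads == 0 || IsListEmpty(&proc->ThreadListHead)) {
            continue;
        }

        /*
         * %.*s bounds the read to the field width because the name is not
         * guaranteed NUL-terminated; UniqueProcessId is pointer-sized, so it
         * is printed with %p rather than %d (which is wrong on 64-bit).
         */
        DbgPrint("Process name: %.*s - PID:%p\n",
                 (int)nameCap, proc->ImageFileName, (PVOID)proc->UniqueProcessId);

        /*
         * Exact, case-insensitive match bounded to the field width: a name
         * longer than the field can never match, and comparing nameCap bytes
         * also rejects image names that merely start with ProcessName.
         */
        if (nameLen <= nameCap &&
            _strnicmp(proc->ImageFileName, ProcessName, nameCap) == 0) {
            return PsGetProcessId(proc);
        }
    }

    return (HANDLE)-1;
}

/* Driver unload callback: nothing to tear down, only a trace line. */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Test Driver :: Unload\n");
}

/*
 * DriverEntry - registers the unload routine, then exercises RetrivePID once
 * as a smoke test and reports the result. Always returns STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPathName)
{
    HANDLE pid;

    UNREFERENCED_PARAMETER(RegistryPathName);

    DbgPrint("Test Driver :: DriverEntry\n");

    /* Register unload first so the driver can always be removed. */
    DriverObject->DriverUnload = Unload;

    /* Test function */
    pid = RetrivePID("notepad.exe");
    if (pid == (HANDLE)-1) {
        DbgPrint("Test Driver :: notepad.exe not found\n");
    } else {
        DbgPrint("Test Driver :: notepad.exe PID:%p\n", (PVOID)pid);
    }

    return STATUS_SUCCESS;
}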