#include "ntddk.h"
//#include "ntifs.h"
#include "1.h"
#define table_offset 0xc4
#define list_entry_offset 0x1c
#define id_offset 0x08
#include "kernel_struct.h"
#ifdef __cplusplus
extern "C"
{
#endif
NTSTATUS PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS * pEProcess
);
#ifdef __cplusplus
}
#endif
ULONG GetLocationOfProcessName()
{
ULONG ul_offset;
PEPROCESS CurrentProc;
CurrentProc=PsGetCurrentProcess();
for(ul_offset=0;ul_offset<PAGE_SIZE;ul_offset++)
{
if(!strncmp("System",(PCHAR)CurrentProc+ul_offset,strlen
("System")))
{
return ul_offset;
}
}
return (ULONG)0;
}
NTSTATUS Unload()
{
return STATUS_SUCCESS;
}
void ListProcess(void)
{
PEPROCESS currentproc,ps;
ULONG current_proc;
PHANDLE_TABLE handle_table;
PLIST_ENTRY table_list,table1_list;
ULONG * PID;
ULONG id;
ULONG table,table1;
ULONG temp;
currentproc=PsGetCurrentProcess();
current_proc=(ULONG)currentproc;
table=current_proc+table_offset;
DbgPrint("%u",*((ULONG *)(table+id_offset)));
temp=table+list_entry_offset;
table1=(ULONG)(((PLIST_ENTRY)temp)->Flink);
temp=table1-list_entry_offset;
DbgPrint("%u",*((ULONG *)(temp+id_offset)));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,
PUNICODE_STRING str)
{
ListProcess();
DriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
为什么输出的两个ID会是一样的呢,按理说应该不一样啊,求教哪里有问题
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法