[原创]进程EPROCESS地址获取
发表于:
2012-11-22 22:44
至于 EPROCESS 有何作用，这里就不多说了；获取方式如下代码所示，大牛莫见笑。需要注意的是，PsLookupProcessByProcessId 成功时会对返回的进程对象加一个引用，用完后必须用 ObDereferenceObject 释放，否则该进程对象会一直被占住。
.586p
.model flat, stdcall
option casemap:none
include PidToEprocess.inc
; Prototype for the kernel export PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process).
; The calling convention is the module default (stdcall, from the .model line above), which is
; what the 32-bit kernel export uses.  The second parameter is declared as PEPROCESS here, but
; the export takes a pointer to a PEPROCESS that receives the result - callers pass `addr x`.
EXP_PsLookupProcessByProcessId typedef proto :HANDLE,:PEPROCESS
; Function-pointer type for the prototype above, so an address resolved at run time with
; MmGetSystemRoutineAddress can be called through `invoke`.
FUN_EXP_PsLookupProcessByProcessId typedef ptr EXP_PsLookupProcessByProcessId
.data
; Resolved address of PsLookupProcessByProcessId.  Written by PidToEprocess; not meaningful
; before that routine has run.
FUN_PsLookupProcessByProcessId FUN_EXP_PsLookupProcessByProcessId ?
.code
;-----------------------------------------------------------------------
; DriverUnload(PDRIVER_OBJECT pDriverObject)
; Unload callback registered from DriverEntry.  There is nothing to tear
; down, it only logs; pDriverObject is unused.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke DbgPrint,$CTA0("Unload Driver Success\n")
ret
DriverUnload endp
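;-----------------------------------------------------------------------
; GetKernelExpFunAddr(PUNICODE_STRING uniFunName) -> eax
; Resolves an ntoskrnl export by name through MmGetSystemRoutineAddress.
; In:   uniFunName = counted UNICODE_STRING holding the export name
; Out:  eax = routine address, or 0 when no export of that name exists
; Call at PASSIVE_LEVEL only: MmGetSystemRoutineAddress may page and may
; acquire kernel locks.  The cli/sti pair that used to bracket the call is
; gone on purpose - masking interrupts protected nothing here, and taking a
; page fault or blocking on a lock with interrupts disabled can hang or
; bugcheck the machine.
;-----------------------------------------------------------------------
GetKernelExpFunAddr proc uniFunName:PUNICODE_STRING
    invoke MmGetSystemRoutineAddress, uniFunName
    ret                                 ; eax already holds the result
GetKernelExpFunAddr endp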
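;-----------------------------------------------------------------------
; PidToEprocess(DWORD imgPid) -> eax
; Looks up the EPROCESS of a process by PID through PsLookupProcessByProcessId,
; which is resolved by name at run time.
; In:   imgPid = process id (passed as the HANDLE the export expects)
; Out:  eax = PEPROCESS on success; 0 when the export could not be resolved
;       or the PID does not name a live process.
; Side effect: the resolved address is stored in FUN_PsLookupProcessByProcessId.
; NOTE: on success the object carries a reference taken by
; PsLookupProcessByProcessId; the caller must release it with
; ObDereferenceObject once the pointer is no longer needed.  Call at
; PASSIVE_LEVEL only.
;-----------------------------------------------------------------------
PidToEprocess proc imgPid:DWORD
    LOCAL imgEprocess:PEPROCESS
    LOCAL status:DWORD

    ; A LOCAL is not zeroed automatically; every failure path must return 0
    ; rather than whatever happened to be in this stack slot.
    mov imgEprocess, 0

    invoke GetKernelExpFunAddr, $CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
    mov FUN_PsLookupProcessByProcessId, eax
    .if eax == 0
        invoke DbgPrint, $CTA0("Get PsLookupProcessByProcessId Address Failed.\n")
        xor eax, eax
        ret
    .endif

    ; The export returns an NTSTATUS in eax.  Anything but STATUS_SUCCESS
    ; (e.g. an unknown or terminated PID) leaves imgEprocess untouched, so the
    ; status must be checked before the output is trusted.
    invoke FUN_PsLookupProcessByProcessId, imgPid, addr imgEprocess
    mov status, eax
    .if status != STATUS_SUCCESS
        invoke DbgPrint, $CTA0("PsLookupProcessByProcessId Failed, status 0x%08X\n"), status
        xor eax, eax
        ret
    .endif

    mov eax, imgEprocess
    ret
PidToEprocess endp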
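; Process whose EPROCESS is looked up when the driver loads.  Hard-coded for
; this demo; a real driver would take the PID from an IOCTL or the registry.
TARGET_PID equ 1676
; Byte offset of DRIVER_OBJECT.DriverUnload on x86.  Use the structure field
; from the header instead when the .inc file defines DRIVER_OBJECT.
DRIVER_OBJECT_DriverUnload equ 34h

;-----------------------------------------------------------------------
; DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Registers DriverUnload, resolves the EPROCESS of TARGET_PID, prints it and
; releases the reference the lookup took.  Always returns STATUS_SUCCESS, so
; the driver stays loaded even when the lookup failed (it then prints 0).
; Only volatile registers are used: ebx/esi/edi are callee-saved under
; stdcall and the previous version clobbered esi without preserving it.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    LOCAL pEprocess:PEPROCESS
    LOCAL pfnDeref:DWORD

    mov eax, pDriverObject
    mov dword ptr [eax + DRIVER_OBJECT_DriverUnload], offset DriverUnload

    invoke PidToEprocess, TARGET_PID
    mov pEprocess, eax
    invoke DbgPrint, $CTA0("EPROCESS Address: 0x%08X\n"), pEprocess

    ; PsLookupProcessByProcessId hands back a referenced object; if the
    ; reference is never dropped the process object is pinned until reboot.
    ; ObDereferenceObject is resolved the same way the lookup routine is, so
    ; no extra import is needed; the x86 export is stdcall (callee pops).
    .if pEprocess != 0
        invoke GetKernelExpFunAddr, $CCOUNTED_UNICODE_STRING("ObDereferenceObject")
        .if eax != 0
            mov pfnDeref, eax
            push pEprocess
            call pfnDeref
        .endif
    .endif

    mov eax, STATUS_SUCCESS
    ret
DriverEntry endp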
end DriverEntry