[旧帖] [求助]断系统线程调度链表的问题 0.00雪花
发表于: 2008-11-29 11:30 3387
为什么我把一个进程的所有线程从调度链表中断了,该进程还是能运行,不解
我直接用硬编码指定了我机器上的地址(XP sp2):
PLIST_ENTRY KiDispatcherReadyListHead = 0x8055cf60;
PLIST_ENTRY KiWaitListHead = 0x8055c488;
小弟初学驱动,还希望各位大大有时间指点一下,下面是我的代码:
大概就是遍历XP的两个调度链表,如果发现进程名是记事本的就把该线程从调度链表中断开,可发现记事本没死,还是该干嘛就干嘛,郁闷了!!
而且,遍历出的线程总数每次还不一样,总比任务管理器上显示的线程总数要少很多,不解,为什么会这样呢?
/*
 * System-thread entry point. Walks the 32 dispatcher ready-list heads and the
 * wait-list head through DisplayList(), prints the running entry count, then
 * terminates the calling system thread.
 *
 * pContext: start-routine context from PsCreateSystemThread; unused here.
 *
 * The whole walk runs at raised IRQL. Raising IRQL on the current processor
 * does not take the dispatcher's own synchronization, so on a multiprocessor
 * system the lists can change while this loop reads them; the varying totals
 * the author reports are consistent with that, but cannot be confirmed from
 * this listing alone.
 *
 * Relies on file-scope state not shown in this block: KiDispatcherReadyListHead
 * and KiWaitListHead (hard-coded addresses from the post, valid only for the
 * author's XP SP2 build), PsThreadCount (incremented by DisplayList) and
 * Interval (presumably a LARGE_INTEGER). Also assumes DisplayList() is
 * prototyped before this point, since its definition follows.
 */
VOID SysThreadProc(PVOID pContext)
{
ULONG i;
UCHAR DbgInfo[256]; // scratch for fixed-format messages; 256 is ample for them
KIRQL NewIrql, OldIrql; // NewIrql is only referenced by commented-out code
// Only the commented-out KeDelayExecutionThread() call would have used this.
Interval.QuadPart = -1000;
// OldIrql = KeGetCurrentIrql();
// NOTE(review): spelled DESPATCH_LEVEL, not the WDK name DISPATCH_LEVEL --
// confirm it is defined somewhere in the project.
KeRaiseIrql(DESPATCH_LEVEL, &OldIrql);
// NewIrql = KeGetCurrentIrql();
//KeDelayExecutionThread(KernelMode, FALSE, &Interval);
DbgPrint("System Thread Running......\n");
// Treats KiDispatcherReadyListHead as an array of 32 LIST_ENTRY heads, one per
// priority level; pointer arithmetic is in LIST_ENTRY units, so +i is head i.
for (i = 0; i < 32; i++)
{
sprintf(DbgInfo, "就绪队列优先级为【%d】\n", i);
// Passes the buffer as the format string; DbgPrint("%s", DbgInfo) is the
// conventional form even though the content here contains no stray '%'.
DbgPrint(DbgInfo);
DisplayList(KiDispatcherReadyListHead+i);
}
DbgPrint("阻塞线程队列中的线程................................\n");
DisplayList(KiWaitListHead);
// PsThreadCount is never reset in this routine: it holds whatever it was
// before plus every entry visited in this pass.
sprintf(DbgInfo, "线程总数【%d】\n", PsThreadCount);
DbgPrint(DbgInfo);
KeLowerIrql(OldIrql);
PsTerminateSystemThread(STATUS_SUCCESS); // does not return on success
}
/*
 * Walks one LIST_ENTRY-linked scheduler list from ListHead->Flink back to
 * ListHead, printing the image name of each entry's owning process and
 * incrementing the file-scope PsThreadCount once per entry. Entries whose
 * image name contains "NOTEPAD" are unlinked from the list in place.
 *
 * ListHead: head of the list to walk; an empty list returns immediately.
 *
 * Every structure offset below is hard-coded for the author's XP SP2 build
 * (see the post) and is not valid on any other build. The list is also
 * modified outside the scheduler's own synchronization; editing a
 * scheduler-owned list by hand is unsupported, and its effect, if any, is
 * undefined from the kernel's point of view.
 */
VOID DisplayList(PLIST_ENTRY ListHead)
{
PLIST_ENTRY List, NextList;
PUCHAR lpProcessName = NULL;
List = ListHead->Flink;
if ( List == ListHead ) // Flink back to the head means the list is empty
{
//DbgPrint("KiDispatcherReadyListHead is NULL \n");
return;
}
NextList = List;
while ( NextList != ListHead )
{
/*
 * Author's offsets: 0x60 is where this list entry sits inside KTHREAD,
 * 0x34 is ApcState inside KTHREAD, 0x10 is Process inside ApcState,
 * 0x174 is ImageFileName inside EPROCESS. (Build-specific; see above.)
 */
PETHREAD Thread = (PETHREAD)((PUCHAR)NextList - 0x60); // unused after this point
PEPROCESS*pProcess = (PEPROCESS*)((PUCHAR)NextList - 0x60 + 0x34 + 0x10);
PEPROCESS Process = *pProcess; // not checked for NULL before being dereferenced below
lpProcessName = (PCHAR)Process+0x174;
// Both %s and strstr() assume the name is NUL-terminated inside what is
// presumably a short fixed-size field -- TODO confirm for every entry.
DbgPrint("ImageFileName = %s \n",lpProcessName);
if (strstr(lpProcessName, "NOTEPAD"))
{
// Hand-rolled RemoveEntryList(): the neighbours are re-linked around
// NextList, but NextList's own Flink/Blink still point into the list
// (the commented-out lines would have self-linked it). That is what lets
// the advance below still work through NextList->Flink.
NextList->Blink->Flink = NextList->Flink;
NextList->Flink->Blink = NextList->Blink;
// NextList->Blink = NextList;
// NextList->Flink = NextList;
}
PsThreadCount++; // counts every entry visited, including ones just unlinked
NextList = NextList->Flink;
// A NULL Flink is never valid in a circular list; treated as corruption.
if (NextList == NULL)
{
DbgPrint(".............Flink == NULL........... \n");
break;
}
}
}
我直接用硬编码指定了我机器上的地址(XP sp2):
PLIST_ENTRY KiDispatcherReadyListHead = 0x8055cf60;
PLIST_ENTRY KiWaitListHead = 0x8055c488;
小弟初学驱动,还希望各位大大有时间指点一下,下面是我的代码:
大概就是遍历XP的两个调度链表,如果发现进程名是记事本的就把该线程从调度链表中断开,可发现记事本没死,还是该干嘛就干嘛,郁闷了!!
而且,遍历出的线程总数每次还不一样,总比任务管理器上显示的线程总数要少很多,不解,为什么会这样呢?
/*
 * System-thread entry point. Walks the 32 dispatcher ready-list heads and the
 * wait-list head through DisplayList(), prints the running entry count, then
 * terminates the calling system thread.
 *
 * pContext: start-routine context from PsCreateSystemThread; unused here.
 *
 * The whole walk runs at raised IRQL. Raising IRQL on the current processor
 * does not take the dispatcher's own synchronization, so on a multiprocessor
 * system the lists can change while this loop reads them; the varying totals
 * the author reports are consistent with that, but cannot be confirmed from
 * this listing alone.
 *
 * Relies on file-scope state not shown in this block: KiDispatcherReadyListHead
 * and KiWaitListHead (hard-coded addresses from the post, valid only for the
 * author's XP SP2 build), PsThreadCount (incremented by DisplayList) and
 * Interval (presumably a LARGE_INTEGER). Also assumes DisplayList() is
 * prototyped before this point, since its definition follows.
 */
VOID SysThreadProc(PVOID pContext)
{
ULONG i;
UCHAR DbgInfo[256]; // scratch for fixed-format messages; 256 is ample for them
KIRQL NewIrql, OldIrql; // NewIrql is only referenced by commented-out code
// Only the commented-out KeDelayExecutionThread() call would have used this.
Interval.QuadPart = -1000;
// OldIrql = KeGetCurrentIrql();
// NOTE(review): spelled DESPATCH_LEVEL, not the WDK name DISPATCH_LEVEL --
// confirm it is defined somewhere in the project.
KeRaiseIrql(DESPATCH_LEVEL, &OldIrql);
// NewIrql = KeGetCurrentIrql();
//KeDelayExecutionThread(KernelMode, FALSE, &Interval);
DbgPrint("System Thread Running......\n");
// Treats KiDispatcherReadyListHead as an array of 32 LIST_ENTRY heads, one per
// priority level; pointer arithmetic is in LIST_ENTRY units, so +i is head i.
for (i = 0; i < 32; i++)
{
sprintf(DbgInfo, "就绪队列优先级为【%d】\n", i);
// Passes the buffer as the format string; DbgPrint("%s", DbgInfo) is the
// conventional form even though the content here contains no stray '%'.
DbgPrint(DbgInfo);
DisplayList(KiDispatcherReadyListHead+i);
}
DbgPrint("阻塞线程队列中的线程................................\n");
DisplayList(KiWaitListHead);
// PsThreadCount is never reset in this routine: it holds whatever it was
// before plus every entry visited in this pass.
sprintf(DbgInfo, "线程总数【%d】\n", PsThreadCount);
DbgPrint(DbgInfo);
KeLowerIrql(OldIrql);
PsTerminateSystemThread(STATUS_SUCCESS); // does not return on success
}
/*
 * Walks one LIST_ENTRY-linked scheduler list from ListHead->Flink back to
 * ListHead, printing the image name of each entry's owning process and
 * incrementing the file-scope PsThreadCount once per entry. Entries whose
 * image name contains "NOTEPAD" are unlinked from the list in place.
 *
 * ListHead: head of the list to walk; an empty list returns immediately.
 *
 * Every structure offset below is hard-coded for the author's XP SP2 build
 * (see the post) and is not valid on any other build. The list is also
 * modified outside the scheduler's own synchronization; editing a
 * scheduler-owned list by hand is unsupported, and its effect, if any, is
 * undefined from the kernel's point of view.
 */
VOID DisplayList(PLIST_ENTRY ListHead)
{
PLIST_ENTRY List, NextList;
PUCHAR lpProcessName = NULL;
List = ListHead->Flink;
if ( List == ListHead ) // Flink back to the head means the list is empty
{
//DbgPrint("KiDispatcherReadyListHead is NULL \n");
return;
}
NextList = List;
while ( NextList != ListHead )
{
/*
 * Author's offsets: 0x60 is where this list entry sits inside KTHREAD,
 * 0x34 is ApcState inside KTHREAD, 0x10 is Process inside ApcState,
 * 0x174 is ImageFileName inside EPROCESS. (Build-specific; see above.)
 */
PETHREAD Thread = (PETHREAD)((PUCHAR)NextList - 0x60); // unused after this point
PEPROCESS*pProcess = (PEPROCESS*)((PUCHAR)NextList - 0x60 + 0x34 + 0x10);
PEPROCESS Process = *pProcess; // not checked for NULL before being dereferenced below
lpProcessName = (PCHAR)Process+0x174;
// Both %s and strstr() assume the name is NUL-terminated inside what is
// presumably a short fixed-size field -- TODO confirm for every entry.
DbgPrint("ImageFileName = %s \n",lpProcessName);
if (strstr(lpProcessName, "NOTEPAD"))
{
// Hand-rolled RemoveEntryList(): the neighbours are re-linked around
// NextList, but NextList's own Flink/Blink still point into the list
// (the commented-out lines would have self-linked it). That is what lets
// the advance below still work through NextList->Flink.
NextList->Blink->Flink = NextList->Flink;
NextList->Flink->Blink = NextList->Blink;
// NextList->Blink = NextList;
// NextList->Flink = NextList;
}
PsThreadCount++; // counts every entry visited, including ones just unlinked
NextList = NextList->Flink;
// A NULL Flink is never valid in a circular list; treated as corruption.
if (NextList == NULL)
{
DbgPrint(".............Flink == NULL........... \n");
break;
}
}
}