Innovation Grandmaster Cheater Reputation: 12 Joined: 14 Aug 2008 Posts: 617
Posted: Sat Apr 09, 2011 8:45 am
The current process will always be the System process unless the driver's execution of the code was caused by an IOCTL, so you're essentially using PsActiveProcessHead. And, as the definition of LIST_ENTRY dictates, Flink points to the next Flink, not the next EPROCESS.
I was unable to test the following code, but hopefully it will work. Keep in mind that ActiveProcessList is a circular doubly-linked list, so if there are fewer than ten processes, it will wrap back around.
Code:
    #include <ntddk.h>

    /* Hard-coded EPROCESS field offsets. These are the 32-bit Windows XP values;
       they change between Windows builds, so confirm them with "dt nt!_EPROCESS"
       in WinDbg before loading the driver. */
    #define EPROCESS_UNIQUEPROCESSID_OFFSET    0x84
    #define EPROCESS_ACTIVEPROCESSLINKS_OFFSET 0x88

    VOID Unload(__in PDRIVER_OBJECT pDriverObject)
    {
        UNREFERENCED_PARAMETER(pDriverObject);
        DbgPrint("Driver Unloaded!\n");
    }

    NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject, __in PUNICODE_STRING pRegistryPath)
    {
        /* Declarations first: the WDK C compiler rejects C99 mixed
           declarations and loop-scoped counters. */
        PEPROCESS   pProcess;
        ULONG       ulProcessId;
        PLIST_ENTRY pActiveProcessLinks;
        int         nCount;

        UNREFERENCED_PARAMETER(pRegistryPath);
        pDriverObject->DriverUnload = Unload;
        DbgPrint("Driver Loaded!\n");

        /* Per the post, this is the System process, i.e. the entry right after PsActiveProcessHead. */
        pProcess = PsGetCurrentProcess();

        for (nCount = 0; nCount < 10; ++nCount)
        {
            DbgPrint("EPROCESS Address = %p\n", pProcess);
            ulProcessId = *(ULONG *)((ULONG_PTR)pProcess + EPROCESS_UNIQUEPROCESSID_OFFSET);
            DbgPrint("Process Identifier = %u\n", ulProcessId);
            /* Flink points at the next entry's LIST_ENTRY, not the next EPROCESS,
               so back up by the field offset. The list is circular: after the last
               process, Flink is PsActiveProcessHead, which is not inside an EPROCESS. */
            pActiveProcessLinks = (PLIST_ENTRY)((ULONG_PTR)pProcess + EPROCESS_ACTIVEPROCESSLINKS_OFFSET);
            pProcess = (PEPROCESS)((ULONG_PTR)pActiveProcessLinks->Flink - EPROCESS_ACTIVEPROCESSLINKS_OFFSET);
        }

        return STATUS_SUCCESS;
    }
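As an added example (not the poster's code, and not a driver): the same Flink walk done in user-mode C on a constructed EPROCESS look-alike, so both points in the post can be checked on any machine. Flink lands on the next LIST_ENTRY, so you back up by the field offset (CONTAINING_RECORD) to reach the structure, and the circular list's head is not a process, so a walk should stop when Flink returns to the head instead of counting to ten and wrapping into it. LIST_ENTRY, InitializeListHead, InsertTailList and CONTAINING_RECORD are re-declared to match their Windows definitions; FAKE_EPROCESS, its 0x84/0x88 layout and the four sample PIDs are constructed for the example.

```c
/* Added example, not code from the post above: the LIST_ENTRY walk rebuilt as
 * plain C so it runs in user mode on any host. LIST_ENTRY, InitializeListHead,
 * InsertTailList and CONTAINING_RECORD are re-declared to match their Windows
 * definitions; FAKE_EPROCESS, its offsets and the sample PIDs are constructed
 * stand-ins for the real (opaque, build-specific) EPROCESS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

static void InitializeListHead(PLIST_ENTRY head)
{
    head->Flink = head->Blink = head;
}

static void InsertTailList(PLIST_ENTRY head, PLIST_ENTRY entry)
{
    PLIST_ENTRY last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Constructed stand-in laid out so the two fields land at the XP x86 offsets
 * used in the post (0x84 and 0x88); everything else is padding. */
typedef struct _FAKE_EPROCESS {
    unsigned char Pad[0x84];
    uint32_t      UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} FAKE_EPROCESS;

/* Sentinel head, like nt!PsActiveProcessHead: it is NOT inside any EPROCESS. */
static LIST_ENTRY     g_ActiveProcessHead;
static FAKE_EPROCESS  g_Processes[4];
static const uint32_t g_SamplePids[4] = { 4, 284, 376, 1000 }; /* constructed */

PLIST_ENTRY build_sample_list(void)
{
    size_t i;
    InitializeListHead(&g_ActiveProcessHead);
    for (i = 0; i < 4; ++i) {
        g_Processes[i].UniqueProcessId = g_SamplePids[i];
        InsertTailList(&g_ActiveProcessHead, &g_Processes[i].ActiveProcessLinks);
    }
    return &g_ActiveProcessHead;
}

/* Flink gives the next LIST_ENTRY; CONTAINING_RECORD backs up to the struct. */
uint32_t pid_of_entry(PLIST_ENTRY entry)
{
    return CONTAINING_RECORD(entry, FAKE_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
}

/* Correct walk: start at head->Flink and stop when Flink returns to the head,
 * so the sentinel is never treated as a process. Returns the number of PIDs. */
size_t walk_active_processes(PLIST_ENTRY head, uint32_t *pids, size_t max)
{
    size_t n = 0;
    PLIST_ENTRY cur;
    for (cur = head->Flink; cur != head && n < max; cur = cur->Flink)
        pids[n++] = pid_of_entry(cur);
    return n;
}

/* The post's fixed-count loop: how many of 'iterations' steps land on the
 * sentinel (and would read garbage as an EPROCESS) when the list wraps. */
size_t count_head_hits(PLIST_ENTRY start, size_t iterations, PLIST_ENTRY head)
{
    size_t hits = 0, i;
    PLIST_ENTRY cur = start;
    for (i = 0; i < iterations; ++i) {
        if (cur == head)
            ++hits;
        cur = cur->Flink;
    }
    return hits;
}

int main(void)
{
    PLIST_ENTRY head = build_sample_list(), cur;
    for (cur = head->Flink; cur != head; cur = cur->Flink)
        printf("EPROCESS %p  PID %u\n",
               (void *)CONTAINING_RECORD(cur, FAKE_EPROCESS, ActiveProcessLinks),
               pid_of_entry(cur));
    printf("fixed 10-step walk hits the list head %zu times\n",
           count_head_hits(head->Flink, 10, head));
    return 0;
}
```

With four constructed processes, the head-terminated walk returns exactly four PIDs, while a blind ten-step walk from the first process passes through the sentinel twice; in a real driver those two steps would read the PID from ntoskrnl data just before PsActiveProcessHead, not from an EPROCESS.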