Enumerating process id in kernel mode with EPROCESS structure
Problem description
I want to enumerate all of the process ids running on my system by using the EPROCESS structure, but the problem is that I do not know how to access the UniqueProcessId field in the EPROCESS structure. Right now I've got the pointer to the EPROCESS structure with this function:
PEPROCESS Process;
PsLookupProcessByProcessId(_ProcessID, &Process);
and I calculated the offset of the UniqueProcessId field, which is 0x0b4. I tried the code *(Process + 0x0b4 (UniqueProcessId offset)) to get the value of the UniqueProcessId field, but it always returned wrong and invalid values/data. Could anyone help me with how to access the UniqueProcessId field? My system is Windows 7 / x86. Thanks in advance!
What I have tried:
-------------------------------------------------------------------------
How is PEPROCESS defined?
If you have the full structure, just access the member:
PVOID UniqueProcessId = Process->UniqueProcessId;
If you know the offset and the type, cast Process to a byte or char pointer, add the offset, cast the result to a pointer to the field type, and read the value:
LPBYTE pUpi = ((LPBYTE)Process) + 0xb4;   // LPBYTE comes from windef.h (user mode); a driver would use PUCHAR
// EDIT: Added missing *
// PVOID UniqueProcessId = *((PVOID)pUpi);
PVOID UniqueProcessId = *((PVOID *)pUpi);
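The following is an added example, not code from the original question or answer. It shows two things in C that builds and runs outside the kernel: first, the answer's byte-pointer cast for reading a field of an opaque structure at a known offset, next to why the asker's `*(Process + 0x0b4)` lands in the wrong place when `Process` has a complete type (the addition is scaled by `sizeof(EPROCESS)`, so it skips 0xb4 whole structures rather than 0xb4 bytes); second, enumerating PIDs without hard-coding any EPROCESS offset at all, by probing `PsLookupProcessByProcessId()` over 4-aligned PID values and reading the id back through the documented `PsGetProcessId()`. Assumptions: the three WDK routines are replaced by small mocks over a constructed process table so the file runs on a host, and 0xb4 is the Windows 7 x86 offset quoted in the post (other builds and x64 use different offsets).

```c
/* Added example (not from the original post). WDK calls are mocked so this
 * compiles on any C host; 0xb4 is the Win7 x86 offset quoted in the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void *HANDLE;
typedef int32_t NTSTATUS;                      /* 32-bit like the Windows LONG */
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define NT_SUCCESS(Status)       ((Status) >= 0)
#define UNIQUE_PROCESS_ID_OFFSET 0xb4u         /* assumption: Win7 x86, from the post */

/* Mock EPROCESS: an opaque byte image big enough to contain offset 0xb4. */
typedef struct _EPROCESS { unsigned char raw[0x100]; } EPROCESS, *PEPROCESS;

/* Constructed process table standing in for the kernel's live objects. */
#define MOCK_PROCS 4
static const uint32_t g_mock_pids[MOCK_PROCS] = { 4, 372, 1000, 2644 };
static EPROCESS g_table[MOCK_PROCS];
static int g_refs[MOCK_PROCS];

void build_mock_table(void) {
    for (int i = 0; i < MOCK_PROCS; i++) {
        memset(g_table[i].raw, 0xCC, sizeof g_table[i].raw);   /* junk around the field */
        memcpy(g_table[i].raw + UNIQUE_PROCESS_ID_OFFSET, &g_mock_pids[i], sizeof(uint32_t));
        g_refs[i] = 0;
    }
}

/* Mocks with the ntddk.h signatures. The real lookup returns a referenced
 * object, so the caller must ObDereferenceObject() it. */
NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process) {
    for (int i = 0; i < MOCK_PROCS; i++) {
        if ((uintptr_t)ProcessId == g_mock_pids[i]) {
            g_refs[i]++;
            *Process = &g_table[i];
            return STATUS_SUCCESS;
        }
    }
    return STATUS_INVALID_PARAMETER;           /* no process with that id */
}
void ObDereferenceObject(void *Object) { g_refs[(PEPROCESS)Object - g_table]--; }
HANDLE PsGetProcessId(PEPROCESS Process) {     /* the real one knows its build's offset */
    uint32_t pid;
    memcpy(&pid, Process->raw + UNIQUE_PROCESS_ID_OFFSET, sizeof pid);
    return (HANDLE)(uintptr_t)pid;
}

/* (1a) The answer's technique: step in BYTES, then reinterpret as the field
 * type (a 4-byte HANDLE on x86). memcpy performs the same read as
 * *(PVOID *)pUpi without depending on pointer alignment. */
uint32_t read_pid_by_offset(PEPROCESS Process, size_t offset) {
    const unsigned char *pUpi = (const unsigned char *)Process + offset;
    uint32_t pid;
    memcpy(&pid, pUpi, sizeof pid);
    return pid;
}

/* (1b) What "Process + 0xb4" does when Process points at a complete struct:
 * the offset is scaled by sizeof(EPROCESS). Returns the bytes actually moved. */
size_t scaled_offset_in_bytes(PEPROCESS Process, size_t offset) {
    return (size_t)((const unsigned char *)(Process + offset) -
                    (const unsigned char *)Process);
}

/* (2) Enumerate live PIDs with documented calls only. PIDs are handle-table
 * indices, hence multiples of 4; every successful lookup is released. */
size_t enumerate_pids(uint32_t *out, size_t max_out, uint32_t max_pid) {
    size_t n = 0;
    for (uint32_t pid = 0; pid <= max_pid && n < max_out; pid += 4) {
        PEPROCESS proc = NULL;
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(uintptr_t)pid, &proc)))
            continue;
        out[n++] = (uint32_t)(uintptr_t)PsGetProcessId(proc);
        ObDereferenceObject(proc);
    }
    return n;
}

/* Leak check for the mock: 0 means every reference taken was released. */
int outstanding_references(void) {
    int total = 0;
    for (int i = 0; i < MOCK_PROCS; i++) total += g_refs[i];
    return total;
}

int main(void) {
    uint32_t pids[MOCK_PROCS];
    build_mock_table();
    printf("pid at +0x%x: %u\n", UNIQUE_PROCESS_ID_OFFSET,
           read_pid_by_offset(&g_table[1], UNIQUE_PROCESS_ID_OFFSET));
    printf("Process + 0xb4 moves %zu bytes, not 0x%x\n",
           scaled_offset_in_bytes(&g_table[0], UNIQUE_PROCESS_ID_OFFSET), UNIQUE_PROCESS_ID_OFFSET);
    size_t n = enumerate_pids(pids, MOCK_PROCS, 4096);
    for (size_t i = 0; i < n; i++) printf("pid %u\n", pids[i]);
    printf("outstanding references: %d\n", outstanding_references());
    return 0;
}
```

In a real driver the same code uses `PUCHAR` instead of `LPBYTE`, and the probe loop in `enumerate_pids()` is the part worth keeping: it relies only on exported, documented routines, so it keeps working when the EPROCESS layout changes between builds, whereas a hard-coded 0xb4 is correct for the Windows 7 x86 kernel the asker has and for nothing else. Whatever method is used, every object handed back by `PsLookupProcessByProcessId()` must be passed to `ObDereferenceObject()`, or the process object leaks until reboot.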
That concludes this article on enumerating process ids in kernel mode with the EPROCESS structure. We hope the recommended answer is helpful, and thank you for supporting IT屋!