1、C,C+只保护特定的名字的进程 2021在线班郁金香灬老师 QQ 150330575交流群:158280115学习目标: C,C+只保护特定的名字的进程 驱动中进程间的切换 保护特定进程时 条件选择 名字 PID PsGetCurrentProcess() PsGetProcessImageFileName /11个有效的字符 PsGetCurrentProcessId() /获取当前进程PIDconst char* GetProcessName(ULONG dwPid) HANDLE ProcessHandle; NTSTATUS status; OBJECT_ATTRIBUTES Obje
2、ctAttributes; CLIENT_ID myCid; PEPROCESS EProcess; InitializeObjectAttributes(&ObjectAttributes,0,0,0,0); myCid.UniqueProcess = (HANDLE)dwPid; myCid.UniqueThread = 0; /打开进程,获取句柄 status = ZwOpenProcess (&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&myCid); if (!NT_SUCCESS(status) DbgPrint(打开进程
3、出错n); return; /得到EPROCESS,结构中取进程名 status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,0,KernelMode,&EProcess, 0); if (status = STATUS_SUCCESS) / char *ProcessName = (char*)EProcess + 0x174; /ImageFileName11 char *PsName = PsGetProcessImageFileName(EProcess); DbgPrint(ProcessName is %sn,ProcessName); DbgPrint(PsName is %sn,PsName); ZwClose(ProcessHandle); else DbgPrint(Get ProcessName error); return PsName;
