
Windows驱动 - 链表 LIST_ENTRY

作者:互联网

0x00 函数

InitializeListHead //初始化链表头

InsertTailList  //加入到链表尾

RemoveTailList  //从链表尾移除

IsListEmpty //判断链表是否为空

PsSetCreateProcessNotifyRoutine    //设置进程创建/关闭时的回调

ExAllocatePool  //申请内存

RtlZeroMemory   //内存置零

RtlCopyMemory   //拷贝内存

ExFreePool  //释放申请的内存

PsLookupProcessByProcessId //根据ProcessId查询EPROCESS

PsGetProcessImageFileName  //获取进程名

ObDereferenceObject //释放EPROCESS

CONTAINING_RECORD //根据成员指针、结构体类型和成员名,反推出所属结构体的起始地址

 

0x01 结构体

LIST_ENTRY  //链表结构体

 

 

0x01 代码

 

#include <ntifs.h>

#include <ntddk.h>

#include <wdm.h>

 

// PsGetProcessImageFileName is exported by the kernel but not declared in the public WDK
// headers, hence the local prototype. It returns a pointer to the short image file name kept
// in the EPROCESS; the headers give no length or NUL-termination guarantee for it, so any
// copy out of the returned buffer must be bounded by the destination size.
NTKERNELAPI UCHAR* PsGetProcessImageFileName(__in PEPROCESS Process);

 

 

// One node per process-creation event recorded by PcreateProcessNotifyRoutine.
// Nodes are allocated from NonPagedPool in the callback and freed in DriverUnload;
// they are linked into ListEntryHead through ListEntry, and the owning node is
// recovered with CONTAINING_RECORD(entry, MY_LIST, ListEntry).
typedef struct _MY_LIST
{
    HANDLE ProcessId;        // PID handed to the create-process callback
    LIST_ENTRY ListEntry;    // links this node into the global list
    UCHAR ProcessName[50];   // image file name; zero-filled on allocation, copies must stay bounded
} MY_LIST, * PMY_LIST;

 

 

// Head of the global process list: initialized in DriverEntry, appended to by the
// create-process callback, drained and freed in DriverUnload.
// NOTE(review): nothing in this file takes a lock around the list, yet the callback can
// run concurrently for different processes — guard inserts/removes with a spin lock
// (e.g. ExInterlockedInsertTailList) before relying on the list contents.
LIST_ENTRY ListEntryHead;

 

 

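// Process-creation notify routine registered by DriverEntry.
// On Create == TRUE it records the new process (PID + image file name) in a MY_LIST
// node appended to ListEntryHead; process-exit notifications are ignored.
// ParentId is unused. Allocation failure is silently skipped — the callback has no
// way to fail, so losing one record is the only sane outcome.
// NOTE(review): the insert below is not serialized against other instances of this
// routine or against DriverUnload; protect ListEntryHead with a spin lock.
void PcreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    PEPROCESS Process = NULL;
    PMY_LIST myList = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(ParentId);

    if (!Create) // only process creation is recorded
    {
        return;
    }

    // Tagged allocation so leaks are attributable in PoolMon-style tools.
    // 'tsLM' is a constructed sample tag — pick the project's own.
    myList = ExAllocatePoolWithTag(NonPagedPool, sizeof(MY_LIST), 'tsLM');
    if (myList == NULL)
    {
        return;
    }

    // Zeroing guarantees ProcessName is NUL-terminated whatever gets copied below.
    RtlZeroMemory(myList, sizeof(MY_LIST));
    myList->ProcessId = ProcessId;

    // Lookup can fail (e.g. process already gone); the original ignored the status.
    status = PsLookupProcessByProcessId(ProcessId, &Process);
    if (NT_SUCCESS(status) && Process != NULL)
    {
        UCHAR* imageName = PsGetProcessImageFileName(Process);
        if (imageName != NULL)
        {
            // Bounded copy: at most sizeof(ProcessName)-1 bytes, leaving the
            // trailing NUL from RtlZeroMemory intact. The original copied
            // strlen(imageName) bytes with no bound on the 50-byte destination.
            SIZE_T i;
            for (i = 0; i < sizeof(myList->ProcessName) - 1 && imageName[i] != '\0'; i++)
            {
                myList->ProcessName[i] = imageName[i];
            }
        }

        ObDereferenceObject(Process); // drop the reference taken by PsLookupProcessByProcessId
    }

    DbgPrint("ProcessId -> %p , ProcessName -> %s", myList->ProcessId, myList->ProcessName);

    InsertTailList(&ListEntryHead, &myList->ListEntry);
}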

 

 

 

 

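// Driver unload: unregister the create-process callback FIRST so no new node can be
// inserted, then drain ListEntryHead from the tail and free every node.
// The original did this in the opposite order — drain, then unregister — which left
// a window in which the callback could still allocate and insert a node that was
// never freed (and could touch a list being torn down).
// NOTE(review): whether PsSetCreateProcessNotifyRoutine(..., TRUE) waits for callbacks
// already executing is not established by this file — confirm before relying on it.
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    PLIST_ENTRY entry = NULL;
    PMY_LIST node = NULL;

    UNREFERENCED_PARAMETER(DriverObject);

    // Remove == TRUE: deregister the routine installed by DriverEntry.
    PsSetCreateProcessNotifyRoutine(PcreateProcessNotifyRoutine, TRUE);

    while (!IsListEmpty(&ListEntryHead))
    {
        // RemoveTailList returns the detached entry; IsListEmpty was false, so it is
        // never the head itself and the NULL checks of the original are unnecessary.
        entry = RemoveTailList(&ListEntryHead);
        node = CONTAINING_RECORD(entry, MY_LIST, ListEntry);

        DbgPrint("DriverUnload -> RemoveTailList -> %p %s ", node->ProcessId, node->ProcessName);

        ExFreePool(node);
        node = NULL;
    }

    DbgPrint("DriverUnload");
}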

 

 

 

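// Driver entry point: installs DriverUnload, initializes the process list head and
// registers the create-process callback.
// Returns the registration status, so a failed registration fails the load (and
// DriverUnload is then never invoked against a routine that was never installed).
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    // The head must be valid before the first callback can fire.
    InitializeListHead(&ListEntryHead);

    // Remove == FALSE registers the routine. This can fail — e.g. STATUS_ACCESS_DENIED
    // when the image is not linked with /INTEGRITYCHECK — and the original discarded
    // the status and reported success regardless.
    status = PsSetCreateProcessNotifyRoutine(PcreateProcessNotifyRoutine, FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("DriverEntry -> PsSetCreateProcessNotifyRoutine failed: 0x%08X", status);
        return status;
    }

    return status;
}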

 

0x02 扩展

Lookaside -> 适用于:1 申请的内存空间较小, 2 申请的内存空间长度不定

工具: KernelPoolMonitor -> 查看ExAllocatePoolWithTag根据标记分配的内存

PsGetCurrentProcess //得到当前进程EPROCESS

RtlCompareMemory       //内存比较

RtlEqualMemory  //内存比较

RemoveEntryList //从链表中移除指定节点

来源: https://blog.csdn.net/qq726232111/article/details/111534154