
ring0获取指定进程的PEB

#ifndef TYPEDEF_H
#define TYPEDEF_H

/*
 * typedef.h - minimal user-mode process structures (PEB, loader data, process
 * parameters) for use from kernel mode.
 *
 * This header has no #include lines of its own: PPEB, PEPROCESS, PVOID,
 * UNICODE_STRING, LIST_ENTRY, ULONG, VOID and NTAPI must already be declared
 * by the WDK headers included before it (see the driver source, which includes
 * Ntifs.h / ntddk.h first).
 *
 * The structures are partial: only the named members are meant to be used; the
 * ReservedN arrays exist to put those members at the right offset. Because the
 * PVOID arrays scale with the pointer size, the same declaration yields
 * different member offsets on x86 and x64 — NOTE(review): confirm the offsets
 * of Ldr, ProcessParameters, ImagePathName and CommandLine against the public
 * winternl.h of the SDK in use before relying on any other member.
 */

/* Signature of the exported (but undeclared) PsGetProcessPeb routine, which is
 * resolved at run time with MmGetSystemRoutineAddress. Returns the user-mode
 * address of the PEB of the given process. Uses PPEB before this header
 * declares it at the bottom, so PPEB must already be known to the compiler. */
typedef PPEB (__stdcall *P_PsGetProcessPeb)(PEPROCESS);

typedef unsigned char       BYTE;

/* Process parameters block; only ImagePathName and CommandLine are used. The
 * UNICODE_STRING Buffer pointers refer to user-mode memory of that process. */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

/* Loader data; exposes only the in-memory-order module list head. */
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/* Post-process-initialization callback pointer stored in the PEB (opaque here). */
typedef
VOID
(NTAPI *PPS_POST_PROCESS_INIT_ROUTINE) (
VOID
);

/* Process Environment Block. Lives in the process's user-mode address space:
 * kernel code must attach to the process and guard every read (ProbeForRead
 * plus SEH) before dereferencing a PPEB or anything it points to. */
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;

#endif


#include <Ntifs.h>
#include <ntddk.h>
#include <Ntstrsafe.h>
#include "typedef.h"

/* Declare the driver entry points with the WDK role types so that the
 * definitions below are checked against the expected callback signatures. */
DRIVER_INITIALIZE       DriverEntry;
DRIVER_UNLOAD           UnloadDevice;
DRIVER_DISPATCH         DispatchGen;

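/*
 * ProcessMon - process-creation notify callback.
 *
 * On creation of a process, prints its PID, image path and command line as
 * read from the new process's PEB. Deletions are ignored. Logging is
 * best-effort: any failure simply results in no output.
 *
 * In_hParentId  - PID of the creating process (unused).
 * In_hProcessId - PID of the process being created or deleted.
 * In_BIsCreate  - TRUE on creation, FALSE on deletion.
 *
 * The PEB, its RTL_USER_PROCESS_PARAMETERS and the two string buffers all live
 * in the target's user-mode address space, so they are read only after
 * attaching to that process, and every dereference is guarded by ProbeForRead
 * inside a SEH block: an unmapped, misaligned or hostile pointer must land in
 * the __except handler instead of bugchecking the system. Kernel pointers never
 * satisfy ProbeForRead, so a PEB pointing outside user space is rejected too.
 */
VOID ProcessMon(HANDLE In_hParentId, HANDLE In_hProcessId, BOOLEAN In_BIsCreate)
{
    ANSI_STRING                     astrProcessImage = {0};
    ANSI_STRING                     astrProcessParam = {0};
    PPEB                            pPEB             = NULL;
    PRTL_USER_PROCESS_PARAMETERS    pParam           = NULL;
    UNICODE_STRING                  unstrFunName     = {0};
    UNICODE_STRING                  unstrImage       = {0};
    UNICODE_STRING                  unstrCmdLine     = {0};
    PEPROCESS                       pEProcess        = NULL;
    P_PsGetProcessPeb               PsGetProcessPeb  = NULL;
    KAPC_STATE                      KAPC             = {0};
    BOOLEAN                         BIsAttached      = FALSE;

    UNREFERENCED_PARAMETER(In_hParentId);

    if (In_BIsCreate == FALSE) {
        goto fun_ret;
    }

    /* Takes a reference on the EPROCESS; released at fun_ret. */
    if (!NT_SUCCESS(PsLookupProcessByProcessId(In_hProcessId, &pEProcess))) {
        goto fun_ret;
    }

    /* PsGetProcessPeb is exported by the kernel but not declared in the public
     * headers, hence the run-time lookup. */
    RtlInitUnicodeString(&unstrFunName, L"PsGetProcessPeb");
    PsGetProcessPeb = (P_PsGetProcessPeb)MmGetSystemRoutineAddress(&unstrFunName);
    if (PsGetProcessPeb == NULL) {
        goto fun_ret;
    }
    pPEB = PsGetProcessPeb(pEProcess);
    if (pPEB == NULL) {
        goto fun_ret;
    }

    /* The PEB is user-mode memory of the target process, not of the current
     * one: attach so that its address space is the one being read. */
    KeStackAttachProcess(pEProcess, &KAPC);
    BIsAttached = TRUE;

    /* No goto out of the __try block: every exit path falls through to fun_ret. */
    __try {
        ProbeForRead(pPEB, sizeof(PEB), sizeof(PVOID));
        pParam = pPEB->ProcessParameters;
        if (pParam != NULL) {
            ProbeForRead(pParam, sizeof(RTL_USER_PROCESS_PARAMETERS), sizeof(PVOID));

            /* Copy the string descriptors out of user memory before probing
             * and using the buffers they describe, so Length/Buffer cannot be
             * changed underneath us between the probe and the conversion. */
            unstrImage   = pParam->ImagePathName;
            unstrCmdLine = pParam->CommandLine;
            ProbeForRead(unstrImage.Buffer, unstrImage.Length, sizeof(WCHAR));
            ProbeForRead(unstrCmdLine.Buffer, unstrCmdLine.Length, sizeof(WCHAR));

            /* The conversions read the user-mode buffers, so they stay inside
             * the __try. With AllocateDestinationString == TRUE the ANSI
             * copies are in pool and are freed at fun_ret. */
            if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&astrProcessImage, &unstrImage, TRUE))) {
                astrProcessImage.Buffer = NULL;
            }
            if (!NT_SUCCESS(RtlUnicodeStringToAnsiString(&astrProcessParam, &unstrCmdLine, TRUE))) {
                astrProcessParam.Buffer = NULL;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Unreadable or malformed PEB: nothing to log for this process. */
        astrProcessImage.Buffer = NULL;
        astrProcessParam.Buffer = NULL;
    }

    /* A HANDLE is pointer-sized, so passing it straight to %u is a format
     * mismatch on x64; narrow it explicitly. %Z prints an ANSI_STRING without
     * assuming its Buffer is NUL-terminated. */
    if (astrProcessImage.Buffer != NULL) {
        DbgPrint("PID::%u\t%Z\n", (ULONG)(ULONG_PTR)In_hProcessId, &astrProcessImage);
    }
    if (astrProcessParam.Buffer != NULL) {
        DbgPrint("PID::%u\t%Z\n", (ULONG)(ULONG_PTR)In_hProcessId, &astrProcessParam);
    }

fun_ret:
    if (BIsAttached != FALSE) {
        KeUnstackDetachProcess(&KAPC);
    }
    if (pEProcess != NULL) {
        ObDereferenceObject(pEProcess);
        pEProcess = NULL;
    }
    /* Both are no-ops on a zeroed ANSI_STRING. */
    RtlFreeAnsiString(&astrProcessImage);
    RtlFreeAnsiString(&astrProcessParam);
    return;
}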

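/*
 * DispatchGen - catch-all IRP handler for every major function code.
 *
 * Completes every request successfully with no data transferred; the device
 * exists only so the driver loads, it offers no I/O interface.
 *
 * In_pDevObj - target device object.
 * In_pIRP    - request to complete.
 *
 * Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER if either argument is
 * NULL (in which case the IRP, if any, is not completed).
 */
NTSTATUS DispatchGen(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    /* STATUS_SEVERITY_ERROR (3) is only the severity field of an NTSTATUS,
     * not a status code: NT_SUCCESS(3) is TRUE, so returning it reported
     * success. Use a real error status instead. */
    if (In_pDevObj == NULL || In_pIRP == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    In_pIRP->IoStatus.Information = 0;
    In_pIRP->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(In_pIRP, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}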

/*
 * UnloadDevice - driver unload routine.
 *
 * Removes the process-creation callback registered by DriverEntry, then
 * deletes the driver's device object. The unregistration's return value is
 * deliberately ignored: at unload there is nothing left to do about it.
 *
 * In_pDriObj - the driver object being unloaded; may be NULL, in which case
 *              only the callback is removed.
 */
VOID UnloadDevice(PDRIVER_OBJECT In_pDriObj)
{
    (VOID)PsSetCreateProcessNotifyRoutine(ProcessMon, TRUE);

    if (In_pDriObj == NULL) {
        return;
    }
    IoDeleteDevice(In_pDriObj->DeviceObject);
}

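/*
 * DriverEntry - driver initialization.
 *
 * Installs DispatchGen for every major function, sets the unload routine,
 * creates an anonymous device object and registers ProcessMon as a
 * process-creation notify routine.
 *
 * In_pDriObj       - driver object supplied by the I/O manager.
 * In_punstrRegPath - registry path of the driver's service key (unused beyond
 *                    the NULL check).
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER on a NULL argument, or the
 * failure status of IoCreateDevice / PsSetCreateProcessNotifyRoutine. On
 * failure no device object is left behind: DriverUnload is not invoked when
 * DriverEntry fails, so cleanup has to happen here.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT In_pDriObj, PUNICODE_STRING In_punstrRegPath)
{
    ULONG           uli      = 0;
    NTSTATUS        stRetVal = STATUS_SUCCESS;
    PDEVICE_OBJECT  pDevObj  = NULL;

    /* STATUS_SEVERITY_ERROR is a severity value (3), which NT_SUCCESS treats
     * as success; report a genuine error status. */
    if (In_pDriObj == NULL || In_punstrRegPath == NULL) {
        stRetVal = STATUS_INVALID_PARAMETER;
        goto fun_ret;
    }

    for (uli = 0; uli <= IRP_MJ_MAXIMUM_FUNCTION; uli++) {
        In_pDriObj->MajorFunction[uli] = DispatchGen;
    }
    In_pDriObj->DriverUnload = UnloadDevice;

    stRetVal = IoCreateDevice(In_pDriObj, 0, NULL, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    if (!NT_SUCCESS(stRetVal)) {
        goto fun_ret;
    }

    stRetVal = PsSetCreateProcessNotifyRoutine(ProcessMon, FALSE);
    if (!NT_SUCCESS(stRetVal)) {
        /* Registration failed and the driver will not load, so the device
         * created above would otherwise leak. */
        IoDeleteDevice(pDevObj);
        pDevObj = NULL;
    }

fun_ret:
    return stRetVal;
}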