EnumProcessThread(枚举进程线程)
2017-07-13 10:30
573 查看
#pragma once
#ifndef MAX_PATH
#define MAX_PATH 260
#endif
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
KWAIT_REASON WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFO
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize;
ULONG HardFaultCount;
ULONG NumberOfThreadsHighWatermark;
ULONGLONG CycleTime;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
}SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR ImageName[MAXIMUM_FILENAME_LENGTH];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
#include <ntifs.h>
#include <ntddk.h>
#include <ntintsafe.h>
#include "Header.h"
//删除指针
#define SafeFreeDelete(pData) { if(pData){ExFreePool(pData);pData=NULL;} }
NTSTATUS ZwQueryInformationThread(HANDLE ThreadHandle,THREADINFOCLASS ThreadInformationClass,PVOID ThreadInformation,ULONG ThreadInformationLength,PULONG ReturnLength);
NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
PETHREAD GetThread(HANDLE ThreadId)
{
PETHREAD Thread = NULL;
PETHREAD Result = NULL;
if (PsLookupThreadByThreadId(ThreadId, &Thread) == STATUS_SUCCESS)
{
Result = Thread;
ObDereferenceObject(Thread);
}
return Result;
}
HANDLE OpenThread(ULONG ThreadId)
{
NTSTATUS status;
PETHREAD Thread = NULL;
HANDLE hThread = NULL;
UNICODE_STRING Unicode;
status = PsLookupThreadByThreadId(ThreadId, &Thread);
if (NT_SUCCESS(status))
{
if (PsThreadType)
{
status = ObOpenObjectByPointer(Thread,NULL,NULL,THREAD_ALL_ACCESS,(PVOID)*PsThreadType,KernelMode,&hThread);
if (NT_SUCCESS(status))
{
ObDereferenceObject(Thread);
return hThread;
}
}
}
return 0;
}
void GetModuleName(PVOID dwBase,PCHAR strName, PCHAR strPath)
{
NTSTATUS status;
ULONG size = 0, index = 0;
PRTL_PROCESS_MODULES ProcessModules = NULL;
PRTL_PROCESS_MODULE_INFORMATION pModuleInformation = NULL;
do
{
status = ZwQuerySystemInformation(SystemModuleInformation, NULL, NULL, &size);
if (STATUS_INFO_LENGTH_MISMATCH != status || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 4;
if ((ProcessModules = (PULONG_PTR)ExAllocatePool(NonPagedPool, size)) == NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(ProcessModules, size);
status = ZwQuerySystemInformation(SystemModuleInformation, ProcessModules, size, NULL);
if (!NT_SUCCESS(status))
{
ASSERT(FALSE);
break;
}
pModuleInformation = (PRTL_PROCESS_MODULE_INFORMATION)(ProcessModules->Modules);
for (index = 0; index < ProcessModules->NumberOfModules; index++)
{
PVOID ImageBaseAddress;
ULONG_PTR ImageSize;
ULONG_PTR ImageEnd;
ImageBaseAddress = pModuleInformation[index].ImageBase;
ImageSize = pModuleInformation[index].ImageSize;
ImageEnd = ImageSize + (ULONG_PTR)ImageBaseAddress;
if (ImageBaseAddress <= dwBase && dwBase <= ImageEnd)
{
strcpy(strName, pModuleInformation[index].ImageName + pModuleInformation[index].OffsetToFileName);
strcpy(strPath, pModuleInformation[index].ImageName);
break;
}
}
} while (FALSE);
SafeFreeDelete(ProcessModules);
return;
}
void EnumProcessThread(ULONG ProcessId)
{
NTSTATUS Status;
PSYSTEM_PROCESS_INFO ProcessInfo = NULL;
PVOID pBuffer = NULL;
ULONG size = 0;
//切换当前模式为内核模式
do
{
Status = ZwQuerySystemInformation(SystemProcessInformation, NULL, 0, &size);
if (Status != STATUS_INFO_LENGTH_MISMATCH || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 2;
pBuffer = ExAllocatePool(NonPagedPool, size); //分配内存缓冲区
if (pBuffer==NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(pBuffer, size);
Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, size, &size);
if (!NT_SUCCESS(Status))
{
ASSERT(FALSE);
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)pBuffer;
while (TRUE)
{
if (ProcessInfo->UniqueProcessId == ProcessId)
{
for (ULONG_PTR i = 0; i < ProcessInfo->NumberOfThreads; i++)
{
HANDLE hThread = NULL;
PVOID Win32StartAddress = 0;
PETHREAD Thread;
HANDLE ThreadId;
ULONG Priority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
char* pModuleName = ExAllocatePool(NonPagedPool, MAX_PATH);
char* pImagePath = ExAllocatePool(NonPagedPool, MAX_PATH);
ASSERT(pModuleName);
ASSERT(pImagePath);
RtlZeroMemory(pModuleName, MAX_PATH);
RtlZeroMemory(pImagePath, MAX_PATH);
ThreadId = ProcessInfo->Threads[i].ClientId.UniqueThread; // 进程ID 与 线程ID
Thread = GetThread(ThreadId); // 线程 PETHREAD
Priority= (ULONG)ProcessInfo->Threads[i].Priority; // 线程优先级
ContextSwitches = ProcessInfo->Threads[i].ContextSwitches; // 切换数
ThreadState = ProcessInfo->Threads[i].ThreadState; // 当前状态
WaitReason = ProcessInfo->Threads[i].WaitReason; //等待原因
//Suspended
hThread = OpenThread(ProcessInfo->Threads[i].ClientId.UniqueThread);
if (hThread)
{
Status = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, (PVOID)Win32StartAddress, sizeof(PVOID), NULL);
ZwClose(hThread);
if (!NT_SUCCESS(Status))
{
Win32StartAddress = ProcessInfo->Threads[i].StartAddress;
}
GetModuleName(Win32StartAddress, pModuleName, pImagePath);
}
KdPrint(("ThreadId=%d Thread=%p Priority=%d ContextSwitches=%d ThreadState=%d WaitReason=%d Win32StartAddress=%p ModuleName=%s ImagePath=%s\n", ThreadId, Thread, Priority, ContextSwitches, ThreadState, WaitReason,Win32StartAddress, pModuleName, pImagePath));
SafeFreeDelete(pModuleName);
SafeFreeDelete(pImagePath);
}
break;
}
if (ProcessInfo==NULL)
{
break;
}
if (ProcessInfo->NextEntryOffset == 0)
{
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)(((PUCHAR)ProcessInfo) + ProcessInfo->NextEntryOffset);
}
} while (FALSE);
SafeFreeDelete(pBuffer);
return;
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
DbgBreakPoint();
EnumProcessThread(PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
#ifndef MAX_PATH
#define MAX_PATH 260
#endif
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
KWAIT_REASON WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFO
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize;
ULONG HardFaultCount;
ULONG NumberOfThreadsHighWatermark;
ULONGLONG CycleTime;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
}SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR ImageName[MAXIMUM_FILENAME_LENGTH];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
#include <ntifs.h>
#include <ntddk.h>
#include <ntintsafe.h>
#include "Header.h"
//删除指针
#define SafeFreeDelete(pData) { if(pData){ExFreePool(pData);pData=NULL;} }
NTSTATUS ZwQueryInformationThread(HANDLE ThreadHandle,THREADINFOCLASS ThreadInformationClass,PVOID ThreadInformation,ULONG ThreadInformationLength,PULONG ReturnLength);
NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
PETHREAD GetThread(HANDLE ThreadId)
{
PETHREAD Thread = NULL;
PETHREAD Result = NULL;
if (PsLookupThreadByThreadId(ThreadId, &Thread) == STATUS_SUCCESS)
{
Result = Thread;
ObDereferenceObject(Thread);
}
return Result;
}
HANDLE OpenThread(ULONG ThreadId)
{
NTSTATUS status;
PETHREAD Thread = NULL;
HANDLE hThread = NULL;
UNICODE_STRING Unicode;
status = PsLookupThreadByThreadId(ThreadId, &Thread);
if (NT_SUCCESS(status))
{
if (PsThreadType)
{
status = ObOpenObjectByPointer(Thread,NULL,NULL,THREAD_ALL_ACCESS,(PVOID)*PsThreadType,KernelMode,&hThread);
if (NT_SUCCESS(status))
{
ObDereferenceObject(Thread);
return hThread;
}
}
}
return 0;
}
void GetModuleName(PVOID dwBase,PCHAR strName, PCHAR strPath)
{
NTSTATUS status;
ULONG size = 0, index = 0;
PRTL_PROCESS_MODULES ProcessModules = NULL;
PRTL_PROCESS_MODULE_INFORMATION pModuleInformation = NULL;
do
{
status = ZwQuerySystemInformation(SystemModuleInformation, NULL, NULL, &size);
if (STATUS_INFO_LENGTH_MISMATCH != status || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 4;
if ((ProcessModules = (PULONG_PTR)ExAllocatePool(NonPagedPool, size)) == NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(ProcessModules, size);
status = ZwQuerySystemInformation(SystemModuleInformation, ProcessModules, size, NULL);
if (!NT_SUCCESS(status))
{
ASSERT(FALSE);
break;
}
pModuleInformation = (PRTL_PROCESS_MODULE_INFORMATION)(ProcessModules->Modules);
for (index = 0; index < ProcessModules->NumberOfModules; index++)
{
PVOID ImageBaseAddress;
ULONG_PTR ImageSize;
ULONG_PTR ImageEnd;
ImageBaseAddress = pModuleInformation[index].ImageBase;
ImageSize = pModuleInformation[index].ImageSize;
ImageEnd = ImageSize + (ULONG_PTR)ImageBaseAddress;
if (ImageBaseAddress <= dwBase && dwBase <= ImageEnd)
{
strcpy(strName, pModuleInformation[index].ImageName + pModuleInformation[index].OffsetToFileName);
strcpy(strPath, pModuleInformation[index].ImageName);
break;
}
}
} while (FALSE);
SafeFreeDelete(ProcessModules);
return;
}
void EnumProcessThread(ULONG ProcessId)
{
NTSTATUS Status;
PSYSTEM_PROCESS_INFO ProcessInfo = NULL;
PVOID pBuffer = NULL;
ULONG size = 0;
//切换当前模式为内核模式
do
{
Status = ZwQuerySystemInformation(SystemProcessInformation, NULL, 0, &size);
if (Status != STATUS_INFO_LENGTH_MISMATCH || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 2;
pBuffer = ExAllocatePool(NonPagedPool, size); //分配内存缓冲区
if (pBuffer==NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(pBuffer, size);
Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, size, &size);
if (!NT_SUCCESS(Status))
{
ASSERT(FALSE);
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)pBuffer;
while (TRUE)
{
if (ProcessInfo->UniqueProcessId == ProcessId)
{
for (ULONG_PTR i = 0; i < ProcessInfo->NumberOfThreads; i++)
{
HANDLE hThread = NULL;
PVOID Win32StartAddress = 0;
PETHREAD Thread;
HANDLE ThreadId;
ULONG Priority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
char* pModuleName = ExAllocatePool(NonPagedPool, MAX_PATH);
char* pImagePath = ExAllocatePool(NonPagedPool, MAX_PATH);
ASSERT(pModuleName);
ASSERT(pImagePath);
RtlZeroMemory(pModuleName, MAX_PATH);
RtlZeroMemory(pImagePath, MAX_PATH);
ThreadId = ProcessInfo->Threads[i].ClientId.UniqueThread; // 进程ID 与 线程ID
Thread = GetThread(ThreadId); // 线程 PETHREAD
Priority= (ULONG)ProcessInfo->Threads[i].Priority; // 线程优先级
ContextSwitches = ProcessInfo->Threads[i].ContextSwitches; // 切换数
ThreadState = ProcessInfo->Threads[i].ThreadState; // 当前状态
WaitReason = ProcessInfo->Threads[i].WaitReason; //等待原因
//Suspended
hThread = OpenThread(ProcessInfo->Threads[i].ClientId.UniqueThread);
if (hThread)
{
Status = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, (PVOID)Win32StartAddress, sizeof(PVOID), NULL);
ZwClose(hThread);
if (!NT_SUCCESS(Status))
{
Win32StartAddress = ProcessInfo->Threads[i].StartAddress;
}
GetModuleName(Win32StartAddress, pModuleName, pImagePath);
}
KdPrint(("ThreadId=%d Thread=%p Priority=%d ContextSwitches=%d ThreadState=%d WaitReason=%d Win32StartAddress=%p ModuleName=%s ImagePath=%s\n", ThreadId, Thread, Priority, ContextSwitches, ThreadState, WaitReason,Win32StartAddress, pModuleName, pImagePath));
SafeFreeDelete(pModuleName);
SafeFreeDelete(pImagePath);
}
break;
}
if (ProcessInfo==NULL)
{
break;
}
if (ProcessInfo->NextEntryOffset == 0)
{
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)(((PUCHAR)ProcessInfo) + ProcessInfo->NextEntryOffset);
}
} while (FALSE);
SafeFreeDelete(pBuffer);
return;
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
DbgBreakPoint();
EnumProcessThread(PsGetCurrentProcessId());
return STATUS_SUCCESS;
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 【Java并发编程】Process进程 和 Thread线程
- 进程(process)和线程(thread)及其在项目中的应用 协程
- 一个进程(Process)最多可以生成多少个线程(Thread)
- Android task process thread 进程与线程
- [转载]进程,线程,线程池(Process, ProcessThread, Thread, ThreadPool)
- 进程(process)与线程(thread)
- 进程process与线程thread总结
- Android中的进程(Process)和线程(Thread)
- [CareerCup] 16.1 Thread and Process 线程和进程
- Android task process thread 进程与线程
- [Android] 进程(Process)和线程(Thread)
- Python笔记-进程Process、线程Thread、上锁
- 《C#并发编程经典实例》学习笔记-进程(process)和线程(thread)
- 【os学习】之 进程(Process)与线程(Thread)
- 【笔记】【从Android Guide温习Android 一】进程和线程(Process And thread)
- 计算机必知必会:进程process与线程thread
- 理解process(进程)、thread(线程)
- Android中进程(Process)和线程(Thread)
- EnumThreadWindows枚举线程的所有窗口
- Process and Thread 进程和线程