D017-C,C++保护特定名字的进程【瑞客论坛 www.ruike1.com】.txt

C,C++只保护特定的名字的进程 2021在线班 郁金香灬老师 QQ 150330575 交流群:158280115 学习目标: C,C++只保护特定的名字的进程 驱动中进程间的切换 保护特定进程时 条件选择 名字 PID PsGetCurrentProcess() PsGetProcessImageFileName //11个有效的字符 PsGetCurrentProcessId() //获取当前进程PID const char* GetProcessName(ULONG dwPid) { HANDLE ProcessHandle; NTSTATUS status; OBJECT_ATTRIBUTES ObjectAttributes; CLIENT_ID myCid; PEPROCESS EProcess; InitializeObjectAttributes(&ObjectAttributes,0,0,0,0); myCid.UniqueProcess = (HANDLE)dwPid; myCid.UniqueThread = 0; //打开进程，获取句柄 status = ZwOpenProcess (&ProcessHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&myCid); if (!NT_SUCCESS(status)) { DbgPrint("打开进程出错\n"); return; } //得到EPROCESS，结构中取进程名 status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,0,KernelMode,&EProcess, 0); if (status == STATUS_SUCCESS) { // char *ProcessName = (char*)EProcess + 0x174; //ImageFileName[11] char *PsName = PsGetProcessImageFileName(EProcess); DbgPrint("ProcessName is %s\n",ProcessName); DbgPrint("PsName is %s\n",PsName); ZwClose(ProcessHandle); } else { DbgPrint("Get ProcessName error"); } return PsName; }