Esempio n. 1
0
        private static NT.ProcessContext FindProcessInfo(uint targetProcessId)
        {
            NT.ProcessContext processContext = new NT.ProcessContext()
            {
                ProcessId = 0
            };

            // GET POINTER TO THE SYSTEM EPROCESS
            ulong eprocessPointer = (ulong)FindKernelProcedure("PsInitialSystemProcess");

            // READ EPROCESS ADDRESS
            ulong ntosEntry = Driver.ReadSystemAddress <ulong>(eprocessPointer);

            var listHead = ntosEntry + g_OffsetProcessLinks;
            var lastLink = Driver.ReadSystemAddress <ulong>(listHead + sizeof(ulong));

            // ITERATE ALL PROCESSES
            for (var currentLink = listHead; currentLink != lastLink; currentLink = Driver.ReadSystemAddress <ulong>(currentLink))
            {
                var currentEntry = currentLink - g_OffsetProcessLinks;

                var processId = Driver.ReadSystemAddress <ulong>(currentEntry + g_OffsetProcessId);

                // PID is a match
                if (processId == targetProcessId)
                {
                    processContext.ProcessId     = targetProcessId;
                    processContext.DirectoryBase = Driver.ReadSystemAddress <ulong>(currentEntry + g_OffsetDirectoryTable);
                    processContext.KernelEntry   = currentEntry;
                    break;
                }
            }

            return(processContext);
        }
        private static NT.ProcessContext FindProcessInfo(uint targetProcessId)
        {
            NT.ProcessContext processContext = new NT.ProcessContext()
            {
                ProcessId = 0
            };

            ulong eprocessPointer = (ulong)FindKernelProcedure("PsInitialSystemProcess");


            ulong ntosEntry = Driver.ReadSystemAddress <ulong>(eprocessPointer);

            var listHead = ntosEntry + g_OffsetProcessLinks;
            var lastLink = Driver.ReadSystemAddress <ulong>(listHead + sizeof(ulong));


            for (var currentLink = listHead; currentLink != lastLink; currentLink = Driver.ReadSystemAddress <ulong>(currentLink))
            {
                var currentEntry = currentLink - g_OffsetProcessLinks;

                var processId = Driver.ReadSystemAddress <ulong>(currentEntry + g_OffsetProcessId);
                if (processId == targetProcessId)
                {
                    processContext.ProcessId     = targetProcessId;
                    processContext.DirectoryBase = Driver.ReadSystemAddress <ulong>(currentEntry + g_OffsetDirectoryTable);
                    processContext.KernelEntry   = currentEntry;
                    break;
                }
            }

            return(processContext);
        }