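/// <summary>
/// Locates the EPROCESS for <paramref name="targetProcessId"/> by walking the kernel's
/// ActiveProcessLinks list, one field at a time, through the driver read primitive.
/// </summary>
/// <param name="targetProcessId">PID to look up.</param>
/// <returns>
/// A context whose ProcessId, DirectoryBase (the value at g_OffsetDirectoryTable) and
/// KernelEntry (the EPROCESS address) are filled in on a match. ProcessId stays 0 when
/// no entry matched or the walk was abandoned because a read looked corrupt.
/// </returns>
private static NT.ProcessContext FindProcessInfo(uint targetProcessId)
{
    // Hard cap on list entries visited. Every link comes from an arbitrary kernel read; if a
    // read returns garbage or the list has been tampered with, an unbounded walk never ends.
    const int MaxEntries = 1 << 20;

    var processContext = new NT.ProcessContext() { ProcessId = 0 };

    // PsInitialSystemProcess is a pointer-sized global holding the System EPROCESS address.
    ulong eprocessPointer = (ulong)FindKernelProcedure("PsInitialSystemProcess");
    if (eprocessPointer == 0)
    {
        return processContext;
    }

    ulong systemEntry = Driver.ReadSystemAddress<ulong>(eprocessPointer);
    if (systemEntry == 0)
    {
        return processContext;
    }

    // The walk starts at the System process's own LIST_ENTRY. Its Blink (second pointer-sized
    // field) is read up-front and used as the terminator, so the entry Blink points at is never
    // examined. NOTE(review): this relies on System being the first entry after the list head,
    // so that Blink is the sentinel rather than a real process — confirm before changing the
    // termination condition.
    var listHead = systemEntry + g_OffsetProcessLinks;
    var lastLink = Driver.ReadSystemAddress<ulong>(listHead + sizeof(ulong));

    var currentLink = listHead;
    for (var visited = 0; currentLink != lastLink; visited++)
    {
        // Abandon the walk on a null link, a link that does not look like an x64 kernel
        // address (top bit clear), or too many entries — all signs of a bad read.
        if (visited >= MaxEntries || currentLink == 0 || (currentLink >> 63) == 0)
        {
            break;
        }

        // LIST_ENTRY is embedded in EPROCESS at g_OffsetProcessLinks; back up to the object.
        var currentEntry = currentLink - g_OffsetProcessLinks;
        var processId = Driver.ReadSystemAddress<ulong>(currentEntry + g_OffsetProcessId);

        if (processId == targetProcessId)
        {
            processContext.ProcessId = targetProcessId;
            processContext.DirectoryBase = Driver.ReadSystemAddress<ulong>(currentEntry + g_OffsetDirectoryTable);
            processContext.KernelEntry = currentEntry;
            break;
        }

        // Flink is the first field of LIST_ENTRY.
        currentLink = Driver.ReadSystemAddress<ulong>(currentLink);
    }

    return processContext;
}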
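/// <summary>
/// Finds the kernel EPROCESS for <paramref name="targetProcessId"/> by following the
/// ActiveProcessLinks chain via the driver's arbitrary kernel read.
/// </summary>
/// <param name="targetProcessId">PID to look up.</param>
/// <returns>
/// A context with ProcessId, DirectoryBase (value at g_OffsetDirectoryTable) and KernelEntry
/// (the EPROCESS address) populated on a match; ProcessId remains 0 if nothing matched or the
/// walk was cut short because a link value looked corrupt.
/// </returns>
private static NT.ProcessContext FindProcessInfo(uint targetProcessId)
{
    // Upper bound on entries visited: each Flink is an untrusted kernel read, so without a cap a
    // garbage or tampered link could keep the loop spinning forever.
    const int MaxEntries = 1 << 20;

    var processContext = new NT.ProcessContext() { ProcessId = 0 };

    // PsInitialSystemProcess holds the address of the System process EPROCESS.
    ulong eprocessPointer = (ulong)FindKernelProcedure("PsInitialSystemProcess");
    if (eprocessPointer == 0)
    {
        return processContext;
    }

    ulong systemEntry = Driver.ReadSystemAddress<ulong>(eprocessPointer);
    if (systemEntry == 0)
    {
        return processContext;
    }

    // Start at the System process's LIST_ENTRY and stop when we reach its Blink, which is read
    // once before the loop. The entry at Blink itself is never inspected. NOTE(review): this
    // assumes System is the first entry after the list head so that Blink is the sentinel, not
    // a real process — verify before touching the termination condition.
    var listHead = systemEntry + g_OffsetProcessLinks;
    var lastLink = Driver.ReadSystemAddress<ulong>(listHead + sizeof(ulong));

    var currentLink = listHead;
    for (var visited = 0; currentLink != lastLink; visited++)
    {
        // Stop on a null link, a non-kernel-looking x64 address (top bit clear), or once the
        // entry budget is exhausted; each indicates the read returned something bogus.
        if (visited >= MaxEntries || currentLink == 0 || (currentLink >> 63) == 0)
        {
            break;
        }

        // The LIST_ENTRY lives inside EPROCESS at g_OffsetProcessLinks; rewind to the object.
        var currentEntry = currentLink - g_OffsetProcessLinks;
        var processId = Driver.ReadSystemAddress<ulong>(currentEntry + g_OffsetProcessId);

        if (processId == targetProcessId)
        {
            processContext.ProcessId = targetProcessId;
            processContext.DirectoryBase = Driver.ReadSystemAddress<ulong>(currentEntry + g_OffsetDirectoryTable);
            processContext.KernelEntry = currentEntry;
            break;
        }

        // Flink is the first pointer of LIST_ENTRY.
        currentLink = Driver.ReadSystemAddress<ulong>(currentLink);
    }

    return processContext;
}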