/************************************************************************
* 文件名称:KeProcessM_Drv.h
* 作 者:李骥
*************************************************************************/
#include "NtFunctions.h"
#ifdef __cplusplus
extern "C"
{
#endif
/*
 * Prototypes for kernel exports that the public DDK headers of this era
 * did not declare. The signatures below are what this driver assumes;
 * they must match the target kernel build, since a wrong prototype here
 * is not caught at compile or link time.
 */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object /* receives a referenced object pointer; the caller owns that reference and releases it with ObDereferenceObject */
);
/* Returns the base (lowest) file-system device object backing FileObject. */
NTKERNELAPI
PDEVICE_OBJECT
NTAPI
IoGetBaseFileSystemDeviceObject (
IN PFILE_OBJECT FileObject
);
/*
 * Object-type globals used as the ObjectType argument above.
 * NOTE(review): the two declarations disagree on indirection (POBJECT_TYPE
 * vs. POBJECT_TYPE *); only one form can match the kernel's real export,
 * so confirm both against the WDK headers before passing either to
 * ObReferenceObjectByName.
 */
extern POBJECT_TYPE IoDeviceObjectType;
extern POBJECT_TYPE *IoDriverObjectType;
#ifdef __cplusplus
}
#endif
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
// Per-device state kept in the device object's extension area.
typedef struct _DEVICE_EXTENSION {
PDEVICE_OBJECT pDevice; // presumably the owning device object — verify against CreateDevice
UNICODE_STRING ustrDeviceName; // device name
UNICODE_STRING ustrSymLinkName; // symbolic link name
PUCHAR buffer; // data buffer
// Simulated file length; must be smaller than MAX_FILE_LENGTH (defined elsewhere).
// NOTE(review): that bound is a contract, not enforced by this declaration —
// every path that sets file_length must check it against both MAX_FILE_LENGTH
// and the size actually allocated for buffer.
ULONG file_length;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// Function declarations
// Creates the driver's device object(s) and symbolic link; called from DriverEntry.
NTSTATUS CreateDevice (IN PDRIVER_OBJECT pDriverObject);
// Driver unload routine: tears down what CreateDevice set up.
VOID Unload (IN PDRIVER_OBJECT pDriverObject);
// Generic IRP dispatch routine (name is spelled as in the .c file).
NTSTATUS DispatchRoutin(IN PDEVICE_OBJECT pDevObj,IN PIRP pIrp);
// IRP_MJ_DEVICE_CONTROL dispatch entry.
NTSTATUS DeviceIOControl(IN PDEVICE_OBJECT pDevObj,IN PIRP pIrp);
// Processes one IOCTL with the buffers and lengths already unpacked from the IRP.
// NOTE(review): InputBuffer/OutputBuffer and their lengths originate from the
// user-mode caller; how much of them may be trusted depends on the IOCTL's
// transfer method (buffered vs. direct vs. neither). The implementation must
// validate lengths before every read or write — confirm in the .c file.
NTSTATUS IoDeviceControlProcess( IN PFILE_OBJECT FileObject,IN BOOLEAN Wait, IN PVOID InputBuffer,IN ULONG InputBufferLength, OUT PVOID OutputBuffer,IN ULONG OutputBufferLength,IN ULONG IoControlCode,OUT PIO_STATUS_BLOCK IoStatus,IN PDEVICE_OBJECT DeviceObject );
// Device-control handler variant taking the raw IRP.
NTSTATUS IoDeviceControlInterrupt( IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp );
/*
 * Private object-manager structure reproduced from a specific kernel
 * version. Nothing here is part of a stable interface; the layout is
 * known to differ between Windows releases, so treat it as valid only
 * for the kernel it was copied from.
 */
typedef struct _OBJECT_CREATE_INFORMATION
{
ULONG Attributes;
HANDLE RootDirectory;
PVOID ParseContext;
KPROCESSOR_MODE ProbeMode;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG SecurityDescriptorCharge;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, * POBJECT_CREATE_INFORMATION;
/*
 * Private object-manager header that precedes every object body.
 * Reproduced from a specific kernel version; the layout changes between
 * Windows releases, and OBJECT_TO_OBJECT_HEADER / OBJECT_HEADER_TO_NAME_INFO
 * below compute addresses from these offsets. A layout mismatch does not
 * fail loudly — it silently reads the wrong memory.
 */
typedef struct _OBJECT_HEADER
{
LONG PointerCount;
union
{
LONG HandleCount;
PSINGLE_LIST_ENTRY SEntry;
};
POBJECT_TYPE Type;
UCHAR NameInfoOffset; // bytes from the header back to OBJECT_HEADER_NAME_INFO; 0 = none (see OBJECT_HEADER_TO_NAME_INFO)
UCHAR HandleInfoOffset;
UCHAR QuotaInfoOffset;
UCHAR Flags;
union
{
POBJECT_CREATE_INFORMATION ObjectCreateInfo;
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor;
QUAD Body; // first bytes of the object body; OBJECT_TO_OBJECT_HEADER uses CONTAINING_RECORD on this field
} OBJECT_HEADER, * POBJECT_HEADER;
#define NUMBER_HASH_BUCKETS 37
/*
 * Private object-manager directory structure (a hash table of named
 * objects). Reproduced from a specific kernel version; not a stable
 * interface, so the layout is only valid for the kernel it was copied from.
 */
typedef struct _OBJECT_DIRECTORY
{
struct _OBJECT_DIRECTORY_ENTRY* HashBuckets[NUMBER_HASH_BUCKETS];
struct _OBJECT_DIRECTORY_ENTRY** LookupBucket;
BOOLEAN LookupFound;
USHORT SymbolicLinkUsageCount;
struct _DEVICE_MAP* DeviceMap;
} OBJECT_DIRECTORY, * POBJECT_DIRECTORY;
/*
 * Optional name block stored in front of OBJECT_HEADER (located via
 * NameInfoOffset). Private kernel layout, valid only for the kernel it
 * was copied from. Note the size differs between checked (DBG) and free
 * builds because of the conditional trailing fields.
 */
typedef struct _OBJECT_HEADER_NAME_INFO
{
POBJECT_DIRECTORY Directory;
UNICODE_STRING Name;
ULONG Reserved;
#if DBG
ULONG Reserved2 ;
LONG DbgDereferenceCount ;
#endif
} OBJECT_HEADER_NAME_INFO, * POBJECT_HEADER_NAME_INFO;
// Maps an object body pointer to its OBJECT_HEADER by backing up over the
// fields that precede Body. Correct only if OBJECT_HEADER above matches the
// running kernel's layout.
#define OBJECT_TO_OBJECT_HEADER( o ) \
CONTAINING_RECORD( (o), OBJECT_HEADER, Body )
// Returns the name block that precedes the header by NameInfoOffset bytes,
// or NULL when NameInfoOffset is 0. Evaluates `oh` three times, so pass a
// side-effect-free expression.
#define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))
//int ShowProcess(void)
//{
// NTSTATUS status;
// DWORD retlen,truelen;
// char *buf=NULL,*p=NULL;
// ANSI_STRING ansiStr;
// int cnt=0;
// PSYSTEM_PROCESSES pSysProcess;
// PSYSTEM_THREADS pSysThread;
// status=ZwQuerySystemInformation(SystemProcessInformation,NULL,0,&retlen);
// truelen=retlen;
// status=ZwAllocateVirtualMemory(NtCurrentProcess(),(PVOID*)&buf,0,&retlen,MEM_COMMIT,PAGE_READWRITE);
// printf("Size of SYSTEM_THREAD:%d\n",sizeof(SYSTEM_THREADS));
// p=buf;
// status=ZwQuerySystemInformation(SystemProcessInformation,buf,truelen,&retlen);
// do
// {
// cnt++;
// pSysProcess=(PSYSTEM_PROCESSES)buf;
// RtlUnicodeStringToAnsiString(&ansiStr,&pSysProcess->ProcessName,TRUE);
// printf("Name:%s\n",ansiStr.Buffer);
// RtlFreeAnsiString(&ansiStr);
// printf("ThreadCnt:%d\t",pSysProcess->ThreadCount);
// printf("Priority:%d\t",pSysProcess->BasePriority);
// printf("PID:%4d\t",pSysProcess->ProcessId);
// printf("PPID:%d\n",pSysProcess->InheritedFromProcessId);
// printf("HandleCnt:%d\n",pSysProcess->HandleCount);
// //在每一项SYSTEM_PROCESS结构的最后是一个接一个的SYSTEM_THREAD结构
// //输出每个线程的信息
// if (pSysProcess->ThreadCount&&pSysProcess->ProcessId)
// {
// DWORD i=0;
// pSysThread=pSysProcess->Threads;
// for (;i<pSysProcess->ThreadCount;i++)
// {
// printf("Thread[%d] StartAddr:0x%08x\t",i+1,pSysThread->StartAddress);
// printf("TID:%d\t",pSysThread->ClientId.UniqueThread);
// printf("SwitchCnt:%d\n",pSysThread->ContextSwitchCount);
// pSysThread++;
// }
// }
// //若NextEntryDelta为0,则表明已结束
// if (pSysProcess->NextEntryDelta==0)
// {
// break;
// }
// buf=buf+pSysProcess->NextEntryDelta;
// printf("===============================================================\n");
// }while (1);
// printf("Total:%d\n",cnt);
// status=ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&p,&truelen,MEM_RELEASE);
// return 0;
//}