ess = PID;
clientid.UniqueThread = 0;
// 属性初始化
InitializeObjectAttributes(&obj, 0, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
NTSTATUS status = ZwOpenProcess(&hProcessHandle, PROCESS_ALL_ACCESS, &obj, &clientid);
if (status == STATUS_SUCCESS)
{
// DbgPrint("[*] 已打开 \n");
ZwClose(&hProcessHandle);
return hProcessHandle;
}
return 0;
}
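// Resolve a process handle to its EPROCESS object.
//
// Wraps ObReferenceObjectByHandle with AccessMode = KernelMode. NOTE(review):
// per the Object Manager contract, a KernelMode AccessMode means DesiredAccess
// is not access-checked against the handle's granted rights, so GENERIC_ALL is
// effectively unconditional here; the type check against *PsProcessType still
// applies, so a non-process handle fails.
//
// handle: a process handle valid in the current context. NULL (what PidToHandle
//         returns on failure) is rejected up front instead of being passed on.
// Returns the referenced PEPROCESS, or NULL on failure. On success the object's
// reference count has been incremented and the caller MUST release it with
// ObDereferenceObject() once done, otherwise the process object is leaked.
PEPROCESS HandleToEprocess(HANDLE handle)
{
    PEPROCESS pEprocess = NULL;
    NTSTATUS status;

    if (handle == NULL)
    {
        return NULL;
    }

    status = ObReferenceObjectByHandle(handle, GENERIC_ALL, *PsProcessType, KernelMode, (void **)&pEprocess, NULL);
    // NT_SUCCESS() rather than == STATUS_SUCCESS: any success-class code means
    // the reference was taken and must be returned to the caller for release.
    if (!NT_SUCCESS(status))
    {
        return NULL;
    }
    return pEprocess;
}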
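// Open a kernel handle on an EPROCESS object.
//
// Wraps ObOpenObjectByPointer with OBJ_KERNEL_HANDLE, so the handle is placed
// in the kernel handle table and is not reachable from user mode. AccessMode is
// KernelMode, so (NOTE(review)) the DesiredAccess of 0 is not access-checked by
// the Object Manager; the handle is only meant for kernel-side use.
//
// eprocess: referenced process object. NULL (what HandleToEprocess returns on
//           failure) is rejected up front; ObOpenObjectByPointer would otherwise
//           read the object header through a NULL pointer in kernel mode.
// Returns the new handle, or NULL on failure. The caller owns the handle and
// must release it with ZwClose(handle) (the handle value, not its address).
HANDLE EprocessToHandle(PEPROCESS eprocess)
{
    HANDLE hProcessHandle = NULL;
    NTSTATUS status;

    if (eprocess == NULL)
    {
        return NULL;
    }

    status = ObOpenObjectByPointer(
        eprocess,           // Object
        OBJ_KERNEL_HANDLE,  // HandleAttributes
        NULL,               // PassedAccessState
        0,                  // DesiredAccess
        *PsProcessType,     // ObjectType: rejects non-process objects
        KernelMode,         // AccessMode
        &hProcessHandle     // Handle (out)
    );
    if (!NT_SUCCESS(status))
    {
        return NULL;
    }
    return hProcessHandle;
}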
// Driver unload callback. Only logs the unload: the driver creates no device
// objects or symbolic links in DriverEntry, so there is nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver)
{
    (void)driver; // unused: no per-driver state to release
    DbgPrint("[-] 驱动卸载 \n");
}
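// Driver entry point. Demonstrates the round trip
//   PID -> HANDLE (PidToHandle) -> EPROCESS (HandleToEprocess) -> HANDLE (EprocessToHandle)
// for one hard-coded PID, and registers UnDriver as the unload routine.
//
// Versus the original flow, every resource taken along the way is released
// before returning (the original leaked the process-object reference taken by
// ObReferenceObjectByHandle and the kernel handle created by
// ObOpenObjectByPointer), and a failed conversion no longer feeds NULL into the
// next step.
//
// Driver:       driver object supplied by the I/O manager.
// RegistryPath: service registry key path; unused here.
// Returns STATUS_SUCCESS even when the demo conversions fail, since the driver
// itself keeps no state that depends on them.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    // Demo target: must be a PID of a live process on the test machine; it is
    // not stable across boots, so adjust it before loading.
    enum { TARGET_PID = 6932 };
    HANDLE hPid = NULL;
    PEPROCESS eprocess = NULL;
    HANDLE handle = NULL;

    (void)RegistryPath;

    // Register the unload routine first so the driver can still be unloaded if
    // anything below fails.
    Driver->DriverUnload = UnDriver;

    DbgPrint("Hello LyShark \n");

    hPid = PidToHandle(TARGET_PID);
    if (hPid != NULL)
    {
        // HANDLE -> EPROCESS: on success this holds a reference on the object.
        eprocess = HandleToEprocess(hPid);
        // PidToHandle's ZwClose(&hProcessHandle) passes the address of its local
        // handle variable rather than the handle, so the handle it returns is
        // still open and owned by us; close it here or a kernel handle leaks
        // on every load.
        ZwClose(hPid);
    }
    DbgPrint("[*] HANDLE --> EProcess = %p \n", eprocess);

    if (eprocess != NULL)
    {
        // EPROCESS -> HANDLE: a kernel handle that we own.
        handle = EprocessToHandle(eprocess);
        // Drop the reference taken by HandleToEprocess; the new handle, if any,
        // keeps the object alive on its own.
        ObDereferenceObject(eprocess);
    }
    DbgPrint("[*] EProcess --> HANDLE = %p \n", handle);

    if (handle != NULL)
    {
        ZwClose(handle);
    }

    return STATUS_SUCCESS;
}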
编译并运行如上代码片段，即可将进程 HANDLE 与 EPROCESS 结构互转。注意：代码中硬编码的 PID 6932 必须替换为测试机上当前存在的进程 PID，否则 ZwOpenProcess 会失败；另外 ObReferenceObjectByHandle 返回的 EPROCESS 引用和 ObOpenObjectByPointer 返回的内核句柄均由调用方负责释放（分别用 ObDereferenceObject 和 ZwClose），否则每次加载驱动都会泄漏。输出效果图如下所示：
|