[note]贴个能获取Csrss.exe PID的函数

 

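////////////////////////////////////////////////////////////
//
// Purpose: query a variable-length system information table
//          (ZwQuerySystemInformation) into a freshly allocated buffer.
// Input:   ATableType - SYSTEM_INFORMATION_CLASS value to query
//          (e.g. SystemHandleInformation).
// Output:  pointer to a PagedPool buffer holding the result, or NULL when
//          allocation or the query failed.  The caller owns the buffer and
//          releases it with ExFreePool / ExFreePoolWithTag(INFO_TABLE_POOL_TAG).
// IRQL:    PASSIVE_LEVEL (paged pool + Zw call).
//
//////////////////////////////////////////////////////////

// Pool tag so leaked or corrupted buffers from this routine are attributable
// in pool dumps / Driver Verifier output.
#define INFO_TABLE_POOL_TAG 'tfnI'

PVOID
GetInfoTable( IN ULONG ATableType )
{
    ULONG    mSize  = 0x4000;               // initial guess; doubled until it fits
    PVOID    mPtr   = NULL;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;  // defined even if the loop body is skipped

    KdPrint(("[GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢\n"));

    do
    {
        mPtr = ExAllocatePoolWithTag(PagedPool, mSize, INFO_TABLE_POOL_TAG);
        if (mPtr == NULL)
        {
            KdPrint(("[GetInfoTable] pool allocation of %lu bytes failed\n", mSize));
            return NULL;
        }

        // Zero only after the allocation succeeded; the original zeroed the
        // buffer before the NULL check and would fault on a failed allocation.
        RtlZeroMemory(mPtr, mSize);

        Status = ZwQuerySystemInformation(ATableType, mPtr, mSize, NULL);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            // Buffer too small: release it and retry with twice the size.
            // ReturnLength is deliberately not used because several information
            // classes report it inconsistently.
            ExFreePoolWithTag(mPtr, INFO_TABLE_POOL_TAG);
            mPtr   = NULL;
            mSize *= 2;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    if (NT_SUCCESS(Status))
    {
        KdPrint(("[GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢³É¹¦\n"));
        return mPtr;
    }

    // Any other failure: nothing useful in the buffer, give it back.
    KdPrint(("[GetInfoTable] »ñÈ¡¾ä±ú±íÐÅϢʧ°Ü\n"));
    ExFreePoolWithTag(mPtr, INFO_TABLE_POOL_TAG);
    return NULL;
}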
46
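/////////////////////////////////////////////////////
//
// Purpose: locate the PID of CSRSS.EXE by scanning the system handle table
//          for the process that owns the port object named "\Windows\ApiPort".
// Input:   none
// Output:  PID of CSRSS.EXE as a HANDLE, or (HANDLE)0 when the handle table
//          could not be read or no matching port handle was found.
// IRQL:    PASSIVE_LEVEL.  Opens and closes a process handle plus one
//          duplicated object handle per candidate entry; nothing is leaked.
//
/////////////////////////////////////////////////////

// Object type index that identifies LPC port objects in the handle table.
// The index is assigned by the running OS build and is NOT stable across
// Windows versions; 21 is the value the original author used for their target.
// Re-verify it (or look it up by type name) before running on another build.
#define CSR_PORT_OBJECT_TYPE_INDEX 21

// Size in bytes of the stack buffer that receives OBJECT_NAME_INFORMATION.
// A name longer than this makes ZwQueryObject fail and the entry is skipped.
#define CSR_OBJ_NAME_BUFFER_SIZE 0x100

HANDLE
GetCsrPid()
{
    HANDLE            Process = NULL;
    HANDLE            hObject = NULL;
    HANDLE            CsrId   = (HANDLE)0;
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID         cid;
    // ULONG_PTR storage keeps the UNICODE_STRING embedded in
    // OBJECT_NAME_INFORMATION naturally aligned; a plain UCHAR array is not
    // guaranteed to be.
    ULONG_PTR         NameStorage[CSR_OBJ_NAME_BUFFER_SIZE / sizeof(ULONG_PTR)];
    POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)NameStorage;
    UNICODE_STRING    ApiPortName;
    PSYSTEM_HANDLE_INFORMATION_EX Handles;
    ULONG             r;

    KdPrint(("[GetCsrPid] ö¾ÙCsrss.exe½ø³ÌPID\n"));

    RtlInitUnicodeString(&ApiPortName, L"\\Windows\\ApiPort");

    // Snapshot of every handle in the system; buffer is owned by this function.
    Handles = GetInfoTable(SystemHandleInformation);
    if (!Handles)
    {
        return CsrId;
    }

    // Stop at the first match: only the server-side connection port carries
    // this name, so continuing would only open more processes for nothing.
    for (r = 0; r < Handles->NumberOfHandles && CsrId == (HANDLE)0; r++)
    {
        if (Handles->Information[r].ObjectTypeNumber != CSR_PORT_OBJECT_TYPE_INDEX)
        {
            continue;
        }

        InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
        cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
        cid.UniqueThread  = NULL;

        // Zw* rather than Nt*: from a driver the Zw entry sets PreviousMode to
        // KernelMode so OBJ_KERNEL_HANDLE and kernel-mode pointers are honoured.
        if (!NT_SUCCESS(ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
        {
            continue;
        }

        if (NT_SUCCESS(ZwDuplicateObject(Process,
                                         (HANDLE)Handles->Information[r].Handle,
                                         NtCurrentProcess(),
                                         &hObject,
                                         0,
                                         0,
                                         DUPLICATE_SAME_ACCESS)))
        {
            if (NT_SUCCESS(ZwQueryObject(hObject,
                                         ObjectNameInformation,
                                         ObjName,
                                         sizeof(NameStorage),
                                         NULL)))
            {
                // Compare as a counted UNICODE_STRING: Name.Buffer is not
                // guaranteed to be NUL-terminated, so wcsncmp could overrun it.
                if (ObjName->Name.Buffer != NULL &&
                    RtlEqualUnicodeString(&ObjName->Name, &ApiPortName, TRUE))
                {
                    // Entry r owns the port.  (The original read
                    // Information->ProcessId, i.e. entry 0, which is wrong.)
                    CsrId = (HANDLE)Handles->Information[r].ProcessId;
                }
            }
            ZwClose(hObject);
        }
        ZwClose(Process);
    }

    if (CsrId != (HANDLE)0)
    {
        KdPrint(("[GetCsrPid] ö¾ÙCSRSS.EXE½ø³ÌPID³É¹¦\n"));
    }
    else
    {
        KdPrint(("[GetCsrPid] no handle to \\Windows\\ApiPort found; check CSR_PORT_OBJECT_TYPE_INDEX\n"));
    }

    ExFreePool(Handles);
    return CsrId;
}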

 
