From 5123e4c19507acfdc83d21c398c92e54d1d059a7 Mon Sep 17 00:00:00 2001
From: hhh <783859431@qq.com>
Date: Thu, 15 Sep 2022 13:41:08 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=A1=B9=E7=9B=AE=E6=96=87?=
 =?UTF-8?q?=E4=BB=B6=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 DriverProcess.sln                           |  51 +++++++
 DriverProcess/DriverProcess.inf             |  87 +++++++++++
 DriverProcess/DriverProcess.vcxproj         | 155 ++++++++++++++++++++
 DriverProcess/DriverProcess.vcxproj.filters |  31 ++++
 DriverProcess/processDriver.c               |  56 +++++++
 5 files changed, 380 insertions(+)
 create mode 100644 DriverProcess.sln
 create mode 100644 DriverProcess/DriverProcess.inf
 create mode 100644 DriverProcess/DriverProcess.vcxproj
 create mode 100644 DriverProcess/DriverProcess.vcxproj.filters
 create mode 100644 DriverProcess/processDriver.c

diff --git a/DriverProcess.sln b/DriverProcess.sln
new file mode 100644
index 0000000..780cfe0
--- /dev/null
+++ b/DriverProcess.sln
@@ -0,0 +1,51 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32901.82
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DriverProcess", "DriverProcess\DriverProcess.vcxproj", "{80F51F20-33D7-4F2A-8615-9E556E8567B7}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM = Debug|ARM
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|ARM = Release|ARM
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM.ActiveCfg = Debug|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM.Build.0 = Debug|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM.Deploy.0 = Debug|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM64.Build.0 = Debug|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x64.ActiveCfg = Debug|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x64.Build.0 = Debug|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x64.Deploy.0 = Debug|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x86.ActiveCfg = Debug|Win32
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x86.Build.0 = Debug|Win32
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Debug|x86.Deploy.0 = Debug|Win32
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM.ActiveCfg = Release|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM.Build.0 = Release|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM.Deploy.0 = Release|ARM
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM64.ActiveCfg = Release|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM64.Build.0 = Release|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|ARM64.Deploy.0 = Release|ARM64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x64.ActiveCfg = Release|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x64.Build.0 = Release|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x64.Deploy.0 = Release|x64
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x86.ActiveCfg = Release|Win32
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x86.Build.0 = Release|Win32
+		{80F51F20-33D7-4F2A-8615-9E556E8567B7}.Release|x86.Deploy.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E70E2314-2624-44FB-879F-4707FF1D32FB}
+	EndGlobalSection
+EndGlobal
diff --git a/DriverProcess/DriverProcess.inf b/DriverProcess/DriverProcess.inf
new file mode 100644
index 0000000..3d9dbb2
--- /dev/null
+++ b/DriverProcess/DriverProcess.inf
@@ -0,0 +1,87 @@
+;
+; DriverProcess.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=Sample ; TODO: edit Class
+ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
+Provider=%ManufacturerName%
+CatalogFile=DriverProcess.cat
+DriverVer= ; TODO: set DriverVer in stampinf property pages
+PnpLockDown=1
+
+[DestinationDirs]
+DefaultDestDir = 12
+DriverProcess_Device_CoInstaller_CopyFiles = 11
+
+; ================= Class section =====================
+
+[ClassInstall32]
+Addreg=SampleClassReg
+
+[SampleClassReg]
+HKR,,,0,%ClassName%
+HKR,,Icon,,-5
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+DriverProcess.sys  = 1,,
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
+
+;*****************************************
+; Install Section
+;*****************************************
+
+[Manufacturer]
+%ManufacturerName%=Standard,NT$ARCH$
+
+[Standard.NT$ARCH$]
+%DriverProcess.DeviceDesc%=DriverProcess_Device, Root\DriverProcess ; TODO: edit hw-id
+
+[DriverProcess_Device.NT]
+CopyFiles=Drivers_Dir
+
+[Drivers_Dir]
+DriverProcess.sys
+
+;-------------- Service installation
+[DriverProcess_Device.NT.Services]
+AddService = DriverProcess,%SPSVCINST_ASSOCSERVICE%, DriverProcess_Service_Inst
+
+; -------------- DriverProcess driver install sections
+[DriverProcess_Service_Inst]
+DisplayName    = %DriverProcess.SVCDESC%
+ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
+StartType      = 3               ; SERVICE_DEMAND_START
+ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
+ServiceBinary  = %12%\DriverProcess.sys
+
+;
+;--- DriverProcess_Device Coinstaller installation ------
+;
+
+[DriverProcess_Device.NT.CoInstallers]
+AddReg=DriverProcess_Device_CoInstaller_AddReg
+CopyFiles=DriverProcess_Device_CoInstaller_CopyFiles
+
+[DriverProcess_Device_CoInstaller_AddReg]
+HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
+
+[DriverProcess_Device_CoInstaller_CopyFiles]
+WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
+
+[DriverProcess_Device.NT.Wdf]
+KmdfService =  DriverProcess, DriverProcess_wdfsect
+[DriverProcess_wdfsect]
+KmdfLibraryVersion = $KMDFVERSION$
+
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
+ClassName="Samples" ; TODO: edit ClassName
+DiskName = "DriverProcess Installation Disk"
+DriverProcess.DeviceDesc = "DriverProcess Device"
+DriverProcess.SVCDESC = "DriverProcess Service"
diff --git a/DriverProcess/DriverProcess.vcxproj b/DriverProcess/DriverProcess.vcxproj
new file mode 100644
index 0000000..c4646d0
--- /dev/null
+++ b/DriverProcess/DriverProcess.vcxproj
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{80F51F20-33D7-4F2A-8615-9E556E8567B7}</ProjectGuid>
+    <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
+    <RootNamespace>DriverProcess</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>KMDF</DriverType>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemGroup>
+    <Inf Include="DriverProcess.inf" />
+  </ItemGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="processDriver.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/DriverProcess/DriverProcess.vcxproj.filters b/DriverProcess/DriverProcess.vcxproj.filters
new file mode 100644
index 0000000..ca7431b
--- /dev/null
+++ b/DriverProcess/DriverProcess.vcxproj.filters
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Driver Files">
+      <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
+      <Extensions>inf;inv;inx;mof;mc;</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Inf Include="DriverProcess.inf">
+      <Filter>Driver Files</Filter>
+    </Inf>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="processDriver.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/DriverProcess/processDriver.c b/DriverProcess/processDriver.c
new file mode 100644
index 0000000..53c9e78
--- /dev/null
+++ b/DriverProcess/processDriver.c
@@ -0,0 +1,56 @@
+#include <ntddk.h>
+
+
+#define UniqueProcessId 0x440   // win 10  eprocess  structure offset
+#define ActiveProcessLinks 0x448 // win 10  eprocess structure  offset
+#define ImageFileName 0x5a8 // win 10  eprocess structure offset
+// these offsets can be different which  depend on  the version of your windows system .
+
+VOID DriverUnload(PDRIVER_OBJECT  DriverObject)
+{
+    UNREFERENCED_PARAMETER(DriverObject);
+    DbgPrintEx(0,0,"[%ws] Unload Successful \n", __FUNCTIONW__);
+}
+
+NTSTATUS Get_All_Process()
+{
+    UINT64 process_pid = 0;
+    PUCHAR process_name = NULL;
+    PLIST_ENTRY process_list = NULL;
+    PEPROCESS process_first = NULL;
+    PEPROCESS process_address = PsGetCurrentProcess();// get current Eprocess
+    
+    process_list = (PLIST_ENTRY)((UINT64)process_address + ActiveProcessLinks);//ActiveProcessLinks
+    //process_list is a doubly linked list¡£
+    //You can start traversing at any starting node
+    process_first = (PEPROCESS)((UINT64)(process_list->Blink) - ActiveProcessLinks);
+
+    if (!process_address)
+    {
+        DbgPrintEx(0,0,"[ERROR]: NOT ....\n");
+        return STATUS_SEVERITY_ERROR;
+    }
+    while (process_address)
+    {
+        process_pid = *(UINT64*)((UINT64)process_address + UniqueProcessId);
+        process_name = (PUCHAR)((UINT64)process_address + ImageFileName);
+        DbgPrintEx(0,0,"pid = %ld  name = %s \n", process_pid, process_name);
+        process_list = process_list->Flink;//jsut go forward 
+        process_address = (PEPROCESS)((UINT64)(process_list)-ActiveProcessLinks);
+        if (process_first == process_address)//back to the starting point
+        {
+            DbgPrintEx(0,0,"END!......\n");
+            break;
+        }
+    }
+    return STATUS_SUCCESS;
+}
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT  DriverObject, PUNICODE_STRING RegistryPath)
+{
+    UNREFERENCED_PARAMETER(RegistryPath);
+    DbgPrintEx(0,0,"[%ws] [OK] \n", __FUNCTIONW__);
+    Get_All_Process();
+    DriverObject->DriverUnload = DriverUnload;
+    return STATUS_SUCCESS;
+}
\ No newline at end of file