|
|
|
@ -641,7 +641,7 @@ FORCEINLINE PVOID GetDriverExport(_In_ CONST CHAR* pszDriverName,
|
|
|
|
|
: NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST WHCAR* pwszDriverName) {
|
|
|
|
|
FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST WCHAR* pwszDriverName) {
|
|
|
|
|
HANDLE handle{};
|
|
|
|
|
OBJECT_ATTRIBUTES attr{};
|
|
|
|
|
UNICODE_STRING dirName{};
|
|
|
|
@ -775,7 +775,8 @@ FORCEINLINE VOID ForEachProcess(_In_ PsCallbackPtr lpCallback) {
|
|
|
|
|
DYN_NT_SYM(ExFreePool)(origPtr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE VOID ForEachThread(_In_ HANDLE hPid, _In_ TdCallbackPtr lpCallback) {
|
|
|
|
|
FORCEINLINE VOID ForEachThread(_In_ HANDLE hPid,
|
|
|
|
|
_In_ TdCallbackPtr lpCallback) {
|
|
|
|
|
ULONG nAllocSize{};
|
|
|
|
|
DYN_NT_SYM(ZwQuerySystemInformation)
|
|
|
|
|
(SystemProcessInformation, NULL, nAllocSize, &nAllocSize);
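Review bot: The sizing call to ZwQuerySystemInformation on the last two lines of the hunk discards its NTSTATUS, so any outcome other than the expected STATUS_INFO_LENGTH_MISMATCH (access denied, unsupported class, a driver that resolved the symbol to NULL) leaves nAllocSize at 0 and the code after the hunk presumably allocates and walks a zero-sized buffer; the ExFreePool of lpstOrigPtr in the later hunk suggests that allocation exists, but its size check is not visible here. I would capture the status and bail out before allocating: `NTSTATUS status = DYN_NT_SYM(ZwQuerySystemInformation)(SystemProcessInformation, NULL, nAllocSize, &nAllocSize);` followed by `if (status != STATUS_INFO_LENGTH_MISMATCH || nAllocSize == 0) return;`. Since the process list can grow between the sizing call and the real query, the second call's status should be checked the same way rather than trusting nAllocSize. ForEachThread's body continues outside the hunk.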
|
|
|
|
@ -790,20 +791,20 @@ FORCEINLINE VOID ForEachThread(_In_ HANDLE hPid, _In_ TdCallbackPtr lpCallback)
|
|
|
|
|
|
|
|
|
|
while (true) {
|
|
|
|
|
if (lpstProcInfo->ProcessId == hPid)
|
|
|
|
|
for (UINT idx = 0u; idx < lpstProcInfo->NumberOfThreads; ++idx)
|
|
|
|
|
for (INT idx = 0u; idx < lpstProcInfo->NumberOfThreads; ++idx)
|
|
|
|
|
lpCallback(lpstProcInfo->Threads[idx]);
|
|
|
|
|
|
|
|
|
|
if (!lpstProcInfo->NextEntryOffset)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
lpstProcInfo =
|
|
|
|
|
(PSYSTEM_PROCESS_INFORMATION)((ULONG64)lpstProcInfo+ lpstProcInfo->NextEntryOffset));
|
|
|
|
|
lpstProcInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG64)lpstProcInfo +
|
|
|
|
|
lpstProcInfo->NextEntryOffset);
|
|
|
|
|
}
|
|
|
|
|
DYN_NT_SYM(ExFreePool)(lpstOrigPtr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid,
|
|
|
|
|
_In_ CONST PWCHAR pwszModuleName) {
|
|
|
|
|
_In_ CONST WCHAR* pwszModuleName) {
|
|
|
|
|
PEPROCESS lpProc;
|
|
|
|
|
KAPC_STATE stApcState;
|
|
|
|
|
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) {
|
|
|
|
|