问题描述

我想通过使用EPROCESS结构枚举在我的系统上运行的所有进程ID，但问题是，我不知道如何访问EPROCESS结构中的UniqueProcessId字段。现在，我已经通过这个函数获得了EPROCESS结构的指针



PEPROCESS过程;

PsLookupProcessByProcessId（_ProcessID，& Process）;



并计算UniqueProcessId字段的偏移量，即0x0b4。我尝试使用此代码*（Process + 0x0b4（UniqueProcessId offset））来获取UniqueProcessId字段的值，但总是带来错误和无效的值/数据。任何人都可以帮助我知道如何访问UniqueProcessId字段？我的系统是Windows7 / x86。提前致谢！



我的尝试：



- -------------------------------------------------- ---------------------

I want to enumerate all of the process id running on my system by using EPROCESS structure but the problem here is, I do not know how to access to the UniqueProcessId field in EPROCESS structure. Now, I've got the pointer to EPROCESS structure by this function

PEPROCESS Process;
PsLookupProcessByProcessId(_ProcessID,&Process);

and calculated the offset of UniqueProcessId field which is 0x0b4. I attempted this code "*(Process+0x0b4(UniqueProcessId offset))" to get the value of UniqueProcessId field but always it brought wrong and invalid value/data. Could anyone help me know how to access to the UniqueProcessId field? My system is Windows7/x86. Thanks in advance!

What I have tried:

-------------------------------------------------------------------------

这篇关于使用EPROCESS结构在内核模式中枚举进程ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！