update

2018-08-14 20:00:00 +08:00 · 2018-08-14 20:00:00 +08:00 · ccef29e4f1
parent afee3eabfc
commit ccef29e4f1
7 changed files with 116 additions and 176 deletions
--- a/ProcessManager/ProcessManager.suo
+++ b/ProcessManager/ProcessManager.suo
--- a/ProcessManager/ProcessManagerDrv/Common.c
+++ b/ProcessManager/ProcessManagerDrv/Common.c
@ -12,7 +12,7 @@ WIN_VERSION GetWindowsVersion()
 	pfnRtlGetVersion RtlGetVersion = NULL;
 	WIN_VERSION WinVersion;
 	WCHAR wzRtlGetVersion[] = L"RtlGetVersion";
-	RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion);   
+	RtlGetVersion = (pfnRtlGetVersion)GetFunctionAddressByName(wzRtlGetVersion);   
 	if (RtlGetVersion)
 	{
 		RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo); 
@ -67,11 +67,6 @@ PVOID
 }


-
-
-
-
-
 ULONG_PTR KeGetObjectType(PVOID Object)
 {
 	ULONG_PTR ObjectType = 0;
@ -100,8 +95,6 @@ ULONG_PTR KeGetObjectType(PVOID Object)
 		//高版本使用函数

 		ObGetObjectType = (pfnObGetObjectType)GetFunctionAddressByName(L"ObGetObjectType");
-
-
 		if (ObGetObjectType)
 		{
 			ObjectType = ObGetObjectType(Object);
--- a/ProcessManager/ProcessManagerDrv/EnumProcess.c
+++ b/ProcessManager/ProcessManagerDrv/EnumProcess.c
@ -1,26 +1,21 @@
 #include "EnumProcess.h"
 #include "Common.h"

-
 extern WIN_VERSION WinVersion;
 extern ULONG_PTR ProcessIdOfEprocess;
 extern ULONG_PTR ProcessImageNameOfEprocess;

-
-
 extern ULONG_PTR ulProcessParametersOfPeb;
 extern ULONG_PTR ulImagePathNameOfProcessParameters;

 extern ULONG_PTR Active_List;

-
 extern ULONG_PTR PebOfEProcess;

 extern ULONG_PTR PspCidTable;
 extern ULONG_PTR FatherOfEprocess;

-
-extern PEPROCESS g_EProcess;
+extern PEPROCESS g_SystemProcess;

 ULONG_PTR SectionObjectOfEProcess = 0;
 NTSTATUS EnumProcessByOpenProcess(PVOID OutputBuffer,ULONG_PTR uOutSize)
@ -29,7 +24,7 @@ NTSTATUS EnumProcessByOpenProcess(PVOID OutputBuffer,ULONG_PTR uOutSize)
 	HANDLE ProcessHandle = NULL;
 	CLIENT_ID Cid = {0};
 	OBJECT_ATTRIBUTES oa = {0};
-	PEPROCESS EProcess = NULL;
+	PEPROCESS Process = NULL;
 	ULONG_PTR i = 0;
 	PROCESS_BASIC_INFORMATION pbi;
 	PVOID Buffer = NULL;
@ -39,10 +34,9 @@ NTSTATUS EnumProcessByOpenProcess(PVOID OutputBuffer,ULONG_PTR uOutSize)
 	ULONG_PTR  ulProcessParamters = 0;
 	ULONG_PTR ulProcessNameLen = 0;
 	ULONG_PTR ulCnt = (uOutSize-sizeof(PROCESS_INFORMATION_OWN))/sizeof(PROCESS_INFORMATION_ENTRY);
-	DbgPrint("2");
-	for(i=0;i<0x1000;i+=4)
+
+	for(i = 0; i < 0x1000; i += 4)
 	{
-		DbgPrint("3");
 		Cid.UniqueProcess = (HANDLE)i;
 		Cid.UniqueThread = 0;
 		status = ZwOpenProcess(&ProcessHandle,GENERIC_ALL,&oa,&Cid);
@ -52,24 +46,24 @@ NTSTATUS EnumProcessByOpenProcess(PVOID OutputBuffer,ULONG_PTR uOutSize)
 				GENERIC_ALL,
 				NULL,
 				KernelMode,
-				&EProcess,
+				&Process,
 				NULL);
-			if(!IsProcessDie(EProcess))
+			if(!IsProcessDie(Process))
 			{
 				ULONG_PTR ulCurrentCnt = ((PPROCESS_INFORMATION_OWN)OutputBuffer)->NumberOfEntry;
-				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Eprocess = (ULONG_PTR)EProcess;
-				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Pid =  *(ULONG*)((ULONG_PTR)EProcess + ProcessIdOfEprocess);
-				ulProcessNameLen = strlen((const char*)PsGetProcessImageFileName(EProcess));
+				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Eprocess = (ULONG_PTR)Process;
+				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Pid =  *(ULONG*)((ULONG_PTR)Process + ProcessIdOfEprocess);
+				ulProcessNameLen = strlen((const char*)PsGetProcessImageFileName(Process));
 				//通过EProcess获得进程名称
-				memcpy(((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessName,(const char*)PsGetProcessImageFileName(EProcess),ulProcessNameLen);  
+				memcpy(((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessName,(const char*)PsGetProcessImageFileName(Process),ulProcessNameLen);  
 			
-				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ParentId =  *(ULONG*)((ULONG_PTR)EProcess + FatherOfEprocess);
-				DbgPrint("ZwOpenProcess ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)EProcess+ProcessIdOfEprocess)),(char*)((ULONG_PTR)EProcess+ProcessImageNameOfEprocess));
+				((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ParentId =  *(ULONG*)((ULONG_PTR)Process + FatherOfEprocess);
+				DbgPrint("ZwOpenProcess ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)Process+ProcessIdOfEprocess)),(char*)((ULONG_PTR)Process+ProcessImageNameOfEprocess));
 			
-				GetProcessPathBySectionObject(EProcess,((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessPath);
+				GetProcessPathBySectionObject(Process,((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessPath);
 				((PPROCESS_INFORMATION_OWN)OutputBuffer)->NumberOfEntry++;
 			}
-			ObDereferenceObject(EProcess);   //½âÒýÓÃ
+			ObDereferenceObject(Process);   //½âÒýÓÃ
 			ZwClose(ProcessHandle);
 		}
 		memset(&oa,0,sizeof(OBJECT_ATTRIBUTES));
@ -77,10 +71,8 @@ NTSTATUS EnumProcessByOpenProcess(PVOID OutputBuffer,ULONG_PTR uOutSize)
 	return STATUS_SUCCESS;
 }

-
 NTSTATUS EnumProcessByActiveList(PPROCESS_INFORMATION_OWN OutputBuffer,ULONG_PTR OutSize)
 {
-
 	NTSTATUS Status = STATUS_UNSUCCESSFUL;

 	PLIST_ENTRY ListHead = NULL;
@ -88,36 +80,36 @@ NTSTATUS EnumProcessByActiveList(PPROCESS_INFORMATION_OWN OutputBuffer,ULONG_PTR
 	PETHREAD EThread = NULL;
 	CHAR PreMode;
 	ULONG_PTR ulCnt = (OutSize - sizeof(PROCESS_INFORMATION_OWN)) / sizeof(PROCESS_INFORMATION_ENTRY);
-	PEPROCESS EProcess = g_EProcess;
+	PEPROCESS Process = g_SystemProcess;
 	KAPC_STATE ApcState;
 	PPEB  Peb = NULL;
 	ULONG_PTR  ulProcessParamters = 0;

-	if(EProcess!=NULL)
+	if(Process!=NULL)
 	{
-		ListHead = ListTemp = (PLIST_ENTRY)((ULONG_PTR)EProcess + Active_List);  //system.exe
+		ListHead = ListTemp = (PLIST_ENTRY)((ULONG_PTR)Process + Active_List);  //system.exe
 		ListHead = ListHead->Blink;

 		while (ListTemp!=ListHead)
 		{
 			ULONG_PTR  ulCurrentCnt = OutputBuffer->NumberOfEntry;
-			EProcess = (PEPROCESS)((ULONG_PTR)ListTemp-Active_List);
-			((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Eprocess = (ULONG_PTR)EProcess;
-			DbgPrint("ActiveList ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)EProcess+ProcessIdOfEprocess)),(char*)((ULONG_PTR)EProcess+ProcessImageNameOfEprocess));
-			OutputBuffer->Entry[ulCurrentCnt].Pid = *((ULONG*)((ULONG_PTR)EProcess+ProcessIdOfEprocess));
-			strcpy(OutputBuffer->Entry[ulCurrentCnt].ProcessName,(char*)((ULONG_PTR)EProcess + ProcessImageNameOfEprocess));
+			Process = (PEPROCESS)((ULONG_PTR)ListTemp-Active_List);
+			((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].Eprocess = (ULONG_PTR)Process;
+			DbgPrint("ActiveList ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)Process + ProcessIdOfEprocess)),(char*)((ULONG_PTR)Process + ProcessImageNameOfEprocess));
+			OutputBuffer->Entry[ulCurrentCnt].Pid = *((ULONG*)((ULONG_PTR)Process + ProcessIdOfEprocess));
+			strcpy(OutputBuffer->Entry[ulCurrentCnt].ProcessName,(char*)((ULONG_PTR)Process + ProcessImageNameOfEprocess));

-			((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ParentId =  *(ULONG*)((ULONG_PTR)EProcess + FatherOfEprocess);
-			GetProcessPathBySectionObject(EProcess,((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessPath);
+			((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ParentId =  *(ULONG*)((ULONG_PTR)Process + FatherOfEprocess);
+			GetProcessPathBySectionObject(Process,((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurrentCnt].ProcessPath);
 			/*
-			Peb = PsGetProcessPeb(EProcess);     //»ñµÃPEB
+			Peb = PsGetProcessPeb(Process);     //»ñµÃPEB
 			if (Peb==NULL) 
 			{
 				return FALSE;
 			}
-			KeStackAttachProcess(EProcess, &ApcState);
+			KeStackAttachProcess(Process, &ApcState);

-			ulProcessParamters = *(ULONG_PTR*)((ULONG_PTR)Peb+ulProcessParametersOfPeb);//0x20
+			ulProcessParamters = *(ULONG_PTR*)((ULONG_PTR)Peb + ulProcessParametersOfPeb);//0x20

 			memcpy(((PPROCESS_INFORMATION_OWN)OutputBuffer)->Entry[ulCurCnt].ProcessPath,((PUNICODE_STRING)(ulProcessParamters+ulImagePathNameOfProcessParameters))->Buffer,
 				((PUNICODE_STRING)(ulProcessParamters+ulImagePathNameOfProcessParameters))->Length);//0x60
@ -130,9 +122,6 @@ NTSTATUS EnumProcessByActiveList(PPROCESS_INFORMATION_OWN OutputBuffer,ULONG_PTR
 	return STATUS_SUCCESS;
 }

-
-
-
 NTSTATUS EnumProcessByPspCidTable(PPROCESS_INFORMATION_OWN OutputBuffer,ULONG_PTR OutSize)
 {
 	NTSTATUS Status;
@ -151,8 +140,6 @@ NTSTATUS EnumProcessByPspCidTable(PPROCESS_INFORMATION_OWN OutputBuffer,ULONG_PT
 	return Status;
 }

-
-
 ULONG_PTR GetPspCidTableAddress()  
 {  
 	PVOID PsLookupProcessByProcessIdAddress = NULL;  
@ -172,6 +159,7 @@ ULONG_PTR GetPspCidTableAddress()

 	switch(WinVersion)
 	{
+#ifdef _WIN64
 	case WINDOWS_7:
 		{
 			
@ -210,7 +198,7 @@ ULONG_PTR GetPspCidTableAddress()
 			}  
 			break;
 		}
-
+#else
 	case WINDOWS_XP:
 		{
 			/*
@ -241,26 +229,25 @@ ULONG_PTR GetPspCidTableAddress()
 			}  
 			break;
 		}
+#endif
+    default: 
+        return 0;
 	}
-	

 	return ulPspCidTableValue;  
 }  

-
-
 VOID ScanHandleTableToEnumProcess(PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_PTR ulCnt)
 {
 	PHANDLE_TABLE   HandleTable = NULL;    // 指向句柄表的指针   
 	ULONG_PTR uTableCode = 0;  
 	ULONG uFlag = 0;

-
 	HandleTable = (PHANDLE_TABLE)(*(ULONG_PTR*)PspCidTable);  

 	if (HandleTable && MmIsAddressValid((PVOID)HandleTable))
 	{
-		uTableCode = (ULONG_PTR)(HandleTable->TableCode) & 0xFFFFFFFFFFFFFFFC;  ;
+		uTableCode = (ULONG_PTR)(HandleTable->TableCode) & 0xFFFFFFFFFFFFFFFC;
 		if (uTableCode && MmIsAddressValid((PVOID)uTableCode))
 		{
 			uFlag = (ULONG)(HandleTable->TableCode) & 0x03;    //00  01  10  
@ -284,8 +271,6 @@ VOID ScanHandleTableToEnumProcess(PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_P
 					EnumTable3(uTableCode,OutputBuffer, ulCnt);
 					break; 
 				}
-
-
 			default:
 				KdPrint(("TableCode error\n"));
 			} 			
@ -293,32 +278,34 @@ VOID ScanHandleTableToEnumProcess(PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_P
 	}
 }

-
-
-
 //uTableCode  已经清了最后两位
 NTSTATUS EnumTable1(ULONG_PTR uTableCode,PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_PTR ulCnt)
 {
-
-
 	PVOID  Object = NULL;
 	PHANDLE_TABLE_ENTRY HandleTableEntry = NULL;  
 	ULONG uIndex = 0;
 	ULONG_PTR ulOffset = 0;
 	switch(WinVersion)
 	{
+#ifdef _WIN32
 	case WINDOWS_XP:
 		{
 			ulOffset = 0x8;
 			break;
 		}
+#else
 	case WINDOWS_7:
 		{
 			ulOffset = 0x10;
 			break;
 		}
+#endif
+    default:
+        return STATUS_NOT_SUPPORTED;
 	}
-	HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG_PTR)(*(ULONG_PTR*)uTableCode) + ulOffset); //xp offset 0x08  
+
+	HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG_PTR)(*(ULONG_PTR*)uTableCode) + ulOffset); 
+    //xp offset 0x08  
 	//Win7 offset 0x10
 	for (uIndex = 0;uIndex<511; uIndex++ )  
 	{  
@ -330,26 +317,18 @@ NTSTATUS EnumTable1(ULONG_PTR uTableCode,PPROCESS_INFORMATION_OWN OutputBuffer,
 				{  
 					if (MmIsAddressValid(HandleTableEntry->Object))
 					{
-
 						Object = (PVOID)(((ULONG_PTR)HandleTableEntry->Object)  & 0xFFFFFFFFFFFFFFF8);  
 						InsertProcess((PEPROCESS)Object,OutputBuffer, ulCnt);
-
 					}
-
 				}
 			}
-
 		}
-
 		HandleTableEntry++;  
-
 	}  

 	return STATUS_SUCCESS;
 }

-
-
 NTSTATUS EnumTable2(ULONG_PTR uTableCode,PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_PTR ulCnt)
 {
 	do   
@ -357,13 +336,11 @@ NTSTATUS EnumTable2(ULONG_PTR uTableCode,PPROCESS_INFORMATION_OWN OutputBuffer,
 		DbgPrint("Two");
 		EnumTable1(uTableCode,OutputBuffer,ulCnt);  
 		uTableCode += sizeof(ULONG_PTR);  
-	} while (*(PULONG_PTR)uTableCode != 0&&MmIsAddressValid((PVOID)*(PULONG_PTR)uTableCode));  
+	} while (*(PULONG_PTR)uTableCode != 0 && MmIsAddressValid((PVOID)*(PULONG_PTR)uTableCode));  

 	return STATUS_SUCCESS;
 }

-
-
 NTSTATUS EnumTable3(ULONG_PTR uTableCode, PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_PTR ulCnt)
 {
 	do   
@ -375,9 +352,6 @@ NTSTATUS EnumTable3(ULONG_PTR uTableCode, PPROCESS_INFORMATION_OWN OutputBuffer,
 	return STATUS_SUCCESS;  
 }

-
-
-
 VOID InsertProcess(PEPROCESS EProcess, PPROCESS_INFORMATION_OWN OutputBuffer, ULONG_PTR ulCnt)
 {
 	KAPC_STATE ApcState;
@ -421,8 +395,6 @@ VOID InsertProcess(PEPROCESS EProcess, PPROCESS_INFORMATION_OWN OutputBuffer, UL
 	} 
 }

-
-
 BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath)
 {
 	PSECTION_OBJECT32   SectionObject32   = NULL;
@ -435,6 +407,7 @@ BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath)
 	BOOLEAN             bGetPath = FALSE;
 	switch(WinVersion)
 	{
+#ifdef _WIN32
 	case WINDOWS_XP:
 		{
 			SectionObjectOfEProcess = 0x138;
@ -467,6 +440,7 @@ BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath)
 			}
 			break;
 		}
+#else
 	case WINDOWS_7:
 		{
 			SectionObjectOfEProcess = 0x268;
@ -496,15 +470,14 @@ BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath)
 									return TRUE;
 							}
 						}
-
-
 					}
-
 				}
-
 			}
 			break;
 		}
+#endif
+    default:
+        return FALSE;
 	}
 	return TRUE;
 }
@ -528,12 +501,12 @@ BOOLEAN GetPathByFileObject(PFILE_OBJECT FileObject, WCHAR* wzPath)
 				{
 					NTSTATUS  Status = STATUS_UNSUCCESSFUL;
 					ULONG ulRet= 0;
-					PVOID     Buffer = ExAllocatePool(PagedPool,0x1000);
+					POBJECT_NAME_INFORMATION Buffer = (POBJECT_NAME_INFORMATION)ExAllocatePool(PagedPool,0x1000);
 					if (Buffer)
 					{
 						// ObQueryNameString :C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 						memset(Buffer, 0, 0x1000);
-						Status = ObQueryNameString((PVOID)FileObject, (POBJECT_NAME_INFORMATION)Buffer, 0x1000, &ulRet);
+						Status = ObQueryNameString((PVOID)FileObject, Buffer, 0x1000, &ulRet);
 						if (NT_SUCCESS(Status))
 						{
 							POBJECT_NAME_INFORMATION Temp = (POBJECT_NAME_INFORMATION)Buffer;
--- a/ProcessManager/ProcessManagerDrv/HideProcess.c
+++ b/ProcessManager/ProcessManagerDrv/HideProcess.c
@ -7,79 +7,71 @@ extern ULONG_PTR ProcessImageNameOfEprocess;

 extern ULONG_PTR PspCidTable;

-
-
 KIRQL Irql;
 VOID RemoveNodeFromActiveProcessLinks(ULONG_PTR ProcessId)
 {
 	NTSTATUS status;
-
-	LIST_ENTRY  *pListEntry;
-	PEPROCESS	Eprocess;
-	ULONG_PTR ActiveOffsetPre = 0x8c;
-	ULONG_PTR ActiveOffsetNext = 0x88;
+	PEPROCESS	Process;
+	ULONG_PTR ActiveOffsetPre = 0;
+	ULONG_PTR ActiveOffsetNext = 0;
 	PLIST_ENTRY Temp = NULL;
+
 	switch(WinVersion)
 	{
-	case WINDOWS_XP:   //32Bits
-		{
-			ActiveOffsetPre =  0x8c;
-			ActiveOffsetNext = 0x88;
-			break;
-		}
-	case WINDOWS_7:   //64Bits 
-		{
-			ActiveOffsetPre =  0x190;
-			ActiveOffsetNext = 0x188;
-			break;
-		}
+#ifdef _WIN32
+    case WINDOWS_XP:   //32Bits
+        {
+            ActiveOffsetPre =  0x8c;
+            ActiveOffsetNext = 0x88;
+            break;
+        }
+#else
+    case WINDOWS_7:   //64Bits 
+        {
+            ActiveOffsetPre =  0x190;
+            ActiveOffsetNext = 0x188;
+            break;
+        }
+#endif
+    default:
+        return;
 	}
-	status = PsLookupProcessByProcessId((HANDLE)ProcessId,&Eprocess);
+
+	status = PsLookupProcessByProcessId((HANDLE)ProcessId,&Process);
 	if (!NT_SUCCESS(status))
 	{
 		DbgPrint("PsLookupProcessByProcessId Error!\n");
 		return ;
 	}
 		
-		DbgPrint("PsLookupProcessByProcessId Success!\n");
-	//pListEntry = (LIST_ENTRY *)((ULONG)Eprocess + Active_List);
-
-
-	//EProcessPre = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)EProcessCurrent+ActiveOffsetPre)))-ActiveOffsetNext);
-	Temp = (PLIST_ENTRY)((ULONG_PTR)Eprocess+ActiveOffsetNext);
-	DbgPrint("ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)Eprocess+ProcessIdOfEprocess)),(char*)((ULONG_PTR)Eprocess+ProcessImageNameOfEprocess));
+	Temp = (PLIST_ENTRY)((ULONG_PTR)Process + ActiveOffsetNext);
+	DbgPrint("ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)Process + ProcessIdOfEprocess)),(char*)((ULONG_PTR)Process + ProcessImageNameOfEprocess));
 	if (MmIsAddressValid(Temp))
 	{
-		//    Temp->Blink->Flink = Temp->Flink;
-		//    Temp->Flink->Blink = Temp->Blink;   //数据结构
 		RemoveEntryList(Temp);
-
 	}

-	//RemoveEntryList(pListEntry);
+    if(Process)
+        ObDereferenceObject(Process);

-	//pListEntry->Flink->Blink = pListEntry->Blink;
-	//pListEntry->Blink->Flink = pListEntry->Flink;
-	
-	ObDereferenceObject(Eprocess);
+    return;
 }


-
-
 VOID EraseObjectFromHandleTable1(ULONG_PTR ProcessId)
 {
 	PHANDLE_TABLE   HandleTable = NULL;    // 指向句柄表的指针   
 	ULONG_PTR uTableCode = 0;  
 	ULONG uFlag = 0;

-	DbgPrint("join");
-	HandleTable = (PHANDLE_TABLE)(*(ULONG_PTR*)PspCidTable);  
+	if(PspCidTable == NULL)
+        return;

+	HandleTable = (PHANDLE_TABLE)(*(ULONG_PTR*)PspCidTable);  

 	if (HandleTable && MmIsAddressValid((PVOID)HandleTable))
 	{
-		uTableCode = (ULONG_PTR)(HandleTable->TableCode) & 0xFFFFFFFFFFFFFFFC;  ;
+		uTableCode = (ULONG_PTR)(HandleTable->TableCode) & 0xFFFFFFFFFFFFFFFC;
 		if (uTableCode && MmIsAddressValid((PVOID)uTableCode))
 		{
 			uFlag = (ULONG)(HandleTable->TableCode) & 0x03;    //00  01  10  
@ -88,26 +80,19 @@ VOID EraseObjectFromHandleTable1(ULONG_PTR ProcessId)
 			{
 			case 0:
 				{
-					DbgPrint("One");
 					EnumTable11(uTableCode,ProcessId);
 					break;
 				}
 			case 1:
 				{
-					DbgPrint("Two");
 					EnumTable12(uTableCode,ProcessId);
 					break;
 				}
-
-
 			case 2:
 				{
-					DbgPrint("Three");
 					EnumTable13(uTableCode,ProcessId);
 					break; 
 				}
-
-
 			default:
 				KdPrint(("TableCode error\n"));
 			} 			
@ -116,31 +101,34 @@ VOID EraseObjectFromHandleTable1(ULONG_PTR ProcessId)
 }


-
-
 //uTableCode  已经清了最后两位
 NTSTATUS EnumTable11(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 {
-
-
 	PVOID  Object = NULL;
 	PHANDLE_TABLE_ENTRY HandleTableEntry = NULL;  
 	ULONG uIndex = 0;
 	ULONG_PTR ulOffset = 0;
 	switch(WinVersion)
 	{
-	case WINDOWS_XP:
-		{
-			ulOffset = 0x8;
-			break;
-		}
-	case WINDOWS_7:
-		{
-			ulOffset = 0x10;
-			break;
-		}
+#ifdef _WIN32
+    case WINDOWS_XP:
+        {
+            ulOffset = 0x8;
+            break;
+        }
+#else
+    case WINDOWS_7:
+        {
+            ulOffset = 0x10;
+            break;
+        }
+#endif
+    default:
+        return STATUS_INVALID_PARAMETER;
 	}
-	HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG_PTR)(*(ULONG_PTR*)uTableCode) + ulOffset); //xp offset 0x08  
+
+	HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG_PTR)(*(ULONG_PTR*)uTableCode) + ulOffset); 
+    //xp offset 0x08  
 	//Win7 offset 0x10
 	for (uIndex = 0;uIndex<511; uIndex++ )  
 	{  
@ -152,7 +140,6 @@ NTSTATUS EnumTable11(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 				{  
 					if (MmIsAddressValid(HandleTableEntry->Object))
 					{
-
 						Object = (PVOID)(((ULONG_PTR)HandleTableEntry->Object)  & 0xFFFFFFFFFFFFFFF8);  //去掉低三位
 						if(ClearPspCidTable((PEPROCESS)Object,ProcessId)==TRUE)
 						{
@ -160,12 +147,9 @@ NTSTATUS EnumTable11(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 							memset(HandleTableEntry,0,sizeof(HANDLE_TABLE_ENTRY));
 							WPON();
 						}
-
 					}
-
 				}
 			}
-
 		}
 		HandleTableEntry++;  
 	}  
@ -181,13 +165,11 @@ NTSTATUS EnumTable12(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 	{  
 		EnumTable11(uTableCode,ProcessId);  
 		uTableCode += sizeof(ULONG_PTR);  
-	} while (*(PULONG_PTR)uTableCode != 0&&MmIsAddressValid((PVOID)*(PULONG_PTR)uTableCode));  
+	} while (*(PULONG_PTR)uTableCode != 0 && MmIsAddressValid((PVOID)*(PULONG_PTR)uTableCode));  

 	return STATUS_SUCCESS;
 }

-
-
 NTSTATUS EnumTable13(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 {
 	do   
@ -199,28 +181,24 @@ NTSTATUS EnumTable13(ULONG_PTR uTableCode,ULONG_PTR ProcessId)
 	return STATUS_SUCCESS;  
 }

-
-
-
-BOOLEAN ClearPspCidTable(PEPROCESS EProcess, ULONG_PTR PrcessId)
+BOOLEAN ClearPspCidTable(PEPROCESS Process, ULONG_PTR PrcessId)
 {
 	KAPC_STATE ApcState;
 	PPEB  Peb = NULL;
 	ULONG_PTR  ulProcessParamters = 0;

-	if (EProcess && MmIsAddressValid((PVOID)EProcess) && KeGetObjectType((PVOID)EProcess) == (ULONG_PTR)*PsProcessType)
+	if (Process && MmIsAddressValid((PVOID)Process) && KeGetObjectType((PVOID)Process) == (ULONG_PTR)*PsProcessType)
 	{ 
-
-		if (!IsProcessDie(EProcess)&&
-			NT_SUCCESS(ObReferenceObjectByPointer(EProcess, 0, NULL, KernelMode)))  //因为要操作该对象所以增加引用计数
+		if (!IsProcessDie(Process)&&
+			NT_SUCCESS(ObReferenceObjectByPointer(Process, 0, NULL, KernelMode)))  //因为要操作该对象所以增加引用计数
 		{
-			DbgPrint("PspCidTable ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)EProcess+ProcessIdOfEprocess)),(char*)((ULONG_PTR)EProcess+ProcessImageNameOfEprocess));
+			DbgPrint("PspCidTable ID:%d  %s\r\n",*((ULONG_PTR*)((ULONG_PTR)Process + ProcessIdOfEprocess)),(char*)((ULONG_PTR)Process + ProcessImageNameOfEprocess));
 		
-			if(PrcessId == *(ULONG_PTR*)((ULONG_PTR)EProcess+ProcessIdOfEprocess))
+			if(PrcessId == *(ULONG_PTR*)((ULONG_PTR)Process + ProcessIdOfEprocess))
 			{
 				return TRUE;
 			}
-			ObfDereferenceObject(EProcess);
+			ObfDereferenceObject(Process);
 		}
 	} 

--- a/ProcessManager/ProcessManagerDrv/HideProcess.h
+++ b/ProcessManager/ProcessManagerDrv/HideProcess.h
@ -1,11 +1,8 @@
 #pragma once
 #include "ProcessManagerDrv.h"

-
-
 VOID RemoveNodeFromActiveProcessLinks(ULONG_PTR ProcessId);

-
 VOID WPOFF();
 VOID WPON();

@ -14,5 +11,4 @@ NTSTATUS EnumTable11(ULONG_PTR uTableCode,ULONG_PTR ProcessId);
 NTSTATUS EnumTable12(ULONG_PTR uTableCode,ULONG_PTR ProcessId);
 NTSTATUS EnumTable13(ULONG_PTR uTableCode,ULONG_PTR ProcessId);

-
 BOOLEAN ClearPspCidTable(PEPROCESS EProcess, ULONG_PTR PrcessId);
--- a/ProcessManager/ProcessManagerDrv/ProcessManagerDrv.c
+++ b/ProcessManager/ProcessManagerDrv/ProcessManagerDrv.c
@ -1,5 +1,3 @@
-
-
 #ifndef CXX_PROCESSMANAGERRING0_H
 #	include "ProcessManagerDrv.h"
 #include "EnumProcess.h"
@ -8,8 +6,6 @@
 #endif


-
-
 WIN_VERSION WinVersion = WINDOWS_UNKNOW;
 ULONG_PTR ProcessIdOfEprocess = 0;
 ULONG_PTR ProcessImageNameOfEprocess = 0;
@ -30,7 +26,7 @@ ULONG_PTR FatherOfEprocess = 0;

 ULONG_PTR PspCidTable = 0;

-PEPROCESS g_EProcess = NULL;
+PEPROCESS g_SystemProcess = NULL;
 MSG         Msg = {0};
 PKEVENT         EventArray[3] = {0}; 

@ -87,10 +83,10 @@ DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
 		return status;
 	}	

-
 	WinVersion = GetWindowsVersion();
 	switch(WinVersion)
 	{
+#ifdef _WIN32
 	case WINDOWS_XP:
 		{
 			ProcessIdOfEprocess = 0x84;
@ -111,6 +107,7 @@ DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
 			FatherOfEprocess = 0x14c;
 			break;
 		}
+#else
 	case WINDOWS_7:
 		{
 			ProcessIdOfEprocess  = 0x180;
@ -128,10 +125,13 @@ DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
 			break;

 		}
+#endif
+    default:
+        return STATUS_NOT_SUPPORTED;
 	}

 	PspCidTable = GetPspCidTableAddress();
-	g_EProcess = PsGetCurrentProcess();
+	g_SystemProcess = PsGetCurrentProcess();

 	return STATUS_SUCCESS;
 }
--- a/ProcessManager/ProcessManagerDrv/sources
+++ b/ProcessManager/ProcessManagerDrv/sources
@ -1,7 +1,7 @@
 TARGETNAME=ProcessManagerDrv
 TARGETPATH=obj
 TARGETTYPE=DRIVER
-LINKER_FLAGS=/integritycheck
+
 INCLUDES=.\

 SOURCES= \