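/*
 * Walk the PspCidTable handle table directly in kernel memory and hand every
 * process object it references to RecordProcessInfo().
 *
 * Layout assumptions baked into the arithmetic (32-bit target): pointers are
 * ULONG-sized, one HANDLE_TABLE_ENTRY is 8 bytes, and handle values step by 4,
 * so each 4 KiB table page covers 0x800 handle values. TableCode is either the
 * single table page itself (one table) or, with its two low bits cleared, an
 * array of table-page pointers. Every dereference of a slot, object header or
 * EPROCESS field is gated on MmIsAddressValid() because free or stale slots
 * are expected in this table.
 *
 * Returns the number of process objects recorded. Returns early (0 recorded)
 * only if the table count cannot be trusted.
 */
ULONG EnumProcByPspCidTable(void)
{
    enum
    {
        HANDLE_STEP = 4,            /* handle values advance by 4 per entry        */
        HANDLES_PER_TABLE = 0x800,  /* handle-value span covered by one table page */
        ENTRY_BYTES_PER_HANDLE = 2, /* 8-byte entry / HANDLE_STEP                  */
        MAX_TABLES = 16             /* capacity of TableBase[]                     */
    };
    ULONG TableBase[MAX_TABLES] = {0};
    ULONG PspCidTableAddr = 0;
    ULONG HandleTable = 0;
    ULONG ProcessType = 0;
    ULONG TableCode = 0;
    ULONG TheTableNum = 0;
    ULONG ProcessNum = 0;
    ULONG i = 0;

    PspCidTableAddr = GetPspCidTableAddr();
    ProcessType = GetTheTypeOfProcess();

    /* PspCidTable is a pointer to the HANDLE_TABLE; TableCode is its first field. */
    HandleTable = *(PULONG)PspCidTableAddr;
    TableCode = *(PULONG)HandleTable;
    DbgPrint("[TaozSpy]The PspCidTable's TableCode is %x\r\n", TableCode);

    /* NextHandleNeedingPool is the first handle value with no backing page yet,
     * so dividing by the per-page handle span yields the number of table pages. */
    TheTableNum = (*(PULONG)(HandleTable + HANDLE_TABLE_NEXTHANDLENEEDINGPOOL_OFFSET)) / HANDLES_PER_TABLE;
    DbgPrint("[TaozSpy]The TableNum is %d\r\n", TheTableNum);

    /* TableBase[] is fixed-size; a larger count would overrun it in the fill
     * loop below, so clamp and say so rather than walk past the array. */
    if (TheTableNum > MAX_TABLES)
    {
        DbgPrint("[TaozSpy]TableNum %d exceeds %d, truncating\r\n", TheTableNum, MAX_TABLES);
        TheTableNum = MAX_TABLES;
    }

    if (1 == TheTableNum)
    {
        /* Single-level table: TableCode points straight at the page. */
        TableBase[0] = TableCode;
    }
    else
    {
        /* Two-level table: the low two bits of TableCode carry the level
         * (presumably — confirm for the target OS build); the rest points at an
         * array of page pointers. */
        ULONG PointerArray = TableCode & (~3);
        for (i = 0; i < TheTableNum; i++)
        {
            ULONG Slot = PointerArray + i * sizeof(ULONG);
            /* An unreadable slot leaves TableBase[i] == 0, which the scan skips. */
            if (MmIsAddressValid((PVOID)Slot))
            {
                TableBase[i] = *(PULONG)Slot;
            }
        }
    }

    /* Scan every handle value that has a backing page. The bound is strict:
     * i == TheTableNum*HANDLES_PER_TABLE would index TableBase[TheTableNum],
     * which is past the filled entries (and past the array when full). */
    for (i = 0; i < TheTableNum * HANDLES_PER_TABLE; i += HANDLE_STEP)
    {
        ULONG PossibleAddr = 0;
        ULONG Object = 0;
        ULONG ObjectHeader = 0;
        ULONG Flags = 0;

        PossibleAddr = TableBase[i / HANDLES_PER_TABLE] + (i % HANDLES_PER_TABLE) * ENTRY_BYTES_PER_HANDLE;
        if (!MmIsAddressValid((PVOID)PossibleAddr))
        {
            continue;
        }
        if (!MmIsAddressValid((PVOID)(PossibleAddr + HANDLE_TABLE_ENTRY_NEXTFREETABLEENTRY_OFFSET)))
        {
            continue;
        }
        /* A slot that is in use has NextFreeTableEntry == 0; anything else is
         * on the free list and its Object word is not a live pointer. */
        if (*(PULONG)(PossibleAddr + HANDLE_TABLE_ENTRY_NEXTFREETABLEENTRY_OFFSET) != 0)
        {
            continue;
        }

        /* Force a kernel-space address and strip the low three attribute bits
         * (their exact meaning is per-OS — verify) to recover the EPROCESS. */
        Object = (*(PULONG)PossibleAddr | 0x80000000) & 0xfffffff8;
        ObjectHeader = (ULONG)OBJECT_TO_OBJECT_HEADER(Object);
        if (!MmIsAddressValid((PVOID)(ObjectHeader + OBJECT_HEADER_TYPE_OFFSET)))
        {
            continue;
        }
        if (*(PULONG)(ObjectHeader + OBJECT_HEADER_TYPE_OFFSET) != ProcessType)
        {
            continue;
        }

        /* The header being readable does not prove the Flags field is; the
         * original read it unchecked, which can fault on a torn-down object. */
        if (!MmIsAddressValid((PVOID)(Object + EPROCESS_FLAGS_OFFSET)))
        {
            continue;
        }
        Flags = *(PULONG)(Object + EPROCESS_FLAGS_OFFSET);
        /* Skip objects with both 0x0c bits set (presumably exiting/deleted
         * state in EPROCESS.Flags — confirm against the target build). */
        if ((Flags & 0x0c) == 0x0c)
        {
            continue;
        }

        ProcessNum++;
        DbgPrint("[TaozSpy]Yeah,I got %d\r\n", ProcessNum);
        RecordProcessInfo(Object);
    }

    return ProcessNum;
}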