思维：利用指针特点，将R0产生的批量数据通过设置结构体存下，再将指定的结构体内存区域（一定大小的指针）拷贝进IRP的缓冲区即可

#include <windows.h>
#include <winioctl.h>
#define  SYMBOLIC_NAME "\\\\.\\sym_name"
//任何宏定义后面都不能有分号！！！
#define CTL_CODE_BASE 0x8000
#define CTL_CMD(i) CTL_CODE(FILE_DEVICE_UNKNOWN,CTL_CODE_BASE+i,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define  CTL_TALK CTL_CMD(1)
#define  CTL_GET CTL_CMD(2)
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
typedef struct _PROCESS_INFOR_
{
    UINT64 pid;
    WCHAR processname;
}PROCESS_INFOR, *PPROCESS_INFOR;
//获取进程数量
void getcount()
{
    HANDLE hDevice = NULL;
    DWORD retlen = 0;
    ULONG count = 0;
    hDevice = CreateFile(TEXT(SYMBOLIC_NAME), GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    DeviceIoControl(hDevice, CTL_TALK, &count, sizeof(ULONG), &count, sizeof(ULONG), &retlen, NULL);
    CString demo;
    demo.Format(TEXT("%d"), count);
    AfxMessageBox(demo);
}
//获取进程id
void getinfor()
{
    PPROCESS_INFOR processinfor = (PPROCESS_INFOR)malloc(100 * sizeof(PROCESS_INFOR));
    HANDLE hDevice = NULL;
    DWORD retlen = 0;
    hDevice = CreateFile(TEXT(SYMBOLIC_NAME), GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    DeviceIoControl(hDevice, CTL_GET, processinfor, 100 * sizeof(PROCESS_INFOR), processinfor, 100 * sizeof(PROCESS_INFOR), &retlen, NULL);
    CString demo;
    demo.Format(TEXT("%d"), processinfor[20].pid);
    AfxMessageBox(demo);  // 除非将焦点设置到控件，否则返回 TRUE
}

#include <ntddk.h>
#define  DEVICE_NAME L"\\device\\mydevice"
#define  SYMBOLIC_NAME L"\\dosdevices\\sym_name"
#define CTL_CODE_BASE 0x8000
#define CTL_CMD(i) CTL_CODE(FILE_DEVICE_UNKNOWN,CTL_CODE_BASE+i,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define  CTL_TALK CTL_CMD(1)
#define  CTL_GET CTL_CMD(2)
ULONG count = 0;
typedef struct _PROCESS_INFOR_
{
    UINT64 pid;
    WCHAR processname;
}PROCESS_INFOR, *PPROCESS_INFOR;
VOID GetInfor(PVOID pBuff)
{
    DbgPrint("Suc!");
    UINT64 process_pid = 0;
    PUCHAR process_name = NULL;
    PLIST_ENTRY process_list = NULL;
    PEPROCESS process_first = NULL;
    PEPROCESS process_address = PsGetCurrentProcess();
    ULONG pid_offset = 0x180;
    ULONG list_offset = 0x188;
    ULONG name_offset = 0x2e0;
    ULONG uIndex = 0;
    PPROCESS_INFOR processinfromation = (PPROCESS_INFOR)ExAllocatePool(PagedPool, 100 * sizeof(PROCESS_INFOR));
    //因为双向链表 首节点的位置是0，所以我们要指向第一个节点之前
    process_list = (PLIST_ENTRY)((UINT64)process_address + list_offset);
    process_first = (PEPROCESS)((UINT64)(process_list->Blink) - list_offset);
    if (!process_address)
    {
        DbgPrint("[ERROR]: NOT ....\n");
        return;
    }
    while (process_address)
    {
        process_pid = *(UINT64*)((UINT64)process_address + pid_offset);
        process_name = (PUCHAR)((UINT64)process_address + name_offset);
        processinfromation[uIndex].pid = (UINT64)process_pid;
        DbgPrint("  pid = %ld  name = %s   \n", process_pid, process_name);
        uIndex++;
        count++;
        process_list = process_list->Flink;
        process_address = (PEPROCESS)((UINT64)(process_list)-list_offset);
        if (process_first == process_address)
        {
            DbgPrint("END!......\n");
            break;
        }
    }
    RtlCopyMemory(pBuff, processinfromation, 100 * sizeof(PROCESS_INFOR));
    DbgPrint("进程id:%d", processinfromation[20].pid);
}
NTSTATUS DispatchControl(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    PVOID pBuff = pIrp->AssociatedIrp.SystemBuffer;
    PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG CtlCode = pStack->Parameters.DeviceIoControl.IoControlCode;
    switch (CtlCode)
    {
    case CTL_TALK:
    {
                     ULONG tmpcount = count;
                     RtlCopyMemory(pBuff,&tmpcount,sizeof(ULONG));
                     DbgPrint("%d",tmpcount);
                     pIrp->IoStatus.Information = sizeof(ULONG);
                     break;
    }
    case CTL_GET:
    {
                    GetInfor(pBuff);
                    pIrp->IoStatus.Information = sizeof(PEPROCESS)* 100;
                    break;
    }
    default:
        break;
    }
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    DbgPrint("Create!");
    //设置IRP处理已经成功了
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    //返回多少字节的数据
    pIrp->IoStatus.Information = 0;
    //结束IRP处理流程
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    //函数调用成功
    return STATUS_SUCCESS;
}
VOID UnloadDriver(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING uSyb_Name = RTL_CONSTANT_STRING(SYMBOLIC_NAME);
    IoDeleteDevice(pDriver->DeviceObject);
    IoDeleteSymbolicLink(&uSyb_Name);
    DbgPrint("卸载成功");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegpath)
{
    PDEVICE_OBJECT pDevice = NULL;
    UNICODE_STRING uDeciceName = RTL_CONSTANT_STRING(DEVICE_NAME);
    UNICODE_STRING uSyb_Name = RTL_CONSTANT_STRING(SYMBOLIC_NAME);
    NTSTATUS status = STATUS_SUCCESS;
    status = IoCreateDevice(pDriver, 0, &uDeciceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建设备失败\n");
    }
    status = IoCreateSymbolicLink(&uSyb_Name, &uDeciceName);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建符号链接失败\n");
    }
    pDevice->Flags |= DO_BUFFERED_IO;
    pDriver->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    DbgPrint("驱动加载成功");
    pDriver->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}