使用EPROCESS下Win32Process枚举进程
此方法大量依赖硬编码偏移（仅对 Windows 7 x64 有效）：换一个系统版本或位数，这些偏移就会读到错误的内核内存，轻则结果错乱，重则直接蓝屏。实际使用前必须先校验系统版本，并对每一次解引用做有效性检查。
EPROCESS 下的 Win32Process 字段实际指向 win32k 的 tagPROCESSINFO 结构；它和下面用到的 tagDESKTOP / tagWND 都位于会话空间，因此必须先附加到该会话内的进程（代码里用 explorer.exe）才能访问。
//#include <ntddk.h>
#include <ntifs.h>
/*
 * Kernel exports used by the walk below.  PsGetProcessWin32Process and
 * PsGetProcessImageFileName are presumably not declared in the WDK headers
 * this file includes (hence the hand-written prototypes); IoThreadToProcess
 * is a public export.  All three are resolved against ntoskrnl at link time.
 */
NTKERNELAPI PVOID PsGetProcessWin32Process( IN PEPROCESS Process ); /* EPROCESS.Win32Process -> tagPROCESSINFO */
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);        /* owning process of a thread */
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);   /* short image name, not a full path; may be truncated */
// Windows 7 x64 ONLY: walks the win32k window list reachable from EPROCESS.Win32Process.
// The argument must be the EPROCESS of explorer.exe (a GUI process in the target session),
// because the structures being read live in that session's address space.
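/*
 * Windows 7 x64 (NT 6.1) field offsets used by the window walk.  They were
 * read off that build's symbols and are NOT valid for any other build or
 * bitness; EnumWindows refuses to run unless the version gate below passes.
 * The trailing comments name the structure type the original author recorded
 * for each field.
 */
#define W7X64_PROCESSINFO_DESKTOP   0x110 /* tagPROCESSINFO -> tagDESKTOP*                 */
#define W7X64_DESKTOP_DESKINFO      0x008 /* tagDESKTOP     -> tagDESKTOPINFO*             */
#define W7X64_DESKTOPINFO_SPWND     0x010 /* tagDESKTOPINFO -> tagWND* spwnd (desktop wnd) */
#define W7X64_WND_THREADINFO        0x010 /* tagWND         -> tagTHREADINFO*              */
#define W7X64_WND_SPWNDNEXT         0x048 /* tagWND         -> tagWND* spwndNext           */
#define W7X64_WND_SPWNDCHILD        0x060 /* tagWND         -> tagWND* spwndChild          */
#define W7X64_WND_STRNAME           0x0D8 /* tagWND         -> _LARGE_UNICODE_STRING strName */
#define W7X64_LUS_BUFFER            0x008 /* _LARGE_UNICODE_STRING -> PWSTR Buffer         */
/* A tagWND starts with its HWND value; a tagTHREADINFO starts with its PETHREAD. */

/*
 * TRUE only on a 64-bit NT 6.1 kernel.  This is a necessary, not sufficient,
 * condition for the offsets above (service packs / updates could in principle
 * move fields), but it stops the walk from running on an obviously wrong build.
 */
static BOOLEAN IsWin7x64Build(VOID)
{
#ifdef _WIN64
    RTL_OSVERSIONINFOW ver;

    RtlZeroMemory(&ver, sizeof(ver));
    ver.dwOSVersionInfoSize = sizeof(ver);
    if (!NT_SUCCESS(RtlGetVersion(&ver)))
        return FALSE;
    return (BOOLEAN)(ver.dwMajorVersion == 6 && ver.dwMinorVersion == 1);
#else
    return FALSE;
#endif
}

/*
 * Copy `size` bytes from base+offset into `out`, refusing when either end of
 * the range is not mapped.  MmIsAddressValid is only a heuristic (racy, does
 * not check protection), but it turns the common stale-pointer case into a
 * skipped entry instead of a bugcheck.  Returns FALSE when nothing was copied.
 */
static BOOLEAN ReadField(ULONG_PTR base, ULONG_PTR offset, PVOID out, SIZE_T size)
{
    PUCHAR src;

    if (base == 0 || size == 0)
        return FALSE;
    src = (PUCHAR)(base + offset);
    if (!MmIsAddressValid(src) || !MmIsAddressValid(src + size - 1))
        return FALSE;
    RtlCopyMemory(out, src, size);
    return TRUE;
}

/* Pointer-sized field read; 0 means "absent or unreadable". */
static ULONG_PTR ReadPtrField(ULONG_PTR base, ULONG_PTR offset)
{
    ULONG_PTR value = 0;

    if (!ReadField(base, offset, &value, sizeof(value)))
        return 0;
    return value;
}

/*
 * Print tagWND.strName.  The original printed the raw Buffer pointer with
 * "%S", which assumes NUL termination the structure does not guarantee.
 * Here the string is bounded by its Length and printed through a
 * UNICODE_STRING with "%wZ" instead.
 *
 * Assumed _LARGE_UNICODE_STRING layout: ULONG Length (byte count) at +0,
 * PWSTR Buffer at +8 (the +8 matches the original's read) -- confirm against
 * the build's symbols.  An ANSI-flagged string, if that flag exists, is not
 * handled and would print as garbage.
 */
static VOID PrintWindowName(ULONG_PTR tag_wnd)
{
    ULONG length = 0;
    ULONG_PTR buffer;
    UNICODE_STRING name;

    if (!ReadField(tag_wnd, W7X64_WND_STRNAME, &length, sizeof(length)))
        return;
    buffer = ReadPtrField(tag_wnd, W7X64_WND_STRNAME + W7X64_LUS_BUFFER);
    if (buffer == 0)
        return;
    if (length != 0 &&
        (!MmIsAddressValid((PVOID)buffer) ||
         !MmIsAddressValid((PVOID)(buffer + length - 1))))
        return;

    /* UNICODE_STRING lengths are USHORT byte counts: clamp and keep them even. */
    if (length > 0xFFFE)
        length = 0xFFFE;
    name.Length = (USHORT)(length & ~1u);
    name.MaximumLength = name.Length;
    name.Buffer = (PWSTR)buffer;
    DbgPrint("strName:%wZ", &name);
}

/*
 * Report one top-level window: its HWND, the window name, and the PID/image
 * name of the owning process (found via tagWND -> tagTHREADINFO -> ETHREAD).
 *
 * No reference is taken on the thread or process; the walk is not
 * synchronized against win32k, so a window destroyed mid-walk can leave a
 * dangling pointer.  Acceptable for a debugging PoC, not for production.
 */
static VOID ReportWindow(ULONG_PTR tag_wnd)
{
    ULONG_PTR hwnd, tag_thread_info, ethread;
    PEPROCESS owner;

    hwnd = ReadPtrField(tag_wnd, 0);
    if (hwnd != 0)
        DbgPrint("hwnd:0x%llx----tag_wnd:0x%llx\n", (ULONGLONG)hwnd, (ULONGLONG)tag_wnd);

    tag_thread_info = ReadPtrField(tag_wnd, W7X64_WND_THREADINFO);
    if (tag_thread_info == 0)
        return;
    ethread = ReadPtrField(tag_thread_info, 0);
    if (ethread == 0 || !MmIsAddressValid((PVOID)ethread))
        return;
    owner = IoThreadToProcess((PETHREAD)ethread);
    if (owner == NULL)
        return;

    PrintWindowName(tag_wnd);
    /* PsGetProcessId returns a HANDLE-typed value; "%d" truncated it on x64. */
    DbgPrint("\nProcessID:%llu\n", (ULONGLONG)(ULONG_PTR)PsGetProcessId(owner));
    DbgPrint("ProcessName:%s\n", PsGetProcessImageFileName(owner));
}

/*
 * Walk the top-level windows of the desktop that `explorer` (expected to be
 * explorer.exe's EPROCESS) is attached to, printing each window and its owner.
 *
 * Chain followed: EPROCESS.Win32Process (tagPROCESSINFO) -> tagDESKTOP ->
 * tagDESKTOPINFO -> desktop tagWND -> spwndChild, then spwndNext siblings.
 * Only direct children of the desktop window are visited.
 *
 * Preconditions: PASSIVE/APC level (KeStackAttachProcess), Windows 7 x64.
 * On any other build the function logs and returns without touching memory.
 * No result is returned; output goes to DbgPrint only.
 */
VOID EnumWindows(PEPROCESS explorer)
{
    KAPC_STATE apc_state;
    ULONG_PTR win32_process, tag_desk_top, tag_desk_info, tag_desk_wnd, tag_wnd;

    if (explorer == NULL)
        return;

    /* Every offset used here is build-specific; refuse to guess elsewhere. */
    if (!IsWin7x64Build()) {
        DbgPrint("EnumWindows: hard-coded offsets are for Windows 7 x64 only\n");
        return;
    }

    /*
     * The win32k structures live in session space, so the reads must happen
     * while attached to a process of that session.  KeStackAttachProcess
     * replaces the obsolete KeAttachProcess and nests correctly.
     */
    KeStackAttachProcess((PRKPROCESS)explorer, &apc_state);

    do {
        win32_process = (ULONG_PTR)PsGetProcessWin32Process(explorer); /* tagPROCESSINFO */
        if (win32_process == 0) {
            DbgPrint("win32_process");
            break;
        }
        tag_desk_top = ReadPtrField(win32_process, W7X64_PROCESSINFO_DESKTOP);
        if (tag_desk_top == 0) {
            DbgPrint("tag_desk_top");
            break;
        }
        tag_desk_info = ReadPtrField(tag_desk_top, W7X64_DESKTOP_DESKINFO);
        if (tag_desk_info == 0) {
            DbgPrint("tag_desk_info");
            break;
        }
        tag_desk_wnd = ReadPtrField(tag_desk_info, W7X64_DESKTOPINFO_SPWND);
        if (tag_desk_wnd == 0) {
            DbgPrint("tag_desk_wnd");
            break;
        }
        tag_wnd = ReadPtrField(tag_desk_wnd, W7X64_WND_SPWNDCHILD);
        if (tag_wnd == 0) {
            DbgPrint("tag_wnd");
            break;
        }

        /* Sibling list of the desktop's children; a dead link ends the walk. */
        for (; tag_wnd != 0; tag_wnd = ReadPtrField(tag_wnd, W7X64_WND_SPWNDNEXT))
            ReportWindow(tag_wnd);
    } while (0);

    KeUnstackDetachProcess(&apc_state);
}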
/*
 * Unload callback.  Nothing to release: DriverEntry registers no devices,
 * callbacks or allocations that outlive it, so this only logs the unload.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    (VOID)pDriverObject; /* unused */
    DbgPrint("88!\n");
}
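/*
 * Upper bound for the PID scan.  PIDs are multiples of 4; a machine that has
 * churned through more than this many may need a higher limit.
 */
#define MAX_SCANNED_PID 0x10000

/*
 * Find explorer.exe by scanning process IDs and comparing the EPROCESS image
 * name.  Returns a *referenced* EPROCESS (caller must ObDereferenceObject) or
 * NULL.  The first match wins; a terminating process would still match, and
 * multiple explorer instances (several sessions) are not distinguished.
 */
static PEPROCESS FindExplorerProcess(VOID)
{
    static const CHAR target[] = "explorer.exe"; /* 13 bytes incl. NUL */
    ULONG_PTR pid;

    for (pid = 4; pid < MAX_SCANNED_PID; pid += 4) {
        PEPROCESS process = NULL;

        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &process)))
            continue;
        /* Compare including the terminator so a longer name cannot match. */
        if (RtlCompareMemory(PsGetProcessImageFileName(process), target, sizeof(target))
                == sizeof(target))
            return process; /* reference transferred to caller */
        ObDereferenceObject(process);
    }
    return NULL;
}

/*
 * Driver entry point: locate explorer.exe and dump its desktop's windows.
 *
 * The original passed a fixed EPROCESS address copied from one debugging
 * session.  Such a value is dead on the next boot, and dereferencing it in
 * kernel mode bugchecks at best; the process is resolved at load time instead.
 * Always returns STATUS_SUCCESS (as before), even when explorer.exe is absent,
 * so the driver stays loaded and can be unloaded normally.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    PEPROCESS explorer;

    UNREFERENCED_PARAMETER(pRegPath);
    pDriverObject->DriverUnload = DriverUnload;

    explorer = FindExplorerProcess();
    if (explorer == NULL) {
        DbgPrint("DriverEntry: explorer.exe not found\n");
        return STATUS_SUCCESS;
    }
    EnumWindows(explorer);
    ObDereferenceObject(explorer);
    return STATUS_SUCCESS;
}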
测试图:有一些是没有strName的