我知道的有三种方法
这里的第三种和第二种是一样的 隐藏进程也可以在这么做手脚
但需要注意多线程,在操作前,理应加锁
可以参考这篇文章
41813747
1.暴力枚举进程 通过PsLookupProcessByProcessId获得EPROCESS
第一个参数我们使用循环 填入0~65535
for (ULONG i = 0; i < 65535; i += 4)
{
SearchProcessPID(i);
}
return STATUS_SUCCESS; [/code]
2.通过ZwQuerySystemInformation
3.通过进程活动链来枚举
代码如下:
#include "ntddk.h"
/*
 * Per-process record type declared by the post. In this listing it is only
 * named by a single local in EnumProcessByLink and is never populated.
 */
typedef struct _PROCESS_INFO
{
ULONG_PTR eprocess;
ULONG pid;
ULONG ppid;
UNICODE_STRING pathName;
UNICODE_STRING ImageFileName;
}PROCESSINFO,*PPROCESSINFO;
/*
 * Per-thread block that follows each SYSTEM_PROCESS_INFORMATION entry
 * (see the trailing Threads member of that struct).
 * NOTE(review): this layout is hand-copied rather than taken from a public
 * header; the trailing Reserved field was added by the author ("//Add") to
 * make the stride match — confirm against the target build before indexing.
 */
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientID;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
ULONG Reserved; //Add
}SYSTEM_THREADS,*PSYSTEM_THREADS;
/*
 * One entry of the buffer returned by
 * ZwQuerySystemInformation(SystemProcessesAndThreadsInformation).
 * Entries are chained by byte offset (NextEntryOffset), not by array index;
 * EnumProcessByZw walks them that way and treats 0 as the last entry.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset; /* bytes from this entry to the next; 0 on the last entry */
ULONG NumberOfThreads; /* count of SYSTEM_THREADS records in Threads */
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName; /* printed with %wZ; may have a NULL Buffer for the idle process */
KPRIORITY BasePriority;
HANDLE ProcessId; /* a HANDLE, so narrow it explicitly before printing with an integer format */
HANDLE InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
/* zero-length array is an MSVC/GNU extension; the C99 form is Threads[] */
SYSTEM_THREADS Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
/*
 * Information classes accepted by ZwQuerySystemInformation. Only
 * SystemProcessesAndThreadsInformation (5) is used by this listing.
 * NOTE(review): the two trailing flags in the author's comments are not
 * explained on the page; they look like query/set support per class — unverified.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
/*
 * Function-pointer type for the ZwQuerySystemInformation export, which
 * EnumProcessByZw resolves at run time with MmGetSystemRoutineAddress.
 * NOTE(review): the pointer carries no calling-convention keyword; kernel
 * exports are NTAPI (stdcall on x86), so this typedef is only correct on x64
 * where the convention is uniform — the page's test platform is x64.
 */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
/*
 * Local prototypes for two ntoskrnl exports the listing calls directly.
 * PsLookupProcessByProcessId hands back a referenced EPROCESS (the author's
 * own note in SearchProcessPID says so): every successful call must be paired
 * with ObDereferenceObject(*Process).
 */
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
/* Returns the short image file name of Process. NOTE(review): the pointer is not caller-owned pool; do not free it. */
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);
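/*
 * Enumerate processes through
 * ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) and
 * KdPrint one "ProcessId / ProcessName" line per entry.
 *
 * The routine is resolved at run time with MmGetSystemRoutineAddress because
 * the listing declares its own prototype instead of importing it.
 * Must be called at PASSIVE_LEVEL (the Zw call pages).
 * Returns nothing; every failure path KdPrints a message and leaves no pool
 * allocation behind.
 *
 * Fixes relative to the original:
 *  - the size probe is retried when the kernel answers
 *    STATUS_INFO_LENGTH_MISMATCH (the process list can grow between the probe
 *    and the real query), instead of trusting the first ReturnLength;
 *  - the walk is do/while-style so the last entry (NextEntryOffset == 0) is
 *    printed instead of being skipped;
 *  - the member names in the print call were garbled (rocessId/rocessInfo);
 *  - ReturnLength is initialised before the probe.
 */
void EnumProcessByZw()
{
    enum { ENUM_POOL_TAG = 'mnEP', MAX_SIZE_RETRIES = 4 };
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG retusize = 0;
    UNICODE_STRING ZwFunName;
    PVOID AllSize = NULL;
    ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
    SYSTEM_PROCESS_INFORMATION *ProcessInfo;
    ULONG attempt;

    RtlInitUnicodeString(&ZwFunName, L"ZwQuerySystemInformation");
    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&ZwFunName);
    if (ZwQuerySystemInformation == NULL)
    {
        KdPrint(("Get Fun Addr Faile!"));
        return;
    }

    /* Size probe: a NULL buffer of length 0 only fills in the required size. */
    status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &retusize);
    if (retusize == 0)
    {
        KdPrint(("retu size is null"));
        return;
    }

    /*
     * Allocate and query; if the list grew in between, the kernel reports the
     * new size in retusize and STATUS_INFO_LENGTH_MISMATCH, so free and retry
     * a bounded number of times rather than failing on the first mismatch.
     */
    for (attempt = 0; attempt < MAX_SIZE_RETRIES; attempt++)
    {
        AllSize = ExAllocatePoolWithTag(NonPagedPool, retusize, ENUM_POOL_TAG);
        if (AllSize == NULL)
        {
            KdPrint(("ExAllocatePoolWithTag failed"));
            return;
        }
        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, AllSize, retusize, &retusize);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        ExFreePoolWithTag(AllSize, ENUM_POOL_TAG);
        AllSize = NULL;
    }
    if (!NT_SUCCESS(status))
    {
        KdPrint(("ZwQuerySystemInformation is faild!"));
        if (AllSize != NULL)
        {
            ExFreePoolWithTag(AllSize, ENUM_POOL_TAG);
        }
        return;
    }

    /* Entries are chained by byte offset; the last one has NextEntryOffset == 0. */
    ProcessInfo = (SYSTEM_PROCESS_INFORMATION *)AllSize;
    for (;;)
    {
        /* ProcessId is a HANDLE: narrow it explicitly instead of passing a pointer to an integer format. */
        KdPrint(("ProcessId:%lu------ProcessName:%wZ",
                 (ULONG)(ULONG_PTR)ProcessInfo->ProcessId, &ProcessInfo->ImageName));
        if (ProcessInfo->NextEntryOffset == 0)
        {
            break;
        }
        ProcessInfo = (SYSTEM_PROCESS_INFORMATION *)((PUCHAR)ProcessInfo + ProcessInfo->NextEntryOffset);
    }
    ExFreePoolWithTag(AllSize, ENUM_POOL_TAG);
}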
//暴力枚举PID,枚举进程
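/*
 * Look up one PID and DbgPrint its image file name.
 *
 * pid: candidate process id (the brute-force caller in the post steps it by 4).
 * Returns the PsLookupProcessByProcessId status: STATUS_SUCCESS when the PID
 * was live and its name was printed, otherwise the lookup error. The original
 * had no return statement at all, which is undefined behaviour for a
 * non-void function.
 *
 * PsLookupProcessByProcessId returns a referenced EPROCESS (the author's own
 * comment said so); that reference is now dropped with ObDereferenceObject.
 * No pool is allocated any more: the original ExAllocatePool result was
 * overwritten by the PsGetProcessImageFileName pointer on the next line and
 * leaked on every call.
 */
NTSTATUS SearchProcessPID(ULONG pid)
{
    PEPROCESS process = NULL;
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);

    if (!NT_SUCCESS(status))
    {
        return status;
    }
    /* The name pointer is valid while we hold the reference taken by the lookup. */
    DbgPrint("ID:%lu,processName:%s\n", pid, PsGetProcessImageFileName(process));
    ObDereferenceObject(process);
    return status;
}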
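/*
 * Walk EPROCESS.ActiveProcessLinks starting at the current process, KdPrint
 * each image name, then the number of list nodes visited.
 *
 * The only build-specific value left is the ActiveProcessLinks offset (0x188
 * on the page's test platform, Win7 x64 build 7601). The image name is taken
 * from the exported PsGetProcessImageFileName instead of the 0x2e0 offset.
 *
 * The original computed `p_list - 0x188` in LIST_ENTRY units (0x1880 bytes)
 * and then added 0x16f8 to land back on the EPROCESS; the two magic numbers
 * cancelled each other out. The arithmetic is done in bytes here. The loop is
 * now do/while so the node just before the starting one is also printed (the
 * original skipped it and started its counter at 1 to hide the gap).
 *
 * NOTE(review): the ring is walked without any lock while the kernel may
 * unlink entries, and it contains the kernel's own list-head node, which is
 * not an EPROCESS — one printed name may be garbage. Confirm on the target.
 */
void EnumProcessByLink()
{
    enum { ACTIVE_PROCESS_LINKS_OFFSET = 0x188 };
    PLIST_ENTRY p_head;
    PLIST_ENTRY p_list;
    ULONG processnum = 0;

    p_head = (PLIST_ENTRY)((PUCHAR)PsGetCurrentProcess() + ACTIVE_PROCESS_LINKS_OFFSET);
    p_list = p_head;
    do
    {
        /* CONTAINING_RECORD by hand: the link sits ACTIVE_PROCESS_LINKS_OFFSET bytes into the EPROCESS. */
        PEPROCESS eprocess = (PEPROCESS)((PUCHAR)p_list - ACTIVE_PROCESS_LINKS_OFFSET);
        processnum++;
        KdPrint(("ProcessName:%s", PsGetProcessImageFileName(eprocess)));
        p_list = p_list->Flink;
    } while (p_list != p_head);
    KdPrint(("ProcessNum:%lu", processnum));
}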
/* Byte offset of EPROCESS.ActiveProcessLinks on the page's test build (Win7 x64 build 7601); it differs between Windows versions. */
#define ACTIVE_PROCESS_LINK 0x188
//通过EPROCESS枚举进程
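/*
 * Walk the EPROCESS ring through ActiveProcessLinks and DbgPrint id and
 * image name for every node, starting and ending at the current process.
 *
 * Returns STATUS_SUCCESS (nothing on this path reports failure); the
 * NTSTATUS return is kept for existing callers.
 *
 * The pointer arithmetic is done on ULONG_PTR: the original cast the EPROCESS
 * pointer to ULONG, which truncates it to 32 bits on the x64 test platform
 * (Win7 x64 build 7601) and turns the next Flink read into a wild access.
 * ACTIVE_PROCESS_LINK (0x188) is specific to that build.
 *
 * NOTE(review): unsynchronised traversal, and the ring includes the kernel's
 * list-head node, which is not an EPROCESS — one entry may print garbage.
 */
NTSTATUS SearchProcessEPROCESS()
{
    PEPROCESS firstProcess = PsGetCurrentProcess();
    PEPROCESS process = firstProcess;

    do
    {
        PLIST_ENTRY plist;

        /* PsGetProcessId returns a HANDLE; narrow it explicitly for the integer format. */
        DbgPrint("ID:%lu,ProcessName:%s\n",
                 (ULONG)(ULONG_PTR)PsGetProcessId(process),
                 PsGetProcessImageFileName(process));
        plist = (PLIST_ENTRY)((ULONG_PTR)process + ACTIVE_PROCESS_LINK);
        process = (PEPROCESS)((ULONG_PTR)plist->Flink - ACTIVE_PROCESS_LINK);
    } while (process != firstProcess && process != NULL);
    return STATUS_SUCCESS;
}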
/* Unload callback registered by DriverEntry; there is nothing to tear down, only a trace. */
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("DriverUnload"));
}
/*
 * Driver entry point: traces, runs the ActiveProcessLinks enumeration once,
 * registers DriverUnload and reports success. The ZwQuerySystemInformation
 * variant stays disabled, as in the original.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pUnicodeString)
{
    UNREFERENCED_PARAMETER(pUnicodeString);

    KdPrint(("DriverEntry"));
    /* EnumProcessByZw(); */
    EnumProcessByLink();
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
测试平台:win7 x64 build 7601 |