列举进程的内核函数ZwQuerySystemInformation _asm
编译的时候指定控制台模式/subsystem:CONSOLE
.586
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib masm32.lib
; Counted UTF-16 string as used by the native API. In the flat 32-bit model
; it is 8 bytes: two WORDs plus one pointer. Both length fields count BYTES.
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars); may be less than MaximumLength
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to string. NOTE(review): a UNICODE_STRING is not guaranteed to be NUL-terminated, yet start prints it with %ws, which needs a terminator - confirm for this information class
UNICODE_STRING ENDS
; Per-thread record that follows the fixed part of a SYSTEMPROCESSES entry.
; Nothing in start reads these fields; the layout exists only so that
; SYSTEMPROCESSES.Threads has a type. The offsets below are unverified.
SYSTEMTHREADS struct
KernelTime db 8 dup(?) ; 64-bit time value kept as raw bytes
UserTime db 8 dup(?)
CreateTime db 8 dup(?)
WaitTime ULONG ?
StartAddress PVOID ?
ClientIs dd ? ; NOTE(review): declared as a single DWORD; the documented CLIENT_ID holds two handles (8 bytes on x86), so every later field would be 4 bytes off - confirm before reading any of them
Priority dd ?
BasePriority dd ?
ContextSwitchCount ULONG ?
ThreadState ULONG ?
WaitReason dd ? ; KWAIT_REASON enumeration value
SYSTEMTHREADS ends
; One variable-length entry of the SystemProcessInformation list.
; start reads only NextEntryDelta, ProcessName.Buffer and ProcessId; the
; remaining members are declared so that those three land at the right
; offsets (0, 56 and 68 respectively).
SYSTEMPROCESSES struct
NextEntryDelta ULONG ? ; byte offset from this entry to the next one; 0 on the last entry
ThreadCount ULONG ?
Reserved1 dd 6 DUP(?) ; 24 reserved bytes; together with the three 8-byte times below this puts ProcessName at offset 56
CreateTime db 8 dup(?) ; 64-bit time values kept as raw bytes
UserTime db 8 dup(?)
KernelTime db 8 dup(?)
ProcessName UNICODE_STRING <> ; image name of the process (offset 56)
BasePriority dd ? ; KPRIORITY (a LONG)
ProcessId ULONG ? ; offset 68; printed with %d by start
InheritedFromProcessId ULONG ? ; id of the parent process
HandleCount ULONG ?
Reserved2 ULONG 2 DUP(?)
VmCounters dd ? ; NOTE(review): VM_COUNTERS is a multi-field structure, declared here as one DWORD
IoCounters dd ? ; NOTE(review): IO_COUNTERS likewise; Threads therefore does not sit at its real offset - confirm before using it
Threads SYSTEMTHREADS <> ; presumably the first of ThreadCount records; unused by start
SYSTEMPROCESSES ends
.const
NT_PROCESSTHREAD_INFO equ 5 ; SYSTEM_INFORMATION_CLASS value 5 = SystemProcessInformation
STATUS_SUCCESS equ 0 ; NTSTATUS returned by the query when the list fit into the buffer
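.data
; ANSI, NUL-terminated names handed to LoadLibrary / GetProcAddress.
ZwQuerySystemInformation db "ZwQuerySystemInformation",0
Ntdll db "NTDLL.DLL",0
mytitle db "利用ZwQuerySystemInformation列进程",0 ; not referenced anywhere in this listing
getsuccess db "Get original Data Success",13,10,0 ; printed once the query returns STATUS_SUCCESS
apiaddr dd ? ; resolved address of ZwQuerySystemInformation
Pprocessinfo dd ? ; = offset processinfo, start of the returned list
ReturnLength dd ? ; filled in by the API (bytes written or needed); not read afterwards
; ProcessName is a UNICODE_STRING, so its Buffer is printed with %ws (UTF-16).
ProcessIdFormat db "ID=%d ProcessName=%ws",13,10,0
; wsprintf has no length argument and may write up to 1024 bytes including
; the terminating NUL, so the output buffer must hold that maximum. The
; previous 255-byte buffer could be overrun by a long image name.
WSPRINTF_MAX equ 1024
buffer db WSPRINTF_MAX dup(?)
ProcessCount dd 0 ; incremented once per list entry printed
ProcessCountFormat db "Total Process=%d",13,10,0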
.data?
; Uninitialised receive buffer for the process list. Its size must equal the
; SystemInformationLength that start pushes to ZwQuerySystemInformation
; (50000H) - keep the two in step if either is changed.
processinfo db 50000H dup(?)
.code
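;-----------------------------------------------------------------------
; start - program entry point (no arguments; never returns, exits via
;         ExitProcess)
; ABI:   Win32 flat/stdcall, console subsystem
; Flow:  1. resolve ZwQuerySystemInformation from NTDLL.DLL at run time
;        2. query SystemProcessInformation (class 5) into processinfo
;        3. walk the variable-length SYSTEMPROCESSES entries, printing
;           "ID=... ProcessName=..." per entry and a total at the end
; Regs:  eax = scratch / return values
;        edi = current SYSTEMPROCESSES entry (preserved across the calls)
;        esi = first byte past processinfo, the walk bound (preserved too)
; Exit:  ExitProcess(0) on success; ExitProcess(1) when NTDLL or its export
;        cannot be resolved, or the query does not return STATUS_SUCCESS.
;-----------------------------------------------------------------------
start proc
    ; --- resolve the export at run time ----------------------------------
    invoke LoadLibrary,offset Ntdll
    test eax,eax
    jz fail                         ; no module handle: do not pass NULL on
    invoke GetProcAddress,eax,offset ZwQuerySystemInformation
    test eax,eax
    jz fail                         ; export missing: never `call` address 0
    mov apiaddr,eax
    mov Pprocessinfo,offset processinfo

    ; --- NTSTATUS ZwQuerySystemInformation(Class, Buffer, Length, &ReturnLength)
    ; stdcall: arguments pushed right-to-left, popped by the callee.
    push offset ReturnLength
    push sizeof processinfo         ; 50000H, taken from the buffer so both stay in step
    push Pprocessinfo
    push NT_PROCESSTHREAD_INFO
    call apiaddr
    cmp eax,STATUS_SUCCESS
    jne fail                        ; on failure (e.g. list too large) the buffer is not valid data: do not walk it
    invoke StdOut,offset getsuccess

    ; --- walk the process list ---------------------------------------------
    mov edi,Pprocessinfo
    mov esi,offset processinfo
    add esi,sizeof processinfo      ; esi = end of the buffer, exclusive
    assume edi:ptr SYSTEMPROCESSES
    .while TRUE
        ; NOTE(review): the first entry is expected to carry a NULL
        ; ProcessName.Buffer (idle process); what %ws prints for NULL is left
        ; to wsprintf, as in the original - confirm if that output matters.
        invoke wsprintf,addr buffer,addr ProcessIdFormat,[edi].ProcessId,[edi].ProcessName.Buffer
        invoke StdOut,offset buffer
        inc ProcessCount
        ; A delta of 0 marks the LAST entry, which has now been printed and
        ; counted (testing the delta before printing dropped that process).
        .break .if [edi].NextEntryDelta == 0
        add edi,[edi].NextEntryDelta    ; advance to the next variable-length entry
        ; Defensive bound: the fields read above must lie inside processinfo,
        ; so a corrupt or inconsistent delta cannot make the walk read past it.
        lea eax,[edi + sizeof SYSTEMPROCESSES]
        .break .if eax > esi
    .endw
    assume edi:nothing

    invoke wsprintf,addr buffer,addr ProcessCountFormat,ProcessCount
    invoke StdOut,offset buffer
    invoke ExitProcess,0

fail:
    invoke ExitProcess,1
start endp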
end start
.586
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib masm32.lib
; Counted UTF-16 string as used by the native API. In the flat 32-bit model
; it is 8 bytes: two WORDs plus one pointer. Both length fields count BYTES.
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars); may be less than MaximumLength
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to string. NOTE(review): a UNICODE_STRING is not guaranteed to be NUL-terminated, yet start prints it with %ws, which needs a terminator - confirm for this information class
UNICODE_STRING ENDS
; Per-thread record that follows the fixed part of a SYSTEMPROCESSES entry.
; Nothing in start reads these fields; the layout exists only so that
; SYSTEMPROCESSES.Threads has a type. The offsets below are unverified.
SYSTEMTHREADS struct
KernelTime db 8 dup(?) ; 64-bit time value kept as raw bytes
UserTime db 8 dup(?)
CreateTime db 8 dup(?)
WaitTime ULONG ?
StartAddress PVOID ?
ClientIs dd ? ; NOTE(review): declared as a single DWORD; the documented CLIENT_ID holds two handles (8 bytes on x86), so every later field would be 4 bytes off - confirm before reading any of them
Priority dd ?
BasePriority dd ?
ContextSwitchCount ULONG ?
ThreadState ULONG ?
WaitReason dd ? ; KWAIT_REASON enumeration value
SYSTEMTHREADS ends
; One variable-length entry of the SystemProcessInformation list.
; start reads only NextEntryDelta, ProcessName.Buffer and ProcessId; the
; remaining members are declared so that those three land at the right
; offsets (0, 56 and 68 respectively).
SYSTEMPROCESSES struct
NextEntryDelta ULONG ? ; byte offset from this entry to the next one; 0 on the last entry
ThreadCount ULONG ?
Reserved1 dd 6 DUP(?) ; 24 reserved bytes; together with the three 8-byte times below this puts ProcessName at offset 56
CreateTime db 8 dup(?) ; 64-bit time values kept as raw bytes
UserTime db 8 dup(?)
KernelTime db 8 dup(?)
ProcessName UNICODE_STRING <> ; image name of the process (offset 56)
BasePriority dd ? ; KPRIORITY (a LONG)
ProcessId ULONG ? ; offset 68; printed with %d by start
InheritedFromProcessId ULONG ? ; id of the parent process
HandleCount ULONG ?
Reserved2 ULONG 2 DUP(?)
VmCounters dd ? ; NOTE(review): VM_COUNTERS is a multi-field structure, declared here as one DWORD
IoCounters dd ? ; NOTE(review): IO_COUNTERS likewise; Threads therefore does not sit at its real offset - confirm before using it
Threads SYSTEMTHREADS <> ; presumably the first of ThreadCount records; unused by start
SYSTEMPROCESSES ends
.const
NT_PROCESSTHREAD_INFO equ 5 ; SYSTEM_INFORMATION_CLASS value 5 = SystemProcessInformation
STATUS_SUCCESS equ 0 ; NTSTATUS returned by the query when the list fit into the buffer
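.data
; ANSI, NUL-terminated names handed to LoadLibrary / GetProcAddress.
ZwQuerySystemInformation db "ZwQuerySystemInformation",0
Ntdll db "NTDLL.DLL",0
mytitle db "利用ZwQuerySystemInformation列进程",0 ; not referenced anywhere in this listing
getsuccess db "Get original Data Success",13,10,0 ; printed once the query returns STATUS_SUCCESS
apiaddr dd ? ; resolved address of ZwQuerySystemInformation
Pprocessinfo dd ? ; = offset processinfo, start of the returned list
ReturnLength dd ? ; filled in by the API (bytes written or needed); not read afterwards
; ProcessName is a UNICODE_STRING, so its Buffer is printed with %ws (UTF-16).
ProcessIdFormat db "ID=%d ProcessName=%ws",13,10,0
; wsprintf has no length argument and may write up to 1024 bytes including
; the terminating NUL, so the output buffer must hold that maximum. The
; previous 255-byte buffer could be overrun by a long image name.
WSPRINTF_MAX equ 1024
buffer db WSPRINTF_MAX dup(?)
ProcessCount dd 0 ; incremented once per list entry printed
ProcessCountFormat db "Total Process=%d",13,10,0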
.data?
; Uninitialised receive buffer for the process list. Its size must equal the
; SystemInformationLength that start pushes to ZwQuerySystemInformation
; (50000H) - keep the two in step if either is changed.
processinfo db 50000H dup(?)
.code
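;-----------------------------------------------------------------------
; start - program entry point (no arguments; never returns, exits via
;         ExitProcess)
; ABI:   Win32 flat/stdcall, console subsystem
; Flow:  1. resolve ZwQuerySystemInformation from NTDLL.DLL at run time
;        2. query SystemProcessInformation (class 5) into processinfo
;        3. walk the variable-length SYSTEMPROCESSES entries, printing
;           "ID=... ProcessName=..." per entry and a total at the end
; Regs:  eax = scratch / return values
;        edi = current SYSTEMPROCESSES entry (preserved across the calls)
;        esi = first byte past processinfo, the walk bound (preserved too)
; Exit:  ExitProcess(0) on success; ExitProcess(1) when NTDLL or its export
;        cannot be resolved, or the query does not return STATUS_SUCCESS.
;-----------------------------------------------------------------------
start proc
    ; --- resolve the export at run time ----------------------------------
    invoke LoadLibrary,offset Ntdll
    test eax,eax
    jz fail                         ; no module handle: do not pass NULL on
    invoke GetProcAddress,eax,offset ZwQuerySystemInformation
    test eax,eax
    jz fail                         ; export missing: never `call` address 0
    mov apiaddr,eax
    mov Pprocessinfo,offset processinfo

    ; --- NTSTATUS ZwQuerySystemInformation(Class, Buffer, Length, &ReturnLength)
    ; stdcall: arguments pushed right-to-left, popped by the callee.
    push offset ReturnLength
    push sizeof processinfo         ; 50000H, taken from the buffer so both stay in step
    push Pprocessinfo
    push NT_PROCESSTHREAD_INFO
    call apiaddr
    cmp eax,STATUS_SUCCESS
    jne fail                        ; on failure (e.g. list too large) the buffer is not valid data: do not walk it
    invoke StdOut,offset getsuccess

    ; --- walk the process list ---------------------------------------------
    mov edi,Pprocessinfo
    mov esi,offset processinfo
    add esi,sizeof processinfo      ; esi = end of the buffer, exclusive
    assume edi:ptr SYSTEMPROCESSES
    .while TRUE
        ; NOTE(review): the first entry is expected to carry a NULL
        ; ProcessName.Buffer (idle process); what %ws prints for NULL is left
        ; to wsprintf, as in the original - confirm if that output matters.
        invoke wsprintf,addr buffer,addr ProcessIdFormat,[edi].ProcessId,[edi].ProcessName.Buffer
        invoke StdOut,offset buffer
        inc ProcessCount
        ; A delta of 0 marks the LAST entry, which has now been printed and
        ; counted (testing the delta before printing dropped that process).
        .break .if [edi].NextEntryDelta == 0
        add edi,[edi].NextEntryDelta    ; advance to the next variable-length entry
        ; Defensive bound: the fields read above must lie inside processinfo,
        ; so a corrupt or inconsistent delta cannot make the walk read past it.
        lea eax,[edi + sizeof SYSTEMPROCESSES]
        .break .if eax > esi
    .endw
    assume edi:nothing

    invoke wsprintf,addr buffer,addr ProcessCountFormat,ProcessCount
    invoke StdOut,offset buffer
    invoke ExitProcess,0

fail:
    invoke ExitProcess,1
start endp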
end start