内核枚举进程总结
我知道的有三种方法
代码里的 EnumProcessByLink 和 SearchProcessEPROCESS 其实都是第三种方法(遍历 EPROCESS 的 ActiveProcessLinks 双向链表),只是前者用硬编码偏移读进程名,后者用导出函数 PsGetProcessId / PsGetProcessImageFileName。进程隐藏(DKOM)正是在这条链表上做手脚:把目标 EPROCESS 从链表中摘掉,沿链表枚举就再也看不到它;第二种方法(ZwQuerySystemInformation)内核内部一般也是沿这条链表取数据,同样会漏掉被摘链的进程。因此做检测时应把几种方法的结果交叉比对(例如第一种按 PID 查找的结果与链表枚举的结果做差集),而不要依赖其中任何一种。
另外要注意并发:枚举的同时进程随时可能创建或退出,链表在变化,原则上遍历前应当加锁。但保护 ActiveProcessLinks 的内核锁并没有导出给第三方驱动,所以第三种方法在工程上只能当作尽力而为(best-effort):至少保证在 PASSIVE_LEVEL 执行、不要在遍历过程中长时间持有任何指针,并对偶发崩溃有心理预期。
可以参考这篇文章
http://blog.csdn.net/zfdyq0/article/details/41813747
1. 暴力枚举进程:通过 PsLookupProcessByProcessId 逐个 PID 获得 EPROCESS。注意该函数成功时会给 EPROCESS 增加一个引用计数,用完必须调用 ObDereferenceObject 释放,否则进程对象永远无法销毁(下面代码的注释提到了这一点,但原代码并没有真正做)。
第一个参数(PID)用循环依次填入 0~65535。PID 总是 4 的倍数,所以步长取 4 即可。要注意 65535 只是一个随意选的上限,系统中的 PID 完全可以超过这个值,超过的进程会被漏掉;严谨一点应当枚举到该系统的 PID 上限。
for (ULONG i = 0; i < 65535; i += 4) { SearchProcessPID(i); } return STATUS_SUCCESS;
2.通过ZwQuerySystemInformation
3. 通过进程活动链(EPROCESS.ActiveProcessLinks 双向链表)来枚举
代码如下:
#include "ntddk.h"typedef struct _PROCESS_INFO{ULONG_PTR eprocess;ULONG pid;ULONG ppid;UNICODE_STRING pathName;UNICODE_STRING ImageFileName;}PROCESSINFO,*PPROCESSINFO;typedef struct _SYSTEM_THREADS{ LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientID; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; ULONG ThreadState; KWAIT_REASON WaitReason; ULONG Reserved; //Add}SYSTEM_THREADS,*PSYSTEM_THREADS; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER Reserved[3]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE ProcessId; HANDLE InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; ULONG PrivatePageCount; VM_COUNTERS VirtualMemoryCounters; IO_COUNTERS IoCounters; SYSTEM_THREADS Threads[0]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, // 0 Y N SystemProcessorInformation, // 1 Y N SystemPerformanceInformation, // 2 Y N SystemTimeOfDayInformation, // 3 Y N SystemNotImplemented1, // 4 Y N SystemProcessesAndThreadsInformation, // 5 Y N SystemCallCounts, // 6 Y N SystemConfigurationInformation, // 7 Y N SystemProcessorTimes, // 8 Y N SystemGlobalFlag, // 9 Y Y SystemNotImplemented2, // 10 Y N SystemModuleInformation, // 11 Y N SystemLockInformation, // 12 Y N SystemNotImplemented3, // 13 Y N SystemNotImplemented4, // 14 Y N SystemNotImplemented5, // 15 Y N SystemHandleInformation, // 16 Y N SystemObjectInformation, // 17 Y N SystemPagefileInformation, // 18 Y N SystemInstructionEmulationCounts, // 19 Y N SystemInvalidInfoClass1, // 20 SystemCacheInformation, // 21 Y Y SystemPoolTagInformation, // 22 Y N SystemProcessorStatistics, // 23 Y N SystemDpcInformation, // 24 Y Y SystemNotImplemented6, // 25 Y N SystemLoadImage, // 26 N Y SystemUnloadImage, // 27 
N Y SystemTimeAdjustment, // 28 Y Y SystemNotImplemented7, // 29 Y N SystemNotImplemented8, // 30 Y N SystemNotImplemented9, // 31 Y N SystemCrashDumpInformation, // 32 Y N SystemExceptionInformation, // 33 Y N SystemCrashDumpStateInformation, // 34 Y Y/N SystemKernelDebuggerInformation, // 35 Y N SystemContextSwitchInformation, // 36 Y N SystemRegistryQuotaInformation, // 37 Y Y SystemLoadAndCallImage, // 38 N Y SystemPrioritySeparation, // 39 N Y SystemNotImplemented10, // 40 Y N SystemNotImplemented11, // 41 Y N SystemInvalidInfoClass2, // 42 SystemInvalidInfoClass3, // 43 SystemTimeZoneInformation, // 44 Y N SystemLookasideInformation, // 45 Y N SystemSetTimeSlipEvent, // 46 N Y SystemCreateSession, // 47 N Y SystemDeleteSession, // 48 N Y SystemInvalidInfoClass4, // 49 SystemRangeStartInformation, // 50 Y N SystemVerifierInformation, // 51 Y Y SystemAddVerifier, // 52 N Y SystemSessionProcessesInformation // 53 Y N } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);NTSTATUS PsLookupProcessByProcessId( IN HANDLE ProcessId, OUT PEPROCESS *Process );NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process); void EnumProcessByZw(){NTSTATUS status;//ULONGi = 0;ULONGretusize;UNICODE_STRINGZwFunName;PVOIDAllSize=0;ZWQUERYSYSTEMINFORMATIONZwQuerySystemInformation;SYSTEM_PROCESS_INFORMATION*ProcessInfo;RtlInitUnicodeString(&ZwFunName,L"ZwQuerySystemInformation");ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&ZwFunName);if(ZwQuerySystemInformation==0){KdPrint(("Get Fun Addr Faile!"));return;}status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,0,0,&retusize);if(retusize==0){KdPrint(("retu size is null"));return;}AllSize = ExAllocatePool(NonPagedPool,retusize);if(AllSize==0){return;}status = 
ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,AllSize,(ULONG)retusize,&retusize);if(!NT_SUCCESS(status)){KdPrint(("ZwQuerySystemInformation is faild!"));ExFreePool(AllSize);return;}ProcessInfo = (SYSTEM_PROCESS_INFORMATION*)AllSize;while (ProcessInfo->NextEntryOffset){KdPrint(("ProcessId:%d------ProcessName:%wZ",ProcessInfo->ProcessId,&ProcessInfo->ImageName));/*for (i = 0; i < ProcessInfo->NumberOfThreads;i++){KdPrint((" CliendId: %x-------StartAddress:0x%llx",ProcessInfo->Threads[i].ClientID.UniqueThread,ProcessInfo->Threads[i].StartAddress));}*/ProcessInfo = (SYSTEM_PROCESS_INFORMATION*)((ULONGLONG)ProcessInfo + ProcessInfo->NextEntryOffset);}ExFreePool(AllSize);}//暴力枚举PID,枚举进程 NTSTATUS SearchProcessPID(ULONG pid) { NTSTATUS status = STATUS_SUCCESS; PEPROCESS process = NULL; PUCHAR processName; status = PsLookupProcessByProcessId((HANDLE)pid, &process); processName = ExAllocatePool(NonPagedPool, sizeof(process)); if (NT_SUCCESS(status)) { processName = PsGetProcessImageFileName(process); DbgPrint("PID:%d,processName:%s\n", pid, processName); /*这里使用完后要ObdefObject,<span style="font-family: Arial, Helvetica, sans-serif;">PsLookupProcessByProcessId会增加引用计数 这里的内存也没有释放*/</span> } }void EnumProcessByLink(){ULONGLONG eprocess;PLIST_ENTRY p_head,p_list;ULONGLONG offset = 0x16f8;ULONGprocessnum =1;PPROCESSINFO pProcessInfo = {0};eprocess = (ULONGLONG)PsGetCurrentProcess();p_head = (PLIST_ENTRY)(eprocess+0x188);p_list = p_head;while (p_list->Flink!=p_head){processnum++;eprocess = (ULONGLONG)(p_list - 0x188)+offset;KdPrint(("ProcessName:%s",eprocess+0x2e0));p_list = p_list->Flink;}KdPrint(("ProcessNum:%d",processnum));}#define ACTIVE_PROCESS_LINK 0x188//通过EPROCESS枚举进程 NTSTATUS SearchProcessEPROCESS() { PEPROCESS process=NULL,firstProcess=NULL; NTSTATUS status = STATUS_SUCCESS; PLIST_ENTRY plist; process = firstProcess = PsGetCurrentProcess(); do { PUCHAR ProcessNmae = NULL; ProcessNmae = PsGetProcessImageFileName(process); DbgPrint("PID:%d,ProcessName:%s\n", 
(HANDLE)PsGetProcessId(process), ProcessNmae); plist = (PLIST_ENTRY)((ULONG)process + ACTIVE_PROCESS_LINK); process = (PEPROCESS)((ULONG)plist->Flink - ACTIVE_PROCESS_LINK); if (process == firstProcess) { break; } } while (process != NULL); return status; } void DriverUnload(PDRIVER_OBJECT pDriverObject){KdPrint(("DriverUnload"));}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pUnicodeString){KdPrint(("DriverEntry"));//EnumProcessByZw();EnumProcessByLink();pDriverObject->DriverUnload = DriverUnload;return STATUS_SUCCESS;}
测试平台:Win7 x64 build 7601。代码中硬编码的 EPROCESS 偏移(ActiveProcessLinks = 0x188、ImageFileName = 0x2e0)只对这个版本成立;换到其他版本会读到错误内存甚至直接蓝屏,移植前务必用 WinDbg 的 dt nt!_EPROCESS 重新核对,或者像 SearchProcessEPROCESS 那样尽量改用导出函数取字段。