使用EPROCESS下Win32Process枚举进程
此方法硬编码很多!!!
EPROCESS下win32Process其实是一个tagPROCESSINFO 结构
/*
 * win32k tagPROCESSINFO as dumped by the article's author (Win7 x64 per the
 * article). EPROCESS.Win32Process points at this structure. The offsets in
 * the /*0xNNN*/ comments are build-specific and must be re-verified on any
 * other build before they are hard-coded anywhere.
 */
typedef struct _tagPROCESSINFO // 55 elements, 0x300 bytes (sizeof)
{
    /*0x000*/ struct _EPROCESS* Process;
    /*0x008*/ ULONG32 RefCount;
    /*0x00C*/ ULONG32 W32PF_Flags;
    /*0x010*/ struct _KEVENT* InputIdleEvent;
    /*0x018*/ ULONG32 StartCursorHideTime;
    /*0x01C*/ UINT8 _PADDING0_[0x4];
    /*0x020*/ struct _W32PROCESS* NextStart;
    /*0x028*/ VOID* pDCAttrList;
    /*0x030*/ VOID* pBrushAttrList;
    /*0x038*/ ULONG32 W32Pid;
    /*0x03C*/ LONG32 GDIHandleCount;
    /*0x040*/ ULONG32 GDIHandleCountPeak;
    /*0x044*/ LONG32 UserHandleCount;
    /*0x048*/ ULONG32 UserHandleCountPeak;
    /*0x04C*/ UINT8 _PADDING1_[0x4];
    /*0x050*/ struct _EX_PUSH_LOCK GDIPushLock; // 7 elements, 0x8 bytes (sizeof)
    /*0x058*/ struct _RTL_AVL_TABLE GDIEngUserMemAllocTable; // 11 elements, 0x68 bytes (sizeof)
    /*0x0C0*/ struct _LIST_ENTRY GDIDcAttrFreeList; // 2 elements, 0x10 bytes (sizeof)
    /*0x0D0*/ struct _LIST_ENTRY GDIBrushAttrFreeList; // 2 elements, 0x10 bytes (sizeof)
    /*0x0E0*/ struct _LIST_ENTRY GDIW32PIDLockedBitmaps; // 2 elements, 0x10 bytes (sizeof)
    /*0x0F0*/ VOID* hSecureGdiSharedHandleTable;
    /*0x0F8*/ VOID* DxProcess;
    /*0x100*/ struct _tagTHREADINFO* ptiList;
    /*0x108*/ struct _tagTHREADINFO* ptiMainThread;
    /* The walk in the article starts here: the desktop this process started on. */
    /*0x110*/ struct _tagDESKTOP* rpdeskStartup;
    /*0x118*/ struct _tagCLS* pclsPrivateList;
    /*0x120*/ struct _tagCLS* pclsPublicList;
    /*0x128*/ struct _tagWOWPROCESSINFO* pwpi;
    /*0x130*/ struct _tagPROCESSINFO* ppiNext;
    /*0x138*/ struct _tagPROCESSINFO* ppiNextRunning;
    /*0x140*/ UINT32 cThreads;
    /*0x144*/ UINT8 _PADDING2_[0x4];
    /*0x148*/ struct _HDESK__* hdeskStartup;
    /*0x150*/ UINT32 cSysExpunge;
    /*0x154*/ ULONG32 dwhmodLibLoadedMask;
    /*0x158*/ VOID* ahmodLibLoaded[32];
    /*0x258*/ struct _tagWINDOWSTATION* rpwinsta;
    /*0x260*/ struct _HWINSTA__* hwinsta;
    /*0x268*/ ULONG32 amwinsta;
    /*0x26C*/ ULONG32 dwHotkey;
    /*0x270*/ struct _HMONITOR__* hMonitor;
    /*0x278*/ struct _tagDESKTOPVIEW* pdvList;
    /*0x280*/ UINT32 iClipSerialNumber;
    /*0x284*/ UINT8 _PADDING3_[0x4];
    /*0x288*/ struct _RTL_BITMAP bmHandleFlags; // 2 elements, 0x10 bytes (sizeof)
    /*0x298*/ struct _tagCURSOR* pCursorCache;
    /*0x2A0*/ VOID* pClientBase;
    /*0x2A8*/ ULONG32 dwLpkEntryPoints;
    /*0x2AC*/ UINT8 _PADDING4_[0x4];
    /*0x2B0*/ struct _tagW32JOB* pW32Job;
    /*0x2B8*/ ULONG32 dwImeCompatFlags;
    /*0x2BC*/ struct _LUID luidSession; // 2 elements, 0x8 bytes (sizeof)
    /*0x2C4*/ struct _tagUSERSTARTUPINFO usi; // 8 elements, 0x1C bytes (sizeof)
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x2E0*/ ULONG32 Flags;
        struct // 2 elements, 0x4 bytes (sizeof)
        {
            /*0x2E0*/ UINT32 fHasMagContext : 1; // 0 BitPosition
            /*0x2E0*/ UINT32 Unused : 31; // 1 BitPosition
        };
    };
    /*0x2E4*/ ULONG32 dwLayout;
    /*0x2E8*/ struct _tagPROCESS_HID_TABLE* pHidTable;
    /*0x2F0*/ ULONG32 dwRegisteredClasses;
    /*0x2F4*/ UINT8 _PADDING5_[0x4];
    /*0x2F8*/ struct _VWPL* pvwplWndGCList;
}tagPROCESSINFO, *PtagPROCESSINFO;
tagPROCESSINFO 下有一个成员 rpdeskStartup (offset 0x110),指向 tagDESKTOP 结构
/*
 * win32k tagDESKTOP as dumped by the author (Win7 x64 per the article).
 * Reached from tagPROCESSINFO.rpdeskStartup. Offsets are build-specific.
 */
typedef struct _tagDESKTOP // 25 elements, 0xE0 bytes (sizeof)
{
    /*0x000*/ ULONG32 dwSessionId;
    /*0x004*/ UINT8 _PADDING0_[0x4];
    /* Next hop of the walk: the desktop's shared DESKTOPINFO. */
    /*0x008*/ struct _tagDESKTOPINFO* pDeskInfo;
    /*0x010*/ struct _tagDISPLAYINFO* pDispInfo;
    /*0x018*/ struct _tagDESKTOP* rpdeskNext;
    /*0x020*/ struct _tagWINDOWSTATION* rpwinstaParent;
    /*0x028*/ ULONG32 dwDTFlags;
    /*0x02C*/ UINT8 _PADDING1_[0x4];
    /*0x030*/ UINT64 dwDesktopId;
    /*0x038*/ struct _tagMENU* spmenuSys;
    /*0x040*/ struct _tagMENU* spmenuDialogSys;
    /*0x048*/ struct _tagMENU* spmenuHScroll;
    /*0x050*/ struct _tagMENU* spmenuVScroll;
    /*0x058*/ struct _tagWND* spwndForeground;
    /*0x060*/ struct _tagWND* spwndTray;
    /*0x068*/ struct _tagWND* spwndMessage;
    /*0x070*/ struct _tagWND* spwndTooltip;
    /*0x078*/ VOID* hsectionDesktop;
    /*0x080*/ struct _tagWIN32HEAP* pheapDesktop;
    /*0x088*/ ULONG32 ulHeapSize;
    /*0x08C*/ UINT8 _PADDING2_[0x4];
    /*0x090*/ struct _CONSOLE_CARET_INFO cciConsole; // 2 elements, 0x18 bytes (sizeof)
    /*0x0A8*/ struct _LIST_ENTRY PtiList; // 2 elements, 0x10 bytes (sizeof)
    /*0x0B8*/ struct _tagWND* spwndTrack;
    /*0x0C0*/ INT32 htEx;
    /*0x0C4*/ struct _tagRECT rcMouseHover; // 4 elements, 0x10 bytes (sizeof)
    /*0x0D4*/ ULONG32 dwMouseHoverTime;
    /*0x0D8*/ struct _MAGNIFICATION_INPUT_TRANSFORM* pMagInputTransform;
}tagDESKTOP, *PtagDESKTOP;
tagDESKTOP 下 +0x8 处是 pDeskInfo,指向 _tagDESKTOPINFO 结构
/*
 * win32k tagDESKTOPINFO as dumped by the author (Win7 x64 per the article).
 * Reached from tagDESKTOP.pDeskInfo. Offsets are build-specific.
 */
typedef struct _tagDESKTOPINFO // 16 elements, 0xF0 bytes (sizeof)
{
    /*0x000*/ VOID* pvDesktopBase;
    /*0x008*/ VOID* pvDesktopLimit;
    /* Desktop window; its spwndChild starts the top-level window list. */
    /*0x010*/ struct _tagWND* spwnd;
    /*0x018*/ ULONG32 fsHooks;
    /*0x01C*/ UINT8 _PADDING0_[0x4];
    /*0x020*/ struct _tagHOOK* aphkStart[16];
    /*0x0A0*/ struct _tagWND* spwndShell;
    /*0x0A8*/ struct _tagPROCESSINFO* ppiShellProcess;
    /*0x0B0*/ struct _tagWND* spwndBkGnd;
    /*0x0B8*/ struct _tagWND* spwndTaskman;
    /*0x0C0*/ struct _tagWND* spwndProgman;
    /*0x0C8*/ struct _VWPL* pvwplShellHook;
    /*0x0D0*/ INT32 cntMBox;
    /*0x0D4*/ UINT8 _PADDING1_[0x4];
    /*0x0D8*/ struct _tagWND* spwndGestureEngine;
    /*0x0E0*/ struct _VWPL* pvwplMessagePPHandler;
    struct // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x0E8*/ ULONG32 fComposited : 1; // 0 BitPosition
        /*0x0E8*/ ULONG32 fIsDwmDesktop : 1; // 1 BitPosition
    };
}tagDESKTOPINFO, *PtagDESKTOPINFO;
tagDESKTOPINFO +0x10 处是 spwnd,指向 tagWND 结构
/*
 * win32k tagWND as dumped by the author (Win7 x64 per the article).
 * The walk uses head (h = HWND, pti = owning thread), spwndChild, spwndNext
 * and strName. Offsets are build-specific. The `style` bit-field listing is
 * reproduced as dumped: several 16-bit reserved runs restart at bit 0, so it
 * looks like a flattened view of overlapping sub-structures — treat the
 * BitPosition comments, not the declaration order, as the authority.
 */
typedef struct _tagWND // 170 elements, 0x128 bytes (sizeof)
{
    /* head.h is the HWND, head.pti the owning tagTHREADINFO (see THRDESKHEAD below). */
    /*0x000*/ struct _THRDESKHEAD head; // 5 elements, 0x28 bytes (sizeof)
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x028*/ ULONG32 state;
        struct // 32 elements, 0x4 bytes (sizeof)
        {
            /*0x028*/ INT32 bHasMeun : 1; // 0 BitPosition
            /*0x028*/ INT32 bHasVerticalScrollbar : 1; // 1 BitPosition
            /*0x028*/ INT32 bHasHorizontalScrollbar : 1; // 2 BitPosition
            /*0x028*/ INT32 bHasCaption : 1; // 3 BitPosition
            /*0x028*/ INT32 bSendSizeMoveMsgs : 1; // 4 BitPosition
            /*0x028*/ INT32 bMsgBox : 1; // 5 BitPosition
            /*0x028*/ INT32 bActiveFrame : 1; // 6 BitPosition
            /*0x028*/ INT32 bHasSPB : 1; // 7 BitPosition
            /*0x028*/ INT32 bNoNCPaint : 1; // 8 BitPosition
            /*0x028*/ INT32 bSendEraseBackground : 1; // 9 BitPosition
            /*0x028*/ INT32 bEraseBackground : 1; // 10 BitPosition
            /*0x028*/ INT32 bSendNCPaint : 1; // 11 BitPosition
            /*0x028*/ INT32 bInternalPaint : 1; // 12 BitPosition
            /*0x028*/ INT32 bUpdateDirty : 1; // 13 BitPosition
            /*0x028*/ INT32 bHiddenPopup : 1; // 14 BitPosition
            /*0x028*/ INT32 bForceMenuDraw : 1; // 15 BitPosition
            /*0x028*/ INT32 bDialogWindow : 1; // 16 BitPosition
            /*0x028*/ INT32 bHasCreatestructName : 1; // 17 BitPosition
            /*0x028*/ INT32 bServerSideWindowProc : 1; // 18 BitPosition
            /*0x028*/ INT32 bAnsiWindowProc : 1; // 19 BitPosition
            /*0x028*/ INT32 bBeingActivated : 1; // 20 BitPosition
            /*0x028*/ INT32 bHasPalette : 1; // 21 BitPosition
            /*0x028*/ INT32 bPaintNotProcessed : 1; // 22 BitPosition
            /*0x028*/ INT32 bSyncPaintPending : 1; // 23 BitPosition
            /*0x028*/ INT32 bRecievedQuerySuspendMsg : 1; // 24 BitPosition
            /*0x028*/ INT32 bRecievedSuspendMsg : 1; // 25 BitPosition
            /*0x028*/ INT32 bToggleTopmost : 1; // 26 BitPosition
            /*0x028*/ INT32 bRedrawIfHung : 1; // 27 BitPosition
            /*0x028*/ INT32 bRedrawFrameIfHung : 1; // 28 BitPosition
            /*0x028*/ INT32 bAnsiCreator : 1; // 29 BitPosition
            /*0x028*/ INT32 bMaximizesToMonitor : 1; // 30 BitPosition
            /*0x028*/ INT32 bDestroyed : 1; // 31 BitPosition
        };
    };
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x02C*/ ULONG32 state2;
        struct // 30 elements, 0x4 bytes (sizeof)
        {
            /*0x02C*/ INT32 bWMPaintSent : 1; // 0 BitPosition
            /*0x02C*/ INT32 bEndPaintInvalidate : 1; // 1 BitPosition
            /*0x02C*/ INT32 bStartPaint : 1; // 2 BitPosition
            /*0x02C*/ INT32 bOldUI : 1; // 3 BitPosition
            /*0x02C*/ INT32 bHasClientEdge : 1; // 4 BitPosition
            /*0x02C*/ INT32 bBottomMost : 1; // 5 BitPosition
            /*0x02C*/ INT32 bFullScreen : 1; // 6 BitPosition
            /*0x02C*/ INT32 bInDestroy : 1; // 7 BitPosition
            /*0x02C*/ INT32 bWin31Compat : 1; // 8 BitPosition
            /*0x02C*/ INT32 bWin40Compat : 1; // 9 BitPosition
            /*0x02C*/ INT32 bWin50Compat : 1; // 10 BitPosition
            /*0x02C*/ INT32 bMaximizeMonitorRegion : 1; // 11 BitPosition
            /*0x02C*/ INT32 bCloseButtonDown : 1; // 12 BitPosition
            /*0x02C*/ INT32 bMaximizeButtonDown : 1; // 13 BitPosition
            /*0x02C*/ INT32 bMinimizeButtonDown : 1; // 14 BitPosition
            /*0x02C*/ INT32 bHelpButtonDown : 1; // 15 BitPosition
            /*0x02C*/ INT32 bScrollBarLineUpBtnDown : 1; // 16 BitPosition
            /*0x02C*/ INT32 bScrollBarPageUpBtnDown : 1; // 17 BitPosition
            /*0x02C*/ INT32 bScrollBarPageDownBtnDown : 1; // 18 BitPosition
            /*0x02C*/ INT32 bScrollBarLineDownBtnDown : 1; // 19 BitPosition
            /*0x02C*/ INT32 bAnyScrollButtonDown : 1; // 20 BitPosition
            /*0x02C*/ INT32 bScrollBarVerticalTracking : 1; // 21 BitPosition
            /*0x02C*/ INT32 bForceNCPaint : 1; // 22 BitPosition
            /*0x02C*/ INT32 bForceFullNCPaintClipRgn : 1; // 23 BitPosition
            /*0x02C*/ INT32 FullScreenMode : 3; // 24 BitPosition
            /*0x02C*/ INT32 bCaptionTextTruncated : 1; // 27 BitPosition
            /*0x02C*/ INT32 bNoMinmaxAnimatedRects : 1; // 28 BitPosition
            /*0x02C*/ INT32 bSmallIconFromWMQueryDrag : 1; // 29 BitPosition
            /*0x02C*/ INT32 bShellHookRegistered : 1; // 30 BitPosition
            /*0x02C*/ INT32 bWMCreateMsgProcessed : 1; // 31 BitPosition
        };
    };
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x030*/ ULONG32 ExStyle;
        struct // 32 elements, 0x4 bytes (sizeof)
        {
            /*0x030*/ INT32 bWS_EX_DLGMODALFRAME : 1; // 0 BitPosition
            /*0x030*/ INT32 bUnused1 : 1; // 1 BitPosition
            /*0x030*/ INT32 bWS_EX_NOPARENTNOTIFY : 1; // 2 BitPosition
            /*0x030*/ INT32 bWS_EX_TOPMOST : 1; // 3 BitPosition
            /*0x030*/ INT32 bWS_EX_ACCEPTFILE : 1; // 4 BitPosition
            /*0x030*/ INT32 bWS_EX_TRANSPARENT : 1; // 5 BitPosition
            /*0x030*/ INT32 bWS_EX_MDICHILD : 1; // 6 BitPosition
            /*0x030*/ INT32 bWS_EX_TOOLWINDOW : 1; // 7 BitPosition
            /*0x030*/ INT32 bWS_EX_WINDOWEDGE : 1; // 8 BitPosition
            /*0x030*/ INT32 bWS_EX_CLIENTEDGE : 1; // 9 BitPosition
            /*0x030*/ INT32 bWS_EX_CONTEXTHELP : 1; // 10 BitPosition
            /*0x030*/ INT32 bMakeVisibleWhenUnghosted : 1; // 11 BitPosition
            /*0x030*/ INT32 bWS_EX_RIGHT : 1; // 12 BitPosition
            /*0x030*/ INT32 bWS_EX_RTLREADING : 1; // 13 BitPosition
            /*0x030*/ INT32 bWS_EX_LEFTSCROLLBAR : 1; // 14 BitPosition
            /*0x030*/ INT32 bUnused2 : 1; // 15 BitPosition
            /*0x030*/ INT32 bWS_EX_CONTROLPARENT : 1; // 16 BitPosition
            /*0x030*/ INT32 bWS_EX_STATICEDGE : 1; // 17 BitPosition
            /*0x030*/ INT32 bWS_EX_APPWINDOW : 1; // 18 BitPosition
            /*0x030*/ INT32 bWS_EX_LAYERED : 1; // 19 BitPosition
            /*0x030*/ INT32 bWS_EX_NOINHERITLAYOUT : 1; // 20 BitPosition
            /*0x030*/ INT32 bUnused3 : 1; // 21 BitPosition
            /*0x030*/ INT32 bWS_EX_LAYOUTRTL : 1; // 22 BitPosition
            /*0x030*/ INT32 bWS_EX_NOPADDEDBORDER : 1; // 23 BitPosition
            /*0x030*/ INT32 bUnused4 : 1; // 24 BitPosition
            /*0x030*/ INT32 bWS_EX_COMPOSITED : 1; // 25 BitPosition
            /*0x030*/ INT32 bUIStateActive : 1; // 26 BitPosition
            /*0x030*/ INT32 bWS_EX_NOACTIVATE : 1; // 27 BitPosition
            /*0x030*/ INT32 bWS_EX_COMPOSITEDCompositing : 1; // 28 BitPosition
            /*0x030*/ INT32 bRedirected : 1; // 29 BitPosition
            /*0x030*/ INT32 bUIStateKbdAccelHidden : 1; // 30 BitPosition
            /*0x030*/ INT32 bUIStateFocusRectHidden : 1; // 31 BitPosition
        };
    };
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x034*/ ULONG32 style;
        struct // 31 elements, 0x4 bytes (sizeof)
        {
            /*0x034*/ INT32 bReserved1 : 16; // 0 BitPosition
            /*0x034*/ INT32 bWS_MAXIMIZEBOX : 1; // 16 BitPosition
            /*0x034*/ INT32 bReserved2 : 16; // 0 BitPosition
            /*0x034*/ INT32 bWS_TABSTOP : 1; // 16 BitPosition
            /*0x034*/ INT32 bReserved3 : 16; // 0 BitPosition
            /*0x034*/ INT32 bUnused5 : 1; // 16 BitPosition
            /*0x034*/ INT32 bWS_MINIMIZEBOX : 1; // 17 BitPosition
            /*0x034*/ INT32 bReserved4 : 16; // 0 BitPosition
            /*0x034*/ INT32 bUnused6 : 1; // 16 BitPosition
            /*0x034*/ INT32 bWS_GROUP : 1; // 17 BitPosition
            /*0x034*/ INT32 bReserved5 : 16; // 0 BitPosition
            /*0x034*/ INT32 bUnused7 : 2; // 16 BitPosition
            /*0x034*/ INT32 bWS_THICKFRAME : 1; // 18 BitPosition
            /*0x034*/ INT32 bReserved6 : 16; // 0 BitPosition
            /*0x034*/ INT32 bUnused8 : 2; // 16 BitPosition
            /*0x034*/ INT32 bWS_SIZEBOX : 1; // 18 BitPosition
            /*0x034*/ INT32 bReserved7 : 16; // 0 BitPosition
            /*0x034*/ INT32 bUnused9 : 3; // 16 BitPosition
            /*0x034*/ INT32 bWS_SYSMENU : 1; // 19 BitPosition
            /*0x034*/ INT32 bWS_HSCROLL : 1; // 20 BitPosition
            /*0x034*/ INT32 bWS_VSCROLL : 1; // 21 BitPosition
            /*0x034*/ INT32 bWS_DLGFRAME : 1; // 22 BitPosition
            /*0x034*/ INT32 bWS_BORDER : 1; // 23 BitPosition
            /*0x034*/ INT32 bMaximized : 1; // 24 BitPosition
            /*0x034*/ INT32 bWS_CLIPCHILDREN : 1; // 25 BitPosition
            /*0x034*/ INT32 bWS_CLIPSIBLINGS : 1; // 26 BitPosition
            /*0x034*/ INT32 bDisabled : 1; // 27 BitPosition
            /*0x034*/ INT32 bVisible : 1; // 28 BitPosition
            /*0x034*/ INT32 bMinimized : 1; // 29 BitPosition
            /*0x034*/ INT32 bWS_CHILD : 1; // 30 BitPosition
            /*0x034*/ INT32 bWS_POPUP : 1; // 31 BitPosition
        };
    };
    /*0x038*/ VOID* hModule;
    /*0x040*/ UINT16 hMod16;
    /*0x042*/ UINT16 fnid;
    /*0x044*/ UINT8 _PADDING0_[0x4];
    /* Sibling list used by the walk; NULL spwndNext ends it. */
    /*0x048*/ struct _tagWND* spwndNext;
    /*0x050*/ struct _tagWND* spwndPrev;
    /*0x058*/ struct _tagWND* spwndParent;
    /* First child; read from the desktop window to get the top-level list. */
    /*0x060*/ struct _tagWND* spwndChild;
    /*0x068*/ struct _tagWND* spwndOwner;
    /*0x070*/ struct _tagRECT rcWindow; // 4 elements, 0x10 bytes (sizeof)
    /*0x080*/ struct _tagRECT rcClient; // 4 elements, 0x10 bytes (sizeof)
    /*0x090*/ FUNCT_0075_0FB0_lpfnWndProc_aStoCidPfn* lpfnWndProc;
    /*0x098*/ struct _tagCLS* pcls;
    /*0x0A0*/ struct _HRGN__* hrgnUpdate;
    /*0x0A8*/ struct _tagPROPLIST* ppropList;
    /*0x0B0*/ struct _tagSBINFO* pSBInfo;
    /*0x0B8*/ struct _tagMENU* spmenuSys;
    /*0x0C0*/ struct _tagMENU* spmenu;
    /*0x0C8*/ struct _HRGN__* hrgnClip;
    /*0x0D0*/ struct _HRGN__* hrgnNewFrame;
    /* Window caption; the article reads its Buffer at +8. Not NUL-terminated by contract. */
    /*0x0D8*/ struct _LARGE_UNICODE_STRING strName; // 4 elements, 0x10 bytes (sizeof)
    /*0x0E8*/ INT32 cbwndExtra;
    /*0x0EC*/ UINT8 _PADDING1_[0x4];
    /*0x0F0*/ struct _tagWND* spwndLastActive;
    /*0x0F8*/ struct _HIMC__* hImc;
    /*0x100*/ UINT64 dwUserData;
    /*0x108*/ struct _ACTIVATION_CONTEXT* pActCtx;
    /*0x110*/ struct _D3DMATRIX* pTransform;
    /*0x118*/ struct _tagWND* spwndClipboardListenerNext;
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x120*/ ULONG32 ExStyle2;
        struct // 12 elements, 0x4 bytes (sizeof)
        {
            /*0x120*/ INT32 bClipboardListener : 1; // 0 BitPosition
            /*0x120*/ INT32 bLayeredInvalidate : 1; // 1 BitPosition
            /*0x120*/ INT32 bRedirectedForPrint : 1; // 2 BitPosition
            /*0x120*/ INT32 bLinked : 1; // 3 BitPosition
            /*0x120*/ INT32 bLayeredForDWM : 1; // 4 BitPosition
            /*0x120*/ INT32 bLayeredLimbo : 1; // 5 BitPosition
            /*0x120*/ INT32 bHIGHDPI_UNAWARE_Unused : 1; // 6 BitPosition
            /*0x120*/ INT32 bVerticallyMaximizedLeft : 1; // 7 BitPosition
            /*0x120*/ INT32 bVerticallyMaximizedRight : 1; // 8 BitPosition
            /*0x120*/ INT32 bHasOverlay : 1; // 9 BitPosition
            /*0x120*/ INT32 bConsoleWindow : 1; // 10 BitPosition
            /*0x120*/ INT32 bChildNoActivate : 1; // 11 BitPosition
        };
    };
}tagWND, *PtagWND;
tagWND+0x60处struct _tagWND* spwndChild结构
同上,可以看到:
/*0x048*/ struct _tagWND* spwndNext;
/*0x050*/ struct _tagWND* spwndPrev;
/*0x058*/ struct _tagWND* spwndParent;
/*0x060*/ struct _tagWND* spwndChild;
/*0x068*/ struct _tagWND* spwndOwner;
可以通过 +0x48 处的 spwndNext 得到下一个 tagWND 结构
我们用它来遍历,当指针为 NULL 的时候结束
怎么知道拥有这个窗口对象的是哪个进程呢?
在tagWND+0x10处 (也就是在THRDESKHEAD里)
/*
 * Header at the start of tagWND (tagWND.head), as dumped by the author.
 * h is the HWND; pti is the owning thread's tagTHREADINFO, which is how the
 * article resolves a window back to a process. Offsets are build-specific.
 */
typedef struct _THRDESKHEAD // 5 elements, 0x28 bytes (sizeof)
{
    /*0x000*/ VOID* h;
    /*0x008*/ ULONG32 cLockObj;
    /*0x00C*/ UINT8 _PADDING0_[0x4];
    /*0x010*/ struct _tagTHREADINFO* pti;
    /*0x018*/ struct _tagDESKTOP* rpdesk;
    /*0x020*/ UINT8* pSelf;
}THRDESKHEAD, *PTHRDESKHEAD;
有一个tagTHREADINFO
/*
 * win32k tagTHREADINFO as dumped by the author (Win7 x64 per the article).
 * Reached from tagWND.head.pti. The only field the article's walk uses is
 * pEThread at +0, which it hands to IoThreadToProcess. Offsets are
 * build-specific.
 */
typedef struct _tagTHREADINFO // 159 elements, 0x3B0 bytes (sizeof)
{
    /* The ETHREAD of this GUI thread; IoThreadToProcess() gives its EPROCESS. */
    /*0x000*/ struct _ETHREAD* pEThread;
    /*0x008*/ ULONG32 RefCount;
    /*0x00C*/ UINT8 _PADDING0_[0x4];
    /*0x010*/ struct _TL* ptlW32;
    /*0x018*/ VOID* pgdiDcattr;
    /*0x020*/ VOID* pgdiBrushAttr;
    /*0x028*/ VOID* pUMPDObjs;
    /*0x030*/ VOID* pUMPDHeap;
    /*0x038*/ VOID* pUMPDObj;
    /*0x040*/ VOID* pProxyPort;
    /*0x048*/ VOID* pClientID;
    /*0x050*/ struct _LIST_ENTRY GdiTmpTgoList; // 2 elements, 0x10 bytes (sizeof)
    /*0x060*/ ULONG32 pRBRecursionCount;
    /*0x064*/ ULONG32 pNonRBRecursionCount;
    /*0x068*/ struct _TLSPRITESTATE tlSpriteState; // 24 elements, 0xA8 bytes (sizeof)
    /*0x110*/ VOID* pSpriteState;
    /*0x118*/ VOID* pDevHTInfo;
    /*0x120*/ ULONG32 ulDevHTInfoUniqueness;
    /*0x124*/ UINT8 _PADDING1_[0x4];
    /*0x128*/ VOID* pdcoAA;
    /*0x130*/ VOID* pdcoRender;
    /*0x138*/ VOID* pdcoSrc;
    /*0x140*/ UINT8 bEnableEngUpdateDeviceSurface;
    /*0x141*/ UINT8 bIncludeSprites;
    /*0x142*/ UINT8 _PADDING2_[0x2];
    /*0x144*/ ULONG32 ulWindowSystemRendering;
    /*0x148*/ ULONG32 iVisRgnUniqueness;
    /*0x14C*/ UINT8 _PADDING3_[0x4];
    /*0x150*/ struct _TL* ptl;
    /*0x158*/ struct _tagPROCESSINFO* ppi;
    /*0x160*/ struct _tagQ* pq;
    /*0x168*/ struct _tagKL* spklActive;
    /*0x170*/ struct _tagCLIENTTHREADINFO* pcti;
    /*0x178*/ struct _tagDESKTOP* rpdesk;
    /*0x180*/ struct _tagDESKTOPINFO* pDeskInfo;
    /*0x188*/ UINT64 ulClientDelta;
    /*0x190*/ struct _tagCLIENTINFO* pClientInfo;
    /*0x198*/ ULONG32 TIF_flags;
    /*0x19C*/ UINT8 _PADDING4_[0x4];
    /* The article reports this was always NULL on its test system. */
    /*0x1A0*/ struct _UNICODE_STRING* pstrAppName;
    /*0x1A8*/ struct _tagSMS* psmsSent;
    /*0x1B0*/ struct _tagSMS* psmsCurrent;
    /*0x1B8*/ struct _tagSMS* psmsReceiveList;
    /*0x1C0*/ LONG32 timeLast;
    /*0x1C4*/ UINT8 _PADDING5_[0x4];
    /*0x1C8*/ UINT64 idLast;
    /*0x1D0*/ INT32 exitCode;
    /*0x1D4*/ UINT8 _PADDING6_[0x4];
    /*0x1D8*/ struct _HDESK__* hdesk;
    /*0x1E0*/ INT32 cPaintsReady;
    /*0x1E4*/ UINT32 cTimersReady;
    /*0x1E8*/ struct _tagMENUSTATE* pMenuState;
    union // 2 elements, 0x8 bytes (sizeof)
    {
        /*0x1F0*/ struct _tagTDB* ptdb;
        /*0x1F0*/ struct _tagWINDOWSTATION* pwinsta;
    };
    /*0x1F8*/ struct _tagSVR_INSTANCE_INFO* psiiList;
    /*0x200*/ ULONG32 dwExpWinVer;
    union // 2 elements, 0x4 bytes (sizeof)
    {
        /*0x204*/ ULONG32 dwCompatFlags;
        struct // 32 elements, 0x4 bytes (sizeof)
        {
            /*0x204*/ UINT32 IgnoreNoDiscard : 1; // 0 BitPosition
            /*0x204*/ UINT32 ForceTextBand : 1; // 1 BitPosition
            /*0x204*/ UINT32 UsePrintingEscape : 1; // 2 BitPosition
            /*0x204*/ UINT32 IgnoreTopMost : 1; // 3 BitPosition
            /*0x204*/ UINT32 CallTTDevice : 1; // 4 BitPosition
            /*0x204*/ UINT32 MultipleBands : 1; // 5 BitPosition
            /*0x204*/ UINT32 AlwaysSendSyncPaint : 1; // 6 BitPosition
            /*0x204*/ UINT32 EditSetTextMunge : 1; // 7 BitPosition
            /*0x204*/ UINT32 MoreExtraWndWords : 1; // 8 BitPosition
            /*0x204*/ UINT32 TTIgnoreRasterDupe : 1; // 9 BitPosition
            /*0x204*/ UINT32 HackWinFlags : 1; // 10 BitPosition
            /*0x204*/ UINT32 DealyHwndShakeChk : 1; // 11 BitPosition
            /*0x204*/ UINT32 EnumHelv : 1; // 12 BitPosition
            /*0x204*/ UINT32 EnumTTNotDevice : 1; // 13 BitPosition
            /*0x204*/ UINT32 SubtractClips : 1; // 14 BitPosition
            /*0x204*/ UINT32 ForceTTGrapchis : 1; // 15 BitPosition
            /*0x204*/ UINT32 NoHRGN1 : 1; // 16 BitPosition
            /*0x204*/ UINT32 NcCalcSizeOnMove : 1; // 17 BitPosition
            /*0x204*/ UINT32 SendMnuDblClk : 1; // 18 BitPosition
            /*0x204*/ UINT32 Win30AvgWidth : 1; // 19 BitPosition
            /*0x204*/ UINT32 GetDeviceCaps : 1; // 20 BitPosition
            /*0x204*/ UINT32 Winver31 : 1; // 21 BitPosition
            /*0x204*/ UINT32 IncreaseStack : 1; // 22 BitPosition
            /*0x204*/ UINT32 Win31DevModeSize : 1; // 23 BitPosition
            /*0x204*/ UINT32 DisableFontAssoc : 1; // 24 BitPosition
            /*0x204*/ UINT32 IgnoreFaults : 1; // 25 BitPosition
            /*0x204*/ UINT32 NoEMFSpooling : 1; // 26 BitPosition
            /*0x204*/ UINT32 Random31Ux : 1; // 27 BitPosition
            /*0x204*/ UINT32 DontJournalAttach : 1; // 28 BitPosition
            /*0x204*/ UINT32 DisableDBCSProp : 1; // 29 BitPosition
            /*0x204*/ UINT32 SmoothScrolling : 1; // 30 BitPosition
            /*0x204*/ UINT32 NoScrollBarCtxMenu : 1; // 31 BitPosition
        };
    };
    union // 3 elements, 0x8 bytes (sizeof)
    {
        /*0x208*/ ULONG32 dwCompatFlags2;
        /*0x208*/ UINT64 qwCompatFlags2;
        struct // 34 elements, 0x8 bytes (sizeof)
        {
            /*0x208*/ UINT64 AnimationOff : 1; // 0 BitPosition
            /*0x208*/ UINT64 KCOff : 1; // 1 BitPosition
            /*0x208*/ UINT64 No50ExStyles : 1; // 2 BitPosition
            /*0x208*/ UINT64 NoDrawPatRect : 1; // 3 BitPosition
            /*0x208*/ UINT64 MsShellDlg : 1; // 4 BitPosition
            /*0x208*/ UINT64 NoDDETrackDying : 1; // 5 BitPosition
            /*0x208*/ UINT64 GiveUpForegound : 1; // 6 BitPosition
            /*0x208*/ UINT64 ActiveMenus : 1; // 7 BitPosition
            /*0x208*/ UINT64 EditNoMouseHide : 1; // 8 BitPosition
            /*0x208*/ UINT64 NoBatching : 1; // 9 BitPosition
            /*0x208*/ UINT64 FontSubs : 1; // 10 BitPosition
            /*0x208*/ UINT64 No50ExStyleBits : 1; // 11 BitPosition
            /*0x208*/ UINT64 NoCustomPaperSize : 1; // 12 BitPosition
            /*0x208*/ UINT64 DDE : 1; // 13 BitPosition
            /*0x208*/ UINT64 DefaultCharset : 1; // 14 BitPosition
            /*0x208*/ UINT64 NoCharDeadKey : 1; // 15 BitPosition
            /*0x208*/ UINT64 TryExceptCallWndProc : 1; // 16 BitPosition
            /*0x208*/ UINT64 NoInitFlagsOnFocus : 1; // 17 BitPosition
            /*0x208*/ UINT64 DDENoSync : 1; // 18 BitPosition
            /*0x208*/ UINT64 NoGhost : 1; // 19 BitPosition
            /*0x208*/ UINT64 DDENoAsyncReg : 1; // 20 BitPosition
            /*0x208*/ UINT64 StrictLLHook : 1; // 21 BitPosition
            /*0x208*/ UINT64 NoShadow : 1; // 22 BitPosition
            /*0x208*/ UINT64 ForceFusion : 1; // 23 BitPosition
            /*0x208*/ UINT64 NoTimeCbProtect : 1; // 24 BitPosition
            /*0x208*/ UINT64 DpiAware : 1; // 25 BitPosition
            /*0x208*/ UINT64 OpenGLEMF : 1; // 26 BitPosition
            /*0x208*/ UINT64 TransparentBltMirror : 1; // 27 BitPosition
            /*0x208*/ UINT64 NoPaddedBorder : 1; // 28 BitPosition
            /*0x208*/ UINT64 ForceLegacyResizeNCMetr : 1; // 29 BitPosition
            /*0x208*/ UINT64 HardwareMixer : 1; // 30 BitPosition
            /*0x208*/ UINT64 NoSoftCursOnMoveSize : 1; // 31 BitPosition
            /*0x208*/ UINT64 NoWindowArrangement : 1; // 32 BitPosition
            /*0x208*/ UINT64 SpareCompatFlags2 : 31; // 33 BitPosition
        };
    };
    /*0x210*/ struct _tagQ* pqAttach;
    /*0x218*/ struct _tagTHREADINFO* ptiSibling;
    /*0x220*/ struct _MOVESIZEDATA* pmsd;
    /*0x228*/ ULONG32 fsHooks;
    /*0x22C*/ UINT8 _PADDING7_[0x4];
    /*0x230*/ struct _tagHOOK* sphkCurrent;
    /*0x238*/ INT64 lParamHkCurrent;
    /*0x240*/ UINT64 wParamHkCurrent;
    /*0x248*/ struct _tagSBTRACK* pSBTrack;
    /*0x250*/ VOID* hEventQueueClient;
    /*0x258*/ struct _KEVENT* pEventQueueServer;
    /*0x260*/ struct _LIST_ENTRY PtiLink; // 2 elements, 0x10 bytes (sizeof)
    /*0x270*/ INT32 iCursorLevel;
    /*0x274*/ struct _tagPOINT ptLast; // 2 elements, 0x8 bytes (sizeof)
    /*0x27C*/ struct _tagPOINT ptLastReal; // 2 elements, 0x8 bytes (sizeof)
    /*0x284*/ UINT8 _PADDING8_[0x4];
    /*0x288*/ struct _tagWND* spwndDefaultIme;
    /*0x290*/ struct _tagIMC* spDefaultImc;
    /*0x298*/ struct _HKL__* hklPrev;
    /*0x2A0*/ INT32 cEnterCount;
    /*0x2A4*/ UINT8 _PADDING9_[0x4];
    /*0x2A8*/ struct _tagMLIST mlPost; // 3 elements, 0x18 bytes (sizeof)
    /*0x2C0*/ UINT16 fsChangeBitsRemoved;
    /*0x2C2*/ WCHAR wchInjected;
    /*0x2C4*/ ULONG32 fsReserveKeys;
    /*0x2C8*/ struct _KEVENT** apEvent;
    /*0x2D0*/ ULONG32 amdesk;
    /*0x2D4*/ UINT32 cWindows;
    /*0x2D8*/ UINT32 cVisWindows;
    /*0x2DC*/ UINT8 _PADDING10_[0x4];
    /*0x2E0*/ struct _tagHOOK* aphkStart[16];
    /*0x360*/ struct _tagCLIENTTHREADINFO cti; // 6 elements, 0x10 bytes (sizeof)
    /*0x370*/ VOID* hPrevHidData;
    /*0x378*/ struct _HTOUCHINPUT__* hTouchInputCurrent;
    /*0x380*/ struct _HGESTUREINFO__* hGestureInfoCurrent;
    /*0x388*/ struct _tagMSGPPINFO MsgPPInfo; // 1 elements, 0x4 bytes (sizeof)
    /*0x38C*/ UINT32 cNestedStableVisRgn;
    /*0x390*/ struct _LIST_ENTRY readyHead; // 2 elements, 0x10 bytes (sizeof)
    union // 2 elements, 0x8 bytes (sizeof)
    {
        struct // 5 elements, 0x4 bytes (sizeof)
        {
            /*0x3A0*/ ULONG32 fSpecialInitialization : 1; // 0 BitPosition
            /*0x3A0*/ ULONG32 fgfSwitchInProgressSetter : 1; // 1 BitPosition
            /*0x3A0*/ ULONG32 fPack : 26; // 2 BitPosition
            /*0x3A0*/ ULONG32 fThreadCleanupFinished : 1; // 28 BitPosition
            /*0x3A0*/ ULONG32 fETWReserved : 3; // 29 BitPosition
        };
        /*0x3A0*/ ULONG32 ulThreadFlags2;
    };
    /*0x3A8*/ struct _tagPOPUPMENU* ppmlockFree;
}tagTHREADINFO, *PtagTHREADINFO;
第一个成员就是ETHREAD
有了ETHREAD
有两个方法 ,一是使用 IoThreadToProcess直接得到EPROCESS
二是在ETHREAD+0x210处记录了EPROCESS
总的来说:
是这么遍历的
EPROCESS->Win32Process(tagPROCESSINFO)->struct _tagDESKTOP* rpdeskStartup->struct _tagDESKTOPINFO* pDeskInfo->struct _tagWND* spwnd->struct _tagWND* spwndChild
这个_tagWND+0x48处记录着下一个tagWND 使用这个来遍历全部
tagWND获得EPROCESS
在tagWND+0x10处 (也就是在THRDESKHEAD里)
有一个tagTHREADINFO
tagTHREADINFO第一个成员是ETHREAD 然后使用IoThreadToProcess获取EPROCESS即可
下面是代码:在win7 x64中测试通过
传入桌面进程的EPROCESS
不过硬编码是硬伤
这些是怎么发现的,可以参考win32子系统的实现
新的发现: tagWND下_THRDESKHEAD的第一个成员h就是hwnd
在tagWND + 0xd8处
+0x0d8 strName : _LARGE_UNICODE_STRING
存放窗口标题
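//#include <ntddk.h>
#include <ntifs.h>

NTKERNELAPI PVOID PsGetProcessWin32Process( IN PEPROCESS Process );
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);

/*
 * Hard-coded win32k offsets, taken from the structure dumps above.
 * They are only valid for the Win7 x64 build those dumps came from; a
 * mismatch on any other build means reading the wrong field and, most
 * likely, a bugcheck. Re-verify every one of them before reuse.
 */
enum {
    OFF_PPI_RPDESKSTARTUP = 0x110, /* tagPROCESSINFO.rpdeskStartup            */
    OFF_DESKTOP_PDESKINFO = 0x008, /* tagDESKTOP.pDeskInfo                    */
    OFF_DESKINFO_SPWND    = 0x010, /* tagDESKTOPINFO.spwnd                    */
    OFF_WND_HEAD_H        = 0x000, /* tagWND.head.h  (the HWND)               */
    OFF_WND_HEAD_PTI      = 0x010, /* tagWND.head.pti                         */
    OFF_WND_SPWNDNEXT     = 0x048, /* tagWND.spwndNext                        */
    OFF_WND_SPWNDCHILD    = 0x060, /* tagWND.spwndChild                       */
    OFF_WND_STRNAME       = 0x0D8, /* tagWND.strName (_LARGE_UNICODE_STRING)  */
    OFF_LUS_LENGTH        = 0x000, /* _LARGE_UNICODE_STRING.Length, in bytes  */
    OFF_LUS_BUFFER        = 0x008, /* _LARGE_UNICODE_STRING.Buffer            */
    OFF_TI_PETHREAD       = 0x000  /* tagTHREADINFO.pEThread                  */
};

/* Read one pointer-sized field at base + offset. base must be non-zero;
 * nothing here validates that the address is mapped. */
static ULONG_PTR read_ptr(ULONG_PTR base, ULONG_PTR offset)
{
    return *(ULONG_PTR*)(base + offset);
}

/*
 * Print tagWND.strName for one window.
 *
 * The dump shows strName as a _LARGE_UNICODE_STRING (4 elements, 0x10
 * bytes) with Buffer at +8; Length at +0 follows the public
 * LARGE_UNICODE_STRING layout — NOTE(review): confirm on the target build.
 * The original printed Buffer with %S, which scans for a NUL the buffer
 * does not guarantee; bound the print by Length instead. UNICODE_STRING
 * .Length is a USHORT, so a longer caption is clipped. If the bAnsi bit of
 * the string is set the buffer is not wide text — not handled here.
 */
static VOID print_window_name(ULONG_PTR tag_wnd)
{
    ULONG_PTR lus = tag_wnd + OFF_WND_STRNAME;
    PWSTR buffer = (PWSTR)read_ptr(lus, OFF_LUS_BUFFER);
    ULONG length = *(ULONG*)(lus + OFF_LUS_LENGTH);
    UNICODE_STRING name;

    if (buffer == NULL || length == 0) {
        return;
    }
    if (length > 0xFFFE) {
        length = 0xFFFE;
    }
    name.Length = (USHORT)length;
    name.MaximumLength = name.Length;
    name.Buffer = buffer;
    DbgPrint("strName:%wZ", &name);
}

/*
 * Print one window (HWND, tagWND address, caption) and its owning process
 * (PID, image name). Windows whose owner cannot be resolved — no pti, no
 * ETHREAD, or IoThreadToProcess returning NULL — are skipped silently,
 * exactly as the original loop did with its `continue` branches.
 */
static VOID print_window(ULONG_PTR tag_wnd)
{
    ULONG_PTR h = read_ptr(tag_wnd, OFF_WND_HEAD_H);
    ULONG_PTR tag_thread_info;
    ULONG_PTR ethread;
    PEPROCESS owner;

    if (h != 0) {
        DbgPrint("hwnd:0x%llx----tag_wnd:0x%llx\n",
                 (unsigned long long)h, (unsigned long long)tag_wnd);
    }

    tag_thread_info = read_ptr(tag_wnd, OFF_WND_HEAD_PTI);
    if (tag_thread_info == 0) {
        return;
    }
    /* tagTHREADINFO.pstrAppName (+0x1A0) was always NULL in the author's
     * tests, so it is not used for the name. */
    ethread = read_ptr(tag_thread_info, OFF_TI_PETHREAD);
    if (ethread == 0) {
        return;
    }
    /* IoThreadToProcess is the exported way to get the owner; the
     * commented-out KTHREAD+0x210 read was one more build-specific offset. */
    owner = IoThreadToProcess((PETHREAD)ethread);
    if (owner == NULL) {
        return;
    }

    print_window_name(tag_wnd);
    /* PID is a HANDLE/ULONG_PTR; the original's %d truncated it on x64. */
    DbgPrint("\nProcessID:%llu\n",
             (unsigned long long)(ULONG_PTR)PsGetProcessId(owner));
    /* EPROCESS.ImageFileName is a short fixed-size array; bound the print
     * so a name that fills it cannot run past the field. */
    DbgPrint("ProcessName:%.15s\n", PsGetProcessImageFileName(owner));
}

/*
 * Walk the top-level windows of the desktop `explorer` started on and print
 * each window's HWND, tagWND address, caption, and owning PID / image name.
 *
 * Path (see the dumps above):
 *   EPROCESS -> Win32Process (tagPROCESSINFO) -> rpdeskStartup (tagDESKTOP)
 *   -> pDeskInfo (tagDESKTOPINFO) -> spwnd (tagWND) -> spwndChild,
 *   then spwndNext until NULL.
 * Owner: tagWND.head.pti -> tagTHREADINFO.pEThread -> IoThreadToProcess.
 *
 * Must run at PASSIVE_LEVEL. The win32k structures live in session space,
 * so the walk runs attached to the GUI process; KeStackAttachProcess /
 * KeUnstackDetachProcess replace the obsolete KeAttachProcess pair. No
 * pointer read here is validated beyond a NULL check — a stale or wrong-
 * build pointer bugchecks the machine. This is test code, not something to
 * run on a production system.
 *
 * explorer: EPROCESS of explorer.exe; the caller holds the reference.
 *           NULL is a no-op.
 */
VOID EnumWindows(PEPROCESS explorer)
{
    KAPC_STATE apc_state;
    ULONG_PTR win32_process, tag_desk_top, tag_desk_info, tag_desk_wnd, tag_wnd;

    if (explorer == NULL) {
        return;
    }

    KeStackAttachProcess((PRKPROCESS)explorer, &apc_state);
    do {
        win32_process = (ULONG_PTR)PsGetProcessWin32Process(explorer); //tagPROCESSINFO
        if (win32_process == 0) {
            DbgPrint("win32_process");
            break;
        }
        tag_desk_top = read_ptr(win32_process, OFF_PPI_RPDESKSTARTUP); //tagDESKTOP
        if (tag_desk_top == 0) {
            DbgPrint("tag_desk_top");
            break;
        }
        tag_desk_info = read_ptr(tag_desk_top, OFF_DESKTOP_PDESKINFO); //tagDESKTOPINFO
        if (tag_desk_info == 0) {
            DbgPrint("tag_desk_info");
            break;
        }
        tag_desk_wnd = read_ptr(tag_desk_info, OFF_DESKINFO_SPWND); //struct _tagWND* spwnd;
        if (tag_desk_wnd == 0) {
            DbgPrint("tag_desk_wnd");
            break;
        }
        tag_wnd = read_ptr(tag_desk_wnd, OFF_WND_SPWNDCHILD); //struct _tagWND* spwndChild;
        if (tag_wnd == 0) {
            DbgPrint("tag_wnd");
            break;
        }
        /* Sibling list; advancing in one place replaces the four copies of
         * the spwndNext read the original loop carried. */
        for (; tag_wnd != 0; tag_wnd = read_ptr(tag_wnd, OFF_WND_SPWNDNEXT)) {
            print_window(tag_wnd);
        }
    } while (0);
    KeUnstackDetachProcess(&apc_state);
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("[kernel]88!\n");
}

/*
 * PID of explorer.exe on the test machine. The value is the one from the
 * author's commented-out PsLookupProcessByProcessId call; it changes on
 * every boot, so set it before each test.
 */
#define EXPLORER_PID_FOR_TEST 1384

/*
 * Test entry point. The original passed a hard-coded EPROCESS address
 * (0xfffffa801a596b30) straight to EnumWindows; that address is only valid
 * on the machine and boot it was read from and dereferences garbage
 * anywhere else. Look the process up by PID instead, as the commented-out
 * lookup in the original intended, and drop the reference afterwards.
 * The driver still loads when the lookup fails; it just enumerates nothing.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    PEPROCESS explorer = NULL;

    UNREFERENCED_PARAMETER(pRegPath);
    pDriverObject->DriverUnload = DriverUnload;

    status = PsLookupProcessByProcessId((HANDLE)EXPLORER_PID_FOR_TEST, &explorer);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId failed: 0x%x\n", status);
        return STATUS_SUCCESS;
    }
    EnumWindows(explorer);
    ObDereferenceObject(explorer); /* balances the lookup's reference */
    return STATUS_SUCCESS;
}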
测试图:有一些是没有strName的