9种枚举枚举进程的方法及实现

最新推荐文章于 2024-04-24 15:47:49 发布
最新推荐文章于 2024-04-24 15:47:49 发布
阅读量1.5k 收藏 3
点赞数
文章标签: table null object exception integer list
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/instruder/article/details/5710036
版权

//

//native api获得进程表
NTSTATUS NativeApiEnumProcess()
{
 ULONG pNeededSize=0;
 int iCount = 1;
 int bOver=0;
 NTSTATUS status;
 ULONG uSize;
 PVOID pSi=NULL; 
 PSYSTEM_PROCESS_INFORMATION pSpiNext = NULL;
 uSize=0x8000;
 pSi=ExAllocatePoolWithTag(PagedPool,uSize,'pro1');
 if (pSi!=NULL)
 {
  status=ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,pSi,uSize,&pNeededSize);
  DbgPrint("[NativeApi] SUCCESS uSize = %.8X, pNeededSize = %.8X, status = %.8X/n", uSize, pNeededSize, status);
  uSize=pNeededSize;
  status=ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,pSi,uSize,&pNeededSize);
  if (STATUS_SUCCESS==status)
  {
   pSpiNext=(PSYSTEM_PROCESS_INFORMATION) pSi;
   while (TRUE)
   {
    PEPROCESS Pepr=NULL;
    if (pSpiNext->ProcessId==0)
    {
     KdPrint(("[NativeApi] %d - System Idle Process/n",pSpiNext->ProcessId));
     if (PsLookupProcessByProcessId((HANDLE)(pSpiNext->ProcessId),&Pepr)==STATUS_SUCCESS)
     {
      DbgPrint("%.8X/n",Pepr);
      FindAndCheckProcess(TRUE,(ULONG)Pepr);
     }

    }
    else
    {
     KdPrint(("[NativeApi] %d - %wZ/n",pSpiNext->ProcessId,&pSpiNext->ImageName));
     
     if (pSpiNext->ProcessId)
     {
      if (PsLookupProcessByProcessId((HANDLE)(pSpiNext->ProcessId),&Pepr)==STATUS_SUCCESS)
      {
       DbgPrint("%.8X/n",Pepr);
       FindAndCheckProcess(TRUE,(ULONG)Pepr);
      }
      
      
     }
     
     iCount++; 
    }
    if (pSpiNext->NextEntryOffset==0)
    {
     KdPrint(("[NativeApi] EnumProcess Over, Count is: %d/n"),iCount);
     bOver=1;
     break;
    }
    pSpiNext = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pSpiNext + pSpiNext->NextEntryOffset); 
    
   }
   ExFreePoolWithTag(pSi,'pro1');
   
  }
  else
  {
   DbgPrint("[NativeApi] SUCCESS uSize = %.8X, pNeededSize = %.8X, status = %.8X/n", uSize, pNeededSize, status);
   return STATUS_UNSUCCESSFUL;
  }
  
 }
  return STATUS_SUCCESS;

 

}
//通过进程的ActiveProcessLinks枚举进程+
/************************************************************************/
/* lkd> dt nt!_EPROCESS 89a36da0
+0x000 Pcb              : _KPROCESS
+0x06c ProcessLock      : _EX_PUSH_LOCK
+0x070 CreateTime       : _LARGE_INTEGER 0x1cb16ad`6e0b0d84
+0x078 ExitTime         : _LARGE_INTEGER 0x0
+0x080 RundownProtect   : _EX_RUNDOWN_REF
+0x084 UniqueProcessId  : 0x00000344
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8993a658 - 0x894e59d8 ]                                                                     */
/************************************************************************/
NTSTATUS ActivelistEnumProcess()
{

 PEPROCESS PCurentProcess=IoGetCurrentProcess();
 DbgPrint("%.8X/n",PCurentProcess);
 PEPROCESS NextErprocess=NULL;
 LIST_ENTRY *Entry=NULL;
 LDR_DATA_TABLE_ENTRY *DataTableEntry = NULL;
 //IDLE并不在该链表中的
 Entry=(LIST_ENTRY*)((ULONG)PCurentProcess+ActivelistOffset);
 
 do
 {
  
  NextErprocess =(PEPROCESS)((ULONG)(*(PULONG)((ULONG)PCurentProcess+ActivelistOffset))-ActivelistOffset);
  DbgPrint("%.8X/n",NextErprocess);
  if (NextErprocess!=NULL)
   {
    KdPrint(("[Activelist] %d - %s/n",*(PULONG)((ULONG)NextErprocess+ProcessIdOffset),((ULONG)NextErprocess+ImageNameOffset)));
    FindAndCheckProcess(FALSE,(ULONG)NextErprocess);
   }
     
  Entry=Entry->Blink;
  PCurentProcess=NextErprocess;
    
 }while(Entry != ((LIST_ENTRY*)((ULONG)PCurentProcess+ActivelistOffset)));
 return STATUS_SUCCESS;    
}


//得到CidHandleAddr
ULONG GetCidTableAddr()
{
 
 ULONG pCidHandleAddr;

 __asm{
  mov eax,fs:[0x34]FS指向_KPCR// +0x034 KdVersionBlock   : Ptr32 Void
   mov eax,[eax+0x80]
   mov eax,[eax]
  mov pCidHandleAddr,eax
 }
 return pCidHandleAddr;
}

NTSTATUS PspCidTableProcess()

  ULONG pCidTableAddr;
  pCidTableAddr=GetCidTableAddr();

  
  PHANDLE_TABLE pCidHandleTable = NULL;
  PHANDLE_TABLE_ENTRY pTable1, *pTable2, **pTable3;
  pCidHandleTable=(PHANDLE_TABLE)(PULONG)(pCidTableAddr);
  ULONG leverl=(pCidHandleTable->TableCode)&0x3;
   //低二位是作为标志的
  ULONG PRealHandleTable=(pCidHandleTable->TableCode)& ~0x3;
  ULONG MaxHandle=pCidHandleTable->NextHandleNeedingPool;
  DbgPrint("leverl %d/n",leverl);
  __asm int 3
  switch(leverl)
  {

  case HANDLE_LAYER1:
    pTable1=(PHANDLE_TABLE_ENTRY)PRealHandleTable;
    for (ULONG index=0;index<MAX_ENT_CNT; index++ )
    {
     if (pTable1[index].Object!=NULL)
     {
      ULONG pObject=(ULONG)(pTable1[index].Object) & ~ 0x7;低三位标志
      if (MmIsAddressValid((PULONG)(pObject - 0x10)))
      {
       POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject - 0x10));
       //+0x018 Body             : _QUAD
       //+0x008 Type             : 0x89b4ead0 _OBJECT_TYPE
       if( pType == *PsProcessType )
       {
        DbgPrint("PId:%d/tPath:%s/n", index*4, (PUCHAR)(pObject+ImageNameOffset) );
        FindAndCheckProcess(FALSE,(ULONG)pObject);
       }
      }
     }
    }
    break;   
  case HANDLE_LAYER2:
    pTable2=(PHANDLE_TABLE_ENTRY *)PRealHandleTable;
    //二级表中有几个一级表呢?假如uMax_Handle=0x800,索引时以4步进的,一个一级表最大的句柄数就是MAX_ENT_CNT
    for (ULONG index=0;index<MaxHandle/(4*MAX_ENT_CNT);index++)//index为几个一级表
    {
     pTable1 = pTable2[index];
     if (pTable1==NULL)
     {
      break;
     }
     else
     {
      for (ULONG i=0;i<MAX_ENT_CNT; i++)//一级表的最大句柄数就是MAX_ENT_CNT
      {
       if (pTable1[i].Object!=NULL)
       {
        ULONG pObject = (ULONG)(pTable1[i].Object) & ~7;
        if( MmIsAddressValid( (PULONG)(pObject-0x10) ) )
        {
         POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject-0x10));
         if( pType == *PsProcessType )
         {
          DbgPrint("PId:%d/tPath:%s/n", index*MAX_ENT_CNT*4+i*4, (PUCHAR)(pObject+ImageNameOffset) );
          FindAndCheckProcess(FALSE,(ULONG)pObject);
         }
        }
       }

      }
     }

    }
    break;
  case HANDLE_LAYER3:
   ULONG index = 0;
   //从第三级找到第二级,在从第二级找到第一级
   pTable3 = (PHANDLE_TABLE_ENTRY**)(PRealHandleTable);
   for( index = 0; index < MaxHandle/(MAX_ADD_CNT*MAX_ENT_CNT*4); index++ )
   {
    ULONG i = 0;
    pTable2 = (PHANDLE_TABLE_ENTRY*)((ULONG)pTable3[index] & ~0x3);
    if( pTable2 == NULL )
     break;
    for( i = 0; i < MAX_ADD_CNT; i++ )// 二级表都是指针。所以一个表有0x1000/4(一个ULONG指针的大小)
    {
     
     pTable1 = pTable2[i];
     if( pTable1 == NULL )
      break;
     else
     {
      ULONG j = 0;
      for( j = 0; j < MAX_ENT_CNT; j++ )
      {
       if( pTable1[j].Object != NULL )
       {
        ULONG pObject = (ULONG)(pTable1[j].Object) & ~7;
        if( MmIsAddressValid( (PULONG)(pObject-0x10) ) )
        {
         POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject-0x10));
         if( pType == *PsProcessType )
         {
          DbgPrint("PId:%d/tPath:%s/n", index*MAX_ADD_CNT*MAX_ENT_CNT*4+i*MAX_ENT_CNT*4+j*4,/
           (PUCHAR)(pObject+ImageNameOffset) );
          FindAndCheckProcess(FALSE,(ULONG)pObject);
         }
        }
       }
       
       
      }
      
     }
    }
    
   }
   
  
    break;
  }
 return STATUS_SUCCESS;
 
}
//通过Handletablelisthead枚举进程
/************************************************************************/
/* 要找到HeadleTableListHead,我们要注意到HandleTableListHead是一个全局的内核变量,因此它一定是在内核文件的某一个段

  (Section)里面,并且HandleTableList的其他成员是在动态分配的内存中,所以总是受到内核地址空间的限制。根据这些,
  我们需要得到任
 
 何一个进程的HandleTable的指针,然后遍历链表直到找到定位在这个内核地址空间的成员,那么这个成员就是HandleTableListHead了。
                                                                     */
/************************************************************************/
NTSTATUS HandletablelistheadEnumProcess()
{
PLIST_ENTRY HanTableListHead=NULL;
NTSTATUS nResult;
PLIST_ENTRY CurrTable=NULL;
PEPROCESS PEprocess=NULL;
PLIST_ENTRY  HandleTableList=NULL;
ULONG ulNeededSize, uLoop, uKernelSta,NtoskrnlLast;
PMODULE_LIST pModuleList=NULL;
//获取内核模块基址
ZwQuerySystemInformation(SystemModuleInformation, &ulNeededSize, 0, &ulNeededSize);
pModuleList = (PMODULE_LIST)ExAllocatePool(NonPagedPool, ulNeededSize);
nResult = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, ulNeededSize, NULL);
if (NT_SUCCESS(nResult))
{//ntoskrnl is always first there
 uKernelSta =(ULONG) pModuleList->a_Modules[0].p_Base;
NtoskrnlLast=(ULONG) pModuleList->a_Modules[0].p_Base+(ULONG) pModuleList->a_Modules[0].d_Size;
}
ExFreePool(pModuleList);
//获取Handletablelisthead地址
PHANDLE_TABLE HandleTable=*(PHANDLE_TABLE *)((ULONG)PsGetCurrentProcess() + HandleTableOffset);
HandleTableList = (PLIST_ENTRY)((ULONG)HandleTable + HandleTableListOffset);
for (CurrTable=HandleTableList->Flink;CurrTable!=HandleTableList;CurrTable=CurrTable->Flink)
{
 if ((ULONG)CurrTable>uKernelSta  && (ULONG)CurrTable<NtoskrnlLast)
 {
  HanTableListHead=CurrTable;
  break;
 }

}
__asm int 3
//开始枚举
for (CurrTable =  HanTableListHead->Flink;
CurrTable != HanTableListHead;
CurrTable =  CurrTable->Flink)
{
 PEprocess = *(PEPROCESS *)((PUCHAR)CurrTable - HandleTableListOffset + QuotaProcessOffset);
 if (PEprocess)
 {
  KdPrint(("[Handletablelisthead] %d - %s/n",*(PULONG)((ULONG)PEprocess+ProcessIdOffset),(PUCHAR)((ULONG)PEprocess+ImageNameOffset)));
  FindAndCheckProcess(FALSE,(ULONG)PEprocess);
 }
}

return STATUS_SUCCESS;
}


//从csrss进程中枚举进程,这个是个子系统进程,包含记录了当前的进程

NTSTATUS WalkCsrssEnumProcess()
{
PEPROCESS CurentPro=IoGetCurrentProcess();

DbgPrint("%.8X/n",CurentPro);
__asm int 3
PEPROCESS pTempPro=CurentPro;
PEPROCESS pEProcess = NULL;

NTSTATUS Status = STATUS_SUCCESS;
PHANDLE_TABLE pObjectTable = NULL;
PHANDLE_TABLE_ENTRY table1, *table2, **table3;
ULONG level;
ULONG pRealHandleTable;
 ULONG uHandleCount;

//获取csrss的PEPROCESS
/************************************************************************/
/* lkd> dd 8992ada0+0X88
8992ae28  898d0c18 89acad28 000016d0 00024ac4
8992ae38  000001d0 000019a0 000254ec 00000396
 dd PEPROCESS=898d0c18-0x88                                             
 */
/************************************************************************/
do
{
 DbgPrint("name is %s/n",(PCHAR)((ULONG)pTempPro+ImageNameOffset));
// __asm int 3
 if (strcmp((PCHAR)((ULONG)pTempPro+ImageNameOffset),"csrss.exe")==0)
 {
 
  /*return pTempPro;*/
  //开始枚举
  pEProcess=pTempPro;

  pObjectTable = (PHANDLE_TABLE)(*(PULONG)((ULONG)pEProcess + HandleTableOffset));
  level = pObjectTable->TableCode & 3;
  pRealHandleTable = pObjectTable->TableCode & ~3;
  uHandleCount = pObjectTable->NextHandleNeedingPool;
  switch( level )
  {
  case 0:
   {
    ULONG index = 0;
    table1 = (PHANDLE_TABLE_ENTRY)pRealHandleTable;
    for( index = 0; index < MAX_ENT_CNT; index++ )
    {
     ULONG pObject = (ULONG)(table1[index].Object) & ~7;
     if( MmIsAddressValid( (PULONG)(pObject+0x8) ) )
     {
      POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject+0x8));
      if( pType == *PsProcessType )
      {
       PEPROCESS pAddr = (PEPROCESS)(pObject+0x18);
       DbgPrint("PId:%d/tPath:%s/n", *(PULONG)((ULONG)pAddr+ProcessIdOffset), (PUCHAR)((ULONG)pAddr+ImageNameOffset) );
       FindAndCheckProcess(FALSE,(ULONG)pAddr);
      }
     }
    }
    break;
    
   }
  case 1:
   {
    ULONG index = 0;
    table2 = (PHANDLE_TABLE_ENTRY*)pRealHandleTable;
    for( index = 0; index < uHandleCount/(4*MAX_ENT_CNT); index++ )
    {
     ULONG i = 0;
     table1 = table2[index];
     if( table1 == NULL )
      break;
     for( i = 0; i < MAX_ENT_CNT; i++ )
     {
      ULONG pObject = (ULONG)(table1[i].Object) & ~7;
      if( MmIsAddressValid( (PULONG)(pObject+0x8) ) )
      {
       POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject+0x8));
       if( pType == *PsProcessType )
       {
        ULONG pAddr = (ULONG)(pObject+0x18);
        DbgPrint("PId:%d/tPath:%s/n", *(PULONG)(pAddr+ProcessIdOffset),  (PUCHAR)(pAddr+ImageNameOffset) );
        FindAndCheckProcess(FALSE,(ULONG)pAddr);
       }
      }
      
     }
     
    }
    break;
   }
  case 2:
   {
    ULONG index = 0;
    table3 = (PHANDLE_TABLE_ENTRY**)pRealHandleTable;
    for( index = 0; index < uHandleCount/(4*MAX_ENT_CNT*MAX_ADD_CNT); index++ )
    {
     ULONG i = 0;
     table2 = (PHANDLE_TABLE_ENTRY*)((ULONG)table3[index] & ~0x3);
     if( table2 == NULL )
      break;
     for( i = 0; i < MAX_ADD_CNT; i++ )
     {
      ULONG j = 0;
      table1 = table2[i];
      if( table1 == NULL )
       break;
      for( j = 0; j < MAX_ENT_CNT; j++ )
      {
       ULONG pObject = (ULONG)(table1[j].Object) & ~7;
       if( MmIsAddressValid( (PULONG)(pObject+0x8) ) )
       {
        POBJECT_TYPE pType = (POBJECT_TYPE)(*(PULONG)(pObject+0x8));
        if( pType == *PsProcessType )
        {
         ULONG pAddr = (ULONG)(pObject+0x18);
         DbgPrint("PId:%d/tPath:%s/n", *(PULONG)(pAddr+ProcessIdOffset),  (PUCHAR)(pAddr+ImageNameOffset) );
         FindAndCheckProcess(FALSE,(ULONG)pAddr);
        }
       }
       
      }
     }
     
    }
    break;
   }
  }

 //枚举成功
 return STATUS_SUCCESS;


 }
 pTempPro=(PEPROCESS)(*(PULONG)((ULONG)pTempPro+ActivelistOffset)-ActivelistOffset);
} while (CurentPro!=pTempPro);
return STATUS_UNSUCCESSFUL;

 

}

//通过自身的HANDLETABLE枚举进程
NTSTATUS FromCruentProEnumProcess()
{

 PEPROCESS PCurrentProc=IoGetCurrentProcess();
 DbgPrint("%.8X/n",PCurrentProc);
 PLIST_ENTRY CurrList=NULL;
 PEPROCESS PEprocess,Ptemp=PCurrentProc;
 ULONG Phandle;
 PLIST_ENTRY PCurrentHandleList=NULL;
  //__asm int 3
 do
 {
  Phandle=(ULONG)(*(PULONG)((ULONG)PCurrentProc+HandleTableOffset));
  DbgPrint("Phandle %.8X/n",Phandle);
  PCurrentHandleList=(PLIST_ENTRY)(Phandle+HandleTableListOffset);
  CurrList=PCurrentHandleList->Flink;
  DbgPrint("Phandle %.8X/n",CurrList);//E1000CEC

 // __asm int 3
  PEprocess = *(PEPROCESS *)((PUCHAR)CurrList- HandleTableListOffset + QuotaProcessOffset);
  if (PEprocess)
  {
   KdPrint(("[FromCruentPro] %d - %s/n",*(PULONG)((ULONG)PEprocess+ProcessIdOffset),(PUCHAR)((ULONG)PEprocess+ImageNameOffset)));
   FindAndCheckProcess(FALSE,(ULONG)PEprocess);
  }
  else
  {
   return STATUS_UNSUCCESSFUL;
  }
  //ULONG Phandle=(ULONG)(*(PULONG)((ULONG)PCurrentProc+HandleTableOffset));
  PCurrentProc=PEprocess;

 } while (PCurrentProc!=Ptemp);
   
 return STATUS_SUCCESS;
 
}

//进程的SessionProcessLinks获得进程表
NTSTATUS SessionProcessLinksEnumProcess()
{
 PEPROCESS PCur=IoGetCurrentProcess();
 PEPROCESS Ptemp=PCur;
 //取system下一个的进程
 __asm int 3
   DbgPrint("%.8X/n",Ptemp);
// Ptemp=(PEPROCESS)((ULONG)(*(PULONG)((ULONG)PCur+ActivelistOffset))-ActivelistOffset);
Ptemp = (PEPROCESS)( *(PULONG)(*(PULONG)((ULONG)Ptemp + ActivelistOffset+4) + 0x4) - ActivelistOffset );//取用户进程
 DbgPrint("%.8X/n",Ptemp);
 PCur=Ptemp;
 do
 {
  if (MmIsAddressValid(Ptemp))
  {
   KdPrint(("[SessionProcessLinks] %d - %s/n",*(PULONG)((ULONG)Ptemp+ProcessIdOffset),(PUCHAR)((ULONG)Ptemp+ImageNameOffset)));
   FindAndCheckProcess(FALSE,(ULONG)Ptemp);
   Ptemp=(PEPROCESS)(*(PULONG)((ULONG)Ptemp+SessionProcessLinksOffset)-SessionProcessLinksOffset);
   
  }
  else
  {
   break;
  }
 

 } while (PCur!=Ptemp);

 return STATUS_SUCCESS;
}

//通过EPROCESS ---VM---WorkingSetExpansionLinks获取进程
NTSTATUS WorkingSetExpansionLinksEnumProcess()
{

 PEPROCESS Ptemp,PCur=IoGetCurrentProcess();
 Ptemp=PCur;
 __asm int 3
 do
 {
  __try{
   if (MmIsAddressValid(Ptemp)==FALSE)
   {
    break;
   }
   KdPrint(("[WorkingSetExpansionLinks] %d - %s/n",*(PULONG)((ULONG)Ptemp+ProcessIdOffset),(PUCHAR)((ULONG)Ptemp+ImageNameOffset))); 
   FindAndCheckProcess(FALSE,(ULONG)Ptemp);
   Ptemp=(PEPROCESS)(*(PULONG)((ULONG)Ptemp+WorkingSetExpansionLinksOffset)-WorkingSetExpansionLinksOffset);
   if (!Ptemp)
   {
    break;
   }

  }
  __except(EXCEPTION_EXECUTE_HANDLER)
  {
   break;
  }
 
 } while (Ptemp!=PCur);
 return STATUS_SUCCESS;
}

//从TypeList中枚举进程,需要维持一个标志,而且要重启后生效,故....
NTSTATUS TypeListEnumProcess()
{

  
 return STATUS_SUCCESS;
}
/************************************************************************/
/* lkd> !object 88aa84b8//PEROCESS
Object: 88aa84b8  Type: (89b52ca0) Process
ObjectHeader: 88aa84a0 (old version)
HandleCount: 7  PointerCount: 289
lkd> dt nt!_OBJECT_HEADER 88aa84a0
+0x000 PointerCount     : 289
+0x004 HandleCount      : 7
+0x004 NextToFree       : 0x00000007
+0x008 Type             : 0x89b52ca0 _OBJECT_TYPE
+0x00c NameInfoOffset   : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset  : 0 ''
+0x00f Flags            : 0x20 ' '
+0x010 ObjectCreateInfo : 0x8990e3b0 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x8990e3b0
+0x014 SecurityDescriptor : 0xe1fbedf9
+0x018 Body             : _QUAD
                                                                     */
/************************************************************************/
BOOLEAN IsRealProcess(ULONG uAddr)
{
 ULONG uType = 0;
  ULONG pObjectTypeAddr = 0;
 if (IsValidAddr(uAddr)!=VALID_PAGE)
 {
  return FALSE;
 }
 pObjectTypeAddr=uAddr-ObjectHeaderSize+TypeHeaderOffset;
 if (IsValidAddr(pObjectTypeAddr)!=VALID_PAGE)
 {
  return FALSE;
 }
 else
 {
  ULONG pObjectType=*(PULONG)pObjectTypeAddr;
  if (pObjectType==*(PULONG)PsProcessType)
  {
   return TRUE;
  }
 }
 return FALSE;

}
//暴力搜索内存MmSystemRangeStart以上查找PROCESS对象
NTSTATUS SerachMemoryEnumProcess()
{
 ULONG uStartAddr;
 __asm{
  mov eax,MmSystemRangeStart
   mov eax,[eax]
   mov uStartAddr,eax
 }
 PEPROCESS PCurrent=IoGetCurrentProcess();
 KdPrint(("[SerachMemory] %d - %s/n",*(PULONG)((ULONG)PCurrent+ProcessIdOffset),(PUCHAR)((ULONG)PCurrent+ImageNameOffset))); 
 for (;uStartAddr<(ULONG)PCurrent+0x800000;uStartAddr+=4)
 {
  ULONG bRet;
  bRet=IsValidAddr( uStartAddr );
  if (bRet==VALID_PAGE)
  {
   if ((*(PULONG)uStartAddr & 0xffff0000)==PEBFlags)//这里定位到的是PEB
   {
    if (IsRealProcess(uStartAddr-PEBOffset))
    {
     __try{

      KdPrint(("[SerachMemory] %d - %s/n",*(PULONG)(uStartAddr-PEBOffset+ProcessIdOffset),(PUCHAR)(uStartAddr-PEBOffset+ImageNameOffset))); 
      if (*(PULONG)(uStartAddr-PEBOffset+ExitTimeOffset)!=0)
      {
       //已经推出了 
      }
      else
      {
       FindAndCheckProcess(FALSE,(ULONG)(uStartAddr-PEBOffset));
      }
     }
     __except(EXCEPTION_EXECUTE_HANDLER)
     {
      
     }
     
     
    }
    uStartAddr -= 4;
     uStartAddr += 0x25c;
    
   }
  }
  else if( bRet == PDEINVALID )
  {
   uStartAddr -= 4;
   uStartAddr += 0x400000;
  }
  else
  {
   uStartAddr -= 4;
   uStartAddr += 0x1000;
  }

 }

}

 

 

//剩下的还有通过xp下的2个线程调度表来枚举,不过有些太不稳定了,忽略。。

 

现在隐藏进程都好难了,呜呜呜

 

努力努力在努力

instruder
关注
  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
枚举进程(ZwQuerySystemInformation)
KOOKNUT的博客
03-13 1535
枚举进程的另外一方法,也是CreateToolhelp32Snapshot内部真实的调用枚举进程信息的函数,在ntdll下导出的函数ZwQuerySystemInformation。这个函数是ntdll动态库下的一个导出函数,我们首先需要获得ntdll的模块句柄,接下来查找函数ZwQuerySystemInformation的函数地址,进行函数指针强转之后,进行调用。ZwQuerySys...
易语言枚举进程所有句柄
07-16
易语言枚举进程所有句柄源码,枚举进程所有句柄,获取系统所有句柄信息,获取句柄名,获取句柄类型,获取句柄引用数,List,Count,GetItem,GetCurrentProcessId,GetCurrentProcess,RtlMoveMemory_SYSTEM_HANDLE_INFORMATION,DuplicateHandle,OpenProcess,CloseHandle
进程遍历(枚举),模块遍历,线程遍历,进程链表,线程链表,模块链表
fzy20062008的专栏
08-07 1507
关键字: R3 Peb.Ldr,PEB_LDR_DATA NtQuerySystemInformation,ZwQueryInformationProcess, CreateToolhelp32Snapshot,EnumProcesses,EnumProcessModules ReadProcessMemory,NtReadProcessMemory kernel32.dll,psa...
进程名取得进程ID
paradox_1_0的博客
09-08 1759
1.此处进程名是指进程可执行文件的名称(任务管理器进程列表中显示的映像名称); 2.windows下没有现成的API,实现思路采用CreateToolhelp32Snapshot函数创建进程快照然后依次遍历比较; 3.使用CreateToolhelp32Snapshot函数需要包含头文件#include<tlhelp32.h> 4.具体原理讲解: HANDLE WINAPI ...
枚举进程的所有模块
qiuxue110的专栏
02-27 758
若要确定哪些进程加载了特定 DLL,必须枚举每个进程的模块。 下面的示例代码使用EnumProcessModules函数枚举系统中当前进程模块。 #include <windows.h> #include <tchar.h> #include <stdio.h> #include <psapi.h> // To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS // a..
mfc 枚举enum使用例子
新手学编程
11-18 3633
enum EnAppState { ST_STARTING, ST_STARTED, ST_CONNECTING, ST_CONNECTED, ST_STOPPING, ST_STOPPED }; SetAppState(ST_STOPPED); void CServerDlg::SetAppState(EnAppState state) { m_enState = s
易语言系列————————窗口_枚举所有子窗口(精易模块)
热门推荐
java_dotar_01的专栏
06-13 1万+
易语言开发中,有时想直接从一个窗口中拿取 窗口下所有控件的信息,可以用window知道的api入手,但是精益模块有带有这个功能哦。    窗口_枚举所有子窗口()            三个参数:            一、欲寻找控件的窗口句柄            二、查询出来的所有子窗口句柄数组            三、查询的控件类名    对于前两个参数,相信大家都知道,第一个就是 窗口...
易语言枚举窗口进程
07-16
易语言枚举窗口进程源码,枚举窗口进程,取模块路径,取特征码,读内存十六进制文本,取得窗口_,取前台窗口_,取进程线程标识符_,Module32First,CreateToolhelp32Snapshot,打开进程_,ReadProcessMemory,CloseHandle
易语言枚举所有子窗口讲解
08-26
在本篇内容中小编给大家分享了易语言枚举所有子窗口的相关知识点内容,需要的朋友们参考下。
EnumChildWindows枚举所有窗口-2
jinwei29的博客
10-06 979
Imports System.Runtime.InteropServices Imports System.Text '调查窗口标题文字或控件内容的长短(在vb里使用:直接使用vb窗体或控件的caption或text属性) Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextL...
易语言窗口c_句柄取进程名,易语言枚举进程通过窗口句柄获取已经登录的QQ号码...
weixin_39909366的博客
05-18 427
DLL命令表.版本 2.DLL命令 GetDesktopWindow, 整数型, "user32.dll", "GetDesktopWindow".DLL命令 CreateToolhelp32Snapshot, 整数型, "kernel32", "CreateToolhelp32Snapshot".参数 dwFlags, 整数型, , 0.参数 th32ProcessIE, 整数型, , 0.DL...
易语言枚举进程模块源码
07-28
易语言枚举进程模块源码。
关于枚举窗口进程易语言例子
04-21
枚举窗口进程 关于枚举窗口进程易语言例子
易语言枚举进程的三方法
07-22
易语言枚举进程的三方法源码,枚举进程的三方法,子程序1,子程序2,CloseHandle,CreateToolhelp32Snapshot,NtQuerySystemInformation,HeapFree,GetProcessHeap,HeapAlloc,RtlMoveMemory,LocalSize_SPINFOR,EnumProcesses,EnumProcessModules,GetModuleFileNa
易语言源码易语言枚举进程的三方法源码.rar
03-31
易语言源码易语言枚举进程的三方法源码.rar
易语言枚举隐藏的进程
08-21
易语言枚举隐藏的进程源码系统结构:进程信息,EnumPro,取公司名称,GetCommandLine,数值到时间,GetUser_WTS,DOS路径转换_,处理事件_,LoadLibrary,GetProcAddress,FreeLibrary,loadDll,GetActiveWindow,...
易语言枚举进程的三方法源码
06-06
易语言枚举进程的三方法源码。@易语言在线学习。
枚举进程和PID_枚举进程和PID_
09-30
使用Delphi10.4.1枚举windows系统进程和PID,支持win10
【C++】---STL之list详解
最新发布
weixin_75128035的博客
04-24 327
erase删除pos位置元素后,pos位置之后的元素会往前搬移,没有导致底层空间的改变,理论上讲迭代 器不应该会失效,但是:如果pos刚好是最后一个元素,删完之后pos刚好是end的位置,而end位置是 没有元素的,那么pos就失效了。因此删除list中任意位置上元素时,vs就认为该位置迭代器失效 了。我的主页还有其他文章,欢迎学习指点。关注我,让我们一起学习,一起成长吧!2、优点:可以在任意位置进行插入删除,插入删除的效率比较高。好了,今天的分享就到这里了。
linux 枚举进程
09-13
在Linux中,有几方法可以枚举进程。 1. 使用`ps`命令:ps命令是一个常用的工具,用于列出当前正在运行的进程。通过`ps -ef`命令可以列出所有进程的详细信息。你还可以使用管道和`grep`命令来过滤出特定进程的信息...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值