EnumProcessThread(枚举进程线程)

最新推荐文章于 2023-11-17 09:22:06 发布

VHeroin

最新推荐文章于 2023-11-17 09:22:06 发布

阅读量1.4k

点赞数

分类专栏： Windows Kernel SDK

Windows Kernel 同时被 2 个专栏收录

28 篇文章 7 订阅

订阅专栏

SDK

4 篇文章 0 订阅

订阅专栏

原文地址: https://blog.csdn.net/qq125096885/article/details/75045032

#pragma once
#ifndef MAX_PATH
#define MAX_PATH 260
#endif
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
KWAIT_REASON WaitReason;
}SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFO
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize;
ULONG HardFaultCount;
ULONG NumberOfThreadsHighWatermark;
ULONGLONG CycleTime;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
}SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR ImageName[MAXIMUM_FILENAME_LENGTH];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

#include <ntifs.h>
#include <ntddk.h>
#include <ntintsafe.h>
#include "Header.h"
//删除指针
#define SafeFreeDelete(pData) { if(pData){ExFreePool(pData);pData=NULL;} }
NTSTATUS ZwQueryInformationThread(HANDLE ThreadHandle,THREADINFOCLASS ThreadInformationClass,PVOID ThreadInformation,ULONG ThreadInformationLength,PULONG ReturnLength);
NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
PETHREAD GetThread(HANDLE ThreadId)
{
PETHREAD Thread = NULL;
PETHREAD Result = NULL;
if (PsLookupThreadByThreadId(ThreadId, &Thread) == STATUS_SUCCESS)
{
Result = Thread;
ObDereferenceObject(Thread);
}
return Result;
}
HANDLE OpenThread(ULONG ThreadId)
{
NTSTATUS status;
PETHREAD Thread = NULL;
HANDLE hThread = NULL;
UNICODE_STRING Unicode;
status = PsLookupThreadByThreadId(ThreadId, &Thread);
if (NT_SUCCESS(status))
{
if (PsThreadType)
{
status = ObOpenObjectByPointer(Thread,NULL,NULL,THREAD_ALL_ACCESS,(PVOID)*PsThreadType,KernelMode,&hThread);
if (NT_SUCCESS(status))
{
ObDereferenceObject(Thread);
return hThread;
}
}
}
return 0;
}
void GetModuleName(PVOID dwBase,PCHAR strName, PCHAR strPath)
{
NTSTATUS status;
ULONG size = 0, index = 0;
PRTL_PROCESS_MODULES ProcessModules = NULL;
PRTL_PROCESS_MODULE_INFORMATION pModuleInformation = NULL;
do
{
status = ZwQuerySystemInformation(SystemModuleInformation, NULL, NULL, &size);
if (STATUS_INFO_LENGTH_MISMATCH != status || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 4;
if ((ProcessModules = (PULONG_PTR)ExAllocatePool(NonPagedPool, size)) == NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(ProcessModules, size);
status = ZwQuerySystemInformation(SystemModuleInformation, ProcessModules, size, NULL);
if (!NT_SUCCESS(status))
{
ASSERT(FALSE);
break;
}
pModuleInformation = (PRTL_PROCESS_MODULE_INFORMATION)(ProcessModules->Modules);
for (index = 0; index < ProcessModules->NumberOfModules; index++)
{
PVOID ImageBaseAddress;
ULONG_PTR ImageSize;
ULONG_PTR ImageEnd;
ImageBaseAddress = pModuleInformation[index].ImageBase;
ImageSize = pModuleInformation[index].ImageSize;
ImageEnd = ImageSize + (ULONG_PTR)ImageBaseAddress;
if (ImageBaseAddress <= dwBase && dwBase <= ImageEnd)
{
strcpy(strName, pModuleInformation[index].ImageName + pModuleInformation[index].OffsetToFileName);
strcpy(strPath, pModuleInformation[index].ImageName);
break;
}
}
} while (FALSE);
SafeFreeDelete(ProcessModules);
return;
}
void EnumProcessThread(ULONG ProcessId)
{
NTSTATUS Status;
PSYSTEM_PROCESS_INFO ProcessInfo = NULL;
PVOID pBuffer = NULL;
ULONG size = 0;
//切换当前模式为内核模式
do
{
Status = ZwQuerySystemInformation(SystemProcessInformation, NULL, 0, &size);
if (Status != STATUS_INFO_LENGTH_MISMATCH || size <= 0)
{
ASSERT(FALSE);
break;
}
size *= 2;
pBuffer = ExAllocatePool(NonPagedPool, size); //分配内存缓冲区
if (pBuffer==NULL)
{
ASSERT(FALSE);
break;
}
RtlZeroMemory(pBuffer, size);
Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, size, &size);
if (!NT_SUCCESS(Status))
{
ASSERT(FALSE);
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)pBuffer;
while (TRUE)
{
if (ProcessInfo->UniqueProcessId == ProcessId)
{
for (ULONG_PTR i = 0; i < ProcessInfo->NumberOfThreads; i++)
{
HANDLE hThread = NULL;
PVOID Win32StartAddress = 0;
PETHREAD Thread;
HANDLE ThreadId;
ULONG Priority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
char* pModuleName = ExAllocatePool(NonPagedPool, MAX_PATH);
char* pImagePath = ExAllocatePool(NonPagedPool, MAX_PATH);
ASSERT(pModuleName);
ASSERT(pImagePath);
RtlZeroMemory(pModuleName, MAX_PATH);
RtlZeroMemory(pImagePath, MAX_PATH);
ThreadId = ProcessInfo->Threads[i].ClientId.UniqueThread; // 进程ID 与线程ID
Thread = GetThread(ThreadId); // 线程 PETHREAD
Priority= (ULONG)ProcessInfo->Threads[i].Priority; // 线程优先级
ContextSwitches = ProcessInfo->Threads[i].ContextSwitches; // 切换数
ThreadState = ProcessInfo->Threads[i].ThreadState; // 当前状态
WaitReason = ProcessInfo->Threads[i].WaitReason; //等待原因
//Suspended
hThread = OpenThread(ProcessInfo->Threads[i].ClientId.UniqueThread);
if (hThread)
{
Status = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, (PVOID)Win32StartAddress, sizeof(PVOID), NULL);
ZwClose(hThread);
if (!NT_SUCCESS(Status))
{
Win32StartAddress = ProcessInfo->Threads[i].StartAddress;
}
GetModuleName(Win32StartAddress, pModuleName, pImagePath);
}
KdPrint(("ThreadId=%d Thread=%p Priority=%d ContextSwitches=%d ThreadState=%d WaitReason=%d Win32StartAddress=%p ModuleName=%s ImagePath=%s\n", ThreadId, Thread, Priority, ContextSwitches, ThreadState, WaitReason,Win32StartAddress, pModuleName, pImagePath));
SafeFreeDelete(pModuleName);
SafeFreeDelete(pImagePath);
}
break;
}
if (ProcessInfo==NULL)
{
break;
}
if (ProcessInfo->NextEntryOffset == 0)
{
break;
}
ProcessInfo = (PSYSTEM_PROCESS_INFO)(((PUCHAR)ProcessInfo) + ProcessInfo->NextEntryOffset);
}
} while (FALSE);
SafeFreeDelete(pBuffer);
return;
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
DbgBreakPoint();
EnumProcessThread(PsGetCurrentProcessId());
return STATUS_SUCCESS;
}

VHeroin

关注

0
点赞
踩
4

收藏

觉得还不错? 一键收藏
0
评论
EnumProcessThread(枚举进程线程)

原文地址: https://blog.csdn.net/qq125096885/article/details/75045032 版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/qq125096885/article/details/75045032 #pragma once #ifndef MA...
复制链接

扫一扫