这里也是参考了看雪论坛分享的。
我找不到那个分享的网址了，比较尴尬；什么时候找到了，再把分享教程的网址放出来……
本来是看《Windows黑客编程技术详解》这本书，看得很起劲，但是发现 emmm，比较可惜，
那个 IRP 发现也不是那么的神奇，于是直接看内核进程的操作了。
就是简单地枚举 PID。
#include <ntddk.h>
#include <windef.h>
/*
 * Private redeclaration of the kernel's KAPC_STATE. In this file it is only
 * ever used as the state block handed to KeStackAttachProcess and returned to
 * KeUnstackDetachProcess (see EnumModule); no field is read by the driver.
 * NOTE(review): if the WDK headers in use already declare KAPC_STATE, this
 * typedef collides with them and should be removed.
 */
typedef struct _KAPC_STATE
{
    LIST_ENTRY ApcListHead[2];
    PKPROCESS Process;
    UCHAR KernelApcInProgress;
    UCHAR KernelApcPending;
    UCHAR UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
/*
 * Loader module entry as linked into the target process's PEB_LDR_DATA lists.
 * EnumModule walks InLoadOrderLinks and reads only DllBase, SizeOfImage and
 * FullDllName; nothing past FullDllName is touched. The links are declared as
 * LIST_ENTRY64 while EnumModule walks them through PLIST_ENTRY, which only
 * agrees on an x64 build.
 * NOTE(review): the layout after BaseDllName differs between Windows versions;
 * confirm against the target build before relying on any later field.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY64 InLoadOrderLinks;          /* list walked by EnumModule */
    LIST_ENTRY64 InMemoryOrderLinks;
    LIST_ENTRY64 InInitializationOrderLinks;
    PVOID DllBase;                          /* printed by EnumModule */
    PVOID EntryPoint;
    ULONG SizeOfImage;                      /* printed by EnumModule */
    UNICODE_STRING FullDllName;             /* printed by EnumModule (%wZ) */
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY64 ForwarderLinks;
    LIST_ENTRY64 ServiceTagLinks;
    LIST_ENTRY64 StaticLinks;
    PVOID ContextInformation;
    ULONG64 OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
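/*
 * Prototypes for ntoskrnl exports that are not all declared by ntddk.h.
 * Signatures are kept exactly as in the original listing; the duplicate
 * declaration of PsGetProcessImageFileName is dropped and KeDetachProcess
 * gets a proper (VOID) prototype instead of an unprototyped "()".
 * NOTE(review): undocumented exports may change between Windows versions —
 * confirm each signature against the target build.
 */
NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);              /* short image name, printed with %s by EnumProcess */
NTKERNELAPI HANDLE PsGetProcessInheritedFromUniqueProcessId(IN PEPROCESS Process); /* parent PID */
NTKERNELAPI PPEB PsGetProcessPeb(PEPROCESS Process);                             /* may be NULL; EnumModule checks for it */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE Id, PEPROCESS *Process);  /* on success *Process is referenced: caller must ObDereferenceObject */
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);      /* on success *Thread is referenced: caller must ObDereferenceObject */
NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);
NTKERNELAPI VOID NTAPI KeAttachProcess(PEPROCESS Process);
NTKERNELAPI VOID NTAPI KeDetachProcess(VOID);
NTKERNELAPI VOID NTAPI KeStackAttachProcess(PEPROCESS Process, PKAPC_STATE ApcState);
NTKERNELAPI VOID NTAPI KeUnstackDetachProcess(PKAPC_STATE ApcState);
NTKERNELAPI HANDLE PsGetProcessId(IN PEPROCESS Process);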
/*
 * Hard-coded PEB field offsets used by EnumModule in place of a PEB definition:
 * PEB.Ldr and PEB_LDR_DATA.InLoadOrderModuleList. These are the x64 values.
 * NOTE(review): they do not apply to a 32-bit PEB, so the module walk assumes
 * an x64 build — confirm before reusing on another target.
 */
ULONG64 LdrInPebOffset = 0x018; //peb.ldr
ULONG64 ModListInPebOffset = 0x010; //peb.ldr.InLoadOrderModuleList
/*
 * Resolve a PID to its EPROCESS.
 *
 * pid: process id to look up (a HANDLE-typed integer, as PsLookup* expects).
 * Returns a referenced EPROCESS, or NULL when no process has that id. The
 * caller owns the reference and must release it with ObDereferenceObject.
 */
PEPROCESS lookprocess(HANDLE pid)
{
    PEPROCESS process = NULL;
    NTSTATUS status = PsLookupProcessByProcessId(pid, &process);

    return NT_SUCCESS(status) ? process : NULL;
}
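/*
 * Resolve a TID to its ETHREAD.
 *
 * tid: thread id to look up.
 * Returns a referenced ETHREAD, or NULL when no thread has that id. The caller
 * owns the reference and must release it with ObDereferenceObject.
 *
 * Fixes: the original passed "ðread" (a mangled "&ethread") as the out
 * parameter, which does not compile, and left ethread uninitialized.
 */
PETHREAD lookthread(HANDLE tid)
{
    PETHREAD ethread = NULL;

    if (NT_SUCCESS(PsLookupThreadByThreadId(tid, &ethread)))
    {
        return ethread;
    }
    return NULL;
}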
/*
 * Print every thread that belongs to Process.
 *
 * There is no per-process thread list used here: the function brute-forces the
 * thread id space (ids are multiples of 4, scanned up to 262144), resolves each
 * id with lookthread, and keeps those whose owning process is Process. Each
 * successful lookup returns a referenced ETHREAD which is released here.
 *
 * Process: the owning process to match against (compared by pointer).
 */
VOID Enumthread(PEPROCESS Process)
{
    ULONG tid;

    for (tid = 4; tid < 262144; tid += 4)
    {
        PETHREAD thread = lookthread((HANDLE)tid);
        if (thread == NULL)
        {
            continue;
        }
        if (IoThreadToProcess(thread) == Process)
        {
            KdPrint(("[THREAD]ETHREAD = %p TID = %ld\n", thread, (ULONG)PsGetThreadId(thread)));
        }
        /* Drop the reference taken by PsLookupThreadByThreadId. */
        ObDereferenceObject(thread);
    }
}
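/*
 * Print the modules loaded in Process by walking its PEB loader list.
 *
 * Everything read here lives in the target's user-mode address space and is
 * controlled by that process: the PEB, the PEB_LDR_DATA block and every
 * LDR_DATA_TABLE_ENTRY can be missing, unmapped or deliberately corrupted.
 * The walk therefore attaches to the process, probes each structure before
 * touching it, wraps the whole traversal in SEH, and caps the number of
 * entries so a cyclic or looping list cannot hang the caller.
 *
 * Process: target process; the caller must already hold a reference on it.
 *
 * Fixes against the original: the first list entry was dereferenced before it
 * was ever probed; each entry was probed for only 80 bytes, but on x64 the
 * FullDllName.Buffer field of this file's LDR_DATA_TABLE_ENTRY lies at 0x50..0x57
 * (three 16-byte links, two pointers, SizeOfImage plus padding, then the
 * UNICODE_STRING), so the pointer printed by %wZ was outside the probed range;
 * the string buffer itself was never probed; an unused ANSI_STRING is dropped.
 */
VOID EnumModule(PEPROCESS Process)
{
    /* Upper bound on list entries visited: defends against a corrupted list. */
    const ULONG MaxEntries = 4096;
    ULONG visited = 0;
    PVOID Peb = NULL;
    ULONG64 ldrField = 0;
    PLIST_ENTRY ModListHead = NULL;
    PLIST_ENTRY Module = NULL;
    KAPC_STATE ks;

    if (!MmIsAddressValid(Process))
    {
        return;
    }
    Peb = PsGetProcessPeb(Process);
    if (Peb == NULL)
    {
        return;
    }

    /* Switch address space so the user-mode PEB pointers are dereferenceable. */
    KeStackAttachProcess(Process, &ks);
    __try
    {
        /* &PEB.Ldr, then PEB_LDR_DATA.InLoadOrderModuleList (hard-coded x64 offsets). */
        ldrField = (ULONG64)Peb + LdrInPebOffset;
        ProbeForRead((CONST PVOID)ldrField, sizeof(ULONG64), sizeof(ULONG64));
        ModListHead = (PLIST_ENTRY)(*(PULONG64)ldrField + ModListInPebOffset);
        ProbeForRead(ModListHead, sizeof(LIST_ENTRY), sizeof(ULONG64));

        Module = ModListHead->Flink;
        while (Module != ModListHead && visited < MaxEntries)
        {
            PLDR_DATA_TABLE_ENTRY entry;

            /* Probe the entry (through the fields used below) before reading it. */
            ProbeForRead(Module, sizeof(LDR_DATA_TABLE_ENTRY), sizeof(ULONG64));
            entry = (PLDR_DATA_TABLE_ENTRY)Module;

            /* %wZ follows FullDllName.Buffer, which is a user pointer of its own. */
            if (entry->FullDllName.Buffer != NULL)
            {
                ProbeForRead(entry->FullDllName.Buffer, entry->FullDllName.Length, sizeof(WCHAR));
            }
            KdPrint(("[MODULE]Base=%p Size=%ld Path=%wZ\n",
                entry->DllBase,
                (ULONG)entry->SizeOfImage,
                &entry->FullDllName));

            Module = Module->Flink;
            visited++;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        /* A probe failure or a fault on user memory lands here; the walk is abandoned. */
        KdPrint(("EXCEPTION_EXECUTE_HANDLER"));
    }
    KeUnstackDetachProcess(&ks);
}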
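/*
 * Enumerate processes by brute-forcing the PID space.
 *
 * PIDs are multiples of 4; every id up to 262144 is resolved with lookprocess,
 * and for each live process its EPROCESS, PID, parent PID and short image name
 * are printed, followed by its threads (Enumthread) and modules (EnumModule).
 * lookprocess returns a referenced EPROCESS, released after the per-process work.
 *
 * Fixes against the original: the log line lacked a trailing newline, so it ran
 * into the next KdPrint output; HANDLEs were cast straight to DWORD (pointer
 * truncation warning on x64) and printed with %ld although unsigned; the
 * definition used "()" instead of "(VOID)".
 */
VOID EnumProcess(VOID)
{
    ULONG pid;
    PEPROCESS eproc = NULL;

    for (pid = 4; pid < 262144; pid += 4)
    {
        eproc = lookprocess((HANDLE)pid);
        if (eproc == NULL)
        {
            continue;
        }
        KdPrint(("EPROCESS=%p,PID=%lu,PPID=%lu,NAME=%s\n",
            eproc,
            HandleToULong(PsGetProcessId(eproc)),
            HandleToULong(PsGetProcessInheritedFromUniqueProcessId(eproc)),
            PsGetProcessImageFileName(eproc)));
        Enumthread(eproc);
        EnumModule(eproc);
        /* Drop the reference taken by PsLookupProcessByProcessId. */
        ObDereferenceObject(eproc);
    }
}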
/*
 * Unload callback installed by DriverEntry. Nothing is allocated or registered
 * at load time, so there is nothing to tear down; it only logs.
 *
 * driver: the driver object being unloaded (unused).
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);

    KdPrint(("goodbye"));
}
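/*
 * Terminate the process with id Pid.
 *
 * Opens the process by client id with PROCESS_TERMINATE (the literal 1 in the
 * original), terminates it with exit status 0, and closes the handle. Zw* calls
 * issued from kernel mode run with PreviousMode == KernelMode, so no user-level
 * access check stands between this routine and its target; whatever supplies
 * Pid must be validated against the driver's own policy before calling.
 *
 * Pid: id of the process to terminate.
 *
 * Fixes against the original: the NTSTATUS of ZwOpenProcess and
 * ZwTerminateProcess were ignored (the old code relied on hProcess staying
 * NULL on failure); OBJECT_ATTRIBUTES was filled by hand without
 * OBJ_KERNEL_HANDLE, which puts a kernel-created handle into the current
 * process's handle table where user mode can reach it; the access mask and
 * exit status were magic numbers. The Zw prefix is reserved for system
 * routines, but the name is kept because callers depend on it.
 */
VOID ZwKillProcess(HANDLE Pid)
{
    NTSTATUS status;
    HANDLE hProcess = NULL;
    CLIENT_ID clientId;
    OBJECT_ATTRIBUTES oa;

    clientId.UniqueProcess = Pid;
    clientId.UniqueThread = NULL;
    /* OBJ_KERNEL_HANDLE keeps the handle out of the attached process's table. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &oa, &clientId);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("ZwOpenProcess(%p) failed: 0x%08X\n", Pid, status));
        return;
    }

    status = ZwTerminateProcess(hProcess, STATUS_SUCCESS);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("ZwTerminateProcess(%p) failed: 0x%08X\n", Pid, status));
    }
    ZwClose(hProcess);
}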
/*
 * Placeholder for terminating the thread with id Tip.
 *
 * Only the CLIENT_ID and OBJECT_ATTRIBUTES are prepared; as the original
 * author's comment notes, ZwOpenThread is not exported and would have to be
 * located by hand, so no handle is ever opened here. hThread stays NULL and
 * the ZwClose branch is never taken: the function currently does nothing.
 *
 * Tip: id of the thread (unused beyond filling the CLIENT_ID).
 */
VOID ZwKillThread(HANDLE Tip)
{
    HANDLE hThread = NULL;
    CLIENT_ID clientId;
    OBJECT_ATTRIBUTES oa;

    clientId.UniqueProcess = NULL;
    clientId.UniqueThread = Tip;
    /* Same field values the original assigned by hand: no name, no root, no flags. */
    InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);

    // ZwOpenThread is not exported; it must be located manually (original author's note)
    if (hThread != NULL)
    {
        ZwClose(hThread);
    }
}
/*
 * Driver entry point.
 *
 * Installs DriverUnload and then runs the full process/thread/module
 * enumeration synchronously, inside DriverEntry, before reporting success.
 * Nothing else (devices, callbacks, symbolic links) is created.
 *
 * DriverObject: this driver's object; receives the unload routine.
 * RegistryPath: service key path (unused).
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    EnumProcess();

    return STATUS_SUCCESS;
}