遍历进程内存

// inject.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include<Windows.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <iostream>

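// NTSTATUS values used below. They are cast to NTSTATUS (a signed LONG) so the
// severity bits make them negative: a bare 0xc0000001 literal is an unsigned
// int, and NT_SUCCESS(0xc0000001) evaluated to true with the old definition.
#define STATUS_UNSUCCESSFUL         ((NTSTATUS)0xC0000001L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)   // defined but not used in this file
// Success test in the ntdef.h form: severities 00 (success) and 01
// (informational) are non-negative; warnings (0x8...) such as
// STATUS_BUFFER_OVERFLOW and errors (0xC...) are negative. The cast keeps the
// comparison signed even when the argument is an unsigned literal.
#define NT_SUCCESS(x) (((NTSTATUS)(x)) >= 0)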

// Counted string as used by the NT native API (also aliased as UNICODE_STRING).
// Length and MaximumLength are in bytes, not characters, and Buffer is not
// guaranteed to be NUL-terminated: code in this file that hands Buffer to
// C-string functions relies on the querying function having zero-filled the
// spare bytes behind the string.
typedef struct _LSA_UNICODE_STRING {
	USHORT Length;          // bytes in use, excluding any terminator
	USHORT MaximumLength;   // bytes available in Buffer
	PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

// Information classes for NtQueryInformationProcess. The values are positional
// (they are the ordinals ntdll expects), so the order of this list must not be
// changed. Only the typedef below uses it; Scan() resolves the function but
// never calls it in this file.
typedef enum _PROCESSINFOCLASS
{
	ProcessBasicInformation,
	ProcessQuotaLimits,
	ProcessIoCounters,
	ProcessVmCounters,
	ProcessTimes,
	ProcessBasePriority,
	ProcessRaisePriority,
	ProcessDebugPort,
	ProcessExceptionPort,
	ProcessAccessToken,
	ProcessLdtInformation,
	ProcessLdtSize,
	ProcessDefaultHardErrorMode,
	ProcessIoPortHandlers,
	ProcessPooledUsageAndLimits,
	ProcessWorkingSetWatch,
	ProcessUserModeIOPL,
	ProcessEnableAlignmentFaultFixup,
	ProcessPriorityClass,
	ProcessWx86Information,
	ProcessHandleCount,
	ProcessAffinityMask,
	ProcessPriorityBoost,
	ProcessDeviceMap,
	ProcessSessionInformation,
	ProcessForegroundInformation,
	ProcessWow64Information,
	ProcessImageFileName,
	ProcessLUIDDeviceMapsEnabled,
	ProcessBreakOnTermination,
	ProcessDebugObjectHandle,
	ProcessDebugFlags,
	ProcessHandleTracing,
	ProcessIoPriority,
	ProcessExecuteFlags,
	ProcessTlsInformation,
	ProcessCookie,
	ProcessImageInformation,
	ProcessCycleTime,
	ProcessPagePriority,
	ProcessInstrumentationCallback,
	ProcessThreadStackAllocation,
	ProcessWorkingSetWatchEx,
	ProcessImageFileNameWin32,
	ProcessImageFileMapping,
	ProcessAffinityUpdateMode,
	ProcessMemoryAllocationMode,
	MaxProcessInfoClass
} PROCESSINFOCLASS;

// Signature of ntdll!NtQueryInformationProcess, resolved at run time with
// GetProcAddress because it is not exported through an import library here.
// ReturnLength may receive the size the call needed or wrote.
typedef
NTSTATUS(WINAPI *NTQUERYINFORMATIONPROCESS)
(HANDLE           ProcessHandle,
	PROCESSINFOCLASS ProcessInformationClass,
	PVOID            ProcessInformation,
	ULONG            ProcessInformationLength,
	PULONG           ReturnLength);

// Information classes for NtQueryVirtualMemory; positional like
// PROCESSINFOCLASS, so the order must match ntdll. Each comment names the
// structure written to the caller's buffer. This file uses
// MemoryBasicInformation (fixed size) and MemoryMappedFilenameInformation
// (a UNICODE_STRING followed by its characters, so variable size - see the
// retry logic in GetProcessMappedFileName).
typedef enum _MEMORY_INFORMATION_CLASS
{
	MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
	MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
	MemoryMappedFilenameInformation, // UNICODE_STRING
	MemoryRegionInformation, // MEMORY_REGION_INFORMATION
	MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
	MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
	MemoryImageInformation // MEMORY_IMAGE_INFORMATION
} MEMORY_INFORMATION_CLASS;


// Signature of ntdll!NtQueryVirtualMemory, resolved at run time with
// GetProcAddress. MemoryInformationLength is the size of the caller's buffer in
// bytes; ReturnLength is optional and, when the buffer is too small, receives
// the size required (the callers below rely on that for the retry).
typedef NTSTATUS(NTAPI*NTQUERYVIRTUALMEMORY)
(
	_In_ HANDLE ProcessHandle,
	_In_ PVOID BaseAddress,
	_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
	_Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
	_In_ SIZE_T MemoryInformationLength,
	_Out_opt_ PSIZE_T ReturnLength
	);

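// Query the name of the file (if any) mapped at BaseAddress in the target
// process via ntdll!NtQueryVirtualMemory(MemoryMappedFilenameInformation).
//
// ProcessHandle: handle to the target process with rights sufficient for the
//                memory query (the caller in this file opens it itself).
// BaseAddress:   any address inside the region of interest.
// FileName:      receives a malloc()'d UNICODE_STRING holding the NT device
//                path (e.g. \Device\HarddiskVolumeN\...). Ownership passes to
//                the caller, who must free() it. Set to NULL on failure. The
//                allocation always has one zeroed WCHAR of slack behind the
//                bytes the kernel may write, so Buffer is NUL-terminated even
//                though UNICODE_STRING itself does not promise that.
//
// Returns the NTSTATUS of the last query. Returns STATUS_UNSUCCESSFUL when
// ntdll cannot be resolved, the allocation fails or FileName is NULL; the
// original returned 0 (STATUS_SUCCESS) on those paths, which let a caller
// dereference a FileName that was never set.
NTSTATUS GetProcessMappedFileName(
	_In_ HANDLE ProcessHandle,
	_In_ PVOID BaseAddress,
	_Out_ PUNICODE_STRING* FileName
)
{
	// STATUS_BUFFER_OVERFLOW: the buffer was too small and ReturnLength holds
	// the size needed. It is a warning (0x8...), so NT_SUCCESS() rejects it.
	const NTSTATUS kStatusBufferOverflow = (NTSTATUS)0x80000005L;

	if (NULL == FileName)
	{
		return (NTSTATUS)STATUS_UNSUCCESSFUL;
	}
	*FileName = NULL;

	// ntdll is mapped into every process; GetModuleHandle avoids the reference
	// the original LoadLibrary() added on every call and never released.
	HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
	if (NULL == hNtdll)
	{
		return (NTSTATUS)STATUS_UNSUCCESSFUL;
	}
	NTQUERYVIRTUALMEMORY NtQueryVirtualMemory =
		(NTQUERYVIRTUALMEMORY)GetProcAddress(hNtdll, "NtQueryVirtualMemory");
	if (NULL == NtQueryVirtualMemory)
	{
		return (NTSTATUS)STATUS_UNSUCCESSFUL;
	}

	SIZE_T bufferSize = 0x100;   // first guess, enough for most paths
	SIZE_T returnLength = 0;
	NTSTATUS status = (NTSTATUS)STATUS_UNSUCCESSFUL;

	// At most two attempts: the initial guess, then the exact size reported.
	for (int attempt = 0; attempt < 2; attempt++)
	{
		// The kernel is told bufferSize bytes; the extra zeroed WCHAR behind
		// them is never written and guarantees a terminator for Buffer.
		PVOID buffer = malloc(bufferSize + sizeof(WCHAR));
		if (NULL == buffer)
		{
			return (NTSTATUS)STATUS_UNSUCCESSFUL;
		}
		ZeroMemory(buffer, bufferSize + sizeof(WCHAR));

		status = NtQueryVirtualMemory(
			ProcessHandle,
			BaseAddress,
			MemoryMappedFilenameInformation,
			buffer,
			bufferSize,
			&returnLength
		);
		if (NT_SUCCESS(status))
		{
			*FileName = (PUNICODE_STRING)buffer;   // ownership passes to the caller
			return status;
		}

		// The original leaked this buffer on any status other than overflow.
		free(buffer);
		buffer = NULL;

		if (status != kStatusBufferOverflow || 0 == returnLength)
		{
			break;   // genuine failure (e.g. no file mapped here): do not retry
		}
		bufferSize = returnLength;   // retry with the size the kernel asked for
	}

	return status;
}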

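// Translate an NT device path into a DOS drive-letter path, e.g.
//   \Device\HarddiskVolume1\x86.sys  ->  C:\x86.sys
//
// NOTE: the parameter names are the wrong way round for what the function does
// (the input is the NT/device form, the output the DOS form). They are kept
// because callers pass positionally.
//
// pszDosPath: input, NUL-terminated NT device path (e.g. from a mapped-file query).
// pszNtPath:  output buffer; always written when the arguments are valid.
// cchNtPath:  capacity of pszNtPath in WCHARs. Defaults to MAX_PATH, which is
//             what the existing caller allocates. Output is NUL-terminated.
//
// Returns TRUE when a drive mapping matched and the full DOS path fit in the
// buffer. Returns FALSE for invalid arguments, when no drive matches (the
// input is then copied through unchanged, as before, so the caller still has
// a printable string), or when the result had to be truncated.
BOOL DeviceDosPathToNtPath(wchar_t* pszDosPath, wchar_t* pszNtPath, size_t cchNtPath = MAX_PATH)
{
	// Plain NULL checks replace IsBadReadPtr/IsBadWritePtr: those probe pages
	// rather than validate pointers, are racy, and can swallow guard-page
	// faults that the process relies on.
	if (NULL == pszDosPath || NULL == pszNtPath || 0 == cchNtPath)
	{
		return FALSE;
	}

	// Local rather than static so concurrent callers do not share scratch space.
	WCHAR szDriveStr[MAX_PATH] = { 0 };   // "C:\" NUL "D:\" NUL ... NUL
	WCHAR szDevName[MAX_PATH] = { 0 };

	// nBufferLength is in characters (excluding the final NUL), not bytes;
	// the original passed sizeof(), overstating the capacity by 2x.
	DWORD cchDrives = GetLogicalDriveStringsW(ARRAYSIZE(szDriveStr) - 1, szDriveStr);
	if (0 == cchDrives || cchDrives > ARRAYSIZE(szDriveStr) - 1)
	{
		szDriveStr[0] = L'\0';   // lookup unavailable: fall through to the pass-through copy
	}

	// Each entry is "X:\" plus its NUL, i.e. four WCHARs.
	for (int i = 0; szDriveStr[i] != L'\0'; i += 4)
	{
		// Floppy letters are skipped as in the original (querying them can
		// touch hardware).
		if (!lstrcmpiW(&szDriveStr[i], L"A:\\") || !lstrcmpiW(&szDriveStr[i], L"B:\\"))
		{
			continue;
		}

		WCHAR szDrive[3] = { szDriveStr[i], szDriveStr[i + 1], L'\0' };   // "X:"
		if (!QueryDosDeviceW(szDrive, szDevName, ARRAYSIZE(szDevName)))
		{
			// A drive whose device cannot be resolved (e.g. a disconnected
			// network share) made the original give up entirely; keep
			// checking the remaining drives instead.
			continue;
		}

		int cchDevName = lstrlenW(szDevName);
		if (_wcsnicmp(pszDosPath, szDevName, cchDevName) != 0)
		{
			continue;
		}
		// A bare prefix match is wrong: \Device\HarddiskVolume1 is a prefix of
		// \Device\HarddiskVolume10. Require a separator (or the end) after it.
		WCHAR next = pszDosPath[cchDevName];
		if (next != L'\\' && next != L'\0')
		{
			continue;
		}

		// "X:" followed by the remainder, which starts with the separator.
		// Bounded write; _TRUNCATE returns -1 instead of invoking the CRT
		// invalid-parameter handler when the result does not fit.
		int written = _snwprintf_s(pszNtPath, cchNtPath, _TRUNCATE, L"%ls%ls",
			szDrive, pszDosPath + cchDevName);
		return (written >= 0) ? TRUE : FALSE;
	}

	// No drive matched: hand the input back unchanged (bounded) and report the miss.
	_snwprintf_s(pszNtPath, cchNtPath, _TRUNCATE, L"%ls", pszDosPath);
	return FALSE;
}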

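// True when the region protection carries one of the write modes this scan
// reports on: PAGE_READWRITE, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY.
// Modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) are ignored, as in the
// original test; PAGE_WRITECOPY is deliberately not in the set, matching the
// original author's choice.
static BOOL IsWritableProtection(DWORD protect)
{
	return (protect & PAGE_READWRITE) == PAGE_READWRITE
		|| (protect & PAGE_EXECUTE_READWRITE) == PAGE_EXECUTE_READWRITE
		|| (protect & PAGE_EXECUTE_WRITECOPY) == PAGE_EXECUTE_WRITECOPY;
}

// Walk the address space of the process ProcessId and print, one per line,
// the DOS path of every file-backed region that is writable (see
// IsWritableProtection). Free regions, non-writable regions and regions with
// no mapped file are skipped silently.
//
// ProcessId: PID of the process to inspect.
//
// Side effects: writes to stdout. Returns nothing; failures to resolve ntdll
// or to open the process are silent, as in the original. The handle is opened
// with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ rather than
// PROCESS_ALL_ACCESS: that is what the memory queries need, and it is far more
// likely to be granted on a hardened target.
VOID Scan(DWORD ProcessId)
{
	// ntdll is always mapped; no LoadLibrary reference to leak.
	HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
	if (NULL == hNtdll)
	{
		return;
	}
	NTQUERYVIRTUALMEMORY NtQueryVirtualMemory =
		(NTQUERYVIRTUALMEMORY)GetProcAddress(hNtdll, "NtQueryVirtualMemory");
	if (NULL == NtQueryVirtualMemory)
	{
		return;
	}
	// The original also resolved NtQueryInformationProcess but never used it.

	HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);
	if (NULL == processHandle)
	{
		return;
	}

	PVOID baseAddress = (PVOID)0;
	MEMORY_BASIC_INFORMATION basicInfo = { 0 };

	// Query region after region until the call fails, which happens once
	// baseAddress leaves the user address range.
	while (NT_SUCCESS(NtQueryVirtualMemory(
		processHandle,
		baseAddress,
		MemoryBasicInformation,
		&basicInfo,
		sizeof(basicInfo),
		NULL
	)))
	{
		if (basicInfo.State != MEM_FREE && IsWritableProtection(basicInfo.Protect))
		{
			PUNICODE_STRING fileName = NULL;
			// Only file-backed regions have a mapped name; a failure here is
			// the expected outcome for private memory, not an error.
			if (NT_SUCCESS(GetProcessMappedFileName(processHandle, baseAddress, &fileName))
				&& fileName != NULL)
			{
				// UNICODE_STRING.Length is in bytes and Buffer is not promised
				// to be NUL-terminated, so copy the counted string into a
				// terminated buffer before treating it as a C string. NT paths
				// may be longer than MAX_PATH, hence the heap.
				size_t cch = fileName->Length / sizeof(WCHAR);
				if (fileName->Buffer != NULL && cch > 0)
				{
					wchar_t* ntPath = (wchar_t*)malloc((cch + 1) * sizeof(WCHAR));
					if (ntPath != NULL)
					{
						memcpy(ntPath, fileName->Buffer, cch * sizeof(WCHAR));
						ntPath[cch] = L'\0';

						WCHAR dosPath[MAX_PATH] = { 0 };
						if (DeviceDosPathToNtPath(ntPath, dosPath))
						{
							printf("%S\n", dosPath);   // %S: wide string in MSVC's narrow printf
						}
						free(ntPath);
						ntPath = NULL;
					}
				}
				// GetProcessMappedFileName hands us ownership; the original
				// never freed it, leaking one allocation per reported region.
				free(fileName);
				fileName = NULL;
			}
		}

		// Advance to the next region. A wrap to a lower address can only come
		// from a corrupt RegionSize; stop rather than loop forever.
		PVOID next = (PVOID)((ULONG_PTR)baseAddress + basicInfo.RegionSize);
		if ((ULONG_PTR)next <= (ULONG_PTR)baseAddress)
		{
			break;
		}
		baseAddress = next;
	}

	CloseHandle(processHandle);
	processHandle = NULL;
}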

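// Entry point. Scans the process whose PID is given as the first command-line
// argument (decimal). With no argument it falls back to the PID the original
// hard-coded (20416), which is only meaningful on the author's machine.
// Returns 0 on completion, 1 when the argument is not a valid PID.
int main(int argc, char** argv)
{
	DWORD pid = 20416;   // original hard-coded value, kept as the default

	if (argc > 1)
	{
		// strtoul rather than atoi so malformed or out-of-range input is
		// reported instead of silently becoming 0 or a truncated value.
		char* end = NULL;
		errno = 0;
		unsigned long parsed = strtoul(argv[1], &end, 10);
		if (end == argv[1] || *end != '\0' || errno == ERANGE || parsed > MAXDWORD)
		{
			fprintf(stderr, "usage: %s [pid]\n", argv[0]);
			return 1;
		}
		pid = (DWORD)parsed;
	}

	Scan(pid);

	// Replaces system("pause"): waits for the user without spawning a shell.
	printf("Press Enter to exit...\n");
	(void)getchar();
	return 0;
}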

