内核枚举进程总结_pslookupprocessbyprocessid 枚举进程-CSDN博客

本文链接：https://blog.csdn.net/zhuhuibeishadiao/article/details/51292605

我知道的有三种方法

这里的第三种和第二种是一样的隐藏进程也可以在这么做手脚

但需要注意多线程,在操作前,理应加锁

可以参考这篇文章

http://blog.csdn.net/zfdyq0/article/details/41813747

1.暴力枚举进程通过PsLookupProcessByProcessId/Cid获得EPROCESS

第一个参数我们使用循环填入0~65535

for (ULONG i = 0; i < 65535; i += 4)  
{  
     SearchProcessPID(i);  
}  
return STATUS_SUCCESS;

其中注入PsLookupProcessByProcessId会导致bypass,建议使用Cid

2.通过ZwQuerySystemInformation

3.通过进程活动连来枚举

代码如下：

#include "ntddk.h"


typedef struct  _PROCESS_INFO
{
	ULONG_PTR eprocess;
	ULONG pid;
	ULONG ppid;
	UNICODE_STRING pathName;
	UNICODE_STRING ImageFileName;
}PROCESSINFO,*PPROCESSINFO;

typedef struct _SYSTEM_THREADS
{
	 LARGE_INTEGER  KernelTime;
	 LARGE_INTEGER  UserTime;
	 LARGE_INTEGER  CreateTime;
	 ULONG    WaitTime;
	 PVOID    StartAddress;
	 CLIENT_ID   ClientID;
	 KPRIORITY   Priority;
	 KPRIORITY   BasePriority;
	 ULONG    ContextSwitchCount;
	 ULONG    ThreadState;
	 KWAIT_REASON  WaitReason;
	 ULONG    Reserved; //Add
}SYSTEM_THREADS,*PSYSTEM_THREADS;
  
typedef struct _SYSTEM_PROCESS_INFORMATION {  
    ULONG                   NextEntryOffset;  
    ULONG                   NumberOfThreads;  
    LARGE_INTEGER           Reserved[3];  
    LARGE_INTEGER           CreateTime;  
    LARGE_INTEGER           UserTime;  
    LARGE_INTEGER           KernelTime;  
    UNICODE_STRING          ImageName;  
    KPRIORITY               BasePriority;  
    HANDLE                  ProcessId;  
    HANDLE                  InheritedFromProcessId;  
    ULONG                   HandleCount;  
    ULONG                   Reserved2[2];  
    ULONG                   PrivatePageCount;  
    VM_COUNTERS             VirtualMemoryCounters;  
    IO_COUNTERS             IoCounters;