• r0遍历系统进程方法总结


    方法1: ZwQuerySystemInformation

    这个方法网上一搜一大堆,不举例了

    方法 2：暴力枚举 PID 来枚举进程，代码如下：

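    /* Forward declaration: SearchProcessPID is defined after DriverEntry in this
     * listing, so without a prototype the call below is an implicit declaration. */
    NTSTATUS SearchProcessPID(ULONG pid);

    /*
     * Driver entry point for method 2: registers the unload routine, then
     * probes the PID space by brute force.
     *
     * pDriverObj - driver object handed in by the I/O manager.
     * pRegStr    - registry path of the service key; not used here.
     *
     * Returns STATUS_SUCCESS unconditionally. The status of each probe is
     * discarded on purpose: a miss on an unused PID is the normal case.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
    {
        pDriverObj->DriverUnload = MyUnload;

        DbgPrint("DriverEntry...\n");

        /* PIDs are multiples of 4, hence the stride. 65535 is the author's
         * arbitrary ceiling; a process whose ID is above it is not visited. */
        for (ULONG pid = 0; pid < 65535; pid += 4)
        {
            (void)SearchProcessPID(pid);
        }
        return STATUS_SUCCESS;
    }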
    15. //暴力枚举PID,枚举进程  
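    /*
     * Method 2 probe: look a single PID up and, if it names a live process,
     * print the PID and the process image file name.
     *
     * pid - candidate process ID.
     *
     * Returns the PsLookupProcessByProcessId status: STATUS_SUCCESS when the
     * PID was live, STATUS_INVALID_PARAMETER (the usual miss) otherwise.
     *
     * Fixes against the original listing:
     *  - The ExAllocatePool(NonPagedPool, sizeof(process)) call is gone. It
     *    allocated pointer-sized bytes, the pointer was overwritten on the
     *    next line, and nothing ever freed it: one pool leak per live PID.
     *  - PsLookupProcessByProcessId returns a referenced EPROCESS and the
     *    original never released it, pinning every process object it found.
     *    ObDereferenceObject now runs after the name has been printed, because
     *    PsGetProcessImageFileName returns a pointer into the EPROCESS itself.
     *  - The body is closed and the status is returned; the listing was cut
     *    before its closing brace.
     *  - pid is ULONG, so it is printed with %u instead of %d.
     */
    NTSTATUS SearchProcessPID(ULONG pid)
    {
        PEPROCESS process = NULL;
        PUCHAR processName = NULL;
        /* Double cast: ULONG -> HANDLE directly is a pointer-size mismatch on x64. */
        NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);

        if (NT_SUCCESS(status))
        {
            /* ImageFileName is a short fixed-size field holding a truncated
             * executable name, not a full path; confirm its size for the
             * target build before relying on the string length. */
            processName = PsGetProcessImageFileName(process);
            DbgPrint("PID:%u,processName:%s\n", pid, processName);

            /* Drop the lookup's reference. processName must not be used after this. */
            ObDereferenceObject(process);
        }
        return status;
    }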
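    /* Prototype for the probe routine defined further down; without it the
     * call in DriverEntry is an implicit declaration. */
    NTSTATUS SearchProcessPID(ULONG pid);

    /*
     * Entry point for method 2. Sets the unload routine and then probes every
     * PID-shaped value below 65535.
     *
     * pDriverObj - driver object supplied by the I/O manager.
     * pRegStr    - registry path of the driver's service key (unused).
     *
     * Returns STATUS_SUCCESS regardless of what the probes find; a failed
     * lookup on an unused PID is expected and is not an error for the driver.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
    {
    	pDriverObj->DriverUnload = MyUnload;

    	/* The original listing had the newline escape lost in rendering. */
    	DbgPrint("DriverEntry...\n");

    	/* Stride of 4 because PIDs are multiples of 4. The ceiling is the
    	 * author's choice; processes with larger IDs are simply skipped. */
    	for (ULONG pid = 0; pid < 65535; pid += 4)
    	{
    		(void)SearchProcessPID(pid);
    	}
    	return STATUS_SUCCESS;
    }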
    //暴力枚举PID,枚举进程
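    /*
     * Probe one PID. When it resolves to a live process, print the PID and the
     * image file name recorded in its EPROCESS.
     *
     * pid - candidate process ID.
     *
     * Returns the PsLookupProcessByProcessId status (STATUS_SUCCESS on a hit,
     * STATUS_INVALID_PARAMETER for a PID that is not in use).
     *
     * Differences from the original listing:
     *  - ExAllocatePool(NonPagedPool, sizeof(process)) is removed. It
     *    allocated the size of a pointer, the result was overwritten by the
     *    next assignment, and it was never freed.
     *  - The EPROCESS reference returned by the lookup is released with
     *    ObDereferenceObject once the name has been printed. The original
     *    leaked one reference per hit.
     *  - The function is closed and returns its status; the listing stopped
     *    before the closing brace.
     *  - %u is used for the ULONG pid instead of %d.
     */
    NTSTATUS SearchProcessPID(ULONG pid)
    {
    	PEPROCESS process = NULL;
    	PUCHAR processName = NULL;
    	/* Cast through ULONG_PTR so the integer-to-HANDLE widening is explicit on x64. */
    	NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);

    	if (NT_SUCCESS(status))
    	{
    		/* The name comes from a short fixed-size field in EPROCESS (a
    		 * truncated executable name, not a path); confirm the field size
    		 * for the target build before depending on its length. */
    		processName = PsGetProcessImageFileName(process);
    		DbgPrint("PID:%u,processName:%s\n", pid, processName);

    		/* processName points into the EPROCESS, so release only after printing. */
    		ObDereferenceObject(process);
    	}
    	return status;
    }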

    方法 3 和方法 1 原理相同，都是通过枚举 EPROCESS 结构体的 ActiveProcessLinks 链表来实现的，代码如下：
    1. //通过EPROCESS枚举进程  
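    /*
     * Method 3: walk EPROCESS.ActiveProcessLinks starting at the current
     * process and stop when the walk returns to it.
     *
     * ACTIVE_PROCESS_LINK is the byte offset of ActiveProcessLinks inside
     * EPROCESS. It is defined elsewhere in this driver and is specific to one
     * OS build; a wrong value makes every step read unrelated memory.
     *
     * Returns STATUS_SUCCESS; the walk has no failure path of its own.
     *
     * Fixes against the original listing:
     *  - Pointer arithmetic goes through ULONG_PTR instead of ULONG. The
     *    32-bit casts truncate kernel addresses on x64, and the dereference
     *    that follows faults.
     *  - PsGetProcessId returns a HANDLE; the original passed it to %d, a
     *    pointer-sized argument for an int conversion. It is narrowed
     *    explicitly and printed with %u.
     *  - The typo'd local ProcessNmae is renamed.
     *
     * Known limits, left as they were because fixing them needs internals this
     * listing does not use:
     *  - No reference is taken on any process and no list lock is held, so a
     *    process that exits during the walk leaves a dangling pointer.
     *  - The circular list also contains the kernel's list head, which is a
     *    bare LIST_ENTRY rather than an EPROCESS; one iteration per pass
     *    therefore operates on a non-process entry.
     */
    NTSTATUS SearchProcessEPROCESS(void)
    {
        PEPROCESS firstProcess = PsGetCurrentProcess();
        PEPROCESS process = firstProcess;

        do
        {
            PUCHAR processName = PsGetProcessImageFileName(process);
            ULONG pid = (ULONG)(ULONG_PTR)PsGetProcessId(process);
            DbgPrint("PID:%u,ProcessName:%s\n", pid, processName);

            /* &process->ActiveProcessLinks, follow Flink, then subtract the
             * offset again to recover the next EPROCESS. */
            PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)process + ACTIVE_PROCESS_LINK);
            process = (PEPROCESS)((ULONG_PTR)links->Flink - ACTIVE_PROCESS_LINK);
        } while (process != NULL && process != firstProcess);

        return STATUS_SUCCESS;
    }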
    //通过EPROCESS枚举进程
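    /*
     * Enumerate processes by following the ActiveProcessLinks chain from the
     * current process until it comes back around.
     *
     * ACTIVE_PROCESS_LINK (defined elsewhere in the driver) is the offset of
     * ActiveProcessLinks within EPROCESS for one particular OS build; on any
     * other build the walk reads the wrong field.
     *
     * Returns STATUS_SUCCESS; nothing in the walk reports failure.
     *
     * Changes from the original listing:
     *  - ULONG casts on pointers are replaced by ULONG_PTR. On x64 the 32-bit
     *    cast truncates the address and the next dereference crashes.
     *  - PsGetProcessId yields a HANDLE; passing it to %d mismatches the
     *    conversion on x64. It is narrowed to ULONG and printed with %u.
     *  - The misspelled local ProcessNmae is renamed.
     *
     * Still present, because a proper fix needs facilities this listing does
     * not use:
     *  - The walk holds no reference and no lock, so a process exiting
     *    mid-walk leaves a dangling pointer.
     *  - The list head itself is part of the circular list and is not an
     *    EPROCESS, so one entry per pass is not a process at all.
     */
    NTSTATUS SearchProcessEPROCESS(void)
    {
    	PEPROCESS firstProcess = PsGetCurrentProcess();
    	PEPROCESS process = firstProcess;

    	do
    	{
    		PUCHAR processName = PsGetProcessImageFileName(process);
    		ULONG pid = (ULONG)(ULONG_PTR)PsGetProcessId(process);
    		DbgPrint("PID:%u,ProcessName:%s\n", pid, processName);

    		/* Locate this entry's LIST_ENTRY, follow Flink, and convert the
    		 * neighbouring LIST_ENTRY back into its owning EPROCESS. */
    		PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)process + ACTIVE_PROCESS_LINK);
    		process = (PEPROCESS)((ULONG_PTR)links->Flink - ACTIVE_PROCESS_LINK);
    	} while (process != NULL && process != firstProcess);

    	return STATUS_SUCCESS;
    }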




  • 原文地址:https://www.cnblogs.com/kuangke/p/5761484.html