r0遍历系统进程方法总结

方法1: ZwQuerySystemInformation

这个方法网上一搜一大堆,不举例了

方法2:暴力枚举PID枚举进程,代码:

 

  1. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)  
  2. {  
  3.   
  4.     pDriverObj->DriverUnload = MyUnload;  
  5.   
  6.     DbgPrint("DriverEntry...\n");  
  7.   
  8.     //1.暴力枚举PID,枚举进程  
  9.     for (ULONG i = 0; i < 65535; i += 4)  
  10.     {  
  11.         SearchProcessPID(i);  
  12.     }  
  13.     return STATUS_SUCCESS;  
  14. }  
  15. //暴力枚举PID,枚举进程  
  16. NTSTATUS SearchProcessPID(ULONG pid)  
  17. {  
  18.     NTSTATUS status = STATUS_SUCCESS;  
  19.     PEPROCESS process = NULL;  
  20.     PUCHAR processName;  
  21.     status = PsLookupProcessByProcessId((HANDLE)pid, &process);  
  22.     processName = ExAllocatePool(NonPagedPool, sizeof(process));  
  23.     if (NT_SUCCESS(status))  
  24.     {  
  25.         processName = PsGetProcessImageFileName(process);  
  26.         DbgPrint("PID:%d,processName:%s\n", pid, processName);  
  27.     }  
  28.       
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{

	pDriverObj->DriverUnload = MyUnload;

	DbgPrint("DriverEntry...\n");

	//1.暴力枚举PID,枚举进程
	for (ULONG i = 0; i < 65535; i += 4)
	{
		SearchProcessPID(i);
	}
	return STATUS_SUCCESS;
}
//暴力枚举PID,枚举进程
NTSTATUS SearchProcessPID(ULONG pid)
{
	NTSTATUS status = STATUS_SUCCESS;
	PEPROCESS process = NULL;
	PUCHAR processName;
	status = PsLookupProcessByProcessId((HANDLE)pid, &process);
	processName = ExAllocatePool(NonPagedPool, sizeof(process));
	if (NT_SUCCESS(status))
	{
		processName = PsGetProcessImageFileName(process);
		DbgPrint("PID:%d,processName:%s\n", pid, processName);
	}
	

方法3和方法1原理相同,枚举eprocess结构体的ActiveProcessLinks链表实现,代码如下

 

 

  1. //通过EPROCESS枚举进程  
  2. NTSTATUS SearchProcessEPROCESS()  
  3. {  
  4.     PEPROCESS process=NULL,firstProcess=NULL;  
  5.     NTSTATUS status = STATUS_SUCCESS;  
  6.     PLIST_ENTRY plist;  
  7.     process = firstProcess = PsGetCurrentProcess();  
  8.     do  
  9.     {  
  10.         PUCHAR ProcessNmae = NULL;  
  11.         ProcessNmae = PsGetProcessImageFileName(process);  
  12.         DbgPrint("PID:%d,ProcessName:%s\n", (HANDLE)PsGetProcessId(process), ProcessNmae);  
  13.         plist = (PLIST_ENTRY)((ULONG)process + ACTIVE_PROCESS_LINK);  
  14.         process = (PEPROCESS)((ULONG)plist->Flink - ACTIVE_PROCESS_LINK);  
  15.         if (process == firstProcess)  
  16.         {  
  17.             break;  
  18.         }  
  19.     } while (process != NULL);  
  20.   
  21.     return status;  
  22. }  
//通过EPROCESS枚举进程
NTSTATUS SearchProcessEPROCESS()
{
	PEPROCESS process=NULL,firstProcess=NULL;
	NTSTATUS status = STATUS_SUCCESS;
	PLIST_ENTRY plist;
	process = firstProcess = PsGetCurrentProcess();
	do
	{
		PUCHAR ProcessNmae = NULL;
		ProcessNmae = PsGetProcessImageFileName(process);
		DbgPrint("PID:%d,ProcessName:%s\n", (HANDLE)PsGetProcessId(process), ProcessNmae);
		plist = (PLIST_ENTRY)((ULONG)process + ACTIVE_PROCESS_LINK);
		process = (PEPROCESS)((ULONG)plist->Flink - ACTIVE_PROCESS_LINK);
		if (process == firstProcess)
		{
			break;
		}
	} while (process != NULL);

	return status;
}


 


jpg 改 rar

posted @ 2016-08-11 16:25  狂客  阅读(559)  评论(0编辑  收藏  举报