<转>内核层 进程列举 NtQuerySystemInformation
/*--------- 1.c -----------*/
#include "1.h"
//---------列举进程---------
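/*
 * Walks the SYSTEM_PROCESS_INFORMATION chain that starts at pSi (uSize bytes
 * long) and logs one "<pid> - <image name>" line per process.
 *
 * Every header and every NextEntryOffset is checked against the end of the
 * buffer before it is dereferenced, so a short or malformed chain ends the
 * walk instead of reading past the allocation.
 *
 * Returns the number of entries that were logged.
 */
static int PrintProcessList(PVOID pSi, ULONG uSize)
{
    PUCHAR pEnd = (PUCHAR)pSi + uSize;
    PSYSTEM_PROCESS_INFORMATION pSpiNext = (PSYSTEM_PROCESS_INFORMATION)pSi;
    int iCount = 0;

    while (TRUE)
    {
        // Never read a header that does not fit in what is left of the buffer.
        if ((SIZE_T)(pEnd - (PUCHAR)pSpiNext) < sizeof(*pSpiNext))
        {
            DbgPrint("[Aliwy] EnumProcess entry runs past the buffer, stopping\n");
            break;
        }
        iCount++;

        if (pSpiNext->ProcessId == 0)
        {
            // PID 0 carries no image name, so it is labelled by hand.
            DbgPrint("[Aliwy] %lu - System Idle Process\n", (ULONG)(ULONG_PTR)pSpiNext->ProcessId);
        }
        else
        {
            DbgPrint("[Aliwy] %lu - %wZ\n", (ULONG)(ULONG_PTR)pSpiNext->ImageName.Length == 0 ? (ULONG)(ULONG_PTR)pSpiNext->ProcessId : (ULONG)(ULONG_PTR)pSpiNext->ProcessId, &pSpiNext->ImageName);
        }

        if (pSpiNext->NextEntryOffset == 0)
        {
            break; // last entry in the chain
        }
        if (pSpiNext->NextEntryOffset > (ULONG)(pEnd - (PUCHAR)pSpiNext))
        {
            DbgPrint("[Aliwy] EnumProcess NextEntryOffset points past the buffer, stopping\n");
            break;
        }
        // Byte-granular advance through PUCHAR: a cast to ULONG would truncate
        // the pointer on 64-bit builds.
        pSpiNext = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pSpiNext + pSpiNext->NextEntryOffset);
    }
    return iCount;
}

/**
 * Enumerates all processes through
 * NtQuerySystemInformation(SystemProcessesAndThreadsInformation) and logs
 * "<pid> - <image name>" for each of them with DbgPrint.
 *
 * The required size is not known up front, so the non-paged buffer starts at
 * 32 KiB and grows by 32 KiB each time the query reports
 * STATUS_INFO_LENGTH_MISMATCH.  Any other failure stops the enumeration.  The
 * buffer is released on every path, including the retry path.
 *
 * @return STATUS_SUCCESS when the list was walked,
 *         STATUS_INSUFFICIENT_RESOURCES when the pool allocation failed,
 *         otherwise the status returned by NtQuerySystemInformation.
 *
 * NOTE(review): Nt* entry points keep the caller's previous mode.  That is fine
 * from DriverEntry (system context); confirm before calling this from a
 * user-initiated IRP path, where Zw* would be the usual choice.
 */
NTSTATUS EnumProcess(void)
{
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH; // forces the first iteration
    PVOID pSi = NULL;                              // pool buffer holding the process chain
    ULONG uSize;                                   // size of pSi in bytes
    ULONG pNeededSize = 0;                         // length reported by the kernel; not filled in on WIN2000, so not relied on

    for (uSize = 0x8000; status == STATUS_INFO_LENGTH_MISMATCH; uSize += 0x8000)
    {
        pSi = ExAllocatePoolWithTag(NonPagedPool, uSize, 'tag1');
        if (pSi == NULL)
        {
            DbgPrint("[Aliwy] FAILURE ExAllocatePoolWithTag uSize = 0x%.8X\n", uSize);
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pSi,
                                          uSize,
                                          &pNeededSize);
        if (STATUS_SUCCESS == status)
        {
            DbgPrint("[Aliwy] SUCCESS uSize = 0x%.8X, pNeededSize = 0x%.8X, status = 0x%.8X\n", uSize, pNeededSize, status);
            DbgPrint("[Aliwy] EnumProcess Over, Count is: %d\n", PrintProcessList(pSi, uSize));
        }
        else
        {
            // Only STATUS_INFO_LENGTH_MISMATCH makes the loop retry with a larger buffer;
            // every other status ends the loop and is returned to the caller.
            DbgPrint("[Aliwy] FAILURE uSize = %.8X, pNeededSize = %.8X, status = %.8X\n", uSize, pNeededSize, status);
        }

        ExFreePool(pSi);
        pSi = NULL;
    }
    return status;
}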
//------------------------------
//---------DriverUnload---------
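/**
 * DriverUnload callback: the driver owns no resources at this point, so it
 * only logs the unload.
 *
 * @param DriverObject unused; referenced only to keep /W4 builds warning-free.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("[Aliwy] OnUnload\n");
}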
//------------------------------
//----------DriverEntry---------
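/**
 * Driver entry point: registers the unload routine and runs the process
 * enumeration once.
 *
 * The enumeration is best-effort; its status is logged but the driver still
 * loads, so the return value is always STATUS_SUCCESS.
 *
 * @param theDriverObject driver object whose DriverUnload is set to OnUnload.
 * @param theRegistryPath unused.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(theRegistryPath);
    DbgPrint("[Aliwy] DriverEntry\n");

    // Register the unload routine before doing any work so the driver can be
    // unloaded even if the enumeration fails.
    theDriverObject->DriverUnload = OnUnload;

    status = EnumProcess();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[Aliwy] EnumProcess failed, status = 0x%.8X\n", status);
    }
    return STATUS_SUCCESS;
}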
//------------------------------
/*----------- 1.h ------------*/
#include <ntddk.h>
#define DWORD unsigned long
#define BOOL int
//---------系统信息结构---------
// Information classes accepted by NtQuerySystemInformation.  The numeric
// value of each class is written out so the index passed to the kernel is
// visible without counting lines.
// NOTE(review): this is the table the listing reproduces; the page itself
// says part of it is undocumented, so confirm against the target OS before
// relying on any class other than the one used here.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemNotImplemented1 = 4,
    SystemProcessesAndThreadsInformation = 5,
    SystemCallCounts = 6,
    SystemConfigurationInformation = 7,
    SystemProcessorTimes = 8,
    SystemGlobalFlag = 9,
    SystemNotImplemented2 = 10,
    SystemModuleInformation = 11,
    SystemLockInformation = 12,
    SystemNotImplemented3 = 13,
    SystemNotImplemented4 = 14,
    SystemNotImplemented5 = 15,
    SystemHandleInformation = 16,
    SystemObjectInformation = 17,
    SystemPagefileInformation = 18,
    SystemInstructionEmulationCounts = 19,
    SystemInvalidInfoClass1 = 20,
    SystemCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemProcessorStatistics = 23,
    SystemDpcInformation = 24,
    SystemNotImplemented6 = 25,
    SystemLoadImage = 26,
    SystemUnloadImage = 27,
    SystemTimeAdjustment = 28,
    SystemNotImplemented7 = 29,
    SystemNotImplemented8 = 30,
    SystemNotImplemented9 = 31,
    SystemCrashDumpInformation = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemLoadAndCallImage = 38,
    SystemPrioritySeparation = 39,
    SystemNotImplemented10 = 40,
    SystemNotImplemented11 = 41,
    SystemInvalidInfoClass2 = 42,
    SystemInvalidInfoClass3 = 43,
    SystemTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemSetTimeSlipEvent = 46,
    SystemCreateSession = 47,
    SystemDeleteSession = 48,
    SystemInvalidInfoClass4 = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemAddVerifier = 52,
    SystemSessionProcessesInformation = 53
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
//------------------------------
//---------线程信息结构---------
// Per-thread record.  SYSTEM_PROCESS_INFORMATION below ends with a
// SYSTEM_THREAD Threads[] array, so these records are laid out right after
// each process header in the buffer returned by NtQuerySystemInformation.
// The field meanings are taken from their names; none of them is read by
// the code on this page.
typedef struct _SYSTEM_THREAD {
LARGE_INTEGER KernelTime;   // presumably kernel-mode CPU time, as for the process-level field
LARGE_INTEGER UserTime;     // presumably user-mode CPU time
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;         // process id / thread id pair
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitchCount;
ULONG State;
KWAIT_REASON WaitReason;
} SYSTEM_THREAD, *PSYSTEM_THREAD;
//------------------------------
//---------进程信息结构---------
// One entry of the process list returned by
// NtQuerySystemInformation(SystemProcessesAndThreadsInformation).  Entries are
// chained by NextEntryOffset; EnumProcess reads NextEntryOffset, ProcessId and
// ImageName only.
// NOTE(review): the layout is the undocumented one reproduced by this listing
// (the page says part of it is undocumented); confirm it against the target
// OS version before reading any field beyond those three.
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset; // byte offset from this entry to the next one; 0 marks the last entry (NextEntryDelta in other headers)
ULONG NumberOfThreads; // thread count
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime; // creation time
LARGE_INTEGER UserTime; // CPU time spent in user mode (Ring 3)
LARGE_INTEGER KernelTime; // CPU time spent in kernel mode (Ring 0)
UNICODE_STRING ImageName; // process image name; printed with %wZ, Buffer may be NULL for PID 0
KPRIORITY BasePriority; // process base priority
HANDLE ProcessId; // process identifier (UniqueProcessId in other headers); pointer-sized, compared against 0 for the idle process
HANDLE InheritedFromProcessId; // parent process identifier
ULONG HandleCount; // handle count
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters; // virtual-memory counters
IO_COUNTERS IoCounters; // I/O counters
SYSTEM_THREAD Threads[0]; // thread records that follow the header (zero-length array is a compiler extension; sizeof excludes it); presumably NumberOfThreads of them
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
//typedef SYSTEM_PROCESSES SYSTEM_PROCESS_INFORMATION;
//typedef PSYSTEM_PROCESSES PSYSTEM_PROCESS_INFORMATION;
//MSDN此结构定义在SDK的winternl.h中,以上部分信息未文档化
//_SYSTEM_PROCESS_INFORMATION = _SYSTEM_PROCESSES
//------------------------------
//---------函数声明-------------
/**
 * Prototype for the ntoskrnl export used by EnumProcess.  It is declared here
 * because the DDK headers this listing builds against presumably do not
 * provide it (the page notes the information is undocumented).
 *
 * @param SystemInformationClass  which table to return (SystemProcessesAndThreadsInformation here).
 * @param SystemInformation       caller-supplied buffer that receives the data.
 * @param SystemInformationLength size of that buffer in bytes.
 * @param ReturnLength            optional; receives the required length.  The
 *                                listing notes it is not filled in on WIN2000.
 * @return STATUS_SUCCESS, STATUS_INFO_LENGTH_MISMATCH when the buffer is too
 *         small, or another NTSTATUS failure.
 */
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);
//------------------------------
另外再转一个
#include "ntddk.h"
#define printf DbgPrint
// Information classes accepted by ZwQuerySystemInformation; the index of each
// class is spelled out as an explicit enumerator value instead of a trailing
// comment.  Only SystemProcessesAndThreadsInformation (5) is used below.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemNotImplemented1 = 4,
    SystemProcessesAndThreadsInformation = 5,
    SystemCallCounts = 6,
    SystemConfigurationInformation = 7,
    SystemProcessorTimes = 8,
    SystemGlobalFlag = 9,
    SystemNotImplemented2 = 10,
    SystemModuleInformation = 11,
    SystemLockInformation = 12,
    SystemNotImplemented3 = 13,
    SystemNotImplemented4 = 14,
    SystemNotImplemented5 = 15,
    SystemHandleInformation = 16,
    SystemObjectInformation = 17,
    SystemPagefileInformation = 18,
    SystemInstructionEmulationCounts = 19,
    SystemInvalidInfoClass1 = 20,
    SystemCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemProcessorStatistics = 23,
    SystemDpcInformation = 24,
    SystemNotImplemented6 = 25,
    SystemLoadImage = 26,
    SystemUnloadImage = 27,
    SystemTimeAdjustment = 28,
    SystemNotImplemented7 = 29,
    SystemNotImplemented8 = 30,
    SystemNotImplemented9 = 31,
    SystemCrashDumpInformation = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemLoadAndCallImage = 38,
    SystemPrioritySeparation = 39,
    SystemNotImplemented10 = 40,
    SystemNotImplemented11 = 41,
    SystemInvalidInfoClass2 = 42,
    SystemInvalidInfoClass3 = 43,
    SystemTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemSetTimeSlipEvent = 46,
    SystemCreateSession = 47,
    SystemDeleteSession = 48,
    SystemInvalidInfoClass4 = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemAddVerifier = 52,
    SystemSessionProcessesInformation = 53
} SYSTEM_INFORMATION_CLASS;
// Per-thread record that follows each SYSTEM_PROCESS_INFORMATION header
// (see the Threads[] member below).  Same field order as the SYSTEM_THREAD
// definition earlier on this page, with BasePriority as KPRIORITY and
// State/WaitReason as plain LONG.  None of these fields is read by
// Ring0EnumProcess.
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;        // process id / thread id pair
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
// One entry of the list returned by
// ZwQuerySystemInformation(SystemProcessesAndThreadsInformation); entries are
// chained by NextEntryDelta.  Ring0EnumProcess reads NextEntryDelta,
// ProcessName and ProcessId only.
// NOTE(review): the earlier definition on this page declares the id fields as
// HANDLE (pointer-sized); the ULONG fields here line up with that layout only
// on 32-bit builds.  Confirm the target before using this header on x64.
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;      // byte offset to the next entry; 0 marks the last one
ULONG ThreadCount;
ULONG Reserved1[6];        // 24 bytes, same size as LARGE_INTEGER Reserved[3] in the earlier definition
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName; // image name; Buffer may be NULL, which the walker must handle
KPRIORITY BasePriority;
ULONG ProcessId;           // see the NOTE above about width
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[1]; // thread records follow the header; sizeof includes one record, unlike the Threads[0] form used earlier on this page
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
/**
 * Prototype for the Zw-prefixed system-information query used by
 * Ring0EnumProcess.  The Zw variant is the usual entry point from kernel
 * mode; it is declared here because the DDK headers used by this listing
 * presumably do not provide it.
 *
 * @param SystemInformationClass  table to return (SystemProcessesAndThreadsInformation here).
 * @param SystemInformation       caller-supplied buffer that receives the data.
 * @param SystemInformationLength size of that buffer in bytes.
 * @param ReturnLength            optional required length; passed as NULL below.
 * @return STATUS_SUCCESS, STATUS_INFO_LENGTH_MISMATCH when the buffer is too
 *         small, or another NTSTATUS failure.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Forward declaration; defined after DriverEntry below.
void Ring0EnumProcess();
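/**
 * DriverUnload callback: nothing is owned at this point, so it only logs.
 *
 * @param DriverObject unused; referenced only to keep /W4 builds warning-free.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    printf("the driver is unload");
}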
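/**
 * Driver entry point: registers the unload routine, then runs the process
 * enumeration once.  Ring0EnumProcess reports its own failures, so the
 * driver always loads.
 *
 * @param theDriverObject driver object whose DriverUnload is set to OnUnload.
 * @param RegistryPath    unused.
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    theDriverObject->DriverUnload = OnUnload;
    Ring0EnumProcess();
    return STATUS_SUCCESS;
}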
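/**
 * Enumerates all processes through
 * ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) and logs
 * "pid <id> ps <name>" for each one with DbgPrint.
 *
 * The required size is not requested (ReturnLength is NULL), so the buffer
 * starts at 32 KiB and is doubled until the query no longer reports
 * STATUS_INFO_LENGTH_MISMATCH.  Allocation failure and any other query
 * failure end the routine after the buffer is released.
 *
 * While walking the list every header and every NextEntryDelta is checked
 * against the end of the buffer, so a malformed chain stops the walk instead
 * of reading past the allocation.  A NULL ProcessName.Buffer is printed as
 * "NULL" rather than being dereferenced.
 */
void Ring0EnumProcess()
{
    ULONG cbBuffer = 0x8000;              // initial buffer size, 32 KiB
    PVOID pBuffer = NULL;
    NTSTATUS ntStatus;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    PUCHAR pEnd;

    do
    {
        // 'EnuP' is an arbitrary pool tag chosen for this listing so the
        // allocation is attributable in pool diagnostics.
        pBuffer = ExAllocatePoolWithTag(NonPagedPool, cbBuffer, 'EnuP');
        if (pBuffer == NULL)
        {
            KdPrint(("分配内存失败!"));
            return;
        }
        ntStatus = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);
        if (ntStatus == STATUS_INFO_LENGTH_MISMATCH)
        {
            // Too small: release and retry with twice the size.
            ExFreePool(pBuffer);
            pBuffer = NULL;
            if (cbBuffer > MAXULONG / 2)
            {
                return; // doubling would overflow ULONG
            }
            cbBuffer *= 2;
        }
        else if (!NT_SUCCESS(ntStatus))
        {
            ExFreePool(pBuffer);
            return;
        }
    }
    while (ntStatus == STATUS_INFO_LENGTH_MISMATCH);

    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    pEnd = (PUCHAR)pBuffer + cbBuffer;
    while (TRUE)
    {
        // Never read a header that does not fit in what is left of the buffer.
        if ((SIZE_T)(pEnd - (PUCHAR)pInfo) < sizeof(*pInfo))
        {
            break;
        }

        if (pInfo->ProcessName.Buffer == NULL)
        {
            DbgPrint("pid %lu ps %S\n", pInfo->ProcessId, L"NULL");
        }
        else
        {
            // %wZ honours ProcessName.Length, so the buffer need not be NUL-terminated.
            DbgPrint("pid %lu ps %wZ\n", pInfo->ProcessId, &pInfo->ProcessName);
        }

        if (pInfo->NextEntryDelta == 0)
        {
            break; // last entry in the chain
        }
        if (pInfo->NextEntryDelta > (ULONG)(pEnd - (PUCHAR)pInfo))
        {
            break; // offset would leave the buffer
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta);
    }
    ExFreePool(pBuffer);
    return;
}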